Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), establishes strict rules for the processing of personal data, applicable to every company in its capacity as a personal data controller. It introduces severe penalties for non-compliance with data protection provisions, so the following will present the types of penalties that can be imposed by data protection authorities in EU member states, including Romania, as well as concrete examples of fines imposed on data controllers:
- Financial penalties:
Private sector operators can be sanctioned with hefty fines under Article 83(4)-(5) of the GDPR. The Regulation sets two tiers depending on the provision breached: up to 10 million euros or 2% of the total worldwide annual turnover for the preceding financial year, or, for the more serious category of infringements (e.g. the processing principles, data subject rights, international transfers), up to 20 million euros or 4% of that turnover. In both tiers the higher of the two amounts applies.
These fines can be applied in cases of non-compliance with GDPR principles and rules, such as (exemplary, not limited to) conduct that may involve:
- Failure to implement technical and organizational measures ensuring the protection and confidentiality of personal data;
- Failure to periodically train the data controller’s employees on GDPR, leading to security incidents caused by the controller’s staff;
- Failure to respect the rights of data subjects (such as the right of access, rectification, erasure (the "right to be forgotten"), or data portability);
- Illegal processing of personal data;
- Failure to ensure data security and confidentiality;
- Failure to notify the supervisory authority or the data subject in the event of security incidents;
- Processing data disregarding the principles of purpose limitation or storage limitation;
- Processing data for excessive periods of time;
- General conditions for imposing administrative fines:
Each supervisory authority ensures that the imposition of administrative fines for GDPR breaches is effective, proportionate, and dissuasive.
When deciding whether an administrative fine is warranted in a given case, and when determining its amount, supervisory authorities give due regard to the criteria listed in Article 83(2) of the GDPR:
- The nature, gravity, and duration of the infringement, taking into account the scope or purpose of processing, the number of data subjects affected, and the level of damage suffered;
- The intentional or negligent character of the infringement;
- Actions taken to mitigate the damage suffered by data subjects;
- The responsibility of the controller and the technical measures implemented;
- Relevant previous infringements;
- Cooperation with the supervisory authority to remedy the infringement;
- The categories of personal data affected;
- Notification of the infringement to the supervisory authority;
- Adherence to codes of conduct or certification mechanisms;
- Any other aggravating or mitigating factors, such as financial benefits gained or losses avoided.
According to Article 83(3) of the GDPR, if a controller or processor, for the same or linked processing operations, infringes several provisions of the Regulation, the total amount of the fine shall not exceed the amount specified for the gravest infringement.

In Romania, the ANSPDCP plays a central role in the field of personal data protection and the investigation of GDPR breaches, as it is responsible for monitoring compliance with the GDPR and applying sanctions in case of reported data protection violations. It is also worth mentioning that sanctions imposed by the supervisory authority for breaches of Regulation (EU) 2016/679 are public and can be consulted on the ANSPDCP website in a dedicated section that contains details about the specific breach, the responsible operator, and the amount of the fine.

The publication of fines plays an important role in raising awareness among operators of the importance of personal data protection. It allows the public to monitor compliance and understand the consequences of breaches, and it directly affects the image of each data controller in relation to both its customers and its commercial partners.
- Examples of GDPR fines imposed by competent supervisory authorities in member states
Although Article 83 of the GDPR sets common criteria for imposing fines, each member state lays down its own procedural rules and its own supervisory authority applies those criteria in practice. For this reason, the amounts of fines imposed by competent EU authorities vary widely from one state to another.
For example, the National Commission for Informatics and Liberties (CNIL) is an independent administrative authority in France responsible for ensuring the protection of personal data contained in computer or paper files and processing operations, both in the public and private sectors.
CNIL ensures that information technology serves the citizen and does not affect human identity, human rights, privacy, or individual and public freedoms. Also, in the case of CNIL, corrective measures are published. For example, according to the 2022 annual activity report, CNIL imposed fines totaling approximately 101 million euros, while in Romania, during the same year, the maximum fines imposed amounted to approximately 215,000 euros.
Although both authorities aim to ensure compliance with personal data protection rules, it can be observed that the limits and specific procedures may vary depending on national legislation and the context of each country. Below are some illustrative examples of fines imposed by EU supervisory authorities for non-compliance with GDPR provisions.
These fines also represent valuable guidelines for data controllers’ compliance, as they include important interpretations by authorities regarding GDPR obligations:
- In 2023, fines totalling well over one billion euros were recorded in Ireland. A record fine of 1.2 billion euros was imposed by the Irish Data Protection Commission on Meta Platforms Ireland for infringing Article 46(1) of the GDPR, by continuing to transfer personal data of European users to the United States without appropriate safeguards.
- In Romania, in 2023, one of the largest fines imposed by the ANSPDCP was the 110,000 euro fine received by Rompetrol Downstream SRL. It was imposed for unauthorized, repeated access to customer data in the company's software application and the illegal disclosure of the personal data of some customers; the purpose of these actions was to obtain loans from non-banking financial institutions in the name of those customers. Also, in July of the same year, UiPath SRL received a fine of 70,000 euros from the Romanian supervisory authority. The breach of confidentiality consisted of the unlawful exposure of the personal data of approximately 600,000 users of the Academy platform on a website reachable via a publicly accessible URL.
- Lastly, also as an example, the French supervisory authority (CNIL) announced on January 23, 2024 a fine of 32 million euros on Amazon France Logistique, following a thorough investigation, for operating an excessively intrusive system for monitoring the activity and performance of its warehouse employees.
In conclusion, complying with the GDPR is essential for protecting personal data and avoiding fines that can be imposed by supervisory authorities. Data controllers must not ignore the fact that any data subject whose data is being processed by them can file a complaint with the ANSPDCP.
For further information or any additional inquiries, please do not hesitate to contact us:
➡ Phone: (+4) 031 426 0745
📧 Email: office@grecupartners.ro
We are here to assist and provide legal support for all your needs. We look forward to discussing with you.
Mihaela Balau – Attorney at Law