Country: Greece (first fine ever issued by the Greek data protection authority)
Fine Amount: €150,000
Issued to: PWC Business Solutions
Reason: The company, i.e. an employer, had decided to use consent as a legal basis for processing the personal data of its employees for various standard work-related purposes (e.g. paying the employees, sending the employees' personal data to relevant tax and labour authorities etc.). The Greek data protection authority held that consent is not a sound legal basis in the context of employment, due to the relationship between employer and employee being a subordinate one where there is a natural imbalance of power.
Country: Sweden (first fine ever issued by the Swedish data protection authority)
Fine Amount: 200,000 SEK (approximately €19,000)
Issued to: A public school
Reason: The school was using a camera with facial recognition in a classroom of 22 students to register student presence in class. The school had acquired the children's explicit consent, however the Swedish authority held that such consent is not valid, due to how dependent the students were on the school, raising questions on whether they could, in reality, have refused to give their consent. Furthermore, the Swedish authority held that regulating student presence in class can be carried out in a manner which is much less intrusive to the students' privacy.
Fine Amount: €2,500
Issued to: UTTIS Industries Srl
Reason: The company could not prove that it had informed data subjects that it was processing their personal data/images via a video surveillance system which it had been operating since 2016.
Fine Amount: €180,000
Issued to: Active Assurances (car insurer)
Reason: A significant amount of customer data, including copies of driver's licences, vehicle registrations and bank statements were all easily accessible online by the general public. In particular, the French data protection authority criticised the poor password management in place, whereby unauthorised access was possible without any authentication being required.
Country: United Kingdom
Fine Amount: €110,390,200
Issued to: Marriott International, Inc.
Reason: The company had notified the UK data protection authority ('ICO') of a data breach which had occurred in November 2018, whereby the records of approximately 339 million guests, including around 30 million EU residents, were exposed online due to an IT vulnerability. The vulnerability appears to have been present in the systems of the Starwood hotels group as far back as 2014. Marriott had later acquired Starwood in 2016, but did not discover the vulnerabilities in question until 2018. The ICO held that Marriott failed to carry out the necessary due diligence when acquiring Starwood and should have also had better security in place in its IT systems.
Note: This fine is not yet final since Marriott and other supervisory authorities of other EU Member States have yet to make their representations.
Country: United Kingdom
Fine Amount: €204,600,000 (highest GDPR fine ever issued thus far)
Issued to: British Airways
Reason: The company had notified the ICO of a data breach which had occurred in September 2018, whereby online user traffic on the company's website was being diverted to a fraudulent site which was harvesting customer details, including payment card details, travel booking details, names and addresses. It is estimated that approximately 500,000 customers were affected by this breach.
Note: This fine is not yet final since British Airways and other supervisory authorities of other EU Member States have yet to make their representations.