Published 30 November 2020
In October 2020, three of the largest fines ever imposed for breaches of the EU General Data Protection Regulation (“GDPR”) were issued by data protection authorities in Europe. In Germany, the Data Protection Authority of Hamburg fined H&M €35.3m, while in the UK, the Information Commissioner’s Office (“the ICO”) fined British Airways and Marriott International €22m (£20m) and €20.45m (£18.4m) respectively.
Swedish retail conglomerate H&M was fined for the illegal surveillance of hundreds of its employees. The company had collected sensitive personal data through the use of staff surveys and informal chats. The personal data collected included information about employees’ religious beliefs, medical records, including diagnoses and symptoms of illnesses, as well as private details about vacations and family affairs. The company then used this data to create profiles of its employees.
These practices became public after a technical error in October 2019, whereby the information, which was stored on the company's network, became accessible to all staff for several hours. This prompted the Hamburg authority to open an investigation. The Hamburg authority noted that there had been a gross disregard of data protection rules and that the large fine was "justified and should help to scare off companies from violating people's privacy".
The fine against British Airways for its GDPR breaches was reduced to €22m from the €204m (£183.39m) set out in the ICO's notice of intention to fine issued in July 2019. The ICO's investigation found that the airline was processing a significant amount of personal data without adequate security measures in place, which allowed a cyber-attack in 2018 to proceed undetected for about two months. The attack resulted in hackers stealing the personal data of more than 400,000 customers of the airline. Notably, the ICO stated that, in setting the reduced fine, it had taken into account the economic impact of Covid-19 on the airline industry.
In July 2019, the ICO issued a notice of intention to fine Marriott International just over £99m for failing to keep millions of customers’ personal data secure. The Starwood guest reservation database, which Marriott acquired in 2016, had been compromised by an unknown attacker in 2014; the intrusion remained undetected until September 2018, by which time an estimated 339 million guest records had been exposed.
The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.
On 30 October 2020, the ICO issued its penalty notice imposing a fine of €20.45m, substantially reducing the initial intended fine. As in the British Airways matter, the ICO took into account a number of mitigating factors, including the impact of the Covid-19 pandemic. The ICO also acknowledged that Marriott acted promptly to notify customers and the ICO, acted quickly to mitigate the risk of damage to customers, and has since put in place a number of measures to improve the security of its systems.
The imposition of such high financial penalties in quick succession highlights the wide-ranging enforcement powers available to data protection authorities to ensure compliance with the GDPR, and shows that they will not hesitate to use those powers when appropriate. It should serve as a crucial reminder to all companies of their obligations as data controllers and processors under the GDPR. Going forward, it will be interesting to see whether other data protection authorities follow the ICO's approach of taking into account the economic impact of Covid-19 when imposing fines.
The DAC Beachcroft Breach Response Planner provides a step-by-step guide to building a practical plan for managing data breaches and other cyber incidents. The planner includes helpful tips and default content that can be easily customised. Your plan is easily and securely accessed at any time, from anywhere, on any device. It connects all your key stakeholders keeping them informed and engages with best-practice breach response. Find out more here.