In 2021, five of the world’s top ten fines were imposed for breaches of the General Data Protection Regulation (GDPR). The Ecovis experts in Lithuania have analysed these cases and worked out what lessons companies can learn from these GDPR fines.

The GDPR came into force almost four years ago. However, its implementation is still a major challenge for companies. The investigations launched by regulators and the mounting fines show that the transition period is over.

1. The case of Amazon

The Luxembourg data protection regulator, the CNPD, issued a fine of EUR 746 million against Amazon for alleged breaches of the GDPR relating to targeted advertising to its users.

What does this imply?
Companies still pay too little attention to the proper wording of advertising consent and to the proper administration of their systems when such consent is withdrawn.

2. The case of WhatsApp Ireland

The Irish Data Protection Commissioner (DPC) fined WhatsApp Ireland a record EUR 225 million after a GDPR investigation into how it shares user data with other Facebook-owned social media platforms.

What does this imply?
Privacy policies and privacy notices must be adapted individually to each company and take into consideration the nature of the organisation, the data subjects, and the life cycle of the organisation’s personal data.


Companies must correctly implement the General Data Protection Regulation. We know how to do this.

Loreta Andziulytė, Attorney at Law, Partner, ECOVIS ProventusLaw, Vilnius, Lithuania

3. The case of H&M

The German data protection authority fined clothing chain H&M EUR 35.3 million over the illegal surveillance of its employees, as the Swedish firm delved deeply into the private lives of its staff members. It was established that H&M collected a lot of data on the personal lives of its employees and stored it on the company’s intranet.

What does this imply?
The fact that the employee has an employment relationship with the company does not mean that any processing of his or her personal data, including surveillance, is justified.

4. The case of booking.com

Booking.com was fined EUR 475,000 for reporting a personal data breach to the supervisory authority too late. The company only reported the incident to the authority 22 days after it had found out about it.

What does this imply?
Booking.com should have reported the case within 72 hours according to the GDPR.

What lessons can other companies learn from these cases of GDPR fines?

The cases discussed above show that:

  • Companies must inform their customers in a clear and detailed manner about the personal data they process. Privacy notices must be based on the company’s business model rather than being published template notices.
  • Promotional messages can be sent only if consent is explicitly obtained. Practice shows that statements such as “legitimate interest” or “implementation of a contract” are clearly inappropriate.
  • It is illegal to collect data about employees or customers “just in case”. Collection of data is allowed only to the extent necessary for a specific purpose.
  • Breaches must be immediately reported to the authorities. Otherwise significant fines may be imposed.

For further information please contact:

Loreta Andziulytė, Attorney at Law, Partner, ECOVIS ProventusLaw, Vilnius, Lithuania
Email: loreta.andziulyte@ecovisproventuslaw.com