What do the first sanctions reveal, and what choices are the Supervisory Authorities making?

Lawyer Vincenzo Colarocco

The supervisory authorities (the EU privacy guarantors) have so far taken a reasonable and considered approach to sanctions for non-compliance with the GDPR, in line with the regulation itself, which states that sanctions must in any case be effective, proportionate and dissuasive. For example:

 

| Authority | Fine | Quoted Art. | Summary |
| --- | --- | --- | --- |
| French Data Protection Authority (CNIL) | 50,000,000 for Google Inc. | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 nr. 11 GDPR, Art. 5 GDPR | Lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were neither “specific” nor “unambiguous” (Art. 4 nr. 11 GDPR). |
| Italian Data Protection Authority (Garante) | 50,000 for the Italian political party Movimento 5 Stelle | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security |
| Information Commissioner (ICO) | 204,600,000 for British Airways | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security |

See the list in detail for a better overview.