Lawyer Vincenzo Colarocco
The supervisory authorities (the EU privacy guarantors) have so far taken a reasonable and considered approach to sanctions for non-compliance with the GDPR, in line with the regulation itself, which states that sanctions must in any case be effective, proportionate and dissuasive. For example:
| Authority | Fine (€) | Articles cited | Summary |
|---|---|---|---|
| French Data Protection Authority (CNIL) | 50,000,000 for Google Inc. | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 nr. 11 GDPR, Art. 5 GDPR | Lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were neither “specific” nor “unambiguous” (Art. 4 nr. 11 GDPR). |
| Italian Data Protection Authority (Garante) | 50,000 for the Italian political party Movimento 5 Stelle | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security |
| Information Commissioner (ICO) | 204,600,000 for British Airways | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security |
See the list in detail for a better overview.