The Netherlands and TikTok

The Dutch supervisory authority imposed a fine of €750,000 on TikTok. The main accusation against the data controller was its failure to comply with its information obligations towards the website's users. According to Article 12 of the GDPR, the controller is obligated to inform data subjects about the data it collects and how it is processed, in the most transparent manner possible. The supervisory authority noted that a significant portion of the website's users are children who might not understand information regarding the processing of personal data published solely in English. Despite the prompt submission of comments regarding the identified violations and TikTok's immediate response, the website was unable to avoid the fine.

Spain and the Mercadona supermarket chain

The Spanish supervisory authority has imposed a fine on Mercadona, one of the country's largest supermarket chains. The owner implemented a facial recognition system in 48 stores, which was intended to identify individuals convicted of specific crimes against employees. In this case, the company also processed customers' personal data, including their biometric data, without providing a legal basis. In its ruling, the authority cited the controller for violating, among other things, the fundamental principles of the GDPR (Article 5), the prohibition on processing biometric data (Article 9), the obligation to provide information (Articles 12 and 13), and a failure to conduct a proper data protection impact assessment (DPIA) (Article 35). According to the supervisory authority, the controller failed to assess whether the measures taken were necessary in this situation. The total amount of the fine was €2,520,000.

Statistics of penalties imposed

The largest number of fines to date has been imposed by the Spanish supervisory authority (252), totaling €32,488,810. Interestingly, Spain ranks only sixth in the total value of fines imposed, behind countries such as Luxembourg (11 fines totaling €746,071,000) and Italy (88 fines totaling €84,708,770). The decision to impose a fine on Amazon Europe on July 16, 2021 undoubtedly contributed to Luxembourg's position at the top of the rankings. In Poland, the highest fine remains the one imposed on the website "Morele.net," totaling €660,000.

Lack of cooperation with the supervisory authority = fine

Last year, approximately 6,400 complaints were filed with the Personal Data Protection Office (UODO). Investigative proceedings begin with contacting the data controller and requesting information on the matter. Often, it is at this stage that the matter is resolved and successfully concluded for the controller, especially since cooperation with the supervisory authority benefits all parties. The penalty for failure to provide information is a disciplinary sanction, intended to compel the party to cooperate so that the UODO can conduct the investigation. If the supervisory authority finds a violation of Article 31 and Article 58(1)(e) of the GDPR, it may impose a fine. According to the UODO website, the standard amount for failure to cooperate is EUR 5,000. Regardless of whether an administrative fine is imposed for failure to cooperate, the proceedings initiated on the basis of the complaint continue and may also result in an administrative fine.

You can track the list of current penalties at: https://www.enforcementtracker.com
