Since the beginning of 2020, the Supervisory Authorities across the European Union have issued several fines against companies breaching the provisions of the GDPR or national marketing laws.
The main decisions are as follows:
– Italy: two fines, of €11.5 million and €27.8 million respectively, for unlawful marketing
– Netherlands: €525,000 for the unlawful selling by a tennis association of its members’ personal data to third-party sponsors.
– Cyprus: €82,000 for lack of a legal basis when processing employees’ data to score their sick leave and make decisions, including sanctions, based on that score.
– Greece: €15,000 for unlawful use of CCTV and denial of an employee’s right of access.
These decisions relate either to unlawful marketing activities (1) or to HR data processing (2).
1. Sanctions relating to unlawful direct marketing activities
– First decision: In January 2020, the Italian Supervisory Authority imposed two fines, of €8.5 million and €3 million, on Eni Gas and Luce (Egl), an Italian electricity and gas supplier.
The first decision sanctions the illicit processing of personal data in the context of promotional activities while the second one sanctions the activation of unsolicited contracts.
The authority determined the amount of the fines by taking into account parameters such as the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl. For more details about this sanction, you can read our article here.
– Second decision: On February 1, 2020, the Italian Supervisory Authority fined TIM SpA €27,802,496 for several breaches of the GDPR and marketing laws, including the following:
- Performance of unsolicited marketing calls without any consent, or despite the called parties’ inclusion in the public opt-out register;
- Breach of the accountability principle (e.g. the company phoned individuals not included in its list of marketing phone numbers and called one individual 155 times in one month; it also failed to keep an up-to-date opt-out list, obtained invalid consents because joining the incentive discount scheme was conditional on consenting to receive marketing, and provided an inaccurate information notice);
- Breach of the privacy-by-design requirements (e.g. TIM’s blacklists did not match those of the contractor call centres; it stored the phone numbers of other operators’ customers for longer than permitted by the applicable law and used them for marketing campaigns without the customers’ consent);
- Ineffectiveness of the data breach management system.
In addition to the fine, the Italian SA imposed 20 corrective measures on TIM, including a ban on using, for marketing purposes, the data of (i) users who had refused to receive marketing calls when contacted by the call centres, (ii) users included in the blacklists, and (iii) ‘non-customers’ who had not given their consent.
– Third decision: The Dutch Data Protection Authority (AP) imposed a fine of €525,000 on the tennis association KNLTB for selling the personal data of up to 300,000 of its members to its sponsors for direct marketing purposes (by phone and post).
To justify its fine, the Authority ruled out the possibility of the tennis association relying on its legitimate interest to sell personal data to third parties for such marketing purposes, and implied that the individuals’ consent was necessary.
2. HR-related sanctions
On January 27, 2020, the Cypriot Supervisory Authority fined LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd (Louis Group of Companies) a total of €82,000 for using an automated tool to manage, analyse and score employees’ sick leave without an appropriate legal ground to do so.
The Bradford Factor is an automated system for managing and scoring employees’ sick leave. The reasoning behind the scoring is that short, frequent and unplanned absences (as opposed to longer absences) are more disruptive to the company. The company therefore considered that it had a legitimate interest in scoring its employees’ sick leave with this tool and in making decisions, including sanctions, based on that score.
While the Authority acknowledged that the employer was entitled to supervise the frequency and validity of sick-leave certificates, it considered that the controller had failed to demonstrate that its legitimate interest prevailed over the interests, rights and freedoms of its employees as regards the further scoring and the decisions based on it. In its opinion, the mitigation of the risks was inadequate.
The Supervisory Authority also considered that the dates and frequency of an individual’s sick leave (to the extent the employee is identifiable) entail the processing of “special categories of personal data”, so that Article 9 GDPR also applied to the processing.
However, in the Authority’s opinion, none of the legal bases laid down in Article 9(2) GDPR could apply in this case.
As a result, the Commissioner ordered the controller to stop the processing and delete all data collected, and imposed a fine of €82,000 (€70,000 for LGS Handling Ltd, €10,000 for Louis Travel Ltd and €2,000 for Louis Aviation Ltd).
The Cypriot Authority had raised the legal question with the other EEA SAs via the mutual assistance procedure and received input from 25 authorities. The replies confirmed the absence of a legal basis for the processing and highlighted the need to regulate this issue with specific rules in line with Article 88 GDPR (i.e. the provision by Member States of more specific rules on the processing of employees’ personal data).
In January 2020, the Hellenic Supervisory Authority issued a fine of €15,000 after investigating the following data processing activities carried out by a company:
- processing of personal data on a server, as well as access to and inspection of an employee’s deleted emails;
- the use of a CCTV system;
- denial of the employee’s right of access to his personal data contained on his corporate computer.
The Authority noted that internal policies prohibited the use of electronic resources for personal purposes and allowed internal investigations. It therefore considered that the company had a legal right under Articles 5(1) (i.e. fairness/transparency) and 6(1)(f) GDPR (legitimate interest of the controller) to carry out an internal investigation and search the employee’s emails.
However, it found that the video-surveillance system, including the recorded material, had been set up and operated in breach of the GDPR, and that the company had not satisfied the employee’s right of access to his personal data stored on his corporate PC.
As a result, and in addition to a fine of €15,000, the Authority ordered the company to:
i) comply immediately with the complainant’s request to exercise his right of access to, and information about, his personal data stored on his company computer;
ii) ensure that the processing operations carried out using its video-surveillance system comply with the provisions of the GDPR.