Ireland is one of several European countries that has not yet administered fines for GDPR breaches
Analysis conducted of 28 European countries with supervisory authorities
Czech Republic, Germany and Hungary have administered the most fines since the introduction of GDPR in May 2018
Mazars have published an analysis showing that of the GDPR fines administered to date across Europe, the finance sector has received 11 fines, significantly more than any other industry. The majority of these fines were administered for breaches related to the processing of personal data.
The analysis also shows that of the twenty-eight European countries with supervisory authorities examined, eight countries have yet to administer fines. These countries are Croatia, Estonia, Finland, Ireland, Luxembourg, Switzerland, Slovakia and Slovenia. However, penalties related to ongoing Irish investigations are expected in the near future.
Since the introduction of GDPR in May 2018, there have been a total of 68 fines across 20 European countries with supervisory authorities. The Czech Republic, Germany and Hungary have administered the most fines with nine each. The analysis showed that 40% of the countries that had issued fines had administered only one fine – these being Belgium, Greece, Italy, Lithuania, Malta, Netherlands, Portugal and Sweden.
Of the fines administered, the finance sector received 11 fines, significantly more than any other. This was followed by professional services with seven, then the public sector with five, and healthcare, hospitality, technology and telecommunications, each of which received four fines. Interestingly, four fines were administered to private citizens, and a large cohort of fines (17) could not be categorised by sector because their details were not publicly available.
The Mazars analysis shows that most fines (41) were administered for violations of Article 5 – ‘Principles relating to the processing of personal data’, followed by 23 fines for breach of Article 6 – ‘Lawfulness of processing’. It is also noteworthy that three fines have been administered under Article 33 ‘Notification of a personal data breach to the supervisory authority’ and one under Article 34 ‘Communication of a personal data breach to the data subject’. This highlights that while an organisation may implement strong controls to protect personal data in the event of a security incident, which may prevent it from being fined for the incident itself, it may still be liable for fines if it fails to follow the required breach notification procedures.
Of note were the average fine amounts administered for each article. While the largest number of fines (41) were noted for Article 5 ‘Principles relating to processing of personal data’, the average fine administered was €0.34m. This contrasts with breaches of Article 32 ‘Security of data processing’, where 15 companies were fined an average of a staggering €21m. A total of three organisations in breach of Article 14 ‘Information to be provided where personal data have not been obtained from the subject’ received an average fine of €4.2m. The analysis also showed that 23 organisations were fined an average of €0.55m for breach of Article 6 ‘Lawfulness of processing’. Finally, seven fines were administered for breaches of Article 13 ‘The right to be informed’, with an average penalty of €1.8m.
Commenting on the analysis, Liam McKenna, Partner with Mazars Ireland, stated: “What we can understand from examining the industries in which fines are being directed is that no organisation is exempt from the reach of the supervisory authorities; even private citizens are being subjected to fines for noncompliance. Our analysis shows that issues around the processing of personal data have to date been the most prevalent, but given the regulations are only just over a year old, this pattern may change as organisations become more familiar with their responsibilities. With the Irish Data Protection Commissioner set to administer fines in the future, it will be interesting to note the sectors impacted and most common violations fined, and how they compare to other European countries.”
Mazars Consulting is a specialist unit within the Mazars group with expertise spanning a wide range of areas. We operate globally and thus have close links with our international counterparts, frequently liaising with them on assignments.
GDPR came into force on 25th May 2018. Mazars has supported many organisations in attaining GDPR compliance. We will continue to provide support to our clients in refining and maintaining compliance as the regulatory and legal environment matures.
Mazars is the market-leading provider of Data Protection Impact Assessments and Privacy Impact Assessments in Ireland. We have been providing Privacy Impact Assessments for the last 10 years and Data Protection Impact Assessments since the publication of the GDPR in 2016.