They were in breach of the GDPR's transparency requirement: users could not easily find out what data was collected or why. They also failed to obtain a valid legal basis for processing personal data for ad personalization. Where consent is the legal basis relied on, GDPR requires it to be specific and unambiguous, and a pre-ticked box or consent bundled into a general terms-of-service acceptance does not meet that bar.
This is not the first GDPR fine, but it’s by far the most significant.
In October 2020 the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued a fine of 35,258,707.95 EUR against clothing retailer H&M Hennes & Mauritz Online Shop.
The violations involved extensive monitoring of employees, using their personal data (including details of illnesses, family problems and religious beliefs gathered in "welcome back" talks after absences) to make decisions about their employment, and sharing that sensitive information among managers.
Make sure you follow the data minimization principle: do not process people's personal information unless you have a legal basis and a specific purpose for it, and do not keep it longer than that purpose requires. Also pay attention to access controls on the data: restrict it to the people who need it for that purpose, and be able to show who accessed it.
The same year, Italian telecommunications operator TIM was hit with a €27.8 million GDPR penalty from the Italian Data Protection Authority (Garante), for an overly aggressive marketing strategy. Millions of subjects were approached without consent, and they received promotional calls and unsolicited communications.
In October 2020, the UK Information Commissioner's Office (ICO) fined British Airways £20 million (roughly $26 million at the time, reduced from the £183 million originally proposed) because the airline had not implemented sufficient security measures. As a result, its systems were compromised in 2018 by attackers who obtained passengers' personal information, including names, addresses, payment card details, and log-in details.
There have been other, smaller cases across various industries. In 2018, a Portuguese hospital was fined 400,000 EUR after it allowed far more accounts with doctor-level access to patient records than it had doctors, so non-medical staff could read clinical data. And the German social network operator Knuddels.de was fined 20,000 EUR by the Baden-Württemberg data protection authority for storing users' passwords in plain text. The list goes on...