For the third time, global law firm DLA Piper has prepared a report on reported GDPR violations and on penalties published by national authorities. The timing of its publication is not accidental. For 14 years now, January 28 has been celebrated as Personal Data Protection Day. This is a good opportunity to summarize how the GDPR works in Poland and Europe.
The latest study shows that between January 28, 2020 and January 19, 2021, European authorities imposed fines totaling 272.5 million euros, an increase of 39% compared to the previous 20-month period, which was calculated from the date of the entry into force of the GDPR, that is, from May 25, 2018. In addition, 121,165 violations were reported last year. In 2019, there were 19 percent fewer: 101,403. This means that there are 278 violations recorded per day. Is that a lot, and how does Poland compare with the 27 European Union countries?
Heavy penalties and many violations
The Personal Data Protection Office recorded 8,635 notifications of violations. This ranks Poland sixth among the 27 countries of the European Union. However, as the report's authors point out, not all countries provide accurate statistics, and some reports may also cover the lead-up to the GDPR. In this ranking, Germany takes first place with 77.7 thousand notifications, the Netherlands is second with 66.5 thousand, and Great Britain is third with 30 thousand. Although the UK left the European Union on January 31, 2020, it has implemented and respects the GDPR, hence it was included in the report. In turn, the total fines imposed in Poland amounted to 1,705,683 euros, which puts our country in ninth place among the countries with the highest penalties. Italy leads this ranking with 69.3 million euros in fines, followed by Germany with 69 million euros and France in third place with 54.4 million euros. The last place goes to Estonia, where the fines total only 408 euros.
The pandemic reduces the penalties
The highest financial penalty so far remains the one imposed by the French supervisory authority on Google: the giant is to pay 50 million euros for violations of the principle of transparency and lack of valid consent. Interestingly, although in June 2019 the British equivalent of the Personal Data Protection Office, the Information Commissioner's Office (ICO for short), announced its intention to impose a fine of 99.2 million pounds on Marriott for the disclosure of guests' personal data (339 million people around the world, including 7 million Britons), in October 2020 it cut the fine to £18.4 million (about 20 million euros). The ICO also significantly reduced the penalty for the British airline British Airways from £183 million to £20 million (about 22.2 million euros) for a data breach of 400,000 customers. – We've seen some leniency by regulators in the past year due to the ongoing pandemic, which is reflected in reduced fines in several high-profile cases due to corporate financial difficulties – says Ewa Kurowska-Tober, Partner in the Polish subsidiary of DLA Piper and Co-Chair of DLA Piper's Global Data Protection, Privacy and Security Group.
The courts also correct the decisions of the authorities
The report shows that the Austrian supervisory authority failed in court. The penalty of 18 million it imposed was overturned in December 2020 following an appeal. Ewa Kurowska-Tober assesses that although regulatory authorities test the limits of their powers, they are not able to do so to the end in all cases. Outside of Austria, there have been a number of appeals in Europe that have resulted in a positive outcome for the appellants, as well as many significant reductions in the fines imposed.
– Given the high amounts of fines and the risk of further claims for compensation, we expect that we will deal with a tendency for more appeals and continued stronger defense in enforcement proceedings – Ewa Kurowska-Tober adds. However, this trend is not visible in Poland. In our country, the head of the Personal Data Protection Office definitely wins, as we wrote on Law.pl. According to several attorneys, if the judge, as with the decisions of the head of the Office of Competition and Consumer Protection, were able to assess the legality of decisions relating to a violation of the GDPR or to use experts, there would be fewer lost cases. For example, at the beginning of September 2020, the Regional Administrative Court in Warsaw rejected Morele.net's complaint against the decision of the head of the Personal Data Protection Office to impose a fine of 2.8 million PLN on it. A little earlier, at the end of August 2020, the Regional Administrative Court rejected the complaint of the mayor of Aleksandrów Kujawski against the decision of the Personal Data Protection Office to impose a fine of 40 thousand PLN for violating the GDPR. At the end of 2019, the Regional Administrative Court (WSA) overturned the decision in the Bisnode case, but opened the way for a higher penalty.