With the inception of the GDPR in May 2018, several companies and their offices were not, and many are still not ready to be compliant with the enhanced European privacy rules and were scared for the potential high penalty payments. This fear was not without grounds.

First fines

In January 2019, tech giant Google received a EUR 50 million fine by the French Data Protection Authority CNIL for not properly informing users regarding their data consent policies, and not giving users enough control over how their personal data that was used for personalized advertising.

In July 2019, the airline British Airways and the Marriott hotel chain received even higher fines of respectively EUR 205 million and EUR 110 million for not properly protecting the personal information of its customers. These cases, of course, are the most notorious considering the substantial financial punishments. However, the Data Privacy Authorities (DPAs) throughout Europe are not only focusing on the big conglomerates and the major fines. Over the past year, smaller organizations and even individuals have also received penalties for non-compliance with the GDPR.

Here are a few examples to better paint the picture:

  • in January 2019, the Portuguese hospital Centro Hospitalar Barreiro Montijo received a fine of EUR 400,000 from the Portuguese Data Protection Authority as a result of three identified non-compliances with the GDPR. Two of these three focused on the lack of technical and organizational security measures to protect the confidentiality, integrity, and availability of medical data;
  • in May 2019 the Data Privacy Authority of Norway issued a fine of EUR 170,000 to the municipality of Bergen for having insufficient security measures in place: usernames, passwords, dates of birth and school grades were unprotected; 
  • in June 2019 the football league La Liga was issued a fine of EUR 250,000 by the Spanish Data Protection Authority for using a mobile app to discover bars that were ‘illegally’ streaming football matches. The app used the user’s microphone while users were unaware and unable to withdraw consent; and
  • in May 2019 the Belgium data protection authority issued a modest fine of EUR 2,000 to a mayor who misused personal data for election purposes.

Getting ready for more GDPR enforcement

These examples represent over EUR 56 million fines issued by the DPAs of 11 EU member states in the first year of the GDPR. In this respect, the European Data Protection Board indicated that in the first year already 281,088 cases have been reported, divided by 144,376 ‘complaints’ and 89,271 ‘data breach notifications’ [1]. It’s important to note that this is only the beginning, as many European DPAs have substantially increased their workforce and budget. Indicating that further and more extensive GDPR enforcement is expected soon [2]. Now, most of the DPAs are ready for the next phase! But what are the potential repercussions? Let’s, for example, take a look at what the Dutch DPA (Autoriteit Persoonsgegevens or AP) did in this respect. 

On March 14th, 2019, the AP released a policy guideline which included, among other things, the fines categorization based on the GDPR. The AP has divided the different provisions of the GDPR in four categories, each category reflecting a base fine and a specific range for the fines in that category:

Category I

Fine range between EUR 0 - EUR 200,000

Base fine: EUR 100,000

Category II

Fine range between EUR 120,000 - EUR 500,000

Base fine: EUR 310,000

Category III

Fine range between EUR 300,000 - EUR 750,000

Base fine: EUR 525,000

Category IV

Fine range between EUR 450,000 - EUR 1,000,000

Base fine: EUR 725,000

In the policy guideline, it is listed per provision of the GDPR in what fine category a breach thereof would fall. Some examples:

  • the obligation for both controllers and processors to enter into a data processing agreement (clause 28 GDPR). Breach? Fine: Category II;
  • the obligation to ensure a level of security appropriate to the risk (clause 32 GDPR): Category II;
  • the obligation to only process personal data when you have a legal ground (such as specific consent or a contract) (clause 6 GDPR) - Category III;
  • the prohibition of processing sensitive personal data (such as biometric data, ethnic origin, and political opinions), unless explicit consent has been granted (clause 9 GDPR) - Category IV.

Not millions?

One might think: “Hey, that is not the EUR 10 million, EUR 20 million or part of our worldwide turnover, often used to scare me with!” Well, that’s not totally true. It is just an overall outline and the AP always has the authority to issue fines from a higher category. The AP still has the autonomy to apply higher or even the GDPR maximum penalties if it deems appropriate. Therefore, you are not off the hook and should ensure that you are and will be GDPR compliant. The policy guideline is just to be considered another critical step towards more active imposing fines by the AP. 

Buckle up…

Such policy guidelines, and the overall increase in workforce and budget for GDPR enforcement, as well as the significant number of cases already reported to the DPAs, gives the DPAs guidance, power, and ability to actually impose the GDPR. So, let’s see what year two is going to bring... Buckle up, it’s gonna be fines!

Curious about how ZIVVER can help your organization avoid data leaks during digital communication, and consequently hefty fines? Click on the button below for more information!

Download our productsheet

[1]: IAPP Report, May 2019: “GDPR at One Year: What We Heard from Leading European Regulators

[2]: E.g., the Irish Data Protection Commission has increased its budget to EUR 15.2 million this year, which allows them to hire more staff. Also, the Dutch DPA got an extra EUR 3.4 million for enforcing the GDPR in the upcoming years. In Lithuania, the DPA has published a plan to perform 75 ex- officio investigations in 2019.  E.g., Annual report 2018 Dutch DPA (in Dutch), page 18


Authors: Nadine Hoogerwerf (ISO) & Reinout Bautz (GC)


All it takes is one human error to compromise your organization's reputation

Professionals understand the value of their companies' reputation. Firms with a powerful and positive reputation attract better employees, partners, and clients. They're regarded as offering additional value, which usually allows them to impose a premium. Customers tend to be more dedicated and purchase broader ranges of services and products. As the industry believes […]

Read more
The User Representatives - Always here to help you!

The User Representatives - Always here to help you!

  At ZIVVER the success of our customers is paramount! For that reason, we have a dedicated Customer Success team to help our customers maximize their value from our product. Part of the Customer Success team are the User Representatives. Their ultimate goal is to create happy ZIVVER users, by solving all issues, providing information and representing their voice […]

Read more
Your_Success_our_primary Mission_The Customer Success team_ZIVVER_EN_blog

Your Success, our primary Mission! - The Customer Success team

At ZIVVER the success of our customers is paramount! Our purpose is to add real value to your organization. That’s nothing new, but now we even have a dedicated Customer Success team to help you achieve your desired goals with our product.  […]

Read more