Since its implementation in March 2018, the General Data Protection Regulation has forced the Data Protection Commissions of European countries to impose numerous fines. In the spotlight are the GAFAMs (Google, Apple, Facebook, Amazon and Microsoft), which have been fined astronomical sums for violating one or more rules of the GDPR in the European Union.
As the graph shows, Amazon stands out with the highest fine ever recorded, assessed at 790 million euros (approximately SEK 70 986 240 million) in 2021.
IMY in action
It’s not just the big multinationals that are being targeted. Indeed, since 2018, the IMY (Swedish Authority for Privacy Protection) has been examining several cases, many of which have already received their verdict. Here are the 5 biggest fines imposed by the IMY for non-compliance with the GDPR law.
5. Klarna
In fifth place is Klarna, a financial company. During the investigation conducted in March 2022, the IMY found that the company was handling many people’s data improperly.
Among the various infringements committed by Klarna, the IMY states in its press release that Klarna did not provide “information on the purpose and legal basis on which personal data was processed in any of the company’s departments”.
In addition, the company provided “incomplete information on the rights of data subjects, including the right to delete data, the right to data portability and the right to object to the processing of personal data.”
As a result of these actions, the financial company was ordered to pay SEK 7 million (approximately 630 100 euros).
4. Medhelp
In June 2021, the Swedish Authority for Privacy Protection fined the medical call center Medhelp SEK 12 million (close to 1 080 210 euros).
Recorded phone calls to the medical consultation service “1177” were available unprotected on a poorly configured server without a password. Several unauthorised users were even able to access the calls and may have obtained the recorded files.
Several organisations were involved in this incident, and each had a role in the management of personal data. Medhelp, as the main medical care provider and the data controller, is responsible for the breaches, since it was required to take the necessary measures to ensure that sensitive data was not accessible to other parties.
In addition, the company did not provide callers to 1177 with information in accordance with the rules of the GDPR and the Patient Records Act. For example, Medhelp must inform callers of how their personal data is processed and that Medhelp itself is the data controller.
3. Stockholm’s public transport
In July 2021, the Swedish Privacy Authority fined Stockholm’s public transport SEK 16 million (about 1 440 280 euros) for “Illegal use of body cameras in Stockholm’s public transport”.
The Swedish authority ruled that the organisation violated the GDPR by allowing its ticket controllers to be equipped with body cameras recording video and sound. In addition, it found that passengers were not adequately informed about the camera surveillance and about the fact that sound was also recorded.
This was considered a serious offence, as SL did not inform people using public transport in Stockholm about the sound recordings. Their conversations were recorded without them being aware of it, which resulted in SL receiving one of the highest GDPR fines in Sweden.
2. Health care providers
The Swedish Privacy Authority investigated eight health care providers on how they regulate and limit staff access to major electronic health record systems. In December 2020, the Swedish Privacy Authority found shortcomings that in seven of the eight cases led to administrative fines of up to SEK 30 million (approximately 2 700 520 euros).
The authority concluded that the seven healthcare providers had not taken the necessary steps to ensure and demonstrate a sufficient level of security for personal information.
1. Google
In first place is Google, the well-known search engine. In March 2020, the IMY fined Google 75 million Swedish kronor (about 7 million euros) because the company did not fulfill its obligations regarding the right to request delisting from search results.
The large multinational did not give individuals the opportunity to have their search results removed from the list.
According to Olle Pettersson, legal adviser at the Swedish Data Protection Authority, “In its delisting request form, Google states that the site owner will be informed of the request in a way that could lead people to refrain from exercising their right to delist, thus undermining the effectiveness of this right. This is without doubt non-compliance with the GDPR.”
With the GDPR law, it is clear that it is not just the big brands that are making headlines for non-compliance. In fact, all entities are affected, whether they are small, large, private or public.
As a business, you need to ensure that you inform your customers about how their personal data is processed. For example, the data you collect, the purpose of the collection and the retention period must be communicated to them.
For more information, we advise you to follow this “Step-by-step GDPR compliance guide” to ensure you comply with the law.