This blog posting represents the views of the author, David Fosberry. Those opinions may change over time. They do not constitute an expert legal or financial opinion.

The Biggest Fines After Three Years Of GDPR.

Posted on 30th May 2021

I found this article on the BBC interesting. It lists the 5 largest fines so far under the EU's GDPR regulations.

Some of the offences are the kind of thing I had expected; others are rather shocking. In summary:

  1. Google (€50m) in 2019, for failure to make its statements about its consumer data processing policy easily accessible to its users, and for not seeking the consent of its users to use customers' data for targeted advertising campaigns.
  2. H&M (€35.3m) in 2020 for secretly monitoring hundreds of its employees.
  3. Tim - Telecom Italia (€27.8m) because customers received a large number of unwanted (nuisance) promotional calls.
  4. British Airways (£20m) (the most shocking of the list) in 2020 directed its website users to a fraudulent site, allowing hackers to harvest the personal data of about 400,000 people (the leaked data included login and travel booking details, names, addresses and credit card information).
  5. Marriott International Hotels (£18.4m) (also shocking) suffered a hack dating back to 2014, but not uncovered until four years later, exposing the personal details of about 300 million customers, including credit card information, passport numbers and dates of birth.

What this tells us is that companies are unable to protect the data of their customers, and that legislation like GDPR, which limits the data collected and held and puts data security requirements on those companies regarding handling and storage, is very much needed.

There is only one type of organisation that has proven to be less secure than even commercial companies in handling and storing data about us: government agencies.