GDPR Anniversary Edition: Fines Dealt & Challenges Ahead


On 25th May 2019 it will be a year since the General Data Protection Regulation has been legally enforced by the European Union with a vision to safeguard the data of the citizens of the European Union.

The regulation allows citizens full control over the acquisition, processing, retention or omission of their personal data, which in turn gives them complete control over how & to what extent they want to disclose their data to businesses.

According to the French data protection agency CNIL’s Mathias Moulin, May 2018 to May 2019 has been a transition year for GDPR, in which several national data protection regulators finalized their rules & approaches towards GDPR compliance & decided to probe into probable violations.

GDPR has been highly impactful in terms of sensitizing the organizations & the common masses at large about the value of data as a currency, to be leveraged only with the consent of the individuals to whom it belongs.

However, GDPR certainly has some visible loopholes. The most obvious one is that the law has somehow failed to impose fines on companies that have failed to adequately protect their customers' data, except for a few well-known industry giants where the violations were too grave to be forgiven, including Google, Facebook & Uber.

The challenges with GDPR have always been immense, mainly because the law has been the only one of its kind ever since its inception. The pre-GDPR world had already moved very far & fast in the direction of improving personalization for customers, & deriving data from the Internet of Things (IoT) to optimize their experiences was a common practice. GDPR came as a renaissance for marketers and compelled them to review their data protection, acquisition, processing, retention, and omission strategies.

Marketers across the world have just started acclimatizing to GDPR, as the fines for failing to abide by the regulation are hefty and can amount to up to €20 million or 4% of the global turnover of the company in any particular fiscal year, whichever is greater. The majority of firms across the globe were GDPR-phobic when it was launched but have now started reporting data breaches.

According to Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner's Office, the number of data breaches reported in 2019 is expected to be approximately twice the number reported in 2018 (36,000 breaches expected in 2019, compared to roughly 18,000 to 20,000 reported in 2018).

Notable GDPR Non-Compliance Fines

1. Google witnessed the Highest Data Protection Fine Ever

The French Data Protection Authority, CNIL, fined the tech giant Google €50 million in January 2019 for violating the GDPR norms of obtaining consent that must be “granular, freely given, informed & must involve affirmative action”.

Google was fined because of its economic model, which is dependent on ads & personalization. The company violated GDPR guidelines “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalization”.

The penalty came as a result of complaints filed by two European pressure groups: None Of Your Business (NOYB) and La Quadrature du Net in May 2018.

The fine of €50 million, though the largest to date, is still minimal for Google, as the maximum penalty would have been €4 billion if it were calculated on the basis of the annual turnover of Google.

2. Chat app Knuddels fined €20,000 for Data Breach

In July 2018, the personal information of more than 330,000 users of the German social media platform Knuddels was hacked & compromised. The company discovered the breach in 2018 & reported it to the German Data Protection Authority, the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI).

The accounts of all the impacted users were immediately shut down. In November, the LfDI issued a fine of €20,000. The LfDI also discovered that the company stored passwords in plain text. The fine was minimal considering that it could have been somewhere close to €10 million if the company had been fined 4% of its annual revenue.

The LfDI, however, commended Knuddels for their "extreme co-operation" & the steps that they took afterwards to improve the data security of their users.

3. Digital Marketing Company Bisnode Fined

On April 1, 2019, the Sweden-headquartered digital marketing company Bisnode, which has a location in Poland, was fined €220,000 by the Polish Data Protection Authority, the national Personal Data Protection Office (UODO), for violating obligations under Article 14 of GDPR.

The fine was imposed as a result of the company's business model, which relies on processing scraped data that it uses for insights without individually obtaining the consent of the data subjects.

In addition to the fine, the company must separately send an email to 6 million people within the next three months which will incur an additional cost of €8 million.

Bisnode though has said that it will push the controversial privacy penalty of the apex court of Europe & the final verdict may impact the privacy model of businesses across the globe.

4. Equifax Fined for Failing to Protect Personal Information

The Information Commissioner's Office fined Equifax Ltd £500,000 for failing to protect the personal information of 15 million UK citizens.

5. Denmark’s Taxi Company Taxa 4x35 Fined for Retaining Customer Data Without Consent

A fine of 1.2 million kroner ($180,000) was imposed by Denmark's Data Protection Authority (DPA) on the taxi company Taxa 4x35 for not deleting customers’ telephone numbers.

6. Other Penalties

  • Fines during these early days of GDPR have been relatively small, though, such as €4,500 for a CCTV system that was deemed excessive.

  • Uber was fined a combined $1.7 million by British & Dutch Data Protection Authorities (CNIL, AP, ICO) in November 2018 for a 2016 data breach. For more than a year this information was kept hidden by Uber. In the US, the company paid an additional $150 million as part of a settlement in September 2018 for failing to notify 600,000 affected drivers of the breach. Since the breach occurred in the pre-GDPR era the fines were low, but they could have been as high as 4% of the annual turnover of the company (USD 120 billion).

  • A shipping company was fined £5,000 by the Hessian DPA for a missing Data Processing Agreement.

  • The DLA Piper GDPR Data Breach Survey, published in Feb. 2019, mentioned that more than 59,000 personal data breaches were reported in Europe till Jan 2019 & 91 fines were enforced in total.

  • The Netherlands, followed by Ireland & Denmark, witnessed the highest number of breaches reported.

Ongoing Probes

  • Facebook under scanner for storing passwords insecurely

  • Microsoft being probed for GDPR complaint data processing

  • Rubrik may face penalties for leaking customer data

  • Amazon is being probed by the European Union on the ways it uses data from the customers

  • Google is being investigated for breaking EU privacy laws in 7 different cases

  • British Airways can be fined $500 million for data breach

  • Besides, EU authorities are also inquiring into Twitter in certain cases, US tech giant Apple in 2 cases, Facebook in 7 different cases & Microsoft-owned LinkedIn in one case of GDPR violation

  • Companies like Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax and Experian are under scanner for not completely disclosing the Data Protection & Intrusion documents

GDPR Implementation Challenges

a. Organizations need to hold themselves accountable for the secure processing of data throughout the customers’ buying cycle

b. Fines and Penalties are subjective and depend upon various factors including:

  • Nature of infringement,
  • Intention,
  • Mitigation measures taken by the organizations,
  • Preventive measures,
  • History of organizations,
  • How firms co-operate with the data protection authorities (DPAs),
  • The data type in question,
  • The notification period for the breach,
  • Whether or not the firms had adhered to approved code of conduct,
  • Other aggravating or mitigating factors,
  • & the vulnerability of the data & the customers involved.

c. Organizations need to meet the minimum transparency & information requirements to comply with GDPR.

d. Organizations have to bear the potential costs of Subject Access Requests (SARs) & data portability.

e. Under Article 30 of GDPR, organizations have to keep a record of their data processing activities

f. The territorial limits of GDPR are blatantly defined & not clear in Article 3(2)

g. Mandatory Data Protection Impact Assessments are additional burdens for organizations

h. Articles 48 & 49 describing the cross-border data transfer are ambiguous

i. It still remains unclear how the European Data Protection Authorities will be able to impose fines against non-compliant nations


In a GDPR-compliant age, it is mandatory for companies to act in accordance with GDPR rules, not only to avoid the hefty fines but also to earn the trust of their customers, investors & the marketplace at large. Across the globe, GDPR is still a newbie that has many loopholes & needs to metamorphose into a full-fledged, implementation-based form. Even so, abiding by its norms is not only the best possible form of prevention against hackers but also ensures that marketers are safe from stressful & expensive penalties & that their reputation stays intact.

We, at Valasys Media, advise you to be on the safe side of the law and read in detail about how you can be GDPR Compliant. For more information feel free to contact us.





  1. froleprotrem says:

    Attractive element of content. I just stumbled upon your blog and in accession capital to claim that I get in fact enjoyed account your blog posts. Anyway I’ll be subscribing to your feeds or even I fulfillment you get admission to consistently rapidly.

  2. 0mniartist says:

    I’m no longer certain the place you are getting your information, but good topic.
    I needs to spend some time studying more or figuring out
    more. Thanks for great info I used to be on the lookout for this info for my mission. 0mniartist asmr

  3. 0mniartist says:

    Good information. Lucky me I discovered your blog by
    accident (stumbleupon). I’ve book marked it for later!
    0mniartist asmr

  4. 0mniartist says:

    Hi! I could have sworn I’ve visited this website before but after looking at
    many of the posts I realized it’s new to me. Nonetheless, I’m certainly pleased I found
    it and I’ll be bookmarking it and checking back often! asmr 0mniartist

  5. 0mniartist says:

    Hello There. I found your blog using msn. This is a really well written article.
    I’ll make sure to bookmark it and return to read more of your useful information. Thanks for the post.
    I will definitely return. asmr 0mniartist

  6. 0mniartist says:

    Greetings! Very helpful advice within this article!
    It’s the little changes that will make the biggest changes.
    Many thanks for sharing! asmr 0mniartist

  7. zortilo nrel says:

    Some truly nice and utilitarian info on this website, to I believe the pattern contains good features.

  8. ethelgrissom says:

    If you are going for the best content like me, only pay a quick visit to this site every day because it offers quality content, thanks

  9. john week says:

    Superb post but I was wondering if you could write a little more on this topic? I’d be very grateful you could elaborate a little bit further. Cheers!

    • Dear John, thank you for your feedback. We are thrilled you liked our content. We will definitely cover more about this topic. We look forward to serving you with more powerful insights.

  10. Elsken says:

    Thank you for your blog post. Really looking forward to reading more.

    • Dear Elsken, thank you for taking out time to write to us. We are glad you liked our content and that we are able to add value to you. You can surely share our blog on Facebook. Looking forward to serving you with more powerful insights.

  11. Ostasiewicz says:

    Nice read, I just passed this on to a friend who was doing a little research on that. And he just bought me lunch since I found it for him smile Thus let me rephrase that: Thank you for lunch! “No one can wear a mask for very long.” by Seneca.
