What GDPR violations were companies fined for in 2021

During the second year of Covid-19 pandemic more businesses have gone online, i.e. creating platforms and internet websites, applying remote working procedures, etc. Digitalization of the commercial activity usually means that the number of data subjects rises, so the businesses must ensure that the personal data is controlled and processed in accordance with General Data Protection Regulation (GDPR). Otherwise, the sanctions of personal data supervisory authorities (SA) might be imposed. In this blog post we will take a quick look on the most impressive fines imposed by SA in Lithuania, Finland, Sweden and Estonia in 2021.

In Lithuania the administrative fine in the amount of EUR 110 000 was imposed on UAB Prime Leasing, the operator of the carsharing platform CityBee, on 29 November 2021 for breach of Article 32(1)(a), (b), (d) of GDPR, which governs the obligation to ensure the security of processing of personal data. In so far it is the highest fine ever imposed by SA in Lithuania for GDPR violations.

The abovementioned fine was a result of company’s customers personal data breach (PDB), when the sensitive personal data (full name, personal identification number, driving licence number, address, telephone number, e-mail address, some details of payment card and the user identifier (token) in Braintree) of 110,302 CityBee users, stored in unprotected database backup BACPAC file (DB file) in plain text, was disclosed and made public (published in CSV files on the website RaidForums.com). SA has concluded that this PDB lasted from 27 February 2018 to 16 February 2021.

The investigation performed by SA revealed that the company failed to ensure adequate personal data management and control, such as:

  • not appointing the competent security and risk management specialist;

  • not separating the duties and responsibilities in the field of IT development and maintenance from the duties and responsibilities in the field of cyber security;

  • not ensuring access to the DB file logs to record and store entries;

  • not ensuring that actions performed on DB files are recorded, monitored and evaluated;

  • not encrypting the DB file;  

  • encrypting the passwords in the DB file with the weak and relatively insecure hashing algorithm SHA 1;

  • enabling users to use a password that did not comply the requirements for the creation of passwords set out in the company’s IT security policy.

The SA also concluded that the company did not assess, manage and could not manage the risks associated with the loss of confidentiality of personal data contained in this DB file (with appropriate organizational and technical security measures) as, according to the company, it was not aware of the existence of this DB file in the IT infrastructure it managed. This has led directly to the personal data breach and created the conditions for it to occur (sooner or later).

Also, 433 users who had provided their residential address in other countries of the EU and/or the EEA were identified, so the decision was also agreed with SA of Ireland, Germany, Austria, Italy, Portugal, Estonia, Belgium, Denmark, the Netherlands, Spain, Latvia, Sweden, Luxembourg, France, Norway, Finland, Slovakia and Slovenia.

The deadline to lodge the appeal to the court regarding this SA decision has already ended and the appeal hasn’t been lodged, so the abovementioned decision of SA is final and enforceable.  

In Finland, probably the most notable case of GDPR fines in 2021 has been the enforcement action taken against Vastaamo, a Finnish psychotherapy clinic that suffered massive data breaches involving Vastaamo’s medical database and the records of approximately 35 000 individual patients. As it was later discovered, the first breach took place as early as in 2018, and in early 2019 Vastaamo’s database was broken into for the second time. While it was established that Vastaamo had become aware of the breach in March 2019, a notification to the SA (Data Protection Ombudsman in Finland) was made as late as in September 2020 after the attacker approached Vastaamo with an extortion letter.

In its decision, the SA viewed that Vastaamo had failed to protect the processed personal data from unauthorised processing and ensure the integrity and confidentiality of patient records in accordance with Article 5(1)(f) GDPR. In addition, it was determined that Vastaamo had failed to notify the breaches without undue delay to both the SA and the data subjects in accordance with the requirements of Articles 33(1) and 34(1) GDPR. For these breaches, a total administrative fine of EUR 608,000 was imposed (EUR 316,800 for failure to protect the data and two times EUR 145,600 for failures to notify both the SA and the data subjects). The fact that in February 2021 Vastaamo was declared bankrupt did reduce the amount of the administrative fine imposed.

In addition to the Vastaamo fine, during 2021 the Data Protection Ombudsman issued some other administrative fines ranging from EUR 8,500 to 75,000.

One of the largest and most publicized incidents in Sweden was related to a medical consultation service called “1177”. A large number of recorded phone calls to “1177” had been available without protection, on the internet. Several companies were involved in the processing of personal data and the Swedish Authority for Privacy Protection (IMY) concluded that the company MedHelp AB was the Data Controller.

IMY concluded that MedHelp AB had breached several provisions of the GDPR. Most notably by:

  • transferring personal data to a company in Thailand and allowing that company to collect personal data,

  • failing to ensure an adequate level of security to protect personal data through appropriate organizational and technical measures, and

  • failing to inform callers of the data processing that was taking place.

For the collective breaches, IMY issued an administrative sanction of 12 million SEK towards MedHelp AB which at this moment amounts to roughly 1,15 million EUR.

In Estonia, it is currently not possible to impose fines for breaches of data protection rights in administrative proceedings, but these breaches qualify as offenses, most of which must be dealt with in misdemeanour proceedings. Therefore, the fines imposed for violating data protection rights have so far been rather symbolic - EUR 48 for a police officer for surfing the police database and EUR 56 for a healthcare professional for surfing the e-health database.

At present, a new type of administrative sanction, i.e. administrative fine is being planned in the Estonian legal system to transpose the financial penalties provided for in EU law, including fines for GDPR violations. Estonia's goal, similarly to other EU member states, is to fulfil the obligations arising from the EU law, which are effective, proportionate and dissuasive fines in case of violations of data protection rights.

Thus, despite the fact that there is currently no effective type of administrative sanction in force in Estonia, this does not mean that the GDPR regulation is not followed in Estonia. Estonian companies are very interested in their international reputation, which is why compliance with data protection regulations is taken very seriously. Similarly, the possibility of data subjects to make financial claims against companies for breaches of data protection rights is not underestimated.

In conclusion, it is advisable for businesses to ensure the right GDPR compliance level in order to avoid the unnecessary attention and huge fines from SA as well as show the customers and business partners transparency and respect to their privacy. Fondia operates in Finland, Sweden, Estonia and Lithuania, so you can contact the local office and our experienced privacy team will be happy to help you with data protection questions.