In 2020, the value and number of GDPR fines have shown a dramatic increase
February 23, 2021
Before Covid-19 became the most important topic of 2020, data protection was a major concern for most companies (and still is today at the beginning of 2021).
Recently, the international law firm CMS published statistics showing that it would be imprudent for companies still operating in the EEA and beyond its borders to be complacent about compliance with regulations and the way they collect, process and store personal data.
CMS examined the level of fines issued within the EU in its latest annual report on fines and data breaches under the General Data Protection Regulation (GDPR). Fines and the number of infractions continue to increase. European regulators have shown their willingness to use their enforcement powers. In addition, some are adopting a strict interpretation of the GDPR.
Health sector
The report ranks this sector as the sixth most affected, with 38 fines for a total of €9,021,521, largely due to:
- Insufficient legal basis for data processing
- Insufficient technical and organizational measures to ensure information security
- Non-compliance with general data processing principles
- Insufficient fulfilment of data subjects’ rights
Under GDPR, non-compliant organizations could suffer fines of 4% of their annual turnover or €20m, whichever is higher.
Healthcare facilities have not been exempted from these fines: the first GDPR fine issued was a €400,000 fine against a Portuguese hospital, for three violations of the GDPR.
But fines are not just for hospitals: in 2019, the Office of the Commissioner for Personal Data Protection (‘The Commissioner’) in Cyprus fined a doctor €14,000 for posting a patient’s personal data on social media without the patient’s consent.
More recently, in December 2020, the CNIL’s restricted formation imposed two fines of €3,000 and €6,000 on two private doctors for failing to adequately protect their patients’ personal data and failing to notify a data breach.
To avoid these fines, we advise you to train your staff in GDPR as soon as possible. GDPR training should be continued for any new data processing processes.
To raise GDPR awareness in the company, we built a package of 3 Trainings:
- Introduction to the GDPR
- Introduction to Data Security
- GDPR’s Concepts & Procedures
Based on these key principles included in the GDPR, MyData-TRUST, specialized in data protection and security, has set up a new 100% online operational tool that supports GDPR requirements in terms of awareness-raising and training of staff involved in processing operations: The GDPR e-Learning.
The GDPR e-learning is an online training tool exclusively dedicated to the General Data Protection Regulation (GDPR). On the tool’s website, you will find 10 complete training sessions lasting from 20 min to 1h30. Each training focuses on a specific aspect of the GDPR; you just have to choose the one(s) that correspond to your needs and interests!
It is important to note that CMS.Law’s data is not necessarily a complete picture of the situation regarding GDPR enforcement – not all member states within the European Economic Area make details of breach notification statistics publicly available, and several others provide either incomplete statistics, or numbers covering only part of the period.