Fines under the GDPR – Lessons from Italy
On 10 March 2017, the Italian Data Protection Authority, the Garante, fined five companies in excess of 11 million euros for unlawful processing of personal data. This decision demonstrates a willingness from at least one EU data protection authority to levy fines that appear consistent with the GDPR, even though the GDPR is not yet in force. It also hints at a tougher approach by EU data protection bodies under the GDPR to breaches of consent, a topic we have been talking a lot about in recent times! (See our earlier posts: Getting it right under the new rules; Part 1: What is consent?; Part 2: What does this mean for your business?; Part 3: Do we always need consent?; Part 4: Recording and Managing Consent.)
Under the GDPR, companies can be sanctioned for a breach with fines of up to 20 million euros or 4% of their annual worldwide turnover, whichever is higher. The GDPR is therefore not to be brushed aside, as non-compliance could be extremely costly for organisations.
In the Italian case, the companies were making money transfers to China on behalf of individuals, without those individuals' knowledge or agreement, in order to hide the identity of the real transferors; they therefore did not have the individuals' consent to process their data in this way. This will become more important under the GDPR, as consent is one of the lawful bases of data processing and companies must ensure they have valid consent in order to process data on that basis. If they do not have consent, and cannot rely on another lawful basis of processing, the company will be unable to process the data legally.
The Garante has shown with this decision that it is already moving towards a GDPR-style sanctions regime, although the GDPR does not come into force until May 2018. This is good news for the GDPR as an enforcement mechanism, but not for companies who choose to ignore, rather than understand, the importance of consent under the GDPR!