GDPR Update

Since the EU’s General Data Protection Regulation launched on May 25, 2018, supervisory authorities have issued significant fines for non-compliant data processing activities. However, member states lack consensus on how to report these violations and penalties.

There is widespread recognition that uniform reporting across the EU would benefit businesses. Fines can reach up to EUR 20 million or 4% of annual worldwide turnover, aligning data protection penalties with antitrust enforcement.

GDPR After One Year

Across the EU, organizations repeatedly commit similar violations:

  • Inadequate responses to data subject requests (access, deletion, information)
  • Illegal video surveillance (dashcams and CCTV)
  • Unlawful processing of former customer data
  • Confidentiality violations through unauthorized disclosure
  • Lack of information and transparency
  • Insufficient security measures (technical and organizational)

The first year showed mixed results in fine assessment across authorities. Fewer penalties were issued than anticipated, yet companies should not underestimate future enforcement. German authorities indicate the initial focus was advisory; enforcement activities will intensify significantly.

Lack of a Uniform Fine-Publication System

Member states employ inconsistent approaches to publishing supervisory decisions. Austria, the UK, and Bulgaria typically publish anonymized decisions, whereas Germany lacks a uniform practice across its 18 data protection authorities.

Private Sector

Businesses and legal professionals have created databases tracking GDPR violations. Germany’s surveys document over 100 fines, while the private sector maintains resources like Enforcementtracker.com to compile EU-wide enforcement data.

Companies should prioritize technical and organizational security, maintain transparency compliance, and respond promptly to all data subject requests using formalized procedures.