€2.9 Million Issued in Fines in Q2 2020 Under GDPR

€2.9 Million Issued in Fines in Q2 2020 Under GDPR

The COVID-19 pandemic brought on many problems for organizations from all industries across the world. Organizations that were able to operate by shifting to working from home were struggling to establish secure infrastructure for staff. This exposed many employees to cybersecurity risks, considering the increase in attacks by cybercriminals exploiting the pandemic. The combination of these factors has likely led to an increase in data breaches in the past few months.  

In the second quarter of 2020, the European data protection authorities issued at least 46 administrative fines under the GDPR (General Data Protection Regulation). All these fines resulting in nearly €2.9 million (£2.6 million).  



Compliance Advisory 

LIFARS Compliance Advisory is designed to understand your compliance needs, ascertain current status, provide remediation guidance, and conduct a post-remediation assessment to ensure compliance with regulatory mandates such as GDPR, CCPA, PIPEDA, FFIEC, NYDFS, HIPAA, HITRUST, PCI DSS, and SOX. 



European Countries that are Issuing Fines 

At the top of the list was the Spanish Data Protection Authority, issuing 16 fines for this quarter. The Nordic countries Finland, Norway, Sweden, Finland, and Denmark, as well as Belgium, largely contributed to the quarter’s totals. The list also noted southeastern countries like Romania with four fines, and Bulgaria with one fine.  


The most common types of GDPR breach from the 46 fines in Q2 2020 include: 

  • 23 breaches of Article 6 (lawfulness of processing)  
  • 20 breaches of Article 5 (data processing principles) 
  • 9 breaches of Article 32 (security of processing) 
  • 5 breaches of Article 13 (information to be provided where personal data are controlled from the data subject) 
  • 5 breaches of Article 14 (information to be provided where personal data have not been obtained from the data subject) 


Notable Fines 

The GDPR Fines Quarterly Report: Q2 2020 listed several fines that stood out in this quarter. Some of these penalties include: 

  • Ireland’s Data Protection Commission issued GDPR fines this quarter for Tusla, the Child and Family Agency. An investigation had resulted in findings of three instances of children’s information being wrongly disclosed to unauthorized individuals. Another case dealt with the disclosure of contact details and location of a mother and child to an alleged abuser. Another case mentioned the agency delivering a letter containing allegations of abuse to a third party, who posted it on social media. Both fines totaled to €115,000.  
  • Several fines were issues in the second quarter for the unlawful use of CCTV. Under the GDPR, CCTV footage that allows individuals to be identified is considered as personal data.