These are the 11 highest data protection fines imposed in a record year

A lot happened in companies during 2021, and in many respects some issues were left in the background. Data protection could be said to be one of them, given how many organizations changed the way they work, with teleworking for example. That is why 2021 was a record year for fines, and here we look at the 11 highest penalties imposed for data protection over the past year.

It is worth learning from some of the mistakes made by larger companies so as not to repeat them, although SMEs may not be subject to as many obligations because their level of risk is not as high.

1. Vodafone Spain, 8,150,000 euros fine

This is one of the highest sanctions imposed by the Spanish Agency for Data Protection (AEPD), where the company's repeated infringements and lack of cooperation are added to the sanctioned acts.

The use of data for commercial actions without the clients' consent, and the failure to delete their data even after they exercised their right of opposition and withdrawal, led to this point. As the ruling says:

justifies a sanction of this caliber.

2. Caixabank, 6 million penalty

In this case, the sanction stems from a change in the conditions and the obligation to accept the new conditions on the protection of personal data, specifically the one relating to the transfer of clients' personal data to all the companies of the group, as stated in section II of the "new LOPD conditions" established by the entity. To cancel that transfer, the client must write a letter to each of the companies.

The penalties are so high because the defects observed affect all of the entity's individual clients, and the entity performs massive data processing.

3. Banco Bilbao Vizcaya Argentaria sanctioned with 5 million

In the case of BBVA, the sanction relates to articles 6 and 13 of the GDPR: the sending of unauthorized advertising or the transfer of data to third parties, when this is already activated by default through having to accept the conditions of a page or mobile application. This is one of the issues that SMEs have to take care with.

4. CAIXABANK PAYMENTS penalty of 3 million

This case concerns a claim over the use of the data of a consumer who was not a client of the entity. Asset solvency files were used to create a profile and offer the consumer a financial service without requesting their consent, which is why a very serious sanction was imposed for an infringement of Article 6.1 of the GDPR.

5. Mercadona fine of 2,520,000 euros

This has perhaps been one of the most publicized sanctions imposed, with great repercussions, and it concerns the deployment of facial recognition systems in the company's supermarkets. Video surveillance is traditionally one of the biggest sources of sanctions for companies.

6. EDP Energía one and a half million

In this case, the sanction is imposed for processing personal data without the consent of the data subject. The processing took place in the context of contracts for electricity services supposedly signed by a representative of the client, without the entity being able to prove that such representation existed. The amount rises because of the large volume of data and processing covered by the case.

7. EDP Comercializadora, one and a half million

This is the same type of sanction, again for processing personal data without the consent of the data subject. The processing took place in the context of contracts for gas services supposedly signed by a representative of the client.

8. Equifax Iberica SL one million

This case concerns the inclusion of people's data in delinquency files without their consent, with the data obtained from official bulletins. According to the AEPD

9. Air Europa Lineas Aereas, SA. €600,000

In the case of Air Europa, the events occurred in 2018, but the company was finally sanctioned in 2021 with a fine of 600,000 euros. The problem is that it did not properly protect the banking details of almost half a million customers, and a cybercriminal was able to access them. The ruling treats the high volume of data that could be accessed as an aggravating factor.

10. LaLiga, €250,000

LaLiga was sanctioned for using, without their consent, the microphone of the mobile phones of customers who had downloaded its mobile application, activating the microphone every minute when there are broadcasts.

11. I-DE Smart Electrical Networks 200,000 euros

This last case is interesting because the complainants are two other companies that had transferred their clients' data and saw how this entity contacted them for commercial purposes for which the data had not been transferred. For this, it received a fine of 200,000 euros from the AEPD for breach of articles 5 and 6 of the GDPR.