One year after the introduction of GDPR regulations, the largest number of inspections and fines has been reported in highly regulated and client-facing industries, which process large volumes of personal data, according to a survey conducted by Deloitte Legal in Romania, Bulgaria, Croatia, the Czech Republic, Hungary, Lithuania, Poland and Slovakia.
Alongside telecom and financial services, the ranking of the industries with the most GDPR-related inspections is completed by the public sector, media, technology (mostly regarding mobile apps), private healthcare and postal services. The actions of national data protection authorities were mainly related to observance of the data minimization, purpose limitation and data retention principles, compliance with data subjects’ rights, video surveillance, direct marketing, profiling and cookies.
Until May 31, 2019, the eight surveyed countries counted 34 fines applied for GDPR violations, amounting to almost EUR 750,000. By far the largest fine imposed in Central Eastern Europe was in Poland, on an entity whose activity is based on processing personal data obtained from publicly available sources. For using such data for profit, the Polish Authority imposed a fine of approx. EUR 230,000. This case is of particular importance with respect to the means for ensuring transparency to data subjects, while the value of the fine places Poland in the top 3 for fines in the whole of Europe.
The largest number of fines applied in the time interval covered by the study was reported in Bulgaria (13), followed by Hungary (10), the Czech Republic (8), Poland (2) and Lithuania (1). As far as the amounts are concerned, Bulgaria reported the highest total (approx. EUR 250,000), followed by Poland (over EUR 230,000), Hungary (EUR 200,000), Lithuania (over EUR 60,000) and the Czech Republic (over EUR 6,000).
In Romania, until the end of May 2019, the data protection authority had performed 981 checks, imposed 57 corrective measures and issued 23 warnings, while a large number of investigations are still pending.
“Romania has just reported its first fine for GDPR violations, of EUR 130,000, applied to a bank. We also see various and significant inspections across Europe and fines imposed almost each week in many jurisdictions, out of which the leader is the EUR 50 million fine imposed on Google in France,” says Georgiana Singurel, Partner at Reff & Associates, member of Deloitte Legal network, who coordinates the law firm’s team specialized in data protection.
As for the specific local legislation regarding personal data protection, the survey conducted by Deloitte Legal underlines that CEE countries have introduced the GDPR provisions into their national legal orders, with particular emphasis on matters related to employment relations, surveillance systems, child consent in relation to online services, banking and insurance laws, and services processing biometric data.
When it comes to data breaches reported to national data protection authorities, Poland leads, with 2,000 notifications, followed by the Czech Republic (626), Romania (398), Hungary (380), Lithuania (93) and Bulgaria (33).
“GDPR has been a major disruptor for any entity processing personal data and Romanian companies across all industries have worked on identifying the main risk areas and on assuring compliance with the regulation. We see amongst our clients a continued focus on setting up complex internal processes and on adjusting legal documents in order to comply with GDPR, as well as on training their employees in this area,” explains Georgiana Singurel.
With a team of over 70 lawyers, Reff & Associates is recognized as a leading law firm in Romania for the quality of its services and its ability to deliver solutions on complex legal matters. The areas of practice include banking & finance, competition law, employment law, energy and environment law, insolvency law, litigation, mergers & acquisitions, public sector and real estate. The firm represents Deloitte Legal in Romania, a global network with more than 2,500 lawyers in 85 countries.