
GDPR 2021: A Review and Roundup
Posted On July 13, 2021
The General Data Protection Regulation (GDPR) was enacted on May 25, 2018, in response to the need for updated and uniform data protection and privacy laws in the European Union (EU) and the European Economic Area (EEA). The GDPR provides individuals with control over their personal data and streamlines international business practices.

How the GDPR Relates to Older Legislation

The 3-year-old GDPR supersedes the EU’s Data Protection Directive (Directive 95/46/EC) from 1995 and the U.K.’s Data Protection Act 1998. While these directives dealt with the protection, lawful processing, and handling of personal data, they were in accordance with the technological capabilities of yesteryear. The dated directives were no longer in line with the technological advancements of current times, prompting the need for the GDPR. Note that the U.K.’s Data Protection Act 2018 complements the GDPR.

Six Data Protection Principles

The GDPR cites six protection and accountability principles that must be complied with (Articles 5–11). Personal data must be:

  1. Processed lawfully, fairly, and transparently
  2. Collected for legitimate purposes specified to the data subject at the time of collection
  3. Limited only to what is necessary
  4. Accurate and kept up-to-date
  5. Stored only as long as necessary
  6. Processed in such a way that ensures the appropriate levels of security, integrity, and confidentiality

The data controller is responsible for compliance with the six principles.

Eight Key Rights of Data Subjects

The GDPR also assigns eight rights to data subjects (i.e., people with personal data):

  1. The right to be informed (Articles 13–14)
  2. The right of access (Article 15)
  3. The right to rectification (Article 16)
  4. The right to erasure (Article 17, Article 19)
  5. The right to restrict processing (Articles 18–19)
  6. The right to data portability (Articles 19–20)
  7. The right to object (Article 21)
  8. Rights related to automated decision making and profiling (Article 22)

According to Article 3, Territorial Scope, “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” When the processing of personal data of any individual is located within the EU/EEA, the GDPR is enacted and enforceable.

2021 Enforcement

2021 GDPR violations are diverse and come from businesses, municipalities, individuals, and other data controllers. The following examples show the breadth of GDPR rulings. These examples do not include international violations.

Violations by Individuals

The Romanian National Supervisory Authority for Personal Data Processing fined the general secretary for a political party in Bucharest €500 (about $605) on March 4, 2021, for violating Article 32(1)(2), Article 58 (1)(a), and Article 58 (1)(e) of the GDPR. These articles deal with measures to ensure information security. The secretary published data on a social networking site containing personally identifiable information of 10 political party supporters (including signatures) and did not adequately cooperate during the investigation.

An individual was fined €1,500 (about $1,790) on March 12, 2021, by the Spanish Data Protection Authority for noncompliance with Article 5(1)(c), lawful basis for data processing. The individual unlawfully videoed a public right-of-way that included parts of a nearby apartment complex patio. No visible signage alerting the public of the surveillance system was present.

Violations by Businesses

Spain’s Predase Servicios Integrales S.L. professional organization was fined €5,000 (about $6,049) for noncompliance with data subjects’ rights and the lack of a privacy policy on its website, a violation of Article 13. This article focuses on what information should be provided to data subjects when personal data is collected. Website privacy policies are often used to provide this information.

Vodafone España, S.A.U., a mobile communications operator, has received several substantial fines by the Spanish Data Protection Authority in 2021, including the following:

  • On Feb. 12, Vodafone was found in violation of GDPR Articles 5 and 6 and received a €120,000 (about $145,182) fine (originally €200,000, but reduced for immediate payment). The data controller continuously sent electronic bills to a data subject who objected and terminated its contract. The data controller had already received two fines for this in the past.
  • On March 11, Vodafone was found in violation of Articles 24, 28, 44, 48(1)(b), 21, and 23 and fined €8,150,000 (about $9,860,280). The Spanish Data Protection Authority received 191 complaints since 2018 for unsolicited marketing calls. Without consent, Vodafone continued to send materials, even to individuals on a data exclusion list.

To date, the largest fine in 2021 was issued on Jan. 8 by the Data Protection Authority of Niedersachsen, Germany, to the retailer for the sum of €10,400,000 (about $12,582,444) for noncompliance with GDPR Articles 5 and 6 (unlawful data processing). In short, the retailer could not provide a legal basis for 2 years’ worth of video surveillance of its employees. Also, some recordings were kept for more than 60 days (longer than the required time). In addition to staffers, customers were impacted by the surveillance, as it covered seating areas.

Violations by Municipalities

The Italian Data Protection Authority fined the municipality of Castellanza €4,000 (about $4,760) for noncompliance with data processing principles Articles 5(1)(a), 5(1)(c), 6(1)(c), 6(1)(e), 6(2), and 6(3)(b). The municipality uploaded documents containing legal proceedings, which contained the personal data of data subjects, to its public website.

Since 2018, the largest fine has been €50,000,000 (about $60,492,518) for Google, Inc., and the smallest, €28 (about $34) for an unknown party. See the GDPR Fines Tracker & Statistics from Privacy Affairs for more information.

GDPR and the COVID-19 Pandemic

COVID-19 presented new data protection challenges due to the immediate need for track-and-trace systems, contact-tracing apps, biomedical research with regard to data-sharing, and a growing remote workforce (from diverse sectors) interacting with subject data in their own home.

There is a dichotomy in thought on the usefulness of the GDPR during the pandemic. One view is that it continues to protect data as intended, while proving its adaptability. The other is that it has stalled research, necessary data processing, and sharing. The GDPR has shown its resilience in times of uncertainty, such as the pandemic and Brexit (a topic unto itself), and continues to act as a catalyst for new privacy regulations in non-EU/EEA countries. I look forward to seeing what lies ahead.

Kelly LeBlanc is a knowledge management specialist at FireOak Strategies, where she specializes in OA, open data, data management, geographic information systems (GISs), and data/information governance issues. Prior to joining FireOak, LeBlanc was with the Digital Initiatives Unit at the University of Alberta, where she worked with GISs, metadata, and spatial and research data. She served in various municipal planning and development capacities working with GISs, municipal law, planning/zoning regulations, and resource management. LeBlanc holds an M.L.I.S. from the University of Alberta and a master of letters from the University of Glasgow.
