February Enforcement Statistics

1292744a.jpg

Top 3 Most Active Regulators by Number of Fines

  • Agencia Española de Protección de Datos (Spain)
  • Garante per la protezione dei dati personali (Italy)
  • Hungarian National Authority for Data Protection and Freedom of Information

February Enforcement Statistics

1292744b.jpg

Top 3 Most Active Regulators by Value of Fines

  • Garante per la protezione dei dati personali (Italy)
  • Datatilsynet (Norway)
  • Commission Nationale de l'Informatique et des Libertés – CNIL (France)

YTD Enforcement Statistics

1292744c.jpg

Top 3 Most Active Regulators by Number of Fines

  • Agencia Española de Protección de Datos (Spain)
  • Garante per la protezione dei dati personali (Italy)
  • The National Supervisory Authority for Personal Data Processing (Romania)

YTD Enforcement Statistics

1292744d.jpg

Top 3 Most Active Regulators by Value of Fines

  • Data Protection Commission (Ireland)
  • Garante per la protezione dei dati personali (Italy)
  • Datatilsynet (Norway)

Top Fines

  • The largest fine was €4.9 million against Edison Energia (a subsidiary of EDF) by the Italian DPA.
  • The Italian DPA concluded that Edison Energia had: (i) conducted telephone calls without consent; (ii) failed to respond to requests to object; and (iii) failed to allow data subjects to express free and specific consent for promotional or profiling purposes.
  • Edison Energia opted to settle the dispute for half the total fine value (i.e., €2.45 million).
  • The second largest fine was €900,000 against SATS ASA (a fitness centre chain) by the Norwegian DPA (Datatilsynet).
  • The Norwegian DPA concluded that SATS: (i) failed to comply with two separate DSARs; (ii) failed to comply promptly with three separate erasure requests; (iii) failed to inform data subjects about its data retention policy; and (iv) failed to rely on a valid lawful basis to process the training history of its members.
  • The Norwegian DPA observed that the fine imposed represented approximately 5% of the maximum applicable fine and 0.3% of SATS' annual turnover for 2021.

Key Takeaways

  • In February 2023, European Privacy Regulators imposed fines totalling at least €6.5 million.
  • This was an increase when compared to January 2023 if the two fines issued by the Irish Data Protection Authority (DPA) against Meta (totalling €395.5 million) are excluded.
  • Norway, Spain and Ireland continue to be the most active privacy regulators.
  • Regulators continue to fine businesses for failing to inform people of video surveillance systems. In February, the Spanish and Italian regulators imposed fines on retailers and a hotel for these breaches.
  • Healthcare and educational institutions are increasingly being targeted by privacy regulators. The French, Italian and Irish regulators all imposed fines on these types of businesses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.