5 notable examples of fines for non-compliance with Art 32 of GDPR

Article 32 of the General Data Protection Regulation (GDPR) obliges controllers and processors to implement technical and organizational measures that ensure a level of security appropriate to the risks of the processing and to the nature of the personal data involved. These measures must protect the confidentiality, integrity and availability of the data, the so-called CIA triad of information security.

Examples of technical and organizational measures that companies can implement to comply with Article 32 of the GDPR include:

  1. Encrypting personal data at rest and in transit to prevent unauthorized access.
  2. Implementing user authentication with strong passwords and automatic account lockout after repeated failed login attempts.
  3. Implementing access controls and restrictions so that only authorized persons can access personal data.
  4. Conducting a risk assessment to identify and evaluate the risks associated with the processing of personal data, and implementing security measures proportionate to those risks.
  5. Conducting regular security testing and verification of security systems and procedures to confirm that they remain effective.
  6. Adopting appropriate security policies and internal procedures, including training staff on them.
  7. Ensuring the availability and resilience of systems and data through backup and recovery plans for security incidents.
  8. Ensuring prompt and effective communication in the event of a personal data breach, to the supervisory authority (Article 33) and, where required, to the affected individuals (Article 34).
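The following is an added example, not code from the original article, of measure 2 above: password verification with a slow salted hash (scrypt from the Python standard library), a constant-time comparison, a minimum password length, and automatic lockout after repeated failures. The policy values (`MAX_FAILED_ATTEMPTS`, `LOCKOUT_SECONDS`, `MIN_PASSWORD_LENGTH`, the scrypt work factors) are hypothetical and should be set from your own risk assessment.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy values chosen for illustration only; derive the real ones
# from the risk assessment required by Article 32.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60        # how long the account stays locked
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # scrypt work factors (16 MiB of memory)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0    # epoch seconds; 0.0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so that a leaked password database
    cannot be cracked cheaply offline."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )


def create_account(password: str) -> Account:
    """Enforce a minimum length and store only salt + hash, never the password."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = secrets.token_bytes(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


def authenticate(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'locked' or 'bad_password'.

    While the account is locked the password is not evaluated at all, so an
    attacker gains nothing from continuing to guess during the lockout window.
    """
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"

    candidate = hash_password(password, acct.salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(candidate, acct.pw_hash):
        acct.failed_attempts = 0
        acct.locked_until = 0.0
        return "ok"

    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0   # counter restarts once the lock expires
    return "bad_password"


if __name__ == "__main__":
    # Constructed demo: one good login, five bad guesses, then a lockout.
    acct = create_account("correct horse battery staple")
    print(authenticate(acct, "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(authenticate(acct, "wrong guess"))                # bad_password
    print(authenticate(acct, "correct horse battery staple"))   # locked
```

Note that the same lockout can be turned into a denial-of-service tool against a known username, which is why the Article 32 wording is "appropriate to the risk": a shorter lockout, a per-source rate limit, or an exponential delay may fit some services better than a hard lock.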

Here are a few notable examples of fines issued by Data Protection Authorities (DPAs) in Europe for non-compliance with Article 32 of the GDPR (Security of processing):

  1. H&M – Fined €35.3 million by the Hamburg Data Protection Authority in October 2020 for unlawfully recording details of employees' private lives; the records became accessible company-wide after a configuration error.
  2. TIM – Fined €27.8 million by Italy's Data Protection Authority (Garante) in January 2020, chiefly for aggressive and unlawful telemarketing and the related unlawful processing of customers' personal data, rather than for a cybersecurity breach.
  3. Marriott International – Fined £18.4 million by the UK Information Commissioner's Office (ICO) in October 2020 for failing to keep customers' personal data secure in connection with a cyber attack that compromised guest records.
  4. British Airways – Fined £20 million by the ICO in October 2020 for failing to protect the personal and financial details of its customers in connection with a cyber attack that compromised their data.
  5. Ticketmaster – Fined £1.25 million by the ICO in November 2020 for failing to keep customers' personal data secure in connection with a breach involving a third-party chatbot on its payment page.

These are just a few examples of fines handed out by DPAs in Europe for non-compliance with Article 32 of the GDPR. Companies must take appropriate steps to protect personal data and maintain adequate security measures to prevent GDPR breaches.

You can always contact us to assess your company’s GDPR compliance.