According to a survey conducted by Deloitte Legal in Romania, Bulgaria, Croatia, the Czech Republic, Hungary, Lithuania, Poland and Slovakia, the largest number of controls and fines for possible violations of the GDPR provisions has been reported in highly regulated and client-facing industries, which process large volumes of personal data. The study covers the period since the GDPR entered into force until May 31, 2019. Alongside telecom and financial services, the ranking of the industries with the most GDPR-related controls is completed by the public sector, media, technology – mostly regarding mobile apps -, private healthcare and postal services. The national data protection authorities’ actions were mainly related to observance of data minimization, purpose limitation and data retention principles, compliance with data subjects’ rights, video surveillance, direct marketing, profiling and cookies.
Until May 31, 2019, the eight surveyed countries count 34 fines applied for GDPR violations, amounting to almost EUR 750,000. By far, the largest fine imposed in Central Eastern Europe was in Poland for an entity whose object of activity is based on processing personal data obtained from publicly available sources. For using such data for profit, the Polish Authority imposed a fine of approx. 230,000 EUR. This case has a particular importance with respect to means for ensuring transparency to data subjects, while the value of the fine places Poland in top 3 of the fines in the whole Europe.
The largest number of fines applied in the time interval covered by the study was reported in Bulgaria (13), followed by Hungary (10), The Czech Republic (8), Poland (2) and Lithuania (1). As far as the amounts are concerned, Bulgaria reported the highest total (approx. EUR 250,000), followed by Poland (over EUR 230,000), Hungary (EUR 200,000), Lithuania (over EUR 60,000) and The Czech Republic (over EUR 6,000).
In Romania, until the end of May 2019, the data protection authority performed 981 controls, imposed 57 corrective measures, issued 23 warnings and a large number of investigations is still pending.
“Romania has just reported its first fine for GDPR violations, of EUR 130,000, applied to a bank. We also see various and significant controls across Europe and fines imposed almost each week in many jurisdictions, out of which the leader is the EUR 50 million fine imposed to Google in France,” says Georgiana Singurel, Partner at Reff & Associates, member of Deloitte Legal network, which coordinates the law firms’ team specialized in data protection.
As for the specific local legislation regarding personal data protection, the survey conducted by Deloitte Legal underlines that CEE countries have introduced the GDPR provisions in national legal orders, with particular emphasis on matters related to employment relations, surveillance systems, child consent in relation to the online services, banking and insurance laws, services processing biometric data.
When it comes to data breaches reported to national data protection authorities, Poland leads, with 2,000 notifications, followed by the Czech Republic (626), Romania (398), Hungary (380), Lithuania (93) and Bulgaria (33).
“GDPR has been a major disruptor for any entity processing personal data and Romanian companies across all industries have worked on identifying the main risk areas and on assuring the compliance with the regulation. We see amongst our clients a continued focus on setting up complex internal processes and on adjusting legal documents in order to comply with GDPR, as well as on training their employees in this area,” explains Georgiana Singurel.