GDPR at the End of 2020

When it comes to processing personal data, 2020 was quite an eventful year. The effort to reduce the spread of COVID-19 had a direct impact on businesses in all industries.

The implementation of emergency measures to ensure the health and safety of employees and contractors has led to a massive increase of collecting and processing special categories of data (such as health data). However, the obligations of companies as data controllers or data processors to comply with the GDPR (General Data Protection Regulation) remained the same.

The Data Protection Authorities (DPAs), responsible for supervising the application of data privacy laws, including the GDPR, have issued numerous sanctions in their on-going efforts to protect personal data. As you will see from the information that follows, violating the regulations even if unintentional or due to ignorance does not relieve a company’s responsibilities under the law. In additional to fines, companies also risk significant damage to their brand reputation and losing the trust of their clients.

Fines from 2020 with some important lessons about GDPR  

€50 million and € 100 million fines for the giant company Google

On the 21st of January 2019, CNIL (Commission Nationale de l’informatique et des Libertés) fined Google with €50 million for the lack of transparency towards data subjects, for the lack of valid consent on ads personalization and for not offering proper and clear information to the users.

On the 12th of June 2020, the company loses the appealing being forced to pay the large amount established by the CNIL.

On the 7th of December 2020, the French Authority imposed a penalty of €60 million on Google LLC and €40 million for Google Ireland for placing advertising cookies in the users’ computers without obtaining their consent. Is one of the biggest fines imposed for such data breach.

Vodafone Italy fined with over €12 million for abusive telemarketing

The Italian Supervisory Authority demonstrated through its investigation that Vodafone was illegally processing users’ personal data for commercial purposes.

‘’Several complaints and alerts had been submitted to the Garante by customers who had been contacted by operators purporting to be acting on Vodafone’s behalf and requesting IDs to be sent to them via WhatsApp – quite likely for purposes related to spamming, phishing or other fraudulent activities.’’

Massive data breach by Marriot International Inc fined with £18.4 million

Approximately 339 million guests worldwide were affected by a cyber-attack which took place in 2014 on Starwood Hotels, acquired by Marriott in 2016. According to the ICO’s report, Marriot did not detect the attack when acquiring Starwood even after the GDPR was enforced, the attacker continuing to access personal data of the guests.

The attacker installed a code known as ‘’web shell’’ through which he had authorized, unrestricted access to several devices. Moreover, he managed to get in possession of several login credentials and accessed the database storing reservation data and exported it.

The breach took place before the UK left EU, specifically on the 28th of May 2018, therefore the decision to sanction Marriot was taken by ICO and approved by all the other EU DPAs.

According to ICO, Marriot reacted as soon as it discovered the attack and contacted its customers and the supervisory authority. It has also taken the necessary measures to ensure greater security of the systems and tools used.

H&M fined with over €30 million unlawfully storing and collecting personal data of their employees

On the 1st of October 2020, The Swedish clothing company H&M (Hennes & Mauritz) has been fined €35.5 million by the German Data Protection Authority after a data leak from a service center from Nuremberg Germany, which revealed the illegal collection of personal data of the employees by the managers.

The monitoring activity targeted several hundred employees at the service center. Since 2014, H&M managers have been gathering information related to employees’ privacy, such as medical diagnoses, family issues and religious beliefs.

The collected data was digitally recorded and stored in a system that could be accessed by 50 managers from across the company.

H&M admitted that there were deficiencies in the service center, claiming that they took measures to correct these situations.

Additional Fines and Regulatory Actions

The GDPR did not take a break even in the last days of the year. For the companies and businesses that may have thought that data protection authorities are ‘’on vacation’’, they were mistaken.

TUiR Warta S.A., a consulting company from Poland was fined on the 28th of December 2020 with €18,930 for insufficient fulfilment of data breach notification obligations.

On the 30th of December 2020, ING Bank N.V. Amsterdam from Romania was fined with €3,000 for insufficient legal basis for data processing.

Fines were imposed in the new year as well, the largest was granted to a German electronics company on the 8th of January, AG, accused of monitoring its employees through surveillance cameras for two years without any legal basis. For this reason, the State Commissioner for Data Protection (LfD) Lower Saxony has imposed a fine of €10.4 million.

On the 4th of January, 11 companies from Czech Republic were fined with a total of €118,500 for misusing data to spread unsolicited messages that appeared in citizens’ data boxes. On the same day, Vodafone Spain has been sanctioned with a €54,000 fine for non-compliance with general data processing principles and Innovation Norway (a state-owned company and a national development bank) was fined with €95,500 for insufficient legal basis for data processing.



The impact of the COVID-19 pandemic included significant increases in levels of data processing. Data controllers and data processors must ensure, especially in times like these, that they are compliant with the current law and remain up to date with any changes that may occur to the regulations


Sovy can help you get compliant and stay compliant using our on-line tools, including:

  • Walk through a data mapping exercise and build your data inventory.
  • Build all the policies you need under the GDPR, including a privacy policy, data protection policy, and data breach response forms.
  • Train your employees with industry-standard eLearning courses.
  • Maintain your compliance program in the cloud
  • Manage cookie consent and data rights

We also offer advisory services in compliance, governance risk, adverse event and remediation.

Find out how the Sovy GDPR Privacy Essentials can help you or- Get in touch with us for more information.