21 November 2019
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) entered into force. GDPR is a strong tool for securing the rights of people in Europe to so-called “informational self-determination.” The Regulation includes rules protecting the rights of natural persons (meaning: not companies, which are considered “legal persons”) when their personal data are processed. Among other rights, the Regulation provides natural persons the right to access any personal data held about them by an organization (Article 15 GDPR), and the right to have inaccurate data corrected (Article 16 GDPR). The data protection authorities may punish violations of the Regulation with significant fines: up to 20 million euro or 4% of the worldwide annual revenue of the violating organization – whichever is higher (Article 83 GDPR).
Delivery Hero Germany GmbH is one of the organizations to discover in 2019 that these punishments are not empty threats. Delivery Hero, a food delivery company, took over the brands Lieferheld (“Delivery Hero” in German), Pizza.de, and Foodora from the Dutch company Takeaway.com. In August 2019, the Data Protection Authority in Berlin announced a fine of 195,407 euro against Delivery Hero for GDPR violations (announcement in German). Delivery Hero had not deleted the accounts of former customers, even though these customers were no longer active users; in one case, the customer’s most recent activity was in 2008. Eight former customers had additionally complained that the company had sent them unwanted advertising emails. One of these had explicitly requested that his personal data not be used for advertising purposes, but still received 15 further advertising emails. In five other cases, the company did not provide information about personal data they had stored, or did so only after the Data Protection Authority intervened.
Delivery Hero attempted to argue to the Berlin Data Protection Authority that the issues reported in the complaints were caused by technical problems or errors made by employees. The Data Protection Authority did not, however, accept this argument. There were too many complaints over too long a period of time for this to be plausible, according to the Data Protection Authority. In their view, the numerous complaints were evidence of “fundamental structural problems in the organization.”
The same Berlin Data Protection Authority announced in October 2019 a fine of 14.5 million euro against Deutsche Wohnen SE, a major holder of real estate property in Germany (announcement in German). Deutsche Wohnen had developed a data archiving system in which it was possible to delete data that was no longer needed – including in some cases sensitive personal data such as salary information, excerpts from employment contracts and bank statements, and tax data. After a first inspection in June 2017, the data protection officials announced that Deutsche Wohnen would be required to redesign their archiving system. By March 2019, however, the company had not changed its data storage practices. Nor could it come up with a legal justification for the continued storage of the old data.
Other European data protection authorities have also announced substantial fines for GDPR violations. A running list can be seen at enforcementtracker.com.
The fines, which are in some cases quite high, show that the “grace period” many people expected for GDPR violators after the entry into force is over – and that the punishments for violations are increasing. In May 2019, the German news service “Welt” surveyed the 16 regional German data protection authorities and found that in the year since GDPR entered into force, the 16 authorities together had issued fines totaling 485,490 euro for a total of 75 violations. The fines for violators since May 2019 are significantly higher.
Berlin Data Protection Officer Maja Smoltczyk has made public that the Data Protection Authority’s decisions should have an “educational” character. “I hope that these fines serve as a warning to other companies,” she said after the decision in the case of Delivery Hero. “Whoever works with personal data needs functioning data protection,” she warned. She advised customers of Deutsche Wohnen to “go directly to the company and ensure that the rights of access provided for by law are implemented.”
YouTube managers would be well advised to take note of these developments. The classifications of videos uploaded by individuals in the European Union are personal data under GDPR. Given that violations of GDPR can carry fines of up to 4% of global yearly revenue, GDPR violations by YouTube – a part of Google, with 2018 revenues of over 136 billion US dollars – could be extremely expensive.