(from 2016) – Lessons from living with high privacy fines (Spain)

The GDPR introduces some very high fines for violations, and for many countries in Europe this will be a major change. – In this context, it’s interesting to have a look at Spain, where the Data Protection Authority has already been able to enforce fines of up to 600,000 EUR for several years.

Ricard Martinez of the Spanish Data Protection Association APEP wrote a very interesting article on the challenges that come with high privacy fines.

My key take-aways from his post are:

  • The total annual amount of fines in Spain has been between 15 and 20 million EUR over the last decade.
  • The majority of the sanctioned companies are in the telecommunications, video surveillance, and financial industries. Their relative share stays about the same year by year. – So the high fines do not appear to be a crucial deterrent.
  • The legislator had to modulate the sanctions to balance the impact on small and medium enterprises. – It’s important that the DPAs harmonize around this before the GDPR becomes effective, as the overall effect might be unfair.
  • The volume of complaints is steadily increasing from year to year. This has an impact on the ability of the DPA to take action: the number of actual infringement statements is staying constant. – Any news on DPA actions seems to increase the volume of complaints further.

There’s much more information in Ricard Martinez’s post, and I encourage you to read more at http://www.phaedra-project.eu/the-challenge-of-the-enforcement-in-the-proposal-for-a-general-data-protection-regulation-2/