Paper: Investigating GDPR Fines in the Light of Data Flows

Marlene Sämann, Marlene; Daniel Theis, Daniel; Tobias Urban; Martin Dägeling
June 2022, Conference: Privacy Enhancing Technologies Symposium (PETS)At: SydneyVolume: 4

“… Our analysis shows that it is a combination of technical and organizational issues that are involved when a fine is imposed. ”

“Moreover, data protection authorities more often react to data subjects’ complaints when data breaches become public and when health-related data is involved..”

“.. We further show that the root causes for fined data processing lie in the early data life cycle phases (e.g., data collection). Here, organizational problems are more prevalent (601 fines) than technical issues (314 fines), while technical issues are mentioned more often in later life cycle phases (e.g., retention, access and usage). Especially mistakes in the early phases of the data collection process (e.g., lacking a legal basis) and unauthorized disclosure in later phases are fined. ..”