The EU’s General Data Protection Regulation (GDPR) came into force on 25 May 2018. As we explained previously here, this Regulation may also apply to Swiss companies.
Businesses concerned, both European and Swiss, were required to take various measures by 25 May last. These included, for instance, appointing a data protection officer (DPO), adding a banner to company websites, reviewing confidentiality policies and general terms and conditions of use, creating a cookies page, adapting their contact forms, informing recipients of their newsletters, ensuring computer system security, training staff and adopting internal rules, analysing existing contracts, and adding supplementary clauses where necessary.
In the course of our work, we have found that a great many businesses had not yet put appropriate measures in place by 25 May 2018. Some have so far simply taken action that we would describe as “urgent”, i.e. inserting a banner, creating a cookies page and reviewing their confidentiality policies.
However, we should point out that merely adopting these “urgent” measures is not enough to comply with the GDPR. Hefty penalties may be imposed, even going as far as a definitive limitation on data processing and/or an administrative fine of up to EUR 20 million or 4% of annual worldwide sales (GDPR Art. 83).
That makes it imperative for the companies concerned to continue the long-term task of assuring compliance if their activities fall within the scope of the GDPR.
The first penalties have in fact already been imposed. In France, the Restricted Committee of the CNIL (France’s national data-protection authority) recently imposed a penalty of EUR 75,000 on the Association pour le Développement des Foyers (ADEF – the French housing development association) because of a failure to protect the data of its website users. The Restricted Committee also imposed a penalty of EUR 250,000 on the OPTICAL CENTER company on the grounds of failure to fulfil its obligation to ensure the security of personal data. Modifying URL parameters in fact made it possible for hundreds of invoices to the company’s clients to be accessed; these invoices contained particulars such as surnames, first names, postal addresses, healthcare data (ophthalmological correction) and, in some cases, even the social-security numbers of those concerned.
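The OPTICAL CENTER case turns on a single technical failure: the invoice shown to a user was selected by a URL parameter alone, with no check that the invoice belonged to the person requesting it. The following example is added here for illustration and is not code from the firm, the CNIL or the company concerned; the invoice records, user identifiers and the three functions are constructed for the example. It places the vulnerable lookup beside a hardened one that binds the record to the caller's session identity, and adds a small detection helper for the access pattern that sequential parameter tampering produces.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_eur: float
    prescription: str  # health data (e.g. optical correction): special-category data under GDPR Art. 9


# Constructed sample store: two customers, one invoice each. Not real data.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=1, amount_eur=250.0, prescription="-1.25 / -0.75"),
    1002: Invoice(1002, owner_id=2, amount_eur=180.0, prescription="+2.00 / +1.50"),
}

# Audit trail of refused lookups; in a real system this feeds the security log.
DENIED_ACCESS_LOG: List[Dict[str, int]] = []


def get_invoice_insecure(invoice_id: int) -> Optional[Invoice]:
    """Vulnerable pattern: the URL parameter alone selects the record.

    Whoever changes ?invoice=1001 to ?invoice=1002 receives another
    customer's invoice, which is the failure the regulator described.
    """
    return INVOICES.get(invoice_id)


def get_invoice(current_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Hardened pattern: look the record up, then check it against the
    caller's identity taken from the server-side session, never from the
    request. A mismatch is answered exactly like a missing invoice (None),
    so the response does not confirm that the number exists, and the
    attempt is recorded so that enumeration can be detected.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice.owner_id != current_user_id:
        DENIED_ACCESS_LOG.append({"user": current_user_id, "invoice": invoice_id})
        return None
    return invoice


def suspicious_users(threshold: int = 3) -> Set[int]:
    """Detection helper: users with at least `threshold` refused lookups.

    A legitimate customer rarely asks for invoices that are not theirs;
    repeated refusals for one account are the signature of someone walking
    through invoice numbers.
    """
    counts: Dict[int, int] = {}
    for entry in DENIED_ACCESS_LOG:
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Customer 1 asking for customer 2's invoice: leaks with the first
    # function, refused and logged with the second.
    print(get_invoice_insecure(1002))
    print(get_invoice(1, 1002))
    print(DENIED_ACCESS_LOG)
```

The ownership check belongs in the data-access layer, not in the page template, so that every route that can reach an invoice inherits it; answering "not found" for both missing and foreign records keeps the endpoint from acting as an oracle for valid invoice numbers, and the refusal log gives the operator something to alert on before a regulator does.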
In both cases, given the scale of the data involved and their highly personal and detailed nature, the Restricted Committee decided to make its ruling public. However, it is important to point out that, before making these rulings, the CNIL had alerted the relevant parties to the non-compliance of their systems and asked them – unsuccessfully – to put matters right.
WILHELM Avocats SA – 2.7.2018
Do you have questions about this topic?