GDPR fines are starting to come.

GDPR finesShortly after I posted about the Austrian GDPR fine, another fine was issued by the regulatory authority in Portugal. Late last week the German regulatory authority imposed another fine on an App maker. So the GDPR fines are beginning to come. Let’s take a quick look at these three cases and then see what you can do.



Austrian surveillance cost €4.8K

Just to recap, a business owner had CCTV installed outside their premises. One camera was recording a large portion of the public footpath. This was judged to be too invasive and there was poor signage. The regulatory authority hit them with a modest €4,800 fine. The Austrian data protection authority had 36 other proceedings pending at that time.

Portuguese hospital with too many doctor’s accounts hit for €400K

An unnamed hospital in Portugal had 985 doctor’s accounts on it’s IT system and only 296 doctors on staff. It seems that non-Doctor types (e.g. psychologists and dietitians) used doctor accounts to access patient data. What is most troubling is that a doctor account has unrestricted access to every single patient’s data.

You might not think this is a big deal, but you’re dealing with sensitive personal data here. There should be some controls on access to it, including audit logs of any and all access made by authorised personnel.

The regulator has imposed a €400,000 fine on the hospital, which is appealing the judgement. The Portuguese Government have not yet fully implemented the GDPR, but the regulator is acting as if it was in place.

App maker who cooperated, still fined €20K

A German chat platform, had a breach in which 330,000 e-mail addresses (in German) and their account passwords were stolen by hackers. The passwords were in plain text (no hashing or encrypting was applied). It was the screw-up with the password that caused the fine. They hadn’t applied appropriate technical or organisational controls to protect the data.

The regulatory authority acknowledged that Knuddles were very proactive in reporting the breach and the subsequent follow up. They have implemented stronger security controls in a very short time. In consultation with the regulator they have more measures coming in due course.

The regulator also looked at the financial  strength of the company in determining the fine, not wanting to place the business under any financial burden. So the fine was proportionate. I would hate to think what might have been the case if they hadn’t cooperated.

To avoid GDPR fines, budget now to prepare early in 2019

If your business hasn’t put in place any policies or procedures to address the requirements of the GDPR, you should look at addressing this soon. Most annual budgets will have been exhausted by now, so put in place a sensible sum for GDPR preparation work, early next year.

  • If you haven’t attended a GDPR awareness event, then seek one out or give us a call on 087-436-2675.
  • We are now offering Practical GDPR Training, which can give you virtually everything you need to be as compliant as possible. Being “100% GDPR compliant” is not something that can be stated presently, as there is no certification available to support such a declaration.
  • Or if you prefer to keep making money for your business and not be distracted, then we can do the work for you. Send us an e-mail to and we’ll get in touch.