A Growing Appetite of the Data State Inspectorate: The Latest Fine for GDPR Violations

According to the DSI press release dated August 29^th, 2019, the online retailer had ignored repeated requests of the data subject to erase personal data, including a mobile phone number, which was previously collected by the entrepreneur to process payment and secure delivery of the online purchases to the client. During the investigation, the DSI has established various unsuccessful attempts of the data subject to enforce "right to be forgotten" pursuant to Article 17 of the General Data Protection Regulation (GDPR). Besides failing to provide timely reply to the duly submitted requests of the data subject, the online retailer continued to send advertisement messages by SMS to the registered mobile phone number of the client. Furthermore, the entrepreneur refrained from providing information requested by the DSI, as well as ignored DSI decision ordering it to comply with the request of the data subject. In determining the amount of the fine, the DSI primarily focused on the nature and duration of the infringement, the number of the data subjects affected, the extent of cooperation with the supervisory authority displayed by the online retailer, its annual revenue during the previous financial year, as well as other relevant considerations. Although the amount of the fine apparently does not correspond entirely to the gravity of the infringement yet, it nevertheless, indicates a clear shift in the DSI practice towards raising fines for GDPR violations. 

The implications of this noticeable shift in the DSI practice are also evident in the suggestions expressed by the DSI Director in an interview aired hours before the release of the aforementioned decision. The DSI Director has acknowledged an overall commitment to follow a common institutional approach, known as “consult first”, by referring to more than 1 600 instances of written consultations and 140 cases of written recommendations addressing GDPR violations, recently established by the DSI. According to the statistics, however, the DSI has lately imposed fines ranging from EUR 200,- to EUR 2 000,- in 40 instances of GDPR violations. Moreover, it has been admitted, that cases of manifest failure to comply with the GDPR requirements shall trigger higher fines, as proven shortly after by the DSI decision on GDPR violations committed by the online retailer. In the light of the recent distressing survey results, indicating that more than 25% of the entrepreneurs consider themselves being outside the scope of GDPR application, the DSI written consultations and recommendations will undoubtedly remain one of the key instruments for raising awareness in the business community and bringing business practices in line with the GDPR requirements. Whether the DSI will continue shifting towards a more balanced approach by further strengthening its current mild practices with the growing number of decisions imposing higher fines and penalties for GDPR violations, remains to be seen.