When we think about data protection and GDPR compliance, it’s easy to focus on Big Tech giants like Google and Meta. However, the GDPR applies to all organisations, regardless of size or industry. Businesses across sectors – from healthcare providers to energy firms – are increasingly subject to investigations and penalties. Here, we explore five recent cases where companies outside of Big Tech were fined for breaches of GDPR, showing that no one is immune from investigations and fines.

Healthcare Software Provider – France (€800,000 Fine)

• Subject Matter: A healthcare software provider was fined for mishandling sensitive patient data.
• What Went Wrong: The company extracted pseudonymised patient data from doctors’ software to perform research studies without obtaining the necessary legal consent or authorisation. Additionally, the pseudonymisation was weak, allowing re-identification of individuals, which exposed personal health information. The company failed to implement sufficient legal and security measures to protect this sensitive data, which is required under the GDPR and the French Data Protection Act when handling health information.
• Practical Advice: The data should have been fully anonymised, or explicit consent should have been obtained from patients before processing their information for studies.

Pharmacy Chain – Sweden (Approx. €3.26 Million Fine)

• Subject Matter: A major pharmacy chain in Sweden was fined for sharing sensitive customer data with Meta (Facebook) without proper consent.
• What Went Wrong: The pharmacy used Meta’s tracking pixel on its website, leading to the unauthorised sharing of customer data, including health-related information like prescriptions, to Meta without an appropriate legal basis. The customers were not informed of this data sharing, nor did they provide consent. As a result, sensitive health information was unlawfully shared with a third party.
• Practical Advice: Businesses must ensure that any data transfer to third parties, especially involving sensitive health data, is lawful and based on explicit customer consent.

Energy Provider – Spain (€2,500,000 Fine)

• Subject Matter: A Spanish energy provider was fined for improper handling of customer data through a third-party subcontractor.
• What Went Wrong: The energy company shared customer data with a third-party contractor responsible for promoting energy services. However, the company failed to ensure that the contractor complied with GDPR. Specifically, the contractor processed customer data for marketing purposes without obtaining proper consent, leading to unlawful data processing.
• Practical Advice: Businesses must ensure that contracts with third-party contractors clearly define GDPR responsibilities, particularly around customer consent, and regularly monitor their compliance.

Telecom Company – Belgium (€100,000 Fine)

• Subject Matter: A Belgian telecommunications provider was fined for taking 14 months to respond to a data subject’s access request, far exceeding the one-month deadline set by GDPR.
• What Went Wrong: The company failed to provide the requested data within the required timeframe, infringing on the individual’s right to access their personal data.
• Practical Advice: Implement efficient internal processes to ensure data access requests are handled within the one-month GDPR limit to avoid penalties.

Employer Using Biometric Data – Belgium (€45,000 Fine)

• Subject Matter: A Belgian company was investigated for using employees’ fingerprint data for time tracking without obtaining valid legal consent.
• What Went Wrong: The employer required employees to clock in using their fingerprints without offering an alternative method or ensuring that consent was freely given. This violated GDPR’s rules on the processing of sensitive biometric data, as it did not have a valid legal basis for this practice.
• Practical Advice: Employers should offer alternatives to biometric data collection and ensure that employee consent is freely given without coercion.

How we can help

These cases demonstrate that GDPR compliance is crucial for businesses of all sizes and sectors, not just Big Tech. Significant fines are imposed for violations like failing to obtain valid consent, mishandling data transfers to third parties, and lacking oversight of contractors. To avoid penalties, businesses must comply with legal requirements, such as having contracts that clearly outline data protection responsibilities, implementing proper consent mechanisms, and establishing internal policies and procedures for handling data subject requests.

Need guidance on GDPR compliance? Schedule a complimentary 20-minute call with our lawyers – we’re ready to help.