Fines to note…
Fines for invalid DPO
- The Belgian DPA fined a company €50,000 for improperly appointing the head of the compliance, risk management, and audit departments to serve as its DPO, which violates the requirement for an independent DPO.
- The AEPD fined Glovo €25,000 for appointing a Data Protection Committee (rather than DPO) and failing to notify the relevant DPA.
- The Belgian DPA fined Proximus €50,000 for having a DPO with a conflict of interest and failing to involve the DPO in the processing of personal data breaches.
Fine for not appointing a GDPR Representative
In May 2021, a Canadian company was fined €525,000 for failing to appoint an EU Representative (with an additional €20,000 for each two-week period during which it remains non-compliant, up to a maximum of €120,000).
The company admitted that it had no establishment in the EU. Accordingly, the obligation under EU GDPR Article 27 – to appoint a Representative in the EU – applied.
The company was unable to rely on the “occasional processing” exemption, even though there was only a small volume of EU personal data being processed, because the regulator decided that the processing was a usual part of the website’s operation.
This decision implies that it will be difficult, in practice, for any website operator to successfully claim that its processing is only “occasional” because the volume of data being processed is low.