GDPR and sanctions, what they are and what companies risk: the H&M case
On 25 May 2018 the web changed once and for all, at least in Europe. Even if many didn't realize it at the time, that is the day the GDPR became applicable: the regulation proposed by the European Commission to harmonise the rules on the processing of citizens' personal data across the whole continent. Being a regulation rather than a directive, the GDPR applies directly in every member state and replaced the 1995 Data Protection Directive on which the national privacy laws were based; through its extraterritorial scope it also binds companies outside the EU, Switzerland included, that offer goods or services to people in the EU or monitor their behaviour.
What exactly has changed compared to the past, what do companies need to do to avoid violating the GDPR, and what are the penalties for those who do? Let's go through it by analysing a practical case.
What is the GDPR
Acronym for General Data Protection Regulation (in Italian, Regolamento generale sulla protezione dei dati), the GDPR is the set of rules that every organisation processing the personal data of people in the EU must comply with, online or offline. In particular, it governs how companies process users' personal data, how and for how long they store it, and how the users themselves can exercise their rights over it (access, rectification, erasure, portability) in a simple and immediate way.
GDPR: what it provides
The key points around which the entire structure of the GDPR revolves are essentially two:
- Simplify the regulatory framework in which companies operate in the European Union market (and in the EEA countries that have adopted the regulation);
- Give users greater control over their data, from the moment a company acquires it until it is deleted.
To make this possible, the GDPR requires that requests for consent be clear, specific and readable by users; it sets limits on what data may be processed and for which purposes (lawful basis, purpose limitation and data minimisation); and it imposes sanctions on companies that breach the rules. Furthermore, in the event of a personal data breach (any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, not only a theft by criminals), the data controller, that is the company itself, must notify the supervisory authority within 72 hours of becoming aware of it and, when the breach is likely to result in a high risk to the individuals concerned, inform them without undue delay. The Data Protection Officer (DPO), where one is appointed, is the person inside the organisation who oversees compliance and acts as the contact point for the authority, but the legal obligation to notify rests with the controller. A controller that fails to notify faces, on top of the consequences of the breach itself, the sanctions the GDPR provides for that omission.
In mid-2020 something changed regarding the consent that companies collect through web tools. In the two previous years many sites had treated a user scrolling down a page as consent to the processing. In May 2020 the European Data Protection Board's guidelines on consent, building on the case law of the Court of Justice of the EU, made explicit that consent must be an active, unambiguous act: scrolling or swiping through a page, or a pre-ticked box, does not count. This means that, to accept cookies, the user has to click on the consent banner, choosing whether to allow only the strictly necessary technical cookies (which need no consent at all) or the optional ones as well. This is why the consent banner now appears even on sites you visit frequently: until you have made an explicit choice, the site cannot assume one on your behalf.
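The behaviour described above, written out as an added example that is not part of the original article: a small consent gate in which only an explicit click on the banner counts as a decision, strictly necessary cookies are never blocked, optional cookies stay off until the user opts in, and the banner comes back whenever no decision valid for the current policy version is stored. The class and function names, the policy version constant and the cookie-to-category map are assumptions made for illustration; storage is injected so the code runs in Node without a browser.

```javascript
// Added example, not the article's code: a consent gate that treats only an
// explicit click as consent. Names, categories and the policy version are
// illustrative assumptions.

const POLICY_VERSION = 2;   // bump when the cookie policy changes; old consents expire

// Constructed mapping of cookie names to categories. "necessary" cookies need
// no consent; every other category is off until the user explicitly opts in.
const COOKIE_CATEGORIES = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  _ga: 'analytics',
  ad_id: 'marketing',
};

class ConsentManager {
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;   // any object with getItem/setItem (localStorage-like)
    this.now = now;
  }

  // Returns the stored decision, or null when the banner must be shown.
  current() {
    const raw = this.storage.getItem('consent');
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    // A decision taken under an older policy is not valid for the new one.
    if (rec.version !== POLICY_VERSION) return null;
    return rec;
  }

  needsBanner() { return this.current() === null; }

  // The only way to record consent: an explicit click on a banner button.
  // Scrolling, closing the banner or continuing to browse are not "unambiguous".
  handleEvent(evt) {
    if (evt.type !== 'click') return this.current();
    let categories;
    if (evt.target === 'accept-all') categories = ['analytics', 'marketing'];
    else if (evt.target === 'necessary-only') categories = [];
    else return this.current();   // any other click is not a consent decision
    const rec = { version: POLICY_VERSION, categories, at: this.now() };
    this.storage.setItem('consent', JSON.stringify(rec));
    return rec;
  }

  // Gate to call before writing a cookie or loading a third-party tag.
  canSet(cookieName) {
    const cat = COOKIE_CATEGORIES[cookieName];
    if (cat === undefined) return false;    // unknown cookie: deny by default
    if (cat === 'necessary') return true;   // no consent required
    const rec = this.current();
    return rec !== null && rec.categories.includes(cat);
  }
}

// In-memory stand-in for window.localStorage so the example runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// Walks through the cases the text describes and returns what each one yields.
function demo() {
  const cm = new ConsentManager(new MemoryStorage(), () => 1600000000000);
  const before = { banner: cm.needsBanner(), session: cm.canSet('session_id'), ga: cm.canSet('_ga') };
  cm.handleEvent({ type: 'scroll' });                    // scrolling changes nothing
  const afterScroll = { banner: cm.needsBanner(), ga: cm.canSet('_ga') };
  cm.handleEvent({ type: 'click', target: 'necessary-only' });
  const afterNecessary = { banner: cm.needsBanner(), ga: cm.canSet('_ga'), session: cm.canSet('session_id') };
  cm.handleEvent({ type: 'click', target: 'accept-all' });
  const afterAll = { banner: cm.needsBanner(), ga: cm.canSet('_ga'), ad: cm.canSet('ad_id') };

  // A consent recorded under a previous policy version: the banner comes back.
  const stale = new MemoryStorage();
  stale.setItem('consent', JSON.stringify({ version: 1, categories: ['analytics'], at: 0 }));
  const cm2 = new ConsentManager(stale);
  const stalePolicy = { banner: cm2.needsBanner(), ga: cm2.canSet('_ga') };

  return { before, afterScroll, afterNecessary, afterAll, stalePolicy };
}
```

In a real page the `canSet` check sits in front of every `document.cookie` write and every analytics or advertising tag loader; unknown cookie names are denied by default so that a newly added tracker cannot slip past the gate simply because nobody categorised it.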
What those who violate the GDPR risk: the sanctions
The GDPR also provides for heavy sanctions when a company's processing of data does not comply with its provisions or when the company fails to make the notifications it requires.
Fines fall into two tiers, depending on the seriousness of the violation. For the lower tier (for example, failing to keep a record of processing activities, failing to appoint a Data Protection Officer where one is required, or failing to notify a data breach) the fine goes up to 10 million euros or, if higher, 2% of the company's total worldwide annual turnover of the preceding financial year. For the upper tier (for example, processing without a valid legal basis such as consent, violating the rights of the data subject, missing or inadequate privacy information, or breaching the rules on international data transfers) the fine goes up to 20 million euros or, if higher, 4% of worldwide annual turnover.
For example, Alphabet, the holding company that controls Google and the other companies in the orbit of the Mountain View giant, has an annual turnover in the order of 46 billion dollars and, in the event of an upper-tier violation, could face a fine of up to about 1.9 billion dollars (4% of that turnover).
GDPR sanctions: the H&M case
Data management and protection, however, does not only concern customers and website users. Employee data too must be acquired, processed and stored in accordance with the General Data Protection Regulation. One example is H&M, fined over 35 million euros after it was found to be unlawfully profiling its employees. A configuration error that for a few hours made an internal network drive accessible company-wide brought a real case of internal surveillance to light: at least since 2014, the company's service centre in Nuremberg had been recording details of employees' private lives gathered in conversations with managers (holidays, illnesses, family circumstances, religious beliefs) and storing them, without any legal basis, on a network drive that a large group of managers could read.
A particularly invasive form of profiling, which obviously damaged the working relationship between the Swedish fashion group and its employees. The Hamburg data protection authority therefore fined H&M 35.3 million euros. For its part, the company apologised to the employees involved and overhauled the data protection arrangements of the office concerned.
A fine that also serves as a warning to every other company: the national authorities (in this case the German one, but the same rules and fine ceilings apply throughout the European Union, and they also reach companies established outside the EU that process the data of people in the EU) do not tolerate data breaches or processing that does not comply with the GDPR. Anyone found in breach will pay dearly for it.