GDPR and sanctions, what they are and what companies risk: the H&M case

On 25 May 2018 the web changed once and for all, at least in Europe. Even if many didn't realize it at the time, that is the day the GDPR entered into force: the regulation wanted by the European Commission to standardize the rules on the processing of citizens' data throughout the Old Continent (including Switzerland). The GDPR, in particular, transposes, "incorporates" and replaces all national regulations on the processing of personal data and the protection of privacy.

What exactly has changed compared to the past, though, and what do companies need to do to avoid violating the GDPR? And what are the penalties for those who violate it? Let's understand everything by analyzing a practical case.

What is the GDPR

Acronym for General Data Protection Regulation (Regolamento generale sulla protezione dei dati in Italian), the GDPR is the set of rules and regulations that everyone who processes web users' data must comply with. In particular, the GDPR deals with the processing of users' personal data by companies, the storage of that data by those companies, and the possibility for users themselves to manage their data in a simple and immediate way.

GDPR: what it provides

The key points around which the entire structure of the GDPR revolves are essentially two:

  • Simplify the regulatory framework in which companies find themselves moving in the European Union market (and other countries that have a treaty with the EU);
  • Give users greater control over their data, from the moment it is acquired by the company until it is deleted.

For this to be possible, the GDPR requires companies to make consent requests clearer and more "readable" for users; it sets limits on the processing and use of data; and it imposes sanctions on companies that violate the data processing rules. Furthermore, in the event of a data breach (a loss of data, usually resulting from a theft carried out by criminals), the data controller (a professional within the company, called the Data Protection Officer or DPO) is required to notify the authorities and the legitimate owners of the data as soon as possible. If this does not happen, the penalties provided for by the GDPR become even harsher.

In mid-2020 a novelty arrived regarding consent to the processing of data that companies collect through web tools. In the previous two years it was sufficient for the user to scroll part of a web page for consent to processing to be considered acquired. A ruling by the European Court of Justice established that consent must be active and unambiguous. This means that, to accept cookies, the user must click on the consent banner, choosing whether to authorize only the strictly necessary technical cookies or all cookies. This is why, for example, you see the consent banner more and more often, even on sites you visit frequently.

What those who violate the GDPR risk: the sanctions

The GDPR also provides for quite heavy sanctions when a company's processing of data does not comply with its provisions, or when the company fails to make the required notifications.

Sanctions are of two types, depending on the seriousness of the violation committed. For minor violations (such as the lack of a data processing register, failure to appoint a data controller, or failure to notify a data breach) the penalty is up to 10 million euros, or 2% of worldwide turnover if that is higher. For serious violations (such as the lack of consent to processing, violation of the rights of the data subject, missing or unsuitable privacy information, and violation of the provisions on data transfer) the fine is up to 20 million euros or 4% of worldwide turnover.

For example, Alphabet, the holding company that controls Google and all the companies in the orbit of the Mountain View giant, has an annual turnover of 46 billion dollars and, in the event of a serious violation, could be forced to pay a fine of up to 1,9 billion dollars.

GDPR sanctions: the H&M case

The management and protection of data, however, does not only concern customers and users of a website. Employee data must also be acquired, processed and archived in accordance with the provisions of the General Data Protection Regulation. One example is H&M, fined over 35 million euros after it was discovered to be illegally profiling its employees. A data breach in fact uncovered a real case of internal espionage: since at least 2014, H&M had been recording data, information and conversations of its employees, archiving everything (without authorization) on private servers.

This was a particularly invasive profiling activity, which obviously had a negative impact on the working relationship between the Swedish fashion giant and its employees. The Hamburg data protection authority therefore fined H&M 35,3 million euros. For its part, the company apologized to the employees involved in the scandal and radically reorganized the office.

The sanction also serves as a warning to all other companies: the national authorities (in this case the German one, but the sanctions are the same throughout the European Union and also apply to companies based outside the EU's borders) do not tolerate data breaches or data processing that does not comply with the provisions of the GDPR. Anyone caught in the act will pay heavily for their behavior.