Defense Against GDPR Sanctions
According to the 2023 Annual Report of the Spanish Data Protection Agency (AEPD), a total of €14,788,637.08 in fines was collected for that fiscal year. Previous reports show a quantitative and qualitative increase in public concern over data protection, as reflected in the volume of claims filed with the Agency in recent years. In particular, there was a 43% increase in claims filed in 2023 compared to the previous year, surpassing 21,000 cases.
The number of data protection claims has reached historic levels in recent years, highlighting growing concerns and disputes around privacy in an advanced technological environment. Emerging technologies like artificial intelligence, biometrics, and big data are introducing new challenges in data protection, complicating cases and leading to more frequent and substantial fines.
This situation requires constant adaptation by companies and organizations handling personal data, which must not only comply with regulations but also quickly adjust to new guidelines and data protection requirements to avoid significant penalties. To expedite responses to these claims and mitigate risks, measures such as the “transfer” mechanism have been implemented, allowing certain inquiries to be resolved without initiating a formal procedure, thus reducing response times.
The Economic Significance of GDPR Compliance
The total fines imposed in 2023 reflect the stringent sanctions regime of the GDPR, alongside the guidelines established by the European Data Protection Board (EDPB) and the directives published by the AEPD.
Regarding sanctioning procedures, the most frequent area of concern is video surveillance (with 164 procedures initiated), while the highest volume of fines pertains to cases involving personal data breaches. The largest fine imposed in 2023 was against CaixaBank, S.A., a financial sector company, for violating Articles 5.1(f), 25, and 32 of the GDPR, resulting in a fine of €5 million.
The impact of these sanctioning procedures, which serve as a deterrent for businesses, is evident in the reduced fines imposed on the internet services sector. In the previous year, a procedure against Google, LLC alone resulted in a €10 million fine.
In 2023, claims related to unsolicited advertising saw a notable increase, rising by 114% from 2022 and ranking as the primary complaint category, constituting 20% of all claims received. Other significant claims and procedures include:
- Fines of €2,000 for entities engaging in unsolicited telemarketing calls, constituting a violation of Article 6.1 of the GDPR.
- Fines of €5,000 and €3,000 for messaging applications and services that improperly disseminated personal data, sanctioned under Articles 5.1(f) and 32 of the GDPR.
- Fines of €20,000 and €40,000 for inadequate security measures, violating Articles 5.1(f) and 32 of the GDPR, with affected individuals’ data being found on the Deep Web.
- Fines of €10,000, €20,000, and €50,000 against healthcare entities involved in data breaches and ransomware-related cyber incidents, violating Articles 5.1(f), 32, and 34 of the GDPR.
- Fines of €50,000 imposed by EEA supervisory authorities, focusing on sanctions under Articles 13, 14, and 5.1(a) of the GDPR.
The Importance of Specialized Legal Advice in Data Protection
To reduce the risk of fines and inspections by the AEPD and other European authorities, it is essential to have quality legal counsel.
As a law firm specializing in data protection, we have a team of highly qualified experts in this area. Our services include:
- Managing information requests from the AEPD.
- Filing administrative appeals against unfair sanctions.
- Adapting to compliance guidelines set by the relevant authorities.
Our personalized and close approach ensures that each client receives tailored advice suited to their needs, guaranteeing the highest level of comfort and success in each process.
For more information, answers to questions, or to request our services, please do not hesitate to contact us. We would be delighted to help you protect your business from GDPR sanctions.