The Controversy of Record Fines

Lilly Horn

30 October 2023

In recent years, record-breaking fines for data privacy violations have made headlines, putting companies like Google, Meta, and TikTok in the hot seat. These high-profile cases highlight the pressing need for companies to take data privacy seriously and adhere to the General Data Protection Regulation (GDPR). In this blog post, we will examine two such cases, Spotify and EOS Matrix, and explore the implications of these fines. We'll also discuss whether hefty fines are the most effective way to enforce data protection or whether alternative penalties may be more fitting.


A) Spotify AB: A Case of Incomplete Transparency

On June 13, 2023, Spotify AB was hit with a significant fine of 4,992,083 EUR for failing to adequately comply with the right of access enshrined in the GDPR. While Spotify did provide personal data upon request, they fell short in informing requesters about how this data was used internally. Vital information, such as the origin and recipients of personal data or details regarding international transfers, remained undisclosed. Spotify also only disclosed a partial dataset without providing data subjects with access to the rest.


Key Takeaways:

  • Transparency is key: Data subjects should easily understand how their data is used.
  • Full disclosure is vital: All information required under Article 15 of the GDPR must be provided.


B) EOS Matrix doo: Neglecting Data Security and Relevance

On October 5, 2023, EOS Matrix doo received a substantial fine of 5,470,000 EUR for multiple breaches of data protection. An anonymous tip-off alerted authorities to EOS Matrix's unauthorized processing of personal data. Shockingly, data on 181,641 debtors was found on an attached USB stick, and the lack of technical safeguards allowed unauthorized access to this information. Furthermore, EOS Matrix stored data on individuals irrelevant to their lawful business operations, including sensitive health-related data, without necessary consent or legitimate interest.

Key Takeaways:

  • Data security is non-negotiable: Robust technical safeguards are essential to protect sensitive data.
  • Collect and store only what's relevant: Ensure data pertains directly to legitimate business operations, with proper consent or legitimate interest.


Data Privacy Violations Under the Lens

As we delve into the world of record-breaking fines for data privacy violations, it becomes increasingly evident that data protection is a cornerstone of our digital age. While these fines have undoubtedly raised eyebrows and sparked discussions, it's essential to consider the broader implications.

The surge in fines, exemplified by the cumulative 4.4 billion Euros in penalties as of October 2023, underscores the growing concern for data protection. This commitment from authorities signals their determination to safeguard personal data, which is, undeniably, a crucial aspect of our digital lives.

Yet, we must question whether these substantial fines represent the most effective long-term solution for ensuring data privacy. While they do capture public attention and compel companies to adhere to the GDPR, we must ask whether there are alternative penalties that could prove equally or even more effective.

Consider, for instance, the recent ruling by the Italian data protection authority, which imposed a mandate to restrict or halt the processing of personal data. This kind of action can carry significant implications, particularly for companies reliant on data-driven business models. It challenges the status quo and forces businesses to reconsider their data practices.


How Can Kertos Help?

Kertos stands as the game-changer in data protection. Our platform empowers companies by streamlining regulatory compliance and automating data protection processes, resulting in substantial time and resource savings. Through seamless integration of data silos and systems, Kertos simplifies the complex landscape of data protection.

Our expertise lies in effortlessly connecting data silos and systems, enabling companies to merge data with ease at the click of a button. This integration not only saves valuable time but also optimizes resource allocation. With Kertos, there's no need to rely on outdated and unreliable Excel spreadsheets. We've transformed data protection compliance into a user-friendly and straightforward process, eliminating the need for a team of experts; it's as simple as a click.

Kertos also empowers end-users to request transparent and comprehensive data, providing them with clear insights into their personal information. This transparency fosters trust and aligns seamlessly with data protection regulations. Furthermore, Kertos redefines automation, tackling tasks that once consumed days or weeks of human effort. From responding to customer inquiries to managing the procedure directory and controlling personal data, everything is now fully automated, removing the need for human intervention or IT expertise.

In conclusion, while record fines have their place in the enforcement of data protection, it's crucial to maintain a balance between deterrence and proportionate punishment. As the data protection landscape evolves, we should be open to exploring innovative and multifaceted approaches to ensure the safeguarding of personal data while respecting the principles of justice and fairness.