17 May 2021


During 2020, the total fines imposed on different infringements throughout the EU member states, as well as the UK, Norway, Iceland and Liechtenstein was of €272.5 million. This was reported in the DLA Piper GDPR fines and data breach survey for 2020.

With €69.3 million in fines, the Italian regulator topped the list for the total fines imposed since GDPR came into force in May 2018. Italy was followed by Germany and France who totalled an aggregate of €69.1 million and €54.4 million respectively.

The highest fine last year was imposed on H&M Hennes & Mauritz Online Shop A.B. & Co. KG. for illegally storing employees’ personal data. The company suffered a fine of €35,258,708.

As announced during last year’s GDPR conference, the office of the Information and Data Protection Commissioner started publishing the local legally binding decisions. While the highest fines in Malta were imposed for an ill addressed Subject Access Request and the unsolicited sending of direct marketing communications, most of the local cases were investigated following a complaint while only 37% of the cases were as a result of a personal data breach. 29% of the investigated controllers were landed with a fine while only one case ended up with no corrective action against the controller. In most of the other cases the controllers were reprimanded.

Most of the case in Malta dealt with disclosure of data to the wrong data subjects, followed by CCTV cameras issues. In the first case most of the errors seem to have been caused through emails, while in the CCTV revolved around the capturing of public access areas and, or spaces.

During the coming week’s GDPR conference organised by Advisory 21 we will bring you more in-depth details of a number of local and international cases were Dr Roselyn Borg and Dr Sarah Cannatci will highlight the shortcomings as well as suggest mitigation measures to avoid similar irregularities.

During the last year,  the European Court of Justice (ECJ) struck down the validity of the EU – US Privacy Shield data flow agreement, which had provided for the safe transfer of data between the EU and the USA. We will investigate cases where companies still transferred data to the US without taking the appropriate measures following the ECJ decision, including a case involving the widely used email marketing software mailchimp.

Angelito Sciberras will be asking the Information and Data Protection Commissioner, Mr Ian Deguara, those questions which you might have brought up with us during our meetings and events. We will go into international cases and understand the local implications. Has the data privacy awareness campaign among the general public left an impact?

The conference will be addressed by the Legal and Policy officer at DG JUST of the European Commission, Dr David Ciliberti as well as Mr Axel Voss, Member of the European Parliament and considered to be one of the fathers of the GDPR who has recently launched an EU wide appeal for input, from citizens and businesses, on the Regulation.

This half day conference is being held online from a TV studio, starting at 9.30hrs. More information.