24 comments

[ 3.2 ms ] story [ 59.0 ms ] thread
130.000€ fine for a bank with 320M€ of revenue in 2015 (see [0]) doesn't seem too much...

[0] https://en.wikipedia.org/wiki/UniCredit_Bank_Romania

It's a start. You've got to start somewhere.
But if you start that low is gonna be hard to fine later on for more.

e.g. Why I have to pay 10kk when Unicredit Bank pay only 130k?

Because the fines are not arbitrary, but progressively larger after each offense :)
That puts an incetive to crime an industry early, before the first small fines.
it's not a global counter, it's a per-infringer counter.
>Why I have to pay 10kk when Unicredit Bank pay only 130k?

Grandparent comment implies otherwise.

The general advice leading up/immediately after was that the fines would start relatively small, and then progressively grow to 10% of global revenue if they kept violating the law
As long as it's enough for them to fix whatever they were doing wrong, I'd say the fine doesn't necessarily have to be punitive
My understanding is that the first fine is a shot across the bow. Now that they've been found in violation, any future violation will hold a harsher penalty.
also: the collaboration of the party is accounted for when applying the fine. The regulation attempts to get parties to behave well, not just to punish them.
Notice there are some differences though:

* google was found in violation of 7 different articles

* it was considered to not have done anything to stop the problem and had reiterated the offense

* the issue affected a significantly larger amount of users (e.g. all android users in france)

The fundamental role of the regulator is to ensure compliance with the regulations. Regulators must consider a number of factors before deciding whether to issue a fine and the size of that fine. The regulations provide for a very high maximum fine, but that would only be appropriate where the regulations have been intentionally, grievously and repeatedly breached. In the case of an unintentional breach with relatively minor consequences that is swiftly addressed by the controller, a small fine (or no fine at all) would be entirely appropriate.

https://gdpr-info.eu/art-83-gdpr/

It's easier to fine them 1.3 million for the next offense after this fine for the first. And so on.
Note this seems to be the first fine in Romania. It's far from the first fine ever: http://www.enforcementtracker.com/
There are two firsts here:

1) The first fine by the Romanian supervisory authority; and

2) The first fine for breach of Article 25.

That's why I chose first Art. 25 fine as the original submission title.

> The sanction was imposed following an intimation addressed to the National Supervisory Authority

Can anybody just shoot them an e-mail to start an investigation?

I'm in the UK, and yes you can just send an email to ICO here. I contacted them about an issue with Amazon using their order update system for marketing purposes despite having opted out of marketing communicatoins, they weren't very helpful.
I have an outstanding complaint about illegal collection of biometric information and they have proved less than helpful also. The ICO doesn't really function, it never did enforce the data protection act before and so far there appears to be little change with GDPR.

Justice is not just about the law as written but also whether it can be enforced, the GDPR is not enforced in any meaningful way in the UK and companies know that.

Having a lot of experience with Romanian authorities, that's a resounding no. You can be sure a reasonably powerful political player pulled the strings on this.
Romanian here - can confirm your statement is accurate. The person in charge of Romania's GDPR enforcement agency is politically nominated by Romania's leading party - the party which made corruption semi legal. She is under investigation by Romania's Anti Corruption Directorate for illegal land restitution, and is reported to have made anti EU and anti US statements. She also threatened an enormous fine, using the GDPR regulation, for those who exposed the illegal activity of Romania's former defacto leader, imprisoned 4 months ago.

So yeah, this case raises eyebrows, given most foreign banks in Romania are proteges of corrupt politicians and the GDPR agency is lead by members of an infamously corrupt party. Perhaps this bank did something right, to actually get the fine.

Notice that in a free market economy people who want to retain privacy wouldn't provide their address to the bank in the first place. And banking services would be safer and cheaper.

But thanks to the overreaching governments, banks must collect that info.

And because government bureaucracy can only grow bigger, instead of eliminating Stalinist data gathering (privacy by design doesn't apply in this case!), the morons impose additional laws, workloads and costs on top of an already heavily regulated sector.

Finally, when TSHTF it is the guilty party and root cause of these problems that fines those who can't (or justifiably won't) cope with their nonsense.

Do you know some case of a foreign company outside Europe being fined about GDPR?