According to the European Commission’s second report on the application of the GDPR, the accumulated amount of penalties as of July 2024 stands at €4.2 billion, with over 6,680 fines imposed [1].
GDPR enforcement
Despite more than half a decade of implementation, GDPR compliance and enforcement-related issues still require considerable effort to guarantee the adequate and harmonized protection of data subjects across the EU. Against this backdrop, the topic has stayed on the EU’s agenda throughout the past years. In April 2024, the European Parliament voted to strengthen GDPR enforcement through amendments to the GDPR Enforcement Procedures Regulation. More recently, the European Commission’s Second Report on the application of the GDPR was published (pursuant to Art. 97 GDPR). This important document highlights increased enforcement and the imposition of significant fines, especially against ‘big tech’ companies. Another important development was the publication of the EDPB’s Strategy 2024-2027, which reinforces the need for a common enforcement culture and effective cooperation.
Recently, the Dutch Data Protection Authority (DPA) took significant action against two companies, imposing hefty fines for serious GDPR infringements. The first fine, amounting to €290 million, resulted from a violation of the requirements for data transfers to third countries. The second high-profile sanctioning case, also decided by the Dutch DPA, resulted in a €30.5 million fine due to the violation of GDPR principles. Find out more about recent GDPR fines.
The role of compliance tools in mitigating GDPR risks
These recent fines demonstrate that, even after years of experience with GDPR application, companies still face ongoing challenges in building and maintaining adequate compliance programs. These difficulties are a significant pain point for data-driven industries, particularly in areas involving new technologies. However, they are not limited to this sphere and raise concerns that often hinder European businesses from embracing digitalization.
Since regulators anticipated many of the implementation hurdles seen today, the GDPR itself includes tools that, when well-designed, can significantly help businesses implement appropriate safeguards and mitigate the risk of fines. One such tool is the use of codes of conduct (pursuant to Art. 40 GDPR). A pioneering example of this is the EU Cloud Code of Conduct, which offers a structured framework to ensure compliance with GDPR requirements for cloud providers acting as processors (Art. 28 GDPR) and is subject to oversight by an accredited monitoring body (Art. 41 GDPR).
By adhering to the EU Cloud CoC, cloud service providers obtain legal proof of compliance, meaningfully reducing legal uncertainty and mitigating the risk of fines. Successfully passing the assessment by the Code’s monitoring body allows cloud providers to demonstrate their commitment to transparency and the implementation of robust data protection standards. Consequently, cloud users can more effectively perform their risk assessments by selecting providers that have adhered to the EU Cloud CoC, as listed in its official Public Register.
Conclusion
Alongside other enforcement actions, the recent decisions by the Dutch DPA serve as a stark reminder of the serious consequences of non-compliance with the GDPR. As enforcement intensifies, it is crucial for companies to leverage all available tools, including codes of conduct and certifications, to ensure that data subjects’ rights are respected and that the EU's digital transition progresses.
For more information on how the EU Cloud Code of Conduct can help your organization enhance its GDPR compliance and reduce the risk of fines, visit the Code’s website.
[1] Communication from the Commission to the European Parliament and the Council: Second Report on the application of the General Data Protection Regulation, 25.7.2024