Investigating GDPR Fines in the Light of Data Flows
Authors: Marlene Saemann (Bosch), Daniel Theis (Institute for Internet Security), Tobias Urban (Institute for Internet Security & secunet Security Networks AG), Martin Degeling (Ruhr University Bochum)
Volume: 2022
Issue: 4
Pages: 314–331
DOI: https://doi.org/10.56553/popets-2022-0111
Abstract: While GDPR-related fines against big companies like Amazon or Google have seen widespread media attention, data protection authorities have issued several hundred more penalties since 2018. This work analyzes 856 fines and their summaries provided by the CMS Law GDPR Enforcement Tracker. We extend the methodology of previous work that evaluated GDPR fines and, in particular, explore the fines in the light of data flows and perform a detailed categorization. Our analysis shows that a combination of technical and organizational issues is typically involved when a fine is imposed. Moreover, data protection authorities more often react to data subjects’ complaints when data breaches become public and when health-related data is involved. We further show that the root causes for fined data processing lie in the early data life cycle phases (e.g., data collection). Here, organizational problems are more prevalent (601 fines) than technical issues (314 fines), while technical issues are mentioned more often in later life cycle phases (e.g., retention, access and usage). Fines especially target mistakes in the early phases of the data collection process (e.g., a lacking legal basis) and unauthorized disclosure in later phases. We cluster the most frequent words and analyze their relations to understand where data controllers put personal data at risk. The results confirm that access management is a common problem that results in the unintended disclosure of data.
Keywords: data protection, privacy, GDPR fines, personal data life cycle, word frequency analysis, NLP, access management, health-related data
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.