On the 10^th March 2017, the Italian Data Protection Authority – The Garante – fined five companies more than 11 million euros for unlawful processing of personal data.

This decision from the Italian Data Protection Authority demonstrates a willingness from at least one EU data protection agency to levy fines that appear consistent with the GDPR, although not yet in force.

In this case, the companies were making money transfers to China on behalf of individuals without their knowledge or agreement to hide the identity of the real transferors. Therefore they did not have the individuals’ consent to process their data in this way.

Then future

The Garante has shown with this decision that it is already moving towards a GDPR sanctions regime although not in force until May 2018. This is good news for the GDPR as an enforcement mechanism, however not for companies who choose to ignore and understand the importance of consent under the GDPR!

This will become more important under the GDPR as consent is one of the lawful bases of data processing and companies must ensure they have valid consent to process data in this way. If they do not have consent, and cannot rely on another lawful basis of processing, the company will be unable to process data legally.

This decision hints at a tougher approach by EU data protection bodies under the GDPR for breach of consent, a topic we have been talking a lot about in recent times!

Under the GDPR, companies can be sanctioned for a breach with fines of up to 20 million euros or 4% of their annual worldwide turnover, whichever is higher.

Therefore the GDPR is not to be brushed aside as non-compliance could be extremely costly for organisations.