Sometimes you don't even know what to think. Is there a reason why so many people are interested in not doing things right? Really, is it easier to just jump in and improvise and ignore all kinds of regulations, really? This issue comes after a report that indicates that Spain leads the way in non-compliance with the GDPR with 594 fines imposed in five years, more than double that of Italy, the second-ranked country with 246 sanctions. The General Data Protection Regulation (GDPR) came into force in May 2016 and became mandatory, just over five years ago, in May 2018.
Despite being a regulation that allows a lot of autonomy to those who process personal data, it also has clear limits, recommendations and criteria. There are always exceptions, especially with emerging issues such as artificial intelligence, obviously. Even in the sanctions section, it is clear. That is why it is surprising that after five years of application of the GDPR, trends such as the one indicated for Spain are being observed.
During this period, around 1,700 fines were imposed on organisations in both the public and private sectors. These penalties total around 2.5 billion euros. On 71 occasions, the fines exceeded one million euros, demonstrating the severity of the penalties applied. It should come as no surprise that there can be high penalties.
In terms of the highest fines, the case of Amazon in Luxembourg stands out, sanctioned in 2021 with 746 million euros. However, this record was recently surpassed by Ireland, which imposed a fine of 1.2 billion euros on Facebook, raising the total to 3.7 billion. Ireland has been characterized by issuing some of the most severe sanctions, including one of 405 million euros, another of 265 million euros and a third of 225 million euros.
In this context, Spain has stood out not so much for the amount of fines but for the number of sanctions imposed. Spain is credited with a total of 594 fines, placing it at the top in terms of number of infringements compared to other EU countries. Italy ranks second with 246 fines, well below the Spanish figure.
What is going wrong here? When analyzing the reasons for the sanctions, it is observed that the most common infringement is related to Article 5 of the GDPR, which refers to the processing of personal data. Almost 60% of the sanctions imposed have been linked to how the appropriate processing and protection of private information is guaranteed. Another reading can also be made: is the Spanish authority more rigorous when it comes to monitoring the protection of citizens' privacy and information security?
