If we ask about personal data and the importance of its protection, the answer we receive is most likely completely different today than it would have been five years ago. One of the reasons lies in the evolution of technology and the growing risks associated with the misuse of personal data (the commission of cybercrime, identity theft, deep fakes, the presence of AI…), which has led to a much greater awareness among the population.
As proof, the 2023 annual report of the Spanish Data Protection Agency (‘AEPD’) noted a 43% increase in the number of complaints received compared to the previous year.
In addition, regulation has made the protection of personal data an increasingly important part of people's daily lives. Since the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council, commonly known as the General Data Protection Regulation ('GDPR'), no company (whether European or one that targets or processes the data of European citizens) escapes the duty to comply with certain data protection obligations if it does not want to be sanctioned by the competent data protection authorities.
The competent data protection authorities
These competent authorities are, as established in Article 51 of the GDPR, independent public authorities appointed by each EU Member State with the task of supervising the application of the Regulation (and, it should be added, of the national rules that develop and complement the GDPR in each case). These authorities are vested with the power to investigate, audit regulatory compliance and sanction the obliged parties in the event of any infringement committed. In the case of Spain, the competent authority is the aforementioned AEPD.
Legal and economic consequences of non-compliance with the GDPR
Non-compliance with data protection regulations can therefore lead to different types of sanctions: from warnings or reprimands to financial penalties that can reach sums in the millions of euros.
The AEPD is one of the most active European data protection authorities in terms of the number of sanctions imposed. In 2023 it imposed a total of 367 financial penalties, amounting to €29,817,410 (an increase of 44% over the previous year).
Of the different sanctions provided for in the GDPR, the fine may be the most feared in practice, particularly given the amounts it can reach: the GDPR establishes that the maximum fine can reach 20 million euros or, in the case of a company, an amount equivalent to 4% of its total annual global turnover (whichever is greater).
As proof that this sanctioning regime is a reality for companies, below is a small list of the heaviest sanctions imposed by the AEPD in recent years:
Endesa: sanction of 6.1 million euros
Caixabank: sanction of 5 million euros
Openbank: sanction of 2.5 million euros
BBVA: sanction of 1.6 million euros
The importance of protecting personal data
In view of the above, if you are wondering whether the protection of personal data should be a priority in your company, the answer is an emphatic yes. It is not only in your interest, to avoid being sanctioned, but also serves the well-being of all individuals whose personal data is processed: it respects their right to maintain proper control over its use and helps prevent them from becoming victims of increasingly common cybercrimes.
At this point, it is undeniably important to turn to privacy and data protection professionals to help you comply with data protection regulations and the complex obligations they entail. Personal data is an invaluable asset in today’s society and as such must be protected.
Article written by
Attorney – Privacy & IP
About Metricson
With offices in Barcelona, Madrid, Valencia and Seville and a significant international presence, Metricson is a pioneering firm in legal services for innovative and technology companies. Since its inception in 2009, it has advised more than 1,400 clients from 15 different countries, including startups, investors, large corporations, universities, institutions and governments.
If you would like to contact us, please do not hesitate to write to us at contacto@metricson.com. We look forward to talking to you!