Three years of GDPR: What actions should the companies take and the main non-conformities sanctioned so far

Firms must periodically review the compliance of their processing operations with applicable regulations (including the verification of it security measures implemented), regularly verify how persons empowered to process data on behalf of the company (third party companies) comply with the GDPR, but also that it is of particular importance that the employees of the company receive regular training on both the provisions of the GDPR and the relevant domestic legislation and on the way in which they should act in case of an ANSPCP control.

The highest fine given in the last three years is 150.000 euros, but the majority were between 1.000 and 20.000 euros.

Main non-compliance:

• the lack of appropriate technical and organizational measures;
• processing of data without a legal basis;
• failure to respect data subjects’ rights (opposition marketing communications, access, deletion);
• firms have not ensured that employees act only on instructions;
• failure to comply with the GDPR principles;
• irregularities in informing data subjects;
• the firms have not provided the requested information to the authority;
• failure to comply with corrective measures imposed by the authority;
• failure to notify the authority in the event of a security incident;
• lack of security measures under Law 506/2004,
• failure to comply with the provisions on unsolicited communications of Law 506/2004.