GDPR decisions – October 2020

Holst, Advokater | View firm profile

All-time high fine of GBP 20 million imposed on British Airways for data breach

The Information Commissioner’s Office (the ICO) has given a penalty notice of GBP 20 million (about EUR 22 million) to British Airways (BA) for infringements of the GDPR in 2018 affecting more than 400,000 of the company’s customers.

Although the fine constitutes the highest fine amount ever imposed by the ICO on a company, the amount is considerably less than the fine of GBP 183 million originally notified in 2019 by the ICO against BA. However, in its decision, the ICO stated that the general economic consequences of the Covid-19 pandemic played a role in determining the size of the fine.

Between 21 August 2018 and 5 September 2018, hackers were successful in gaining access to BA’s systems through the company’s website and app, and installed malware enabling them to copy names, travel information, email addresses, credit card data and numbers, expiry dates and CVV codes of customers entering such data on the website or in the app.

BA only became aware of the attack about two months later, upon which the company immediately notified the ICO of the incident.

A review of the company’s safety procedures found that BA had not activated multi-factor authentication, even though such was technically possible to do on the platform held by BA at the time.

The size of the penalty shall be seen in the light of the fact that BA did not efficiently protect its website and app – and thereby also its customers – against a hacker attack and subsequently did not discover that an attack had been made which entailed substantial consequences to more than 400,000 customers.

The whole decision is available here:

H&M is given maximum GDPR fine yet in Germany of EUR 35 million for illegal surveillance of employees

The German DPA in Hamburg, Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, has imposed Swedish clothing giant H&M a fine of approx. EUR 35 million for illegal surveillance of its employees at the company’s service centre in Nuremberg, Germany.

Since 2014, a large number of employees had been subject to substantial registration of details about their private life. Following absence from work such as holidays and illness, the company’s team managers conducted so-called ‘welcome-back conversations’ with their employees. Not only the employees’ specific holiday experiences were registered, but also symptoms of illness and diagnoses.

In addition, several managers had obtained knowledge about the employees’ private life, which included both general harmless information, but also information about family problems and religious beliefs, which are characterized as sensitive personal data in the GDPR and thus particularly worthy of protection.

Due to a technical error, the company’s registration of personal data was revealed in October 2019, when the data became available to the entire company for several hours.

H&M has since apologised towards those employees affected in Nuremberg.

The fine is the highest GDPR fine ever issued in Germany since the GDPR came into force on 25 May 2018 and the second highest issued in the whole of Europe.

Google remains the company that has been fined the highest penalty when fined EUR 50 million by the French DPA for illegally targeted ads in 2019 (see Holst, Advokater’s coverage of the French decision here:


The press release regarding H&M can be read in full here (in German):


SDC A/S criticized for inadequate risk assessment

In connection with a planned written inspection at Danish company SDC A/S (which provides IT platforms and solutions for Nordic banks) about the company’s use of data on physical individuals in test environments and the company’s use of sub-data processors, the Danish DPA looked into whether SDC A/S had performed the necessary risk assessment regarding the data subjects’ rights when using data on physical individuals for tests.

According to the GDPR, data controllers and data processors must ensure, on the basis of a risk assessment regarding the rights of the individuals concerned, that appropriate security measures are established. According to the Danish DPA, such an assessment must at least address:

  • relevant threats to the confidentiality, availability and integrity of the data processed about the individuals concerned;
  • assess whether it is likely that a threat will actually affect the processing activity in question; and
  • for each threat assess any possible consequences for the individuals.

On the basis of the likelihood and consequences of each threat, the risk may be assessed, including taking into account any existing measures that may have been taken.

Following a review of the material submitted by SDC A/S to the DPA, the supervisory authority considered that the company’s risk assessment did not contain the above-mentioned elements.

The DPA found that SDC A/S had not taken any risk-based approach to secure processing of data, and hence criticised the company for this.

The decision can be read here (in Danish):




Henrik Christian Strand, Associated Partner


M, +45 3010 2186


Pernille Kristensen, Attorney


M, +45 3010 2224



More from Holst, Advokater