Oct 7, 2024
Against a background of rapid technological development and the legislation on personal data protection that has followed it, companies and organizations are now obliged to comply fully with the rules imposed by the EU. The General Data Protection Regulation (EU) 2016/679 (GDPR) and Greek Law No. 4624/2019 set out detailed requirements for the collection, storage, and management of personal data by businesses. Strict adherence to the provisions of the GDPR is an obligation, not a choice, and failing to apply them, or applying them inadequately, carries severe and costly consequences.
Every day, thousands of citizens freely hand over personal data, whether on printed forms, over the phone, or online, from which their identity can be determined directly or indirectly. Companies, acting as data controllers, typically collect a minimum of contact information from data subjects (the citizens): names, addresses, telephone numbers, and email addresses, which are deemed necessary to complete the intended transaction (the formation of a contract). In recent years, a substantial volume of citizens' personal data has been found to be collected by telecommunications companies and by transportation service providers such as taxi and ride-hailing applications like Uber. But what happens when a company does not process personal data in the lawful manner the GDPR requires? How costly can a violation be for the company?
In Greece, a well-known case that engaged the Hellenic Data Protection Authority (HDPA) involved the unlawful processing of data by Cosmote/OTE. According to Decision No. 4/2022, the HDPA, following the company's notification of a personal data breach, identified a massive leak of subscriber call data together with a series of GDPR violations: breaches of the principle of lawfulness and the principle of transparency, unclear and incomplete information provided to subscribers, and a lack of security measures (Articles 5(1), 13 and 14). For the established violations, the HDPA imposed a fine of €6,000,000 on COSMOTE, together with an order to cease the processing and destroy the data, and a fine of €3,250,000 on OTE.
Internationally, a notable data breach case involved Uber Technologies, which came under scrutiny from both the Italian and the Dutch supervisory authorities. In 2022, following complaints and investigations, the Italian authority fined Uber €4,240,000 for violations affecting 1,500,000 data subjects (drivers and customers) in Italy, including a lack of transparency and consent and a failure to notify the authority of a personal data breach. Then, in 2024, the Dutch authority found that the same company had been transferring the personal data of European drivers to the United States without taking the measures necessary to safeguard such transfers, and imposed a record fine of €290,000,000. The data Uber collected as data controller and stored on servers in the United States included contact details (name, surname, telephone number, and email), account details, location data, photos, payment information, identity documents, application access credentials, and sensitive data of the European drivers, including criminal and medical data.
Fines of this size are considered strict and exhausting for businesses, but they are justified by the stringent nature of the GDPR. The penalty framework that Article 83 of the GDPR defines for businesses and organizations is unyielding. The Regulation set out to create a coherent framework of fines across the European Union as a means of enforcing compliance with the data protection rules; each member state retains discretion to supplement these with its own penalties, but always in a way that keeps them effective and dissuasive. In recent years the imposition of fines on businesses has become routine, and the amounts involved are enormous. This follows from the way the GDPR sets the ceilings: infringements are divided into two tiers. The first tier carries a maximum fine of €10 million or 2% of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher; the second tier carries a maximum of €20 million or 4% of that turnover, whichever is higher.
The above demonstrates that safeguarding and correctly processing personal data is of paramount importance for businesses and that violations carry severe consequences. Supervisory authorities are increasingly imposing fines to ensure that organizations and companies take the GDPR seriously and to raise awareness of the value of personal data protection. The threat of financial penalties inevitably pushes companies to implement the GDPR in full and to take appropriate measures to protect the personal data of the subjects whose data they process. With the assistance of specialized consultants, companies must prepare themselves and comply with the Regulation's requirements. Therefore, following the EU's guidelines, businesses and organizations must develop strategies, plans, and frameworks for regulatory compliance in order to avoid the overwhelming financial consequences of a GDPR violation.