Publication 13 May 2025 · International

GDPR Enforcement in Public Sector & Education

Deep dive into relevant data protection enforcement cases and insights for public sector & education


In the public and education sector, DPAs from 25 different countries have imposed a total of 270 fines (+27 in comparison to the 2024 ETR) on representatives of local governments (such as mayors), police officers, schools, universities and other public bodies or educational institutions amounting to a total of more than EUR 29.3 million (+EUR 1.8 million in comparison to the 2024 ETR).

In a pattern broadly consistent with the overall distribution of GDPR fines in the Enforcement Tracker, fines related to insufficient legal basis for data processing (90 fines in total) and insufficient technical and organisational measures (76 fines in total) make up the majority of fines in the public and education sector. The overall second largest type of GDPR violation (non-compliance with general data processing principles) is less relevant in the public sector and in education but has increased significantly in the recent past (53 fines in total).

Let's take a closer look

  • Since the Covid-19 pandemic, the use of digital products (e.g. messenger apps or video conferencing tools) by universities or schools, in particular for holding online classes and examinations, has increased significantly. In this context, numerous fines for violations of the GDPR were issued for the use of software products/IT systems. For example, the Italian DPA (Garante) imposed a fine of EUR 200,000 on Bocconi University for the use of remote monitoring software in online examinations (ETid-876). Although students were video monitored and snapshots were taken of them, they were not properly informed of the data processing. In other cases, fines were imposed on schools that processed special categories of personal data such as biometric information (e.g. using facial recognition technology for monitoring student attendance, see ETid-67). DPAs have been especially critical of potential harm to children's data: the Icelandic DPA (Persónuvernd) imposed fines between EUR 13,300 and EUR 20,000 against five municipalities that had used a digital education system in schools but failed to provide a data processing agreement compliant with the GDPR. In these cases, particular consideration was given to the fact that children's data were affected (ETid-2139, ETid-2140, ETid-2141, ETid-2142, ETid-2153).
     
  • The number of fines for insufficient data security measures has also increased. The UK DPA (ICO) sanctioned the Police Service of Northern Ireland (PSNI) with a fine of £750,000 (EUR 907,000) for a severe data breach that exposed personal details of all 9,483 PSNI officers and staff (ETid-2555). The breach occurred when a spreadsheet published in response to a Freedom of Information request mistakenly contained hidden data revealing surnames, initials, ranks, roles and other sensitive details, causing significant distress for PSNI officers and staff. The ICO found that the breach could have been prevented through simple-to-implement procedures. Given the security risks associated with the exposure, particularly in the context of Northern Ireland’s political environment, the DPA acknowledged the potential for intimidation and harm. Further, the Italian DPA imposed a fine of EUR 25,000 on Innova Camara, a special agency of the Rome Chamber of Commerce (ETid-2334). Innova Camara had suffered a cyber-attack during a server migration, in which a database with the personal data of 22,000 users was accessed and malicious files allowing backdoor access were inserted. The DPA found that the controller had used weakly encrypted passwords and left a backup copy of the database unsecured during the server migration. Similarly, the Cypriot DPA imposed a fine of EUR 45,000 on the Open University of Cyprus after hackers published personal data of students, alumni etc. on the dark web (ETid-2144). In both cases, the DPAs found that the controllers had failed to implement appropriate technical and organisational measures to protect personal data.
     
  • The highest fine in the public and education sector to date was issued by the Portuguese DPA, which sanctioned the Portuguese National Statistical Institute with a fine of EUR 4.3 million for numerous violations of several general data processing principles of the GDPR in connection with the 2021 census in Portugal (ETid-1524). The controller did not inform the data subjects about the voluntary nature of providing their religious and health data. Further, the controller had failed to exercise due diligence in selecting its processor, contrary to its obligation under Art. 28 GDPR, and had permitted the transfer of personal data outside the EEA without providing for additional security measures besides the European Commission's SCCs, as required under the Schrems II ruling. The DPA considered this to be a breach of Art. 44 GDPR and Art. 46(2) GDPR. Finally, no data protection impact assessment was carried out for the census.
     
  • The second highest fine was issued by the Dutch DPA (AP), which sanctioned the Dutch Tax and Customs Administration in 2022 with a fine of EUR 3.7 million (the highest fine ever imposed by AP) for processing personal data such as health, citizenship and criminal personal data of more than 270,000 individuals (including minors) in a risk-of-fraud list without a valid legal basis and appropriate technical and organisational measures to ensure adequate protection (ETid-1124). The data were stored for several years against the principle of storage limitation and contrary to the retention period established in the list. Further, a large number of individuals were falsely registered as possible fraudsters and the risk of fraud was also determined in a discriminatory manner based on the nationality and appearance of the data subject, among other factors. The processing of the data in the list had not been necessary for the proper performance of the administration's tasks. Also, the administration had violated the principle of purpose limitation.
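The PSNI case above turned on a spreadsheet released under a Freedom of Information request that still carried hidden data. A pre-release check that flags hidden sheets, columns and rows in an .xlsx file is one of the "simple-to-implement procedures" a publishing team can run before a document leaves the organisation. The following scanner is an added example, not code from CMS or from any of the authorities named on this page; it reads the Office Open XML parts directly with the Python standard library, and the sample workbook it builds (a visible "Summary" sheet with a hidden column range and a hidden row, plus a hidden "Staff" sheet) is constructed here for illustration only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside an .xlsx package (Office Open XML SpreadsheetML).
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def scan_xlsx(data: bytes) -> list:
    """Return one finding string per hidden sheet, hidden column range or hidden row.

    The workbook part lists the sheets and their visibility state; each sheet's
    relationship id is resolved through workbook.xml.rels to the worksheet part,
    which is then inspected for hidden <col> and <row> elements.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target")
                   for r in rels.findall(f"{{{NS_PKG}}}Relationship")}
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # visible | hidden | veryHidden
            if state != "visible":
                findings.append(f"hidden sheet: {name} (state={state})")
            target = targets[sheet.get(f"{{{NS_REL}}}id")]
            # Targets are normally relative to xl/, occasionally package-absolute.
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            worksheet = ET.fromstring(zf.read(part))
            for col in worksheet.iter(f"{{{NS_MAIN}}}col"):
                if col.get("hidden") in ("1", "true"):
                    findings.append(
                        f"hidden columns {col.get('min')}-{col.get('max')} in sheet {name}")
            for row in worksheet.iter(f"{{{NS_MAIN}}}row"):
                if row.get("hidden") in ("1", "true"):
                    findings.append(f"hidden row {row.get('r')} in sheet {name}")
    return findings


def safe_to_publish(data: bytes) -> bool:
    """True only when the workbook contains no hidden sheets, columns or rows."""
    return not scan_xlsx(data)


def build_sample_xlsx() -> bytes:
    """Constructed sample: only the package parts the scanner reads are included."""
    workbook = f'''<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">
  <sheets>
    <sheet name="Summary" sheetId="1" r:id="rId1"/>
    <sheet name="Staff" sheetId="2" state="hidden" r:id="rId2"/>
  </sheets>
</workbook>'''
    rels = f'''<Relationships xmlns="{NS_PKG}">
  <Relationship Id="rId1" Target="worksheets/sheet1.xml"
    Type="{NS_REL}/worksheet"/>
  <Relationship Id="rId2" Target="worksheets/sheet2.xml"
    Type="{NS_REL}/worksheet"/>
</Relationships>'''
    # Columns C-D are hidden and row 2 is hidden: invisible on screen, present in the file.
    sheet1 = f'''<worksheet xmlns="{NS_MAIN}">
  <cols><col min="3" max="4" width="0" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Count</t></is></c></row>
    <row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Surname (constructed)</t></is></c></row>
  </sheetData>
</worksheet>'''
    sheet2 = f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    for finding in scan_xlsx(sample):
        print("BLOCK:", finding)
    print("safe to publish:", safe_to_publish(sample))
```

Hidden rows, columns and sheets are only the most common way data survives in a released workbook; the same check should be extended to cached pivot data, comments and document properties, and the authoritative fix for a FOI response is to copy only the intended cells into a fresh file rather than to hide or delete ranges in the working copy.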
Main takeaways

Public authorities hold a special position of trust that requires particularly strict compliance with data protection laws and an outstandingly high level of data security as they often process highly sensitive data and therefore are attractive targets for cyber-attacks and vulnerable to accidental disclosure. The same applies to schools and other educational establishments, in particular those that process personal data of minors. DPAs appear to have increased scrutiny of the public and education sector since the 2020 ETR, in particular in connection with the use of technology (e.g. online education tools used in schools and universities). It seems likely that this trend will continue in the future.

Further, the number of fines in the public sector for violations of data protection laws with regard to the processing of sensitive data in general as well as profiling and tracking or surveillance of individuals continues to grow. In this context, it is notable that the highest and the second highest fines in the public and education sector result from an extensive and systematic collection and processing of personal data (including sensitive data) of citizens, mainly for statistical and profiling purposes.