Article published in Postimees
Last Friday, a record-breaking GDPR fine reached Estonia – namely, the Estonian Data Protection Inspectorate (AKI) imposed a fine of 3 million euros on the customer data manager of Apotheka and PetCity for violating the security requirements for processing personal data.
Immediately before that, the case of the Asper Biogene cyber attack and the resulting data leak, which was widely reported in the media, reached a court decision in Estonia. AKI initially imposed a fine of 85,000 euros on the company for violating the requirements for processing personal data, but the fine was fully annulled by a court decision that has now entered into force.
The Asper Biogene case has sparked a debate about what the fair amount of a fine for violating the General Data Protection Regulation (GDPR) should be. The GDPR prescribes that any fine imposed must be effective, proportionate and dissuasive. In other words, the amount of the fine must be adjusted to the infringement committed, taking into account, inter alia, aggravating and mitigating circumstances and the turnover of the company. The purpose of GDPR fines should not only be to punish, but first and foremost to ensure compliance with data protection requirements and to motivate companies to take data processing compliance seriously and consistently. At the same time, the sanction should not be so burdensome that it leads the company into financial difficulties or bankruptcy, as such a result would not support the objectives of the GDPR or promote sustainable data protection practices.
For example, in Finland, the psychotherapy clinic Vastaamo was fined 608,000 euros in 2021 for leaking patients’ personal data. The fine amounted to nearly 4.2% of the company’s annual turnover and led to the company’s bankruptcy. In the case of Asper Biogene, the fine initially imposed amounted to nearly 13% of the company’s turnover in 2024. Had the now-annulled fine remained in force, it would have caused significant financial hardship for the company and placed it at serious risk of bankruptcy. Such cases demonstrate how large fines can have serious economic consequences for companies and pose significant risks to their future sustainability.
Although the GDPR allows for record-high fines, the company’s economic indicators must also be considered when imposing a proportionate fine, as the fine should not fatally break the economic viability of the company. Record-high fines should be justified in particular in cases where the breach is systemic and the company’s business model is based on a deliberate and widespread disregard for personal data protection requirements.
In summary, we believe that a fine should not drive a company into bankruptcy but should serve as an incentive for effective compliance with data protection. Therefore, to ensure better compliance with data protection requirements more widely, proportionate GDPR fines must also be determined on the basis of the company’s financial indicators, as the fine should not break the company’s backbone.
Here you can read more about the successful representation of Asper Biogene by the data protection and legal team of NJORD Law Firm, which resulted in the annulment of a fine of 85,000 euros.
NJORD Law Firm’s data protection team advises clients on all aspects of data protection, including preparation of the necessary documentation, communication with supervisory authorities and data subjects, and litigation. If you need support with data protection matters, please contact us at sille.eerik@njordlaw.ee or liis.leedo@njordlaw.ee.