Investigating GDPR Fines in the Light of Data Flows.

Proceedings on Privacy Enhancing Technologies (2022)

Abstract
While GDPR-related fines to big companies like Amazon or Google have seen widespread media attention, data protection authorities have issued several hundred more penalties since 2018. This work analyzes 856 fines and their summaries provided by the CMS Law GDPR Enforcement Tracker. We extend the methodology of previous work that evaluated GDPR fines and, in particular, explore the fines in the light of data flows and perform a detailed categorization. Our analysis shows that it is a combination of technical and organizational issues that are involved when a fine is imposed. Moreover, data protection authorities more often react to data subjects’ complaints when data breaches become public and when health-related data is involved. We further show that the root causes for fined data processing lie in the early data life cycle phases (e.g., data collection). Here, organizational problems are more prevalent (601 fines) than technical issues (314 fines), while technical issues are mentioned more often in later life cycle phases (e.g., retention, access and usage). Especially mistakes in the early phases of the data collection process (e.g., lacking a legal basis) and unauthorized disclosure in later phases are fined. We cluster the most frequent words and analyze relations to understand where data controllers put personal data at risk. The results confirm that access management is a common problem that results in the unintended disclosure of data.
Keywords
GDPR fines, data flows