The General Data Protection Regulation (GDPR), adopted on April 14, 2016, by the European Union’s institutions, started to apply on May 25, 2018.
The full effect and the reach of GDPR rules has been recently demonstrated in practice, as France imposed a monetary fine in the amount of EUR 50,000,000 on the multinational company Google for GDPR breach.
Such a decision by the French Data Protection Regulatory Authority is provoked by Google’s failure to enable its users an easy insight into the information on data collection for the purpose of ad personalization. Moreover, failing to adequately seek the users’ consent for ad personalization is another reason for penalizing Google.
For the aforementioned breaches, the French regulatory authority levied a monetary administrative fine in accordance with GDPR Article 83. In the event of GDPR breach, Article 83 provides for an administrative fine of up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year of the offender, whichever is higher.
This case serves as a great example to companies not only within the EU but also for companies in the Republic of Serbia. Namely, the new Law on Personal Data Protection entered into force on November 21, 2018, and will begin to apply after 9 months from that date. The new Law largely adopts the basic principles of GDPR, so the Serbian companies need to start revising and introducing their own personal data protection procedures, in order to avoid the adversity similar to the one Google faced.