Menu Close

In Perspective: Important and recent enforcement cases across Europe

UK data protection regulator fines company for sending spam texts during the pandemic

What happened

Why it matters

  • H&L Business Consulting Limited have recently been fined £80,000 for sending thousands of text messages to people who had not consented to receive them.

  • The contents of the text messages related to the offer to have debt written off during the lockdown (which was imposed on people during the Covid-19 pandemic).

  • The messages also stated that the debt management scheme was government-backed – this was untrue.

  • Despite numerous attempts to evade regulatory action, the ICO fined the business for noncompliance of data protection law.

  • Direct marketing rules fall within a set of obligations placed on businesses that are contained within the Privacy and Electronic Communications Regulations 2003 (PECR).

  • PECR states that for most forms of direct digital marketing involving customers (e.g. the sending of texts that advertise goods or services) – prior informed consent is required from the recipient.

  • H&L Business Consulting Limited did not do this and additionally used the pandemic as a way to convince individuals to sign up to their debt management scheme.

Airport fined in Belgium for unlawfully carrying out temperature checks on passengers

What happened

Why it matters

  • The Belgium data protection regulator has recently fined an airport €100,000 for unlawfully conducting temperature checks using thermal imaging cameras on passengers.

  • Thermal imaging cameras were in force between June 2020 and March 2021. Passengers suspected to be infected by Covid-19 were asked to leave the airport and not allowed to board a plane.

  • The Belgium data protection regulator confirmed that there was no specific legal obligation for the airport to be doing these temperature checks and that individuals were not being properly informed that thermal imaging cameras were being used upon entering the airport.

  • The completion of a Data Protection Impact Assessment is recommended whenever the business plans to process special categories of personal data on a large scale (such as in cases like these).

  • Data Protection by Design and by Default should also be considered so that principles such as transparency and fairness are accounted for from the outset and do not result in the unlawful processing of personal data.

  • Given the high-risk nature of remotely recording someone’s body temperature, the airport should have consulted with the Belgian data protection regulator beforehand in order to review the processing activities and any associated remediation.

Icelandic university is reprimanded for not being transparent with students

What happened

Why it matters

  • The Icelandic data protection regulator has recently reprimanded a university for not providing students with sufficient information regarding the processing of their personal data when remotely monitoring exams taken via the Zoom platform during the Covid-19 pandemic.

  • The information that should have been provided to students would include details on the lawful basis for processing, security measures and data subject rights (such as the right to access and rectify one’s personal data).

  • The university was reprimanded instead of receiving a fine.

  • Transparency is an important principle of data protection law and is inherently linked to fairness.

  • Organisations should be clear, open and honest with people about how and why their personal data is being processed.

  • This is especially the case when there is an inherent imbalance of power (such as between a student and their teacher).

  • If individuals know from the start how their data will be used, they can make a more informed decision on how their personal data should be used.

  • In most cases, the principle of transparency is met by publishing a Privacy Notice. However, other approaches are also recommended such as posters on public noticeboards.


Lindsey Domingo

Senior Director

Speak to me directly by Email, or
Telephone:+44 (0)20 3745 7826


Lindsey has a strong track record in providing risk advisory services with a focus on governance, regulatory compliance, conduct and culture, data protection, and third-party assurance. He helps organisations successfully address governance, risk management and compliance challenges.

To discuss how the areas highlighted, or any other aspect of risk management, information governance or compliance impact your business, speak with our team, tell us what matters to you and find out how we can help you navigate complex issues to help you deliver long term value.



Stay in control of
your inbox

Register your details to receive our featured insights, news and analysis covered ‘In Perspective’ from our Data Protection team.

Stay up to date and discover how the requirements impact your business.