Teemo, a French startup, was the first company admonished under the GDPR. However, on October 11th it was cleared and avoided a GDPR fine.
The French data protection authority, the "Commission nationale de l'informatique et des libertés" (CNIL for short), gave Teemo an ultimatum in July. Under it, the company had to obtain proper consent for its data processing activities, provide a disclosure and set limits for data retention.
It took 2 months before Teemo put in place all of CNIL's requirements, and the company had to divert all of its R&D resources to become compliant. Now its partners have to display a banner during the app's installation that allows users to provide informed consent for data collection before data is actually collected.
Many believed it was unlikely for Teemo to receive a GDPR fine in the first place. However, their case shows that DPAs want to look at companies' good intentions and their efforts to comply, and not just hand out fines as soon as there's a chance.
Blaine Kimrey, a shareholder at Vedder Price in Chicago, says that the GDPR is
mainly intended to guide behavior, to encourage compliance, not as a vehicle for penalizing.
The potential penalties are severe under GDPR and they're definitely there for a reason, but the people I've heard speak about the regulation, including those involved in its drafting, don't see a GDPR fine as the standard enforcement proceeding.
Fidzup, the second company called out by CNIL at the same time as Teemo, is still making progress towards compliance by developing a consent management platform and cooperating with CNIL to test the platform. CNIL has yet to make a decision regarding Fidzup, but company representatives feel confident that their efforts will make a difference.