GDPR Enforcement Tracker
The CMS.Law GDPR Enforcement Tracker is an overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties. Please note that we do not list any fines imposed under national / non-European laws (with the exception of fines under the UK GDPR), under non-data protection laws (e.g. competition laws / electronic communication laws) or under “old” pre-GDPR laws. We have, however, included a limited number of essential ePrivacy fines under national member state laws.
ETid | Country | Authority | Date | Fine [€] | Controller/Processor | Sector | Quoted Article | Type | Summary | Link |
---|---|---|---|---|---|---|---|---|---|---|
1 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2018-12-09 | 4,800 | Betting place | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted. | link |
2 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2018 | 1,800 | Kebab restaurant | Accommodation and Hospitality | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: The fine has been reduced to EUR 1,500 by the court, see link. | link |
3 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2018-09-27 | 300 | Private car owner | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A dashcam was unlawfully used. | link |
4 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2018-12-20 | 2,200 | Private person | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, the video surveillance covered garden areas of an adjacent property. The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without the consent to record their image data. The video surveillance was not properly indicated. | link |
5 | BELGIUM | Belgian Data Protection Authority (APD) | 2019-05-28 | 2,000 | Mayor | Public Sector and Education | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes. | link |
6 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2018-12-04 | 500 | Bank | Finance, Insurance and Consulting | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client about the unresolved bills of his neighbor. This prompted the client to invoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, for which the bank did take action in the statutory period. Nonetheless, the client filed a complaint to KZLD. The infringement for which the bank was fined was that the processing of the client’s personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the view of KZLD, to request additional consent from its client. | link link |
7 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-02-26 | 27,100 | Telecommunication service provider | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider had used personal data to register the complainant with the company’s prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature on the application and the complainant’s own genuine signature were not identical; the person’s personal identification number was indicated, but the identity card number was not the complainant’s. | link |
8 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-01-17 | 500 | Bank | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | A bank obtained personal data concerning a student without a legal basis. | link |
9 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-02-22 | 500 | Employer | Employment | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way. | link |
10 | CYPRUS | Cypriot Data Protection Commissioner | 2019 | 5,000 | State Hospital | Health Care | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital. | link |
11 | CYPRUS | Cypriot Data Protection Commissioner | 2019 | 10,000 | Newspaper | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience and the unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could have been achieved by referring only to the initials of their names and/or blurring their faces and/or publishing photographs taken from a distance so that it was impossible to identify the persons; these measures would not have changed the nature of the case. | link |
12 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-01-10 | 388 | Employer | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook page of the employer and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee. | link |
13 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-02-04 | 1,165 | Car renting company | Industry and Commerce | Art. 5 (1) a) GDPR | Insufficient fulfilment of information obligations | A person who rented a car found out that the car was tracked via GPS by the renting company even though no information had been provided that the car was being tracked. The Czech Data Protection Authority found that no information within the meaning of Art. 13 GDPR had been provided and that Art. 6 (1) f) GDPR could not serve as the legal basis under the concrete circumstances. The UOOU therefore found a violation of Art. 5 (1) a) GDPR, for which it imposed the fine. | link |
14 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-02-28 | 582 | Unknown | Not assigned | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). | link |
15 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-02-04 | 1,165 | Credit brokerage | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). | link |
16 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2018-10-25 | 388 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | link |
17 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-02-26 | 776 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | link |
18 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-03-21 | 10,000 | Unknown | Not assigned | Art. 5 (1) GDPR | Non-compliance with general data processing principles | Data was processed beyond what was adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed (‘data minimisation’), and was kept in a form which permits identification of data subjects for longer than necessary for the purposes for which the personal data were processed (‘storage limitation’). | link |
19 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | Unknown | 3,140 | UniCredit Bank Czech Republic and Slovakia, a.s. | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The bank established a personal bank account for a data subject without his consent or knowledge. The bank supposedly had his personal data available because the subject had been authorised to dispose of his employer’s company account. The bank was not able to provide the Office for Personal Data Protection with the documentation necessary to prove that it had entered into a contract with the data subject. | link |
20 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2019-05-06 | 194 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | link |
21 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2019 | 160,000 | Taxa 4×35 | Transportation and Energy | Art. 5 (1) e) GDPR | Non-compliance with general data processing principles | The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data-minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold onto individuals’ phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts. | link |
22 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-02-12 | 13,450 | IDdesign A/S | Industry and Commerce | Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The data in the old system was not deleted after the deadlines set for that system had been reached. Also, the controller had not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts. Update: On February 12, 2021 the Aarhus District Court decided to impose a fine against IDdesign in the amount of EUR 13,450. With regard to the calculation of the fine, the court disagreed with the proposed amount. It concluded that the amount should be calculated on the basis of the company’s own turnover and not that of the entire group. In addition, the court considered that the mitigating circumstances under Art. 83 (2) GDPR should be taken into account when calculating the fine, such as that the company had not previously breached the GDPR and that the breach concerned only general personal data. In addition, no data subject suffered damages as a result of the breach. Finally, the court considered that the negligent nature of the breach should be taken into account. | link |
23 | FRANCE | French Data Protection Authority (CNIL) | 2019-01-21 | 50,000,000 | Google LLC | Media, Telecoms and Broadcasting | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR | Insufficient legal basis for data processing | The fine was imposed on the basis of complaints from the Austrian organisation ‘None Of Your Business’ and the French NGO ‘La Quadrature du Net’. The complaints were filed on 25th and 28th of May 2018 – immediately after the GDPR became applicable. The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consent obtained had been neither ‘specific’ nor ‘unambiguous’ (Art. 4 nr. 11 GDPR). | link |
24 | FRANCE | French Data Protection Authority (CNIL) | 2019-05-28 | 400,000 | SERGIC (Real Estate) | Real Estate | Art. 5 (1) e) GDPR | Insufficient technical and organisational measures to ensure information security | The CNIL based the penalty on two grounds: Lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing vulnerability and the fact that the documents revealed very intimate aspects of users’ lives), the size of the company and its financial standing. | link |
25 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2018-11-21 | 20,000 | Knuddels.de | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | After a hacker attack in July, personal data of approx. 330,000 users, including passwords and email addresses, had been revealed. | link |
26 | GERMANY | Data Protection Authority of Hamburg | 2018-12-17 | 5,000 | Kolibri Image Regina und Dirk Maass GbR | Industry and Commerce | Art. 28 (3) GDPR | Insufficient data processing agreement | Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. Rather than answering Kolibri Image in more detail, the Hessen authority forwarded the case to the locally responsible Data Protection Authority of Hamburg. This authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in court since they are of the opinion that the service provider does not act as a processor. | link |
27 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019-04-12 | 80,000 | Company in the financial sector | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In an administrative decision dated 12 April 2019, the authority imposed a fine of 80,000 euros on a medium-sized financial services company. This company had failed to take the necessary care to preserve the integrity and confidentiality of information within the meaning of Art. 5 para. 1 lit. f GDPR when disposing of documents containing personal data of two customers. Thus, without prior anonymisation, the papers were disposed of in the general waste paper recycling system, where the documents were found by a neighbour. | link |
28 | GERMANY | Data Protection Authority of Sachsen-Anhalt | 2019-02-05 | 2,500 | Private person | Individuals and Private Associations | Art. 6 GDPR, Art. 5 GDPR | Insufficient legal basis for data processing | The fine was imposed against a private person who sent several e-mails between July and September 2018 in which the personal e-mail addresses of all recipients were visible, so that each recipient could read the addresses of countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority’s letter, between 131 and 153 personal mail addresses were identifiable in his mailing list. | link |
29 | GERMANY | Data Protection Authority of Hamburg | 2018 | 20,000 | Unknown | Not assigned | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | Late notification of a data breach and failure to notify the data subjects. | Page 134 of the activity report of the Data Protection Commissioner of Hamburg, accessible under link |
30 | GERMANY | Data Protection Authority of Saarland | Unknown | 118 | Unknown | Not assigned | Art. 6 GDPR | Insufficient legal basis for data processing | Illegal disclosure of personal data relating to a third party. | link |
31 | GERMANY | Data Protection Authority of Hamburg | 2018 | 500 | Unknown | Not assigned | Unknown | Unknown | Unknown | link |
32 | GERMANY | Data Protection Authority of Berlin | 2019-03 | 50,000 | N26 | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The fine was imposed against a bank (according to a newspaper, N26) that had processed ‘personal data of all former customers’ without permission. The bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not make a new account available to these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that, in order to prevent a new bank account from being opened, only those persons may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had ‘not yet been legally concluded’. | Page 131 of the activity report of the Data Protection Commissioner of Berlin link link |
33 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-02-08 | 1,560 | Bank | Finance, Insurance and Consulting | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | A bank mistakenly sent SMS messages about a subject’s credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject’s request to erase the data and continued to send SMS messages to the incorrect telephone number. The fine represents 0.0016% of the annual profit of the bank. | link link |
34 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-02-20 | 1,560 | Debt collector | Finance, Insurance and Consulting | Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | A data subject requested information about and erasure of the data processed, which the debt collector refused, stating that it could not identify the subject. For identification purposes it requested place of birth, mother’s maiden name and further details from the data subject. After the controller succeeded in identifying the data subject it refused to comply with the deletion request, arguing that it was legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since it had not properly informed the data subject about these policies, the NAIH held that the controller had breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller. | link link |
35 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2018-12-18 | 3,200 | Unknown | Not assigned | Art. 12 (4) GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 13 GDPR | Insufficient fulfilment of data subjects rights | The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority. | link |
36 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-02-28 | 3,200 | Mayor’s Office of the city of Kecskemét | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The fine was imposed on the Mayor’s Office of the city of Kecskemét for unlawful disclosure of the personal information of a whistleblower. NAIH imposed the fine after an employee of an organisation that it supervised reported a public interest complaint directly to it against his employer. After the organisation learned of the complaint, it requested details in order to investigate, and the local government accidentally revealed the complainant’s name. The NAIH considered it an aggravating factor that, as a result of the data breach, the organisation fired the person who made the report. | link link |
37 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-03-04 | 3,200 | Unnamed financial institution | Finance, Insurance and Consulting | Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDPR | Insufficient fulfilment of data subjects rights | The fine was imposed in relation to a data subject’s request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company’s legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company’s annual net revenue. | link link |
38 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-04-05 | 34,375 | Hungarian political party | Public Sector and Education | Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and the relevant individuals about a data breach, and for failing to document the breach as required by Art. 33 (5) GDPR. As mandated by law, the fine was based on 4% of the party’s annual turnover and 2.65% of its anticipated turnover for the coming year. The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation’s system – a database of more than 6,000 individuals – and the command used for the attack. The system was vulnerable to attack because of a redirection problem with the organisation’s webpage. After the attacker published the command, even people with little IT knowledge were able to retrieve information from the database. | link |
39 | ITALY | Italian Data Protection Authority (Garante) | 2019-04-17 | 50,000 | Italian political party Movimento 5 Stelle | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A number of websites affiliated to the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer of 2017 that led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed. While the update of the privacy information notice was completed in time, the Italian data protection authority raised its concerns as to the lack of implementation on the Rousseau platform of some of the GDPR-related security measures. It is worth mentioning that the proceedings were initiated before May 2018, but the Italian data protection authority issued a fine under the GDPR since the Rousseau platform had not adopted the security measures required by means of an order issued after the 25th of May 2018. Interestingly, the fine was not issued against Movimento 5 Stelle, which is the data controller of the platform, but against the Rousseau association, which is the data processor. | link |
40 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2019-05-16 | 61,500 | Payment service provider UAB MisterTango | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which it was the controller. In addition, it became known that from 9 to 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary. The controller did not report the data breach. | link |
41 | MALTA | Data Protection Commissioner of Malta | 2019-02-18 | 5,000 | Lands Authority | Public Sector and Education | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple Google search. The majority of the leaked data contained highly sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to €25,000 for each violation and may additionally impose a daily fine of €25 for each day such violation persists. | link |
42 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2019-03 | 170,000 | Bergen Municipality | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The incident relates to computer files with usernames and passwords for over 35,000 user accounts in the municipality’s computer system. The user accounts related both to pupils in the municipality’s primary schools and to the employees of the same schools. Due to insufficient security measures, these files had been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the schools’ various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompassed personal data of over 35,000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and by an internal whistleblower, that the data security was inadequate. | link |
43 | POLAND | Polish National Personal Data Protection Office (UODO) | 2019-03-26 | 220,000 | Private company working with data from publicly available sources | Not assigned | Art. 14 GDPR | Insufficient fulfilment of information obligations | The fine concerned proceedings related to the activity of a company which processed data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Instead, it presented the information clause only on its website. According to the UODO this is not sufficient. Addendum: In the meantime, the court has cancelled the fine due to procedural errors. The amount of the fine has to be determined by the concrete number of data records concerned. However, the Office had not submitted any verifiable evidence in this regard, but had simply assumed that 6 million data sets were involved, which the data controller had denied. Therefore, important findings were missing. In particular, it was incorrect to justify the amount of the fine on the basis of general preventive considerations. Art. 58 GDPR expressly states that a fine imposed must be related to the specific facts of the case. The Polish data protection authority has already announced that the fine will be revised in a new administrative procedure. | link |
44 | POLAND | Polish National Personal Data Protection Office (UODO) | 2019-04-25 | 12,950 | Sports association | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | One sports association published personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers. Meanwhile, there is no legal basis for such a wide range of data on judges to be available on the Internet. By making them public, the administrator posed a potential risk of their unauthorized use, e.g. to impersonate them for the purpose of borrowing or other obligations. Although the association itself noticed its own error, as evidenced by the notification of a personal data protection breach to the President of the PDPA, the fact that attempts to remove it were ineffective determined the imposition of a penalty. When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among others, the duration of the infringement and the fact that it concerned a large group of persons (585 judges). It concluded that although the infringement was finally removed, it was of a serious nature. However, when imposing a penalty, the President of the Office of Competition and Consumer Protection also took into account mitigating circumstances, such as good cooperation between the controller and the supervisory authority or lack of evidence that damage had been caused to the persons whose data had been disclosed. | link link |
45 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2018-07-17 | 400,000 | Public Hospital | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty. | link |
46 | SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 5,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The Spanish telecommunications and information agency (SETSI) decided that Vodafone had to reimburse a customer for costs he had been wrongfully charged. Nevertheless, Vodafone reported personal data of this customer to a solvency registry (BADEXCUG). The AEPD found that this behaviour violated the principle of accuracy. | link |
47 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-06-11 | 250,000 | Professional Football League (LaLiga) | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 7 (3) GDPR | Insufficient fulfilment of information obligations | The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users’ mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent. | link |
48 | SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 60,000 | Debt collecting agency (GESTIÓN DE COBROS, YO COBRO SL) | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Insufficient legal basis for data processing | After the claimant allegedly did not pay back a microcredit to an online credit agency, the claim was assigned to the debt collecting agency. Subsequently, the latter started sending emails not only to email addresses provided by the claimant but also to an institutional email address of his workplace, accessible by any co-worker, which the claimant had never provided. | link |
49 | SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 27,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) d) GDPR | Insufficient fulfilment of data subjects rights | Although the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and this request had been confirmed by the company, he received more than 200 SMS from the company from 2018 onwards. Following Vodafone’s statement, this happened because the complainant’s mobile phone number was erroneously used for testing purposes and accidentally appeared in various customer files belonging to other customers than the complainant. Since the company agreed to both payment and admission of responsibility the fine was reduced in accordance with Spanish administrative law to EUR 27k. | link |
50 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019-05-09 | 1,400 | Police Officer | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The police officer, using his official user ID but without reference to official duties, queried the owner data concerning the license plate of a person who he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, in which he asked not only for the personal data of the injured parties but also for the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone – without any official reason or consent given by the injured party. Through the ZEVIS and SARS enquiry for private purposes and the use of the mobile phone number obtained in this way for private contact, the police officer has processed personal data outside the scope of the law on his own authority. This infringement is not attributable to the police officer’s department, since he did not commit the act in the exercise of his official duties, but exclusively for private purposes. The prohibition of punishment under § 28 LDSG, according to which the sanctions of the GDPR cannot be imposed on public bodies, does not apply in the present case, since it was neither a case of misconduct attributable to the authority nor is the person concerned to be classified as a separate public body within the meaning of § 2 (1) or (2) LDSG in the case of the acts in question. | link |
51 | FRANCE | French Data Protection Authority (CNIL) | 2019-06-13 | 20,000 | Employer UNIONTRAD COMPANY | Employment | Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstation. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, that employees should not be filmed continuously and that information about the data processing has to be provided. In the absence of satisfactory measures at the end of the deadline set in the formal notice, the CNIL carried out a second audit in October 2018 which confirmed that the employer was still breaching data protection laws when recording employees with CCTV. When determining the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company, which presented a negative net result in 2017 (turnover of 885,739 EUR in 2017 and a negative net result of 110,844 EUR), to retain a dissuasive but proportionate administrative fine. | link |
52 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-04-17 | 9,400 | Unknown | Not assigned | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A data controller relied on a legal basis for the processing of personal data (Art. 6.1.b) for the assignment of claims which, in the view of the NAIH, was the wrong one. | link |
53 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-04-05 | 1,900 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The data controller did not fulfil the data subject’s access request. | link |
54 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2019-04-08 | 510 | Medical centers | Health Care | Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 9 (2) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The sanction of 510 EUR was imposed on each medical center for unlawful processing of the personal data of data subject G.B. by a medical centre for the purpose of changing his GP. The medical centre used a software to generate a registration form for change of GP which was submitted to the Regional Health Insurance Fund and then to another medical centre, which subsequently also unlawfully processed the personal data of G.B. | link |
55 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2019-03-26 | 5,100 | A.P. EOOD | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The sanction was imposed on personal data administrator A.P. EOOD for unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD for preparing an Employment Contract, while he was in prison. | link |
56 | SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 60,000 | ENDESA (energy supplier) | Transportation and Energy | Art. 5 (1) f) GDPR | Insufficient legal basis for data processing | The complainant’s bank account was charged by ENDESA, the beneficiary of which was a third party, who had been convicted under criminal law and imposed with a two-year restraining order regarding the claimant, her domicile and work. Instead of amending the contract details as requested by the claimant, ENDESA deleted her data erroneously and filled in the data of the third party. The AEPD found the disclosure of the claimant’s data to the third party was a severe violation of the principle of confidentiality. | link |
57 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-06-27 | 130,000 | UNICREDIT BANK SA | Finance, Insurance and Consulting | Art. 25 (1) GDPR, Art. 5 (1) c) GDPR | Insufficient technical and organisational measures to ensure information security | The fine was issued as a result of the failure to implement appropriate technical and organisational measures (related to (1) the determination of the processing means/operations, and (2) the integration of the necessary safeguards) resulting in the online disclosure of IDs and addresses (internal/external transactions) of 337,042 data subjects to their respective beneficiary (between 25.05.2018 - 10.12.2018). | link |
58 | UNITED KINGDOM | Information Commissioner (ICO) | 2020-10-16 | 22,046,000 | British Airways | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In July 2019, the ICO issued a notice of its intention to fine British Airways £183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information. In the meantime, the final fine imposed on the airline has been set at £20 million (approximately EUR 22,046,000). The ICO emphasized that when setting the amount of the fine, it also took into account the economic impact of the COVID-19 (‘Coronavirus’) pandemic on the airline industry. | link |
59 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-07-02 | 15,000 | WORLD TRADE CENTER BUCHAREST SA | Accommodation and Hospitality | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel of WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it had not taken steps to ensure that data is not disclosed to unauthorized parties. | link |
60 | UNITED KINGDOM | Information Commissioner (ICO) | 2020-10-30 | 20,450,000 | Marriott International, Inc | Accommodation and Hospitality | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Original Summary: The ICO issued a notice of its intention to fine Marriott International Inc due to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. Update: On 2020/10/30, the ICO announced its final decision to impose a fine of £18.4 million (approximately EUR 20.4 million) on Marriott International Inc. In its decision, the ICO set forth its considerations for the calculation of the fine, which included Marriott’s absence of prior violations or omissions and the fact that Marriott had fully cooperated with the investigation and had taken steps to notify the individuals concerned. In addition, the ICO noted that it had also aligned the fine with other fines already imposed on other companies – in particular also by other European data protection authorities. | link |
61 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-05-23 | 92,146 | Organizer of SZIGET festival and VOLT festival | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The NAIH found that there were inappropriate legal bases in use and that the controller did not comply with the principle of purpose limitation. Also, information on the data processing was not fully provided to data subjects. | link |
62 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-07-05 | 3,000 | LEGAL COMPANY & TAX HUB SRL | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine was imposed because adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing were not implemented. This has led to unauthorized disclosure and unauthorized access to the personal data of people who have made transactions received by the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), due to publicly accessible documents between 10th of December 2018 and 1st of February 2019. The National Supervisory Authority applied the sanction following a notification dated 12th of October 2018 indicating that a set of files regarding the details of the transactions received by the avocatoo.ro website which contained the name, surname, address correspondence, email, telephone, job and details of transactions made, was publicly accessible through two links. | link |
63 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2019-06-18 | 350,000 | Haga Hospital | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Original Fine Summary: The Haga Hospital does not have a proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. This investigation followed when it appeared that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before 2nd of October 2019, the hospital must pay EUR 100,000 every two weeks, with a maximum of EUR 300,000. The Haga Hospital has meanwhile indicated to take measures. Update: The fine was reduced from EUR 460,000 to EUR 350,000 following a court ruling in 2021. | link link |
64 | FRANCE | French Data Protection Authority (CNIL) | 2019-07-25 | 180,000 | ACTIVE ASSURANCES (car insurer) | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A large number of customer accounts, clients’ documents (including copies of driver’s licences, vehicle registrations, bank statements and documents to determine whether a person had been the subject of a licence withdrawal) and data were easily accessible online. The CNIL, among other things, criticised the password management (unauthorized access was possible without any authentication). | link |
65 | GREECE | Hellenic Data Protection Authority (HDPA) | 2019-07-30 | 150,000 | PWC Business Solutions | Employment | Art. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR | Insufficient legal basis for data processing | The processing of employee personal data was based on consent. The HDPA found that consent as legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis. This was in violation of the principle of transparency and thus in breach of the obligation to provide information under Articles 13(1)(c) and 14(1)(c) of the GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data. | link |
66 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-10-17 | 2,500 | UTTIS INDUSTRIES SRL | Employment | Art. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPR | Insufficient fulfilment of information obligations | The sanctions were applied to the controller because it could not prove that the data subjects were informed about the processing of personal data / images through the video surveillance system, which it had been operating since 2016, and because it disclosed the CNP of the employees by displaying the Report for the training of the authorized ISCIR personnel for the year 2018 to the company notifier and could not prove the lawfulness of this processing of the CNP by disclosure according to Art. 6 GDPR. | link |
67 | SWEDEN | Data Protection Authority of Sweden | 2019-08-20 | 18,630 | School in Skellefteå | Public Sector and Education | Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR | Insufficient legal basis for data processing | A school in Skellefteå made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though data processing for the purpose of monitoring attendance is in general possible, doing so with facial recognition is disproportionate to the goal of monitoring attendance. The supervisory authority is of the opinion that biometric data of students was processed, which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent cannot be relied on since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students’ everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR, and the school board was required to consult the authority in accordance with Art. 36 (1) GDPR. | link |
68 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2019-08 | 25,000 | Company in the medical sector | Health Care | Art. 13 GDPR, Art. 35 GDPR, Art. 37 GDPR | Insufficient fulfilment of information obligations | The (non-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer. Update: The original fine of EUR 50,000 was reduced to EUR 25,000 by the Austrian Federal Administrative Court. | link link |
69 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2019-07 | 11,000 | Private person (soccer coach) | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years. | link |
70 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-08-16 | 60,000 | AVON COSMETICS | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third party fraudulently used the consumer’s personal data. | link |
71 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2019-08-28 | 2,600,000 | National Revenue Agency | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. It was found that personal data concerning about 6 million persons was illegally accessible. | link |
72 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2019-08-28 | 511,000 | DSK Bank | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data. | link |
73 | LATVIA | Data State Inspectorate (DSI) | 2019-08-26 | 7,000 | Online Services | Industry and Commerce | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | A merchant who provides services in an online store infringed the ‘right to be forgotten’ pursuant to Art. 17 GDPR when a data subject repeatedly requested the deletion of all his/her personal data, in particular his/her mobile phone number, which the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subject’s mobile phone number. | link |
74 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-06-25 | 15,150 | Unknown | Not assigned | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The data controller did not fulfil its data breach notification obligations when a flash memory with personal data was lost. | link |
75 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2019-04-29 | 120,000 | Oslo Municipal Education Department | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information security, unauthorized persons were able to log in as authorized users and gain access to personal data about students, legal representatives and employees. The fine has meanwhile been reduced to EUR 120,000, see link | link |
76 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2019-02-05 | 20,000 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Denial of the right to access recorded phone calls by the Data Subject | link |
77 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2019-03-25 | 2,000 | Unknown | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | No signage regarding the use of CCTV systems | link |
78 | GERMANY | Data Protection Authority of Berlin | 2019-09-19 | 195,407 | Delivery Hero | Accommodation and Hospitality | Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company’s delivery service platform for years – in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising e-mails from the delivery service. In a further five cases, the company did not provide the data subjects with the required information, or only after the Berlin data protection officer had intervened. | link |
79 | POLAND | Polish National Personal Data Protection Office (UODO) | 2019-09-10 | 660,000 | Morele.net | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people. | link |
80 | BELGIUM | Belgian Data Protection Authority (APD) | 2019-09-17 | 10,000 | Merchant | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA’s investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject’s identification number. In the meantime, the decision of the data protection authority has been annulled by a court: link | link |
81 | SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 9,600 | Restaurant (SANTI 3000, S.L.) | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes. The initial fine of EUR 12,000 was reduced to EUR 9,600. | link |
82 | GREECE | Hellenic Data Protection Authority (HDPA) | 2019-10-07 | 200,000 | Telecommunication Service Provider | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors. | link |
83 | GREECE | Hellenic Data Protection Authority (HDPA) | 2019-10-07 | 200,000 | Telecommunication Service Provider | Media, Telecoms and Broadcasting | Art. 21 (3) GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request. | link |
84 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-10-09 | 15,000 | Raiffeisen Bank SA | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Original fine summary: Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform’s staff via WhatsApp and then returned the result to Vreau Credit using the same means of communication. Update: The fine was reduced from EUR 150,000 to EUR 15,000 following a court ruling in 2021 link | link |
85 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-10-09 | 20,000 | Vreau Credit SRL | Finance, Insurance and Consulting | Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform’s staff via WhatsApp and then returned the result to Vreau Credit using the same means of communication. | link |
86 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-01 | 30,000 | Vueling Airlines | Transportation and Energy | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish Data Protection Agency (AEPD) has sanctioned Vueling Airlines with 30,000 euros for not giving users the ability to refuse its cookies, forcing them to accept the cookies if they wanted to browse its website. In other words, it was not possible to browse the Vueling page without accepting its cookies. The AEPD issued a sanctioning resolution for the amount of 30,000 euros, which could be reduced to 18,000 for immediate payment. | link |
87 | CYPRUS | Cypriot Data Protection Commissioner | 2019 | 14,000 | Doctor | Health Care | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital. | link |
88 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-09-26 | 9,000 | Inteligo Media SA | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | As part of the registration process on the website avocatnet.ro, the operator used an unticked checkbox by means of which users could declare that they did not wish to receive information letters via e-mail (opt-out). Without any action, the user was automatically sent information letters via e-mail. This did not fulfil the requirements for a GDPR-compliant consent. | link |
89 | SLOVAKIA | Slovak Data Protection Office | Unknown | Unknown | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A data controller failed to comply with a data subject's request to access his/her personal data processed by means of audio recordings. | link |
90 | SLOVAKIA | Slovak Data Protection Office | Unknown | Unknown | Unknown | Not assigned | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Documents containing personal data were disposed of in the area of the municipal garbage dump. | link |
91 | SLOVAKIA | Slovak Data Protection Office | Unknown | Unknown | Unknown | Not assigned | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Violation of information security measures (no further information available at the moment) | link |
92 | SLOVAKIA | Slovak Data Protection Office | Unknown | Unknown | Unknown | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | Personal data have been unlawfully published on the website of a city within the framework of fulfilling its disclosure obligation under the Freedom of Information Act. However, the Data Protection Authority stated that the City had published the personal data in violation of the law and without the consent of the person concerned. | link |
93 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-16 | 60,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Xfera Movile has used personal data without a legal basis for the conclusion of a telephone contract and has continued to process personal data even when the data subject requested that the processing be discontinued. | link |
94 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-16 | 8,000 | Iberdrola Clientes | Transportation and Energy | Art. 31 GDPR | Insufficient cooperation with supervisory authority | Iberdrola Clientes, an electricity company, had refused a person's request to change electricity supplier because it claimed that the person's data would be included in the solvency list. As a result, the AEPD requested that Iberdrola Clientes provide information about the possibility of adding the person's data to the solvency list, to which the company did not respond. This lack of cooperation with the AEPD was a violation of Article 31 of the GDPR. | link |
95 | SLOVAKIA | Slovak Data Protection Office | Unknown | 40,000 | Slovak Telekom | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The controller did not take adequate security measures when processing personal data, thereby breaching the obligation to protect the processed personal data. | link |
96 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2019-10-29 | 0 | Austrian Post | Transportation and Energy | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Original fine summary: Sending election advertising to citizens without sufficient legal basis. Update: On January 27th, 2021, the Brussels Court of Appeal overturned the fine of EUR 5,000. | link |
97 | POLAND | Polish National Personal Data Protection Office (UODO) | 2019-10-18 | 9,380 | Mayor of Aleksandrów Kujawski | Public Sector and Education | Art. 28 GDPR | Insufficient data processing agreement | No data processing agreement had been concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40,000 PLN (9,400 EUR) was imposed on the mayor of the city. | link |
98 | GERMANY | Data Protection Authority of Berlin | 2021-02-23 | 0 | Deutsche Wohnen SE | Real Estate | Art. 5 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | Originally, a fine in the amount of EUR 14,500,000 was issued against Deutsche Wohnen SE for using an archiving system for the storage of personal data of tenants that, according to the data protection authority, did not provide for the possibility of removing data that was no longer required. According to the data protection authority, personal data of tenants were stored without checking whether storage was permissible or even necessary, and it was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. See the separate entry. *** UPDATE *** On 24 February 2021 the Berlin Regional Court dismissed the fine against Deutsche Wohnen SE due to procedural errors, see link and link. This was based on the fact that, according to German law, a fine can only be issued to a company if the offence is attributable to a natural person, such as a managing director or employee. The case was then appealed to the Appellate Court of Berlin, which on 16 December 2022 in turn referred it to the European Court of Justice for a preliminary decision on whether the Regional Court's decision aligned with European law. On 5 December 2023 the European Court of Justice ruled that while culpability is indeed required for a fine to be issued, it is not always necessary to attribute the offence to a natural person. If the controller is a company instead of a natural person, it shall suffice if the offence is attributable to the company itself. In light of this decision the Appellate Court of Berlin overturned the initial decision of the Regional Court of Berlin and referred the case back to the Regional Court of Berlin for a new decision which, at the time of the editorial deadline of this update, is still pending, see link | link |
99 | GERMANY | Data Protection Authority of Berlin | 2019-10-30 | Unknown | Deutsche Wohnen SE | Real Estate | Art. 5 GDPR | Non-compliance with general data processing principles | In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR – see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. | link |
100 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-25 | 36,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The claimant, whose data had been provided to the company by his daughter, as authorised by him, received a call from the company offering its services, which he refused. However, Vodafone España proceeded to provide him with services and to seek payment from him, so Vodafone España had processed the claimant's personal data without his consent. | link |
101 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019 | 80,000 | Unknown | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In a digital publication, health data was accidentally published due to inadequate internal control mechanisms. | link |
102 | POLAND | Polish National Personal Data Protection Office (UODO) | 2019-10-16 | 47,000 | ClickQuickNow | Industry and Commerce | Art. 5 GDPR | Non-compliance with general data processing principles | The UODO imposed a fine of EUR 47,000 for obstructing the exercise of the right of withdrawal of consent to the processing of personal data. The company had not taken appropriate technical and organisational measures to allow the simple and effective withdrawal of consent to the processing of personal data and the exercise of the right to request the erasure of personal data. | link |
103 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-07 | 900 | TODOTECNICOS24H S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | TODOTECNICOS24H had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR. | link |
104 | SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 12,000 | Madrileña Red de Gas | Transportation and Energy | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The gas company did not have appropriate measures in place to verify the identity of the data subject. The person who filed the complaint alleges that the company e-mailed his information to a third party in response to a request. | link |
105 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-06 | 900 | Cerrajero Online | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The company had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR. | link |
106 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-31 | 6,000 | Jocker Premium Invex | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | After registering for a local census, Jocker Premium Invex had sent the applicant postal advertisements and commercial offers, although data such as first name, surname and postal address were only communicated to the public administration. | link |
107 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2019-10-31 | 900,000 | UWV (Dutch employee insurance service provider) | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | As the UWV (the Dutch employee insurance service provider – ‘Uitvoeringsinstituut Werknemersverzekeringen’) did not use multi-factor authentication when accessing the online employer portal, security was inadequate. Employers and health and safety services were able to collect and display health data from employees in an absence system. | link |
108 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2019-03-19 | 2,000 | Unknown | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | No signage indicating the use of CCTV systems. | link |
109 | SLOVAKIA | Slovak Data Protection Office | Unknown | 50,000 | Social Insurance Agency | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Applications for social benefits from Slovak citizens were sent by post to foreign authorities. These were lost by post, with the result that the whereabouts of these personal data could not be clarified. | link |
110 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-13 | 3,000 | General Confederation of Labour (‘CGT’) | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The CGT, with the aim of convening a meeting, e-mailed personal data of the complainant, including her home address, family relationship, pregnancy status and the date of an ongoing verbal abuse and harassment case, to 400 union members without her consent. | link |
111 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | Unknown | 588 | Alza.cz a.s. | Industry and Commerce | Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | The company obtained a copy of the data subject's photographic ID with his consent; however, it did not react to his withdrawal of consent and continued processing his personal data. | link |
112 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | Unknown | 980 | Individual entrepreneur – no further details published | Individuals and Private Associations | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The operator of an online game was exposed to several DDoS attacks which caused the servers to malfunction. The attacker blackmailed the operator, stating that the attacks would not stop unless he paid money. As part of the blackmail, the attacker offered to create an upgraded and better firewall protection for the operator's servers. The operator agreed and paid the attacker. The operator implemented the new code from the attacker, which proved better than the old one, but there was a 'backdoor' in the code. The attacker used the backdoor to steal all the data about the players from the server and uploaded these details to his website. The Office for Personal Data Protection concluded that the operator did not take appropriate security measures. | link |
113 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-19 | 60,000 | Corporación radiotelevisión espanola | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union have reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The violation affected about 11,000 people, including identification data, employment data, data about criminal convictions and health data. | link |
114 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-21 | 60,000 | Viaqua Xestión Integral Augas de Galicia | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | Processing (modification) of the personal data of a customer included in a contract by a third party without the consent of the customer. | link |
115 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-25 | 11,000 | FAN Courier Express SRL | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine was imposed because the controller failed to take appropriate technical and organisational measures leading to the loss and unauthorised access to personal data (name, bank card number, CVV code, cardholder’s address, personal identification number, serial and identity card number, bank account number, authorised credit limit) of approximately 1,100 data subjects. | link |
116 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-22 | 2,000 | BNP Paribas Personal Finance S.A. | Finance, Insurance and Consulting | Art. 12 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | BNP Paribas Personal Finance did not react to a request for erasure within the period set by the GDPR. | link |
117 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-14 | 30,000 | Telefónica SA | Media, Telecoms and Broadcasting | Art. 5 GDPR | Non-compliance with general data processing principles | Telefónica had charged the complainant various fees in connection with the operation of a telephone line which the complainant had never owned. The reason for this was that the complainant’s bank account was linked to another Telefónica customer, which led to the charges being debited from the complainant’s account. According to the AEPD, this is contrary to the principle of accuracy as required by Article 5(1)(d) GDPR. | link |
118 | FRANCE | French Data Protection Authority (CNIL) | 2019-11-21 | 500,000 | Futura Internationale | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR, Art. 31 GDPR, Art. 44 GDPR | Insufficient fulfilment of data subjects rights | Futura Internationale was fined for cold calls after several complainants obtained cold calls, despite having declared directly to the caller and by post that this was not wanted. In particular, the decision pointed out that the CNIL’s on-site investigation of Futura Internationale revealed, inter alia, that Futura Internationale had received several letters objecting to cold calling, that it had stored excessive information about customers and their health and that Futura Internationale had not informed individuals about the processing of their personal data or the recording of telephone conversations. | link |
119 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-19 | 60,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | An individual complainant had received an SMS from Xfera Móviles which was to be addressed to a third party and which allowed him to access the account and personal data of this third party on the Xfera Móviles website via the telephone number and password received by SMS. | link |
120 | LATVIA | Data State Inspectorate (DSI) | 2019-11 | 150,000 | Unknown | Not assigned | Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful data processing. No further information available yet. | link |
121 | SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 10,000 | Ikea Ibérica | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The company installed cookies on an end users terminal device without prior consent of the data subject. | link |
122 | GERMANY | Data Protection Authority of Rheinland-Pfalz | 2019-12-03 | 105,000 | Hospital | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine is based on several breaches of the GDPR in connection with a patient mix-up at the admission of the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital’s patient management. | link |
123 | BELGIUM | Belgian Data Protection Authority (APD) | 2019-11-28 | 5,000 | Mayor | Public Sector and Education | Art. 6 GDPR | Insufficient legal basis for data processing | Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used have not been collected for this purpose. | link |
124 | BELGIUM | Belgian Data Protection Authority (APD) | 2019-11-28 | 5,000 | Municipal alderman | Public Sector and Education | Art. 6 GDPR | Insufficient legal basis for data processing | Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used have not been collected for this purpose. | link |
125 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-04 | 20,000 | S CNTAR TAROM SA (Airline) | Transportation and Energy | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian data protection authority imposed a sanction on an airline because it has not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions (Article 32(4) of the GDPR). This resulted in an employee having unauthorized access to the booking application and being able to photograph a list with the personal data of 22 passengers/customers to disclose this list on the Internet. | link |
126 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-28 | 0 | ING Bank N.V. | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Original Fine Summary: ING Bank has not taken appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers, resulting in double transactions being executed between 8 and 10 October. Update: The Bucharest Court of Appeal overturned the fine of EUR 80,000. | link link |
127 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-29 | 2,500 | Royal President S.R.L. | Industry and Commerce | Art. 15 GDPR, Art. 6 GDPR, Art. 32 GDPR | Insufficient fulfilment of data subjects rights | Royal President refused a request for access to personal data pursuant to Article 15 of the GDPR and disclosed personal data without the consent of the data subjects. In addition, Royal President has not taken appropriate technical or organisational measures to ensure the security of the data processed. | link |
128 | GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 2020-11-11 | 900,000 | Telecoms provider (1&1 Telecom GmbH) | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Original Fine Summary: The Controller is a company offering telecommunication services. A caller could obtain extensive information on personal customer data from the company's customer service department simply by providing a customer's name and date of birth. In this authentication procedure, the BfDI saw a violation of Article 32 GDPR, according to which a company is obliged to take appropriate technical and organisational measures to systematically protect the processing of personal data. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale. Update: On November 11th, 2020, after an appeal against the fine, the Bonn District Court decided that although the fine is justified in principle, it is unreasonably high. The chamber therefore reduced the fine from originally EUR 9.55 million to EUR 900,000. One of the reasons for the reduction was that the company's procedure for authenticating customers on its telephone hotline (requesting only the name and date of birth of the caller) had remained unobjected to for a long time, so the company lacked a concrete awareness of the problem, which meant that the concrete culpability in this case had to be classified as rather low. Furthermore, according to the court, the violation was also rather minor, as it could not lead to a massive data leakage. | link |
129 | GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 2019-12-09 | 10,000 | Rapidata GmbH | Media, Telecoms and Broadcasting | Art. 37 GDPR | Insufficient involvement of data protection officer | Despite repeated requests of the BfDI the company (an internet provider) did not comply with its legal obligation under Article 37 GDPR to appoint a data protection officer. | link |
130 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 21,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationship had ended. The fine of EUR 35,000 was reduced to EUR 21,000. | link |
131 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 36,000 | VODAFONE ONO, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company sent a marketing email to a large number of recipients (clients) without using the blind copy feature. The initial fine of EUR 60.000 was reduced to EUR 36.000. | link |
132 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 48,000 | VODAFONE ONO, S.A.U. | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Customers could access personal data of other customers in the customer area. The initial fine of EUR 60.000 was reduced to EUR 48.000. | link |
133 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 48,000 | TELEFONICA MOVILES ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The claimant’s bank account was charged by the company with two invoices for the services he had contracted, however, displaying personal data of another customer. The initial fine of EUR 60.000 was reduced to EUR 48.000. | link |
134 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 30,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Disclosure of customer personal data (i.a. purchase history) via an SMS to another customer. The initial fine of EUR 50.000 was reduced to EUR 30.000. | link |
135 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 40,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | The company had charged a Netflix service that had not been solicited by the claimant. The claimant could prove that the service had been used by another household which allegedly had received the claimant’s bank account and phone number from Vodafone. Since Vodafone could not prove that the claimant had consented to the conclusion of the contract concerning the Netflix services, the AEPD imposed a fine of EUR 40.000. | link |
136 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 20,000 | Employer | Employment | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation). | link |
137 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 9,000 | Employer | Employment | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation). | link |
138 | SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 3,600 | AMADOR RECREATIVOS, S.L | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Surveillance of the public space by video surveillance cameras in violation of the principle of data minimisation. | link |
139 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-10 | 15,100 | Town of Kerepes | Public Sector and Education | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The city based its video surveillance practice on its legitimate interests (Art. 6 (1) f GDPR). However, according to Art. 6 (1) subparagraph 2, this legal basis shall not apply to processing carried out by public authorities in the performance of their tasks. The processing could not be based on another legal basis. | link |
140 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2019-09-03 | 28,100 | National Revenue Agency | Public Sector and Education | Art. 6 (1) GDPR, Art. 58 (2) e) GDPR | Insufficient legal basis for data processing | The pecuniary sanction of EUR 28,121 was imposed on the National Revenue Agency for unlawful processing of the personal data of data subject G.B.I. The personal data of G.B.I. was unlawfully collected and subsequently used to form an enforcement case against her for recovery of the sum of approx. EUR 86,569. In relation to the enforcement case formed, additional data concerning the bank accounts of G.B.I. was collected by the National Revenue Agency from the register of the Bulgarian National Bank. The additionally collected data was also unlawfully processed by the National Revenue Agency in sending distraint orders to the banks with which G.B.I. had bank accounts. | link |
141 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-28 | 75,000 | Curenergía Comercializador de último recurso | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | An individual filed a complaint against the company alleging that the company had used its personal data as a former customer, such as first and last name, VAT identification number and address, to enter into an electricity supply contract. | link |
142 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-03 | 1,500 | Cerrajeria Verin S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The company collected personal data without providing accurate information on their data processing activities in their privacy policy published on their website. | link |
143 | GERMANY | Data Protection Authority of Mecklenburg-Vorpommern | 2019 | 800 | Police Officer | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | A police officer used a witness’s personal data to contact her personally. | link |
144 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2019-12-16 | 35,000 | Nusvar AB | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | Nusvar AB, operator of the website Mrkoll.se, which provides information on all Swedes over 16 years of age, had published information on people with overdue payments. | link |
145 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-16 | 2,000 | Globus Score SRL | Industry and Commerce | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not comply with measures ordered by the National Supervisory Authority. | link |
146 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-03 | 5,000 | Linea Directa Aseguradora | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The insurance company has sent advertising e-mails for the ‘Reto Nuez’ platform without the required consent. | link |
147 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-10 | 1,600 | Megastar SL | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The company operated a video surveillance system in which the observation angle of the cameras extended unnecessarily far into the public traffic area. Furthermore, no sign with data protection notices was affixed. | link |
148 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-26 | 3,000 | Modern Barber | Industry and Commerce | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not comply with measures ordered by the National Supervisory Authority. | link |
149 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-02 | 2,000 | Nicola Medical Team 17 SRL | Health Care | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not comply with measures ordered by the National Supervisory Authority. | link |
150 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-10-24 | 7,400 | Military Hospital | Health Care | Art. 32 GDPR, Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | A military hospital did not meet the reporting deadline for data breaches. Another part of the fine relates to a lack of technical and organisational measures. | link |
151 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-19 | 6,000 | Sports Bar | Accommodation and Hospitality | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The sports bar operated a video surveillance system in which the observation angle of the cameras extended into the public traffic area. | link |
152 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-06 | 60,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | Vodafone has sent the customer’s invoice data to unauthorised third parties following a customer invoice complaint. Originally, a fine of EUR 75,000 was threatened, but was reduced to EUR 60,000 against immediate payment and waiver of appeal. | link |
153 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-23 | 60,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | Vodafone sent an invoice history to the subscriber as part of the invoice complaint by the subscriber. The history also contained invoice data of an unknown third party. | link |
154 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2019-10-31 | 50,000 | Menzis (Health Insurance Company) | Finance, Insurance and Consulting | Art. 5 GDPR | Non-compliance with general data processing principles | Marketing staff had access to patient data. Among other things, this violated the purpose limitation principle. | link |
155 | GREECE | Hellenic Data Protection Authority (HDPA) | 2019-10-18 | 20,000 | Wind Hellas Telecommunications | Media, Telecoms and Broadcasting | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | Among other things, the company has ignored objections raised by affected parties against advertising calls. | link |
156 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-18 | 2,000 | Telekom Romania Mobile Communications SA | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company failed to ensure the accuracy of the processing of personal data, which resulted in the disclosure of one client's personal data to another client. | link |
157 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-12-11 | 1,430 | Unknown Company | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related document. The director received no warning that his former inbox would be activated and did not have a chance to copy / delete his private data (passwords and financial information). According to NAIH, an employee or a representative should be present when the employee’s data is being accessed, even if the employment has been terminated. Employees should be able to request a copy or the deletion of their private data. Employers must record the access with minutes and photos; when the employee cannot be present, then in the presence of independent witnesses. Employers must adopt internal policies on archiving and the use of IT assets and e-mail accounts, including procedural rules such as the steps of an inspection and the officials authorised to carry it out. | link |
158 | UNITED KINGDOM | Information Commissioner (ICO) | 2019-12-17 | 320,000 | Doorstep Dispensaree Ltd. (Pharmacy) | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents. | link |
159 | BELGIUM | Belgian Data Protection Authority (APD) | 2019-12-17 | 2,000 | Nursing Care Organisation | Industry and Commerce | Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The company failed to act on requests from the data subject to get access to his data and to have his data erased. | link |
160 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-29 | 500 | Homeowners Association | Real Estate | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The association used video surveillance systems without proper information according to Art. 13 GDPR and without adequate security measures regarding the persons having access to the system. | link |
161 | SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-10 | 5,000 | Shop Macoyn, S.L. | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company has sent advertising e-mails to several recipients where the e-mail addresses of all other recipients were visible to all recipients, because the recipient addresses were inserted as CC and not as BCC. | link |
162 | BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-09-03 | 1,022 | Telecommunication service provider | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 25 (1) GDPR | Insufficient legal basis for data processing | Pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent. | link |
163 | BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-09-03 | 5,113 | Telecommunication service provider | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 25 (1) GDPR | Insufficient legal basis for data processing | Pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent. | link |
164 | BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-09-03 | 11,760 | Commercial representative of telecommunication service provider | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | A pecuniary sanction of EUR 11,760 was imposed on the commercial representative of a telecommunications service provider for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of a contract for mobile services and leasing contracts. | link |
165 | BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-09-03 | 1,121 | Private enforcement agent | Industry and Commerce | Art. 12 (4) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A fine of EUR 1,121 was imposed on a private enforcement agent for processing the personal data of a data subject through video surveillance recordings and for refusing to grant access to the collected data. The data subject submitted an application for access to his personal data to the private enforcement agent, who failed to inform him of the reasons for the rejection of his request. | link |
166 | BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-10-28 | 511 | Employer | Employment | Art. 12 (3) GDPR, Art. 15 (1) GDPR | Insufficient fulfilment of data subjects rights | A pecuniary sanction of EUR 511 was imposed on an employer for refusing to grant access to the personal data of a data subject who had submitted an application for access to his personal data to his former employer. | link |
167 | BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-10-07 | 511 | B.D. | Health Care | Art. 31 GDPR | Insufficient cooperation with supervisory authority | A fine of EUR 511 was imposed on B.D. for failure to provide access to information which the Commission for Personal Data Protection needed for the performance of its tasks and the execution of an order. | link |
168 | BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-10-08 | 5,112 | The Ministry of Interior Affairs | Public Sector and Education | Art. 5 (1) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | A fine of EUR 5,112 was imposed on the Ministry of Interior Affairs for unlawfully processing the personal data of data subject A.K. The Ministry of Interior sent the personal data of A.K. to the Togolese Republic (Togo). | link |
169 | BELGIUM | Belgian Data Protection Authority (APD) | 2019-12-17 | 15,000 | Website providing legal information | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | An operator of a website for legal news had the privacy statement available only in English, although it was also addressed to a Dutch and French speaking audience. In addition, the first version of the privacy statement was not easily accessible and did not mention the legal basis for data processing under the GDPR. Furthermore, with reference to the ECJ ruling on Planet 49, it was determined that effective consent was required for the use of Google Analytics. | link |
170 | GERMANY | Data Protection Authority of Niedersachsen | 2019 | 294,000 | Unknown | Employment | Art. 5 GDPR | Non-compliance with general data processing principles | A company was fined EUR 294,000 for ‘unnecessarily long’ storage and retention of personnel files and for ‘excessive’ data collection in the personnel selection process, during which health data were also requested. | link |
171 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-07 | 44,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company had sent a contract with personal data, including the applicant’s name, address and telephone number, to the wrong recipient. | link |
172 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-09 | 3,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 58 GDPR | Insufficient cooperation with supervisory authority | Failure to provide information to the AEPD within the required timeframe, in violation of Article 58 GDPR. | link |
173 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-07 | 75,000 | EDP España S.A.U. | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject. | link |
174 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-07 | 75,000 | EDP Comercializadora, S.A.U. | Transportation and Energy | Art. 6 GDPR | Insufficient legal basis for data processing | The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora and that the processing of data is therefore justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier. | link |
175 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-07 | 10,000 | Asociación de Médicos Demócratas | Health Care | Art. 6 GDPR | Insufficient legal basis for data processing | The Asociación de Médicos Demócratas has processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects. | link |
176 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-10 | 14,000 | Hora Credit IFN SA | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA transmitted documents containing personal data of another person to a wrong e-mail address. Following the investigation it was found that Hora Credit IFN SA processed the data without providing effective mechanisms for verifying and validating the accuracy of the data collected and processed, as required by the principles set out in Art. 5 GDPR. It was also found that the operator did not take sufficient security measures for personal data, according to Art. 25 and 32 GDPR, so as to avoid unauthorised disclosure of personal data to third parties. At the same time, Hora Credit IFN SA did not notify the Supervisory Authority of the security incident that was brought to its notice within 72 hours of becoming aware of it, as required by Art. 33 GDPR. The fine consists of three partial fines of EUR 3,000, EUR 10,000 and EUR 1,000. | link |
177 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-16 | 6,000 | SC Enel Energie S.A. (Electricity Distributor) | Transportation and Energy | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The sanctions were imposed following a complaint alleging that Enel Energie had unlawfully processed an individual’s personal data and was unable to prove that it had obtained the individual’s consent to send e-mail notifications. In addition, the ANSPDCP pointed out that the operator had not taken the necessary measures to stop the transmission of notifications, despite the fact that the person had repeatedly exercised his right to object. The operator SC Enel Energie SRL was sanctioned with two fines, each amounting to 14,334.30 lei, the equivalent of EUR 3,000. | link |
178 | CYPRUS | Cypriot Data Protection Commissioner | 2020-01-13 | 9,000 | Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GDPR. | link |
179 | CYPRUS | Cypriot Data Protection Commissioner | 2019-10-25 | 70,000 | LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd | Employment | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13. | link |
180 | CYPRUS | Cypriot Data Protection Commissioner | 2019-10-25 | 10,000 | LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd | Employment | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13. | link |
181 | CYPRUS | Cypriot Data Protection Commissioner | 2019-10-25 | 2,000 | LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd | Employment | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13. | link |
182 | CYPRUS | Cypriot Data Protection Commissioner | 2020-01-13 | 1,000 | eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD) | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for telephone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages. | link |
183 | GREECE | Hellenic Data Protection Authority (HDPA) | 2020-01-13 | 15,000 | Allseas Marine S.A. | Employment | Art. 5 (1) a), (2) GDPR | Non-compliance with general data processing principles | The data protection supervisory authority fined the company for the extent to which employee data were processed by a video surveillance system in the workplace, for the unlawful introduction of the video surveillance system, and for not sufficiently informing its employees about it. | link |
184 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-13 | 5,000 | Entirely Shipping & Trading S.R.L. | Employment | Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR | Non-compliance with general data processing principles | The company excessively processed the personal data of its employees through video cameras installed in the offices and in the places where the employees store their spare clothes in cabinets (changing rooms), in violation of the principle of ‘data minimisation’. | link |
185 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-13 | 5,000 | Entirely Shipping & Trading S.R.L. | Employment | Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The company processed biometric data (fingerprints) of its employees for access to certain rooms, although means less intrusive for the privacy of the data subjects could have been used, in violation of the principle of ‘data minimisation’. | link |
186 | ITALY | Italian Data Protection Authority (Garante) | 2019-12-11 | 8,500,000 | Eni Gas e Luce | Transportation and Energy | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts. The first fine of EUR 8.5 million relates to the unlawful processing in connection with telemarketing and telesales activities. Amongst others, promotional calls were made without the consent of the person contacted or despite that person’s refusal to receive promotional calls, or without triggering the special procedures for checking the public opt-out register. In addition, there was a lack of technical and organisational measures to take account of the information provided by users; data was processed longer than the permitted data retention periods; and data on potential customers was collected from entities (list providers) who had not obtained consent to the disclosure of such data. | link |
187 | ITALY | Italian Data Protection Authority (Garante) | 2019-12-11 | 3,000,000 | Eni Gas e Luce | Transportation and Energy | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts. The second fine of EUR 3 million concerns infringements resulting from the conclusion of unsolicited contracts for the supply of electricity and gas under ‘market economy’ conditions. Many persons complained to the Authority that they only learned of the conclusion of a new contract after receiving the letter of termination of the contract with the previous supplier or the first Egl invoices. In some cases, the complaints reported false information in the contracts and forged signatures. | link |
188 | GREECE | Hellenic Data Protection Authority (HDPA) | 2019-12-19 | 150,000 | Aegean Marine Petroleum Network Inc. | Transportation and Energy | Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Companies outside the Aegean Marine Petroleum Group had access to its servers containing personal data and copied the contents of the servers, since Aegean Marine Petroleum failed to take the necessary technical measures to secure the processing of large amounts of data and to keep the relevant software separate from the personal data stored on the servers. Furthermore, Aegean Marine Petroleum had not informed the data subjects of the processing of their personal data stored on the servers. | link |
189 | ITALY | Italian Data Protection Authority (Garante) | 2020-01-15 | 27,800,000 | TIM (telecommunications operator) | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Furthermore, irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in apps provided by the company, and invalid methods of consent were used. In some cases, paper forms requesting one single consent were used for various purposes, including marketing. Furthermore, data was kept longer than necessary, thus violating deletion periods. For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), and lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use of personal data for marketing purposes of those who had refused to receive promotional calls from the call centres. | link |
190 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019-10-24 | 100,000 | Food company | Accommodation and Hospitality | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had set up an applicant portal on its website where interested parties could submit their application documents online. However, the company did not offer encrypted transmission of the data, nor did it store the applicant data in an encrypted or password-protected manner. In addition, the unsecured applicant data was indexed by Google, so that anyone searching for the respective applicant names on Google could find their application documents and retrieve them without access restrictions. | link |
191 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-14 | 3,600 | Zhang Bordeta 2006, S.L. (Store and Restaurant) | Accommodation and Hospitality | Art. 5 GDPR | Non-compliance with general data processing principles | The store and restaurant owner installed a video surveillance system which, among other things, also recorded the sidewalk and thus the public space, which violates the fundamental principle of data minimisation. | link |
192 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 60,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the data protection authority, XFERA MOVILES has violated Article 6(1) of the GDPR, as the company has unlawfully processed data, including bank details, customer address and name of the data subjects. | link |
193 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 75,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The fine was preceded by a complaint from the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscription with a third party without the data subject’s knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him. | link |
194 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 60,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España, which contained the billing of a telephone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject’s personal data were incorporated into the information systems of Vodafone España without Vodafone being able to show that the data subject had consented to the collection and subsequent processing of his personal data. The fine of 100,000 EUR was reduced to 60,000 EUR due to a voluntary payment. | link |
195 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 50,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR | Non-compliance with general data processing principles | The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to its neighbour. | link |
196 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 20,000 | Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal | Transportation and Energy | Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | Iberia continued to send e-mails to the data subject, although the data subject had requested the withdrawal of his consent and the erasure of his personal data, and the execution of these measures had already been confirmed to him. | link |
197 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 75,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship. As a reason for the incorrect mailings Vodafone indicated a technical error. | link |
198 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 6,670 | Banco Bilbao Vizcaya Argentaria S.L. | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data. | link |
199 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 5,000 | Queseria Artesenal Ameco S.L. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company processed personal data of customers without required consent. | link |
200 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 800 | Automoción | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | An employee created a fake profile of a female colleague on an erotic portal, which contained, among other things, her contact details, a photo of her and information about her sexuality. Based on the profile, the data subject received several phone calls from people who wanted to contact her regarding the information provided on the website. As the private person was found to have a personality disorder, the fine was reduced from an initial EUR 1,000 to EUR 800. | link |
201 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-04 | 1,500 | Cafetería Nagasaki | Accommodation and Hospitality | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The AEPD found that the Cafetería Nagasaki did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians. | link |
202 | ITALY | Italian Data Protection Authority (Garante) | 2020-01-15 | 10,000 | Community of Francavilla Fontana | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The community published on its website information about a court trial, including personal data such as health data about a data subject. | link |
203 | GERMANY | Data Protection Authority of Hamburg | 2019 | 51,000 | Facebook Germany GmbH | Media, Telecoms and Broadcasting | Art. 37 GDPR | Insufficient involvement of data protection officer | Whereas Facebook Ireland had appointed a data protection officer for all group companies located in the EU, this appointment was not notified to the DPA Hamburg, competent for Facebook Germany GmbH. The fine was calculated on the basis of the turnover of the German branch (EUR 35 million). Relevant factors for the calculation were, among others, that the omitted notification was immediately made up for, that Facebook acted negligently, and that it did not violate the duty to appoint a data protection officer but only the notification obligation. | link |
204 | GERMANY | Data Protection Authority of Hamburg | 2019 | 20,000 | Hamburger Verkehrsverbund GmbH (HVV GmbH) | Transportation and Energy | Art. 33 GDPR, Art. 34 GDPR | Insufficient fulfilment of data breach notification obligations | On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data breach was not reported to the data protection authority in a timely manner. | link |
205 | GERMANY | Data Protection Authority of Hamburg | 2019 | Unknown | Hamburger Volksbank eG | Finance, Insurance and Consulting | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The company had sent a customer a newsletter with advertising content by e-mail, although this customer had previously expressly objected to the sending of further advertising letters. | link |
206 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 2,500 | Grupo Valsor Y Losan, S.L. | Real Estate | Art. 5 (1) f) GDPR | Insufficient technical and organisational measures to ensure information security | The controller had disclosed personal data to a third party in a property purchase agreement (breach of the principles of integrity and confidentiality of personal data). | link |
207 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 3,000 | Colegio Arenales Carabanchel (School) | Public Sector and Education | Art. 6 GDPR | Insufficient legal basis for data processing | The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis. | link |
208 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-18 | 1,500 | Mymoviles Europa 2000, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The AEPD found that the company had not published a privacy statement on its website and that its legal notice did not sufficiently identify the company. | link |
209 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 80,000 | Iberdrola Clientes | Transportation and Energy | Art. 6 GDPR | Insufficient legal basis for data processing | Iberdrola Clientes, an electricity company, terminated the data subject's contract without his consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the complainant's personal data to a third party without legal basis. In addition to this fine, the AEPD also imposed another fine in the amount of EUR 50,000 under the old Spanish Data Protection Law. | link |
210 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 42,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The complainant had access to third party data in his personal Vodafone profile. | link |
211 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 30,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The AEPD found that a third party had access to the name, telephone number and address of another customer. | link |
212 | ITALY | Italian Data Protection Authority (Garante) | 2020-01-23 | 30,000 | Azienda Ospedaliero Universitaria Integrata di Verona (Hospital) | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine followed unauthorised access to health data: a trainee and a radiologist were able to access the health records of their colleagues. The investigation revealed that the technical and organisational measures taken by the hospital to protect health data had proved insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines for health records issued by the authority in 2015, which stipulate that access to health records must be restricted to the health personnel involved in the patient's care. | link |
213 | ITALY | Italian Data Protection Authority (Garante) | 2020-01-23 | 30,000 | Sapienza Università di Roma | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine is based on the fact that, according to the data protection authority, Sapienza Università made available online the identification data of two people who had reported possible illegal behaviour to the university. This was due to the lack of adequate technical access control measures within the whistleblowing management system, which had not limited access to such data to authorised personnel only. | link |
214 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-27 | 120,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Furthermore, the decision of the data protection authority emphasises that Vodafone España also unlawfully disclosed the personal data of the data subject to various credit agencies. | link |
215 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-28 | 48,000 | Vodafone ONO, S.A.U. | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The decision was taken due to several deficiencies in information security. For example, two people were given the same security access key. | link |
216 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-25 | 48,000 | HM Hospitales | Health Care | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The data subject stated that at the time of his admission to hospital he had to fill in a form containing a checkbox indicating that, if he did not tick it, he agreed to the transfer of his data to third parties. This form, provided by HM, was not compatible with the GDPR, since consent was to be inferred from the inactivity of the data subject (an opt-out by default), which is not valid consent. | link |
217 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-25 | 6,000 | Casa Gracio Operation | Accommodation and Hospitality | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The company used CCTV cameras on the premises of a hotel which also captured the public roads outside the hotel, resulting in a violation of the so-called principle of data minimisation. | link |
218 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-03-03 | 525,000 | Royal Dutch Tennis Association ('KNLTB') | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Dutch Data Protection Authority fined the Royal Dutch Tennis Association ('KNLTB') EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors, who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB had sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors. | link |
219 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-28 | 3,600 | AEMA Hispánica | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company had sent the payroll of an employee to another employee and therefore disclosed personal data to an unauthorised party. | link |
220 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-03 | 1,800 | Solo Embrague | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The corporate website did not present a privacy policy or a cookie banner on its main page. | link |
221 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-03 | 42,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorized access to personal data of a client. | link |
222 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-03 | 40,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the AEPD, the company sent an SMS to a person's mobile number confirming that a telephone contract for that number had been signed, even though the person was not a Vodafone client, resulting in the processing of personal data without the data subject's consent or any other legal basis such as a legitimate interest of the company. | link |
223 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-03 | 24,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the AEPD, the company sent two SMS to a client's mobile number, one informing about a rate change in the contract and one confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subject's consent or any other legal basis such as a legitimate interest of the company. | link |
224 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-03-04 | 0 | School in Gdansk (Danzig) (fine imposed against town of Gdansk) | Public Sector and Education | Art. 5 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | Original summary: A school in Gdansk used biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Although the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, as the consent to data processing was not given voluntarily. Update: On August 7, 2020, the Provincial Administrative Court in Warsaw overturned the decision of the Polish DPA imposing a fine of EUR 4,600. | link |
225 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-04 | 60,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the AEPD, the data subject received several SMS from another operator indicating the activation of a new contract. The reason for this was that an employee of Vodafone España had activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or a sufficient legitimate interest for this processing of personal data. | link |
226 | ITALY | Italian Data Protection Authority (Garante) | 2020-03-06 | 4,000 | Liceo Artistico Statale di Napoli | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Garante's decision reveals that the high school unlawfully published health data and other information in the teacher rankings published on the institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimisation. | link |
227 | ITALY | Italian Data Protection Authority (Garante) | 2020-03-06 | 4,000 | Liceo Scientifico Nobel di Torre del Greco | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Garante's decision reveals that the high school unlawfully published health data and other information of more than 2,000 teachers in the teacher rankings published on the institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimisation. | link |
228 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-06 | 4,000 | Private individual | Individuals and Private Associations | Art. 5 GDPR | Non-compliance with general data processing principles | Unlawful usage of video surveillance cameras which also monitored parts of the public space (violation of principle of data minimization). | link |
229 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-09 | 15,000 | Gesthotel Activos Balagares | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read the contents of this letter in a meeting with other employees. | link |
230 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-03-10 | 7,000 | Hørsholm Municipality | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A city government employee had his work computer stolen, which contained the personal data of about 1,600 city government employees, including sensitive information and information about social security numbers. | link |
231 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-03-10 | 14,000 | Gladsaxe Municipality | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A computer containing personal data that was not protected by encryption was stolen, including sensitive information and the personal identification numbers of 20,620 city residents. | link |
232 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-03-11 | 5,000,000 | Google LLC | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | Original fine summary: The Swedish data protection authority fined Google LLC EUR 7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Integritetsskyddsmyndigheten had already completed a review in 2017 of the way in which Google deals with the right of individuals to have search results removed from Google's search engine and had instructed Google to remove a number of search results. The authority stated that it had initiated a further review of Google's practices in 2018 after receiving indications that several of the results that should have been removed still appeared in search results. Integritetsskyddsmyndigheten also objected to Google's practice of informing website owners about which results Google removes from search results, specifically which link has been removed and who is behind the request for removal, as this is done without legal basis. Update: On November 23, 2020, after an appeal against the fine, the Administrative Court of Stockholm announced that it had rejected Google LLC's appeal. | link |
233 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2020-03-10 | 20,600 | National Center of Addiction Medicine (‘SAA’) | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Persónuvernd noted that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse. | link |
234 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2020-03-10 | 9,000 | Breiðholt Upper Secondary School | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions. | link |
235 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-02-26 | Only intention to issue fine | Rælingen Municipality | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | On February 26, 2020, the Norwegian DPA (Datatilsynet) announced that it intends to fine Rælingen Municipality EUR 73,600 for violations of Art. 5 (1) f) GDPR and Art. 32 GDPR. This fine has since been imposed; see details at link. | link |
236 | GERMANY | Data Protection Authority of Saarland | 2019 | 2,000 | Restaurant | Accommodation and Hospitality | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras were used in violation of the principle of data minimisation (the customer areas of the restaurant were also monitored). | link |
237 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-02-28 | Only intention to issue fine | Coop Finnmark SA | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | On February 28, 2020, the Norwegian DPA (Datatilsynet) announced that it intends to fine Coop Finnmark SA EUR 38,600 for violations of Art. 5 GDPR and Art. 6 GDPR. This fine has since been imposed; see details at link. | link |
238 | GERMANY | Data Protection Authority of Nordrhein-Westfalen | 2019-08-05 | 200 | Private person (YouTube-Channel) | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The private person used a dashcam to make recordings of public road traffic and then published them on YouTube as a compilation. | link |
239 | CROATIA | Croatian Data Protection Authority (azop) | 2020-03-13 | Unknown | Bank (name not available at the moment) | Finance, Insurance and Consulting | Art. 15 (1), (3) GDPR | Insufficient fulfilment of data subjects rights | In the period from May 2018 to April 2019, the bank (name not available at the moment) refused to provide its customers with copies of credit documentation (e.g. repayment plan, loan agreement annex, review of interest rate changes, etc.). The bank argued that the documentation related to repaid loans and constituted loan documentation that cannot be subject to the customers' right of access. During the procedure, initiated on the basis of data subjects' complaints, the DPA ordered the bank to enable the right of access and to provide copies of the requested loan documentation. When imposing the fine, the DPA took into consideration in particular that the bank had failed to comply with the ordered measures, that it had continued the practice for almost a year, and that it had denied the right of access to more than 2,500 of its customers. The amount of the fine is not known at the moment, but as the DPA qualified the breach as "severe", a high fine is expected. | link |
240 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-18 | 30,000 | Telefónica | Media, Telecoms and Broadcasting | Art. 58 GDPR | Insufficient cooperation with supervisory authority | Telefónica had failed to comply with decision TD / 00127/2019 of the Director of the AEPD, which required it to reply to a data subject's requests for access to and erasure of data. | link |
241 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-02-11 | 3,000 | Vodafone Romania | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Vodafone Romania had incorrectly processed personal data of an individual in order to process a complaint, which was subsequently sent to a wrong e-mail address. The reason for this was that there were insufficient security measures in place to prevent such erroneous data processing. | link |
242 | GREECE | Hellenic Data Protection Authority (HDPA) | 2020-02-21 | 5,000 | Public Power Corporation S.A. | Transportation and Energy | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Decision clarified that data subjects have a right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request. | link |
243 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-16 | 5,000 | Centro De Estudio Dirigidos Delta, S.L. | Public Sector and Education | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | Centro De Estudio Dirigidos Delta sent a message containing personal data such as first and last name and ID numbers to a third party via WhatsApp without the consent of the data subjects. This constitutes a violation of the principles of integrity and confidentiality under Article 5(1)(f) GDPR. | link |
244 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-16 | 4,000 | Private Person | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | On a beach, a private person secretly photographed female bathers. The incident was reported to the AEPD by the local police. | link |
245 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-06 | 3,200 | Retailer | Industry and Commerce | Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | Insufficient declaration of video surveillance. | link |
246 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-12 | 2,000 | Homeowners Association | Real Estate | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Video surveillance of public space and thus violation of the principle of data minimisation. Furthermore, violation of information obligations, as insufficient information had been provided about the video surveillance. | link |
247 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-16 | 6,000 | Amalfi Servicios de Restauracion S.L. | Accommodation and Hospitality | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Video surveillance of public space and thus violation of the principle of data minimisation. Furthermore, violation of information obligations, as insufficient information had been provided about the video surveillance. | link |
248 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-19 | 6,000 | Oliveros Ustrell, S.L. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company forwarded an unsigned porting contract to the operator Vodafone, and the data controller was unable to provide evidence of the order. For this reason, the personal data of the data subject was processed without a sufficient legal basis. | link |
249 | ITALY | Italian Data Protection Authority (Garante) | 2020-02-06 | 20,000 | RTI – Reti Televisive Italiane s.p.a. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The television station broadcast a documentary about prostitution in Switzerland in which the persons interviewed were not sufficiently anonymised. | link |
250 | GREECE | Hellenic Data Protection Authority (HDPA) | 2020-03-20 | 8,000 | Speech and Special Education Centre – Mihou Dimitra | Health Care | Art. 15 GDPR, Art. 58 GDPR | Insufficient fulfilment of data subjects rights | The complainant had requested access to his child's data and to tax information. This request was rejected by the data controller. In addition, the data controller had violated an order of the data protection authority regarding access to the data. For this, a fine of EUR 8,000 was imposed: EUR 3,000 for not granting access to the data and EUR 5,000 for violating the orders of the data protection authority. | link |
251 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-05-21 | 286 | Directorate of Social and Child Welfare Institutions of the Ferencvaros District of Budapest | Public Sector and Education | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | An employee of the Directorate mistakenly sent nine letters to the wrong recipient; the letters contained personal data of 18 data subjects (including data of children, criminal data and data relating to the private life of the data subjects). The recipient informed the Directorate by telephone five days after posting that it had received certain letters by mistake. The Directorate notified NAIH of the data breach only weeks later. | link |
252 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-05-31 | 2,000 | Local bank | Finance, Insurance and Consulting | Art. 12 (3), (4), (5) GDPR, Art. 15 GDPR, Art. 18 GDPR | Insufficient fulfilment of data subjects rights | A customer of a local bank requested access to recordings of telephone conversations as well as to CCTV recordings. The bank provided copies of the telephone recordings and also offered the chance to review the CCTV recordings at the bank, but refused to provide copies of the CCTV recordings since they also contained third parties' personal data. NAIH decided that the bank had failed to fulfil the data subject's rights, since it did not respond in due time and also failed to provide copies of the requested recordings. According to NAIH, the controller could not rely on the protection of third-party data, since the CCTV recordings covered a public space open to every customer and the bank could also have anonymised certain parts of the recordings. | link |
253 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-06-03 | 2,850 | Claim management company | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The complainants stated during the case that they concluded a credit agreement with the bank, which sold its claim against the complainants and transferred their respective data to a third-party company (controller). NAIH determined in the case that the controller can neither rely on the consent of the data subjects nor the performance of the credit contract as the legal basis of the data processing, since the data subjects concluded such contract with the bank, not with the controller. The appropriate legal basis for processing could have been the legitimate interest of the controller. | link |
254 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-06-26 | 2,850 | Unknown | Not assigned | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The individual requested the deletion of his contact data (including his telephone number); however, the controller continued to process his contact data for claim enforcement purposes on the basis of its legitimate interest. NAIH determined that the controller had no compelling legitimate grounds for processing the telephone number of the data subject, since his postal address was also available, which is sufficient for claim enforcement purposes and for the related communication with the data subject. | link |
255 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-06-26 | 2,850 | Financial Enterprise | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | A client of a financial enterprise complained that the enterprise had transferred his data after he objected to the processing and had not provided information on the processing of his data at his request. According to the financial enterprise, it had sold its claim arising from the contract concluded with the client to a third party, and this transaction necessitated the transfer of the relevant client data. NAIH highlighted that the financial enterprise sold the claim and transferred the respective data after the client had failed to perform the contract; this also means that the financial enterprise cannot rely on the performance of the contract concluded with the client as a legal basis. The relevant legal basis would have been the legitimate interest of the controller, which requires a balancing test describing its interest in transferring the claim and the relevant data to a third party. | link |
256 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-07-17 | 8,575 | Budapest Environs Regional Court | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The chairman of the Budapest Environs Regional Court organised a meeting for court officials, during which he stated that he had resigned from the Hungarian Association of Judges and asked the court officials present to persuade their colleagues to do the same. The chairman also presented a list of the members of the Association in Pest county, which also included information on the amount of membership fees deducted from the salaries of judges. The list consisted of data collected from the judges' payroll records. NAIH determined that the Budapest Environs Regional Court may only process such data for the purpose of deduction and payroll management. NAIH also determined that the Budapest Environs Regional Court lacked a legal basis for data processing when it gave other persons access to data on employees' membership in an association. | link |
257 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-08-02 | 4,290 | Public area maintenance company | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | An ex-employee complained that his employer unlawfully monitored his work by its CCTV. The employer argued that CCTV monitoring was necessary to assess, whether the employee fulfilled his employment related duties (i.e. monitoring certain public areas and signalling any unusual event to his colleagues) and that the monitoring also served the protection of its surveillance system from unlawful access or usage. NAIH found that monitoring of the employee by CCTV is not an appropriate way of assessing his work performance and the employer relied on an inappropriate legal basis (public interest, official authority) regarding the CCTV operations. The employer could have protected its public area surveillance system by other methods (e.g. by installing firewalls or other security upgrades to its systems). The employer also placed only a brief notice sheet at the entrance of the workstation of the employee regarding the CCTV monitoring, which NAIH deemed insufficient. | link |
258 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-08-08 | 1,715 | Government Office Managing the Real Estate Register | Public Sector and Education | Art. 5 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | The owners of a property complained that the government office had posted its decision on the change of lessee (who had concluded a lease agreement with the property owners) to the owners of 40 other properties contracted by the same lessee. The decision contained personal data of all the owners who had a lease agreement with that lessee. | link |
259 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-10-15 | 2,860 | Unknown Company | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | An employee was on sick leave when his employer checked his desktop, laptop and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee did not receive pre-notification and did not have the chance to copy / delete his private information (telephone numbers, messages). According to NAIH, employers must record the access with minutes and photos. Employment agreements must regulate whether employees can use work equipment for private purposes. Privacy notices must contain the reasons for employee monitoring (e.g. business continuity, internal investigation, disciplinary purposes, and the specific retention period of employee data – including the length and recurrence of backup copies. Employers must also prepare ”balancing tests” to prove their legitimate interests for general employee monitoring and specific cases. | link |
260 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-03-04 | 290 | Representative of a local government | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | A local representative took a photo of the director of a company fully owned by the local government depicting the director allegedly tearing off an election poster of the opposition in the company of his child. The local representative uploaded the photo to his Facebook page. The child’s image was blurred, yet it was hinted in the post that she was the daughter of the director. The director told the local representative at the scene that he does not consent to the taking of the photo. NAIH determined that the act of the director was not public information and the photo does not prove that the director torn off an election poster. NAIH also underpinned that only the name of the director of the company fully owned by the local government was public information. | link |
261 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-03-25 | 2,000 | SOS Infertility Association | Health Care | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The Association did not provide the data protection authority with the information requested by the latter after the Association had processed personal data without a sufficient legal basis. | link |
262 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-03-25 | 3,000 | Enel Energie | Transportation and Energy | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had sent an email to a client which contained personal data of another client because the company had failed to implement adequate technical and organisational measures to ensure an adequate level of information security. | link |
263 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-03-25 | 4,150 | Vodafone Romania | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company has sent an email to a customer which contained personal data of another customer due to inadequate technical and organisational measures to ensure information security. | link |
264 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-03-25 | 3,000 | Dante International | Industry and Commerce | Art. 6 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The company had sent a commercial e-mail to a client although the client had previously unsubscribed from commercial communications. | link |
265 | ITALY | Italian Data Protection Authority (Garante) | 2020-02-13 | 4,000 | Comune di Urago | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The local council has published on its website information containing a person’s personal data, including health information. | link |
266 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-25 | 5,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not provide the data protection authority with the requested information in a timely manner. The AEPD’s request was preceded by a request from a data subject for access to their personal data. | link |
267 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-03-09 | 4,400 | Vis Consulting Sp. z o.o. | Finance, Insurance and Consulting | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company prevented an inspection by the data protection authority. As a result, the company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of the GDPR. | link |
268 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2020-02-20 | 2,560 | T.K. EOOD | Industry and Commerce | Art. 25 (1) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine of ca. EUR 2,557 was imposed on T.K. EOOD for unlawful processing of personal data of data subject I.S. by failing to adopt technical and organizational measures to ensure information security. T.K. EOOD processed the personal data of I.S. unlawfully nine times over a period of five months. The breaches caused damages to the data subject. | link |
269 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2020-02-20 | 2,560 | L.E. EOOD | Industry and Commerce | Art. 25 (1) GDPR, Art. 32 GDPR, Art. 6 GDPR | Insufficient technical and organisational measures to ensure information security | The fine of ca. EUR 2,557 was imposed on L.E. EOOD for unlawful processing of personal data of data subject I.S. without the knowledge and consent of the data subject and also without a valid contractual relationship between L.E. EOOD and I.S. The enterprise processed the personal data of I.S. unlawfully seven times over a period of 3 months by failing to adopt technical and organizational measures to ensure information security. In addition to the fine, the Commission for Personal Data Protection (‘KZLD’) instructed L.E. EOOD to carry out regular inspections of its data processing activities, to perform risk analyses regarding customers and employees and to conduct periodic training of employees. The KZLD also ordered L.E. EOOD to archive and keep the documents containing the personal data only for limited purposes and for the timeframe required by law. | link |
270 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2020-01-06 | 5,110 | Utility Company | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The fine of ca. EUR 5,113 was imposed on a Bulgarian utility company for unlawful processing of the personal data of the data subject V.V. The personal data of V.V. was unlawfully processed and subsequently used for initiating an enforcement case against him for outstanding payment obligations. During the enforcement case, the bailiff seized the data subject’s salary, and the latter suffered damages as a result of the unlawful processing. | link |
271 | GERMANY | Data Protection Authority of Brandenburg | 2019 | 50,000 | Unknown Company | Not assigned | Art. 15 GDPR, Art. 28 GDPR | Insufficient fulfilment of data subjects rights | The data controller had engaged an external company to carry out the duties relating to the right of access under Art. 15 GDPR. However, the engaged company conducted the correspondence with the data subjects under its own logo and in the English language, so that it was not apparent to the data subjects who was responsible for the data processing. As a result, the data controller infringed the principle of transparency laid down in Art. 12 GDPR and did not sufficiently fulfil its obligations to provide information in accordance with Art. 15 GDPR. In addition, the data protection supervisory authority found that no written contract for data processing had been concluded between the data controller and the external company, thus constituting a further breach of Art. 28 (9) GDPR. | link |
272 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-04-28 | 50,000 | Proximus SA | Media, Telecoms and Broadcasting | Art. 31 GDPR, Art. 58 GDPR, Art. 37 GDPR | Insufficient involvement of data protection officer | According to the data protection authority, the company’s data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company’s DPO was not able to work independently. | link |
273 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-04-29 | 18,700 | National Government Service Centre (NGSC) | Public Sector and Education | Art. 33 GDPR, Art. 34 GDPR | Insufficient fulfilment of data breach notification obligations | The DPA’s decision shows that it took almost five months for the company to notify the data subjects of a data breach, and almost three months for the DPA to receive notification of a data breach concerning a security deficiency in the company’s IT systems. | link |
274 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-04-30 | 725,000 | Unknown Organisation | Employment | Art. 5 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing. | link |
275 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-05-05 | 5,000 | Banca Comercială Română SA | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The data protection authority found that the company had not taken adequate technical and organisational measures to ensure an adequate level of information security. This applies in particular to the collection and transmission of copies of customers’ identification documents via WhatsApp. | link |
276 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-05-12 | 11,200 | Health and Medical Board of the Region of Örebro County | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of personal data of a patient without sufficient legal basis. | link |
277 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-05-15 | 6,700 | JobTeam A/S DKK | Employment | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The company has deleted personal data affected by a request for access without legal reason. | link |
278 | IRELAND | Data Protection Authority of Ireland | 2020-05-17 | 75,000 | Tusla Child and Family Agency | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company has erroneously disclosed personal data, including information about children, to unauthorized persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged offender, and in two other cases, data about children in foster care were improperly disclosed to blood relatives, including in one case to a father in prison. | link |
279 | FINLAND | Deputy Data Protection Ombudsman | 2020-05-22 | 100,000 | Posti Group Oyj | Transportation and Energy | Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The decision relates to complaints alleging that data subjects received direct marketing from the company although they had requested that their postal data be deleted. Investigations also revealed that the data protection information provided by the company was not transparent enough. | link |
280 | FINLAND | Deputy Data Protection Ombudsman | 2020-05-22 | 16,000 | Kymen Vesi Oy | Employment | Art. 35 GDPR | Non-compliance with general data processing principles | Fine for failure to carry out a data protection impact assessment (‘DPIA’) for the processing of location data of employees with a vehicle information system. | link |
281 | FINLAND | Deputy Data Protection Ombudsman | 2020-05-22 | 12,500 | Unknown Company | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Processing of employee data without sufficient legal basis. | link |
282 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-05-29 | 1,000 | Non-profit organisation | Individuals and Private Associations | Art. 6 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Belgian data protection authority imposed a fine of EUR 1,000 on a non-profit organisation for sending out direct marketing messages despite the fact that data subjects had exercised their rights to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the explicit consent of the data subjects. The data protection authority, however, denied that any overriding legitimate interest existed. | link |
283 | FINLAND | Deputy Data Protection Ombudsman | 2020-05-29 | 72,000 | Taksi Helsinki | Transportation and Energy | Art. 5 GDPR, Art. 6 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | Among other things, the company had not assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in its taxis and had also failed to conduct data protection impact assessments of its processing activities, including the surveillance of security cameras, the processing of location data, automated decision making and profiling as part of its loyalty program. Furthermore, the processing of audio data was not in line with the GDPR principle of data minimization. | link |
284 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-03-09 | 870 | Creditor | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Sending of SMS to a data subject as a reminder for a debt, even when the debt has already been paid. | link |
285 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 5,000 | Consulting de Seguridad e Investigacion Mira Dp Madrid S.L. | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A data subject has received marketing messages without having consented. | link |
286 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 540 | Chenming Ye (Bazar Real) | Industry and Commerce | Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | Usage of CCTV camera in a shop without proper information. | link |
287 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 1,000 | Property Owner | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Usage of a CCTV camera which also captured the public roads outside, in violation of the so-called principle of data minimisation. | link |
288 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 75,000 | Equifax Iberica, S.L. | Finance, Insurance and Consulting | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Data Subject has requested by e-mail the deletion of his data from the file of the National Association of Financial Credit Institutions (‘ASNEF’). Equifax Iberica had replied that the exercise of the complainant’s right was excessive due to an earlier request and that therefore the deletion would not be carried out. This was seen as a breach of data subjects rights for erasure under the GDPR as well as a breach of blocking obligations under national data protection laws. | link |
289 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 39,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR | Insufficient legal basis for data processing | A customer claimed to have received an SMS from Xfera Móviles informing about the non-payment and the resulting suspension of the service in relation to the account of another data subject. | link |
290 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 25,000 | Glovoapp23 | Industry and Commerce | Art. 37 GDPR | Insufficient involvement of data protection officer | The company had not appointed a Data Protection Officer (‘DPO’) to whom requests from data subjects could be addressed, and the company’s website did not contain information about an appointed DPO. | link |
291 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-04 | 4,000 | Iberdrola Clientes | Transportation and Energy | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company was asked to provide the AEPD with specific information in relation to a complaint. However, the company did not reply to the data protection authority’s request for information within the required time frame, in breach of Art. 58 of the GDPR. | link |
292 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-09-03 | 276,000 | Bergen Municipality | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In October 2019, the Data Protection Authority was informed by the Municipality of Bergen about a data breach in connection with the municipality’s tool for communication between school and home called ‘Vigilo’. This tool contained a module that allowed school and parents to communicate via a portal or app but that had not been secured properly to ensure the protection of personal data against security threats. | link |
293 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 40,000 | TELEFONICA MOVILES ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | A sales representative failed to carefully check the identity of a claimant, so that the claimant was able to act in the name of the data subject and order a telephone connection for four telephone lines in the data subject’s name. | link |
294 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-05-03 | 134,000 | Telenor Norge AS | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Fines for security breaches in a voice mailbox function. | link |
295 | BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2020-04-14 | 2,000 | Political Party | Public Sector and Education | Art. 6 GDPR | Insufficient legal basis for data processing | Forging signatures on a voters’ list. | link |
296 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-05-14 | 50,000 | Social Media Provider | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The company has sent invitations to contacts uploaded by its users without their consent or any other legal basis. | link |
297 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-04-23 | 3,000 | Estee Lauder Romania | Industry and Commerce | Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | Processing of personal data without sufficient legal basis including health data. | link |
298 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 3,000 | Salad Market S.L. (Catering Company) | Industry and Commerce | Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | Fines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website. | link |
299 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 2,000 | Attorney | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In the course of proceedings, an attorney submitted documents whose backs contained personal data of other parties. | link |
300 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 2,000 | Property Owner | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Usage of a CCTV camera which also captured the public roads outside, in violation of the so-called principle of data minimisation. | link |
301 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-04-23 | 3,000 | Telekom Romania Communications SA | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had not taken sufficient technical and organizational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjects. | link |
302 | ESTONIA | Estonian Data Protection Authority (AKI) | 2020-04-30 | 500 | Housing Association | Real Estate | Art. 6 GDPR | Insufficient legal basis for data processing | Fine of EUR 500 against a housing association for publishing photos showing members of the association without their consent. | link |
303 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-03-26 | 2,890 | Bank | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Due to an administrative error, the personal data of the data subject were registered and transferred to the Central Credit Information System (CCI) in connection with a loan agreement, without the data subject being a party to the agreement. | link |
304 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-03-19 | 5,800 | Unknown Company | Not assigned | Art. 6 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The data controller had not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that its data processing activities had been in compliance with data protection laws. | link |
305 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-01-24 | 1,450 | Accounting firm | Finance, Insurance and Consulting | Art. 24 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A printed customer list of an accounting firm, which also contained personal data, could be accessed by unauthorized persons. | link |
306 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2020-06-30 | 1,240,000 | Allgemeine Ortskrankenkasse (‘AOK’) (health insurance company) | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | From 2015 to 2019, AOK Baden-Württemberg (insurance organization) organized competitions on various occasions and collected personal data of the participants, including their contact details and health insurance affiliation. The AOK also wanted to use this data for advertising purposes, provided the participants had given their consent. With the help of technical and organizational measures, including internal guidelines and data protection training, the AOK wanted to ensure that only data of those contest participants who had previously given their effective consent would be used for advertising purposes. However, the measures defined by the AOK did not meet the legal requirements. As a result, the personal data of more than 500 lottery participants were used for advertising purposes without their consent. Immediately after this became known, the AOK Baden-Württemberg stopped all marketing measures in order to thoroughly examine all processes. | link |
307 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-23 | 7,500 | Miraclia (telecommunications company) | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The recording of telephone jokes via an app constitutes processing of personal data in accordance with the applicable data protection law, as the voices of individuals may constitute personal data if they are associated with other information, such as the telephone number. The consent of the users at the end of the conversation was not sufficient in this case. | link |
308 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-22 | 2,000 | Comunidad de propietarios demelza beach | Real Estate | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Illegal use of CCTV cameras due to coverage of public space and recording of passing pedestrians. Furthermore, insufficient fulfilment of information obligations. | link |
309 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-16 | 2,000 | Café Bar | Accommodation and Hospitality | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Illegal use of CCTV cameras (recording of third parties) and insufficient fulfilment of information obligations. | link |
310 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-06-18 | 4,000 | Enel Energie | Transportation and Energy | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Failure to take adequate measures to prevent unauthorised disclosure of personal data. The fine was preceded by a complaint about the disclosure of personal data of the data subject to another customer by e-mail. | link |
311 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-15 | 75,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | The data subject received a notice from a debt collection company demanding payments in connection with Xfera Móviles’ services, even though the claimant had not been a customer of Xfera Móviles since September 2017. Furthermore, the resolution states that Xfera Móviles carried out the processing of the personal data of the plaintiff without his consent, which constitutes a violation of Article 6 of the GDPR. | link |
312 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-06-11 | 3,000 | Telekom Romania | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Inadequate security measures of the company had led to unlawful processing of personal data without verifying their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 of the GDPR, and the company was ordered to introduce effective mechanisms to identify and protect data from unauthorised disclosure and unlawful processing in order to ensure compliance with the GDPR. | link |
313 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-06-12 | 288,000 | Digi Távközlési Szolgáltató Kft. (‘Digi’) (electronic communication service provider) | Media, Telecoms and Broadcasting | Art. 5 (1) b), (e) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The company had infringed the principles of purpose limitation and storage restriction because its database contained a large amount of customer data which were no longer relevant for the actual purpose of collection and for which no retention period had been set. Furthermore, the NAIH pointed out that the defendant had not taken proportionate measures to reduce the risks in the area of data management and data security, arguing, inter alia, that it had not used encryption mechanisms. | link |
314 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-06-16 | 1,900 | Housing Association | Real Estate | Art. 5 GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | Unlawful usage of surveillance cameras. In the decision, the data protection authority stressed that sound recordings have additional privacy implications, especially in a residential building, and that in this case there is nothing to justify sound recording. In addition, the decision orders the housing association to stop the cameras recording staircases and entrances, to stop sound recording and to improve the information on camera surveillance. | link |
315 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-06-19 | 10,000 | Unknown | Not assigned | Art. 5 GDPR, Art. 6 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The company sent an e-mail to the data subject without his consent. The data subject then requested information about the entries in the database concerning him within the statutory time limit, but the request remained unanswered. | link |
316 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-06-16 | 1,000 | Unknown | Not assigned | Art. 17 GDPR, Art. 21 GDPR, Art. 31 GDPR | Insufficient fulfilment of data subjects rights | The data subject repeatedly received e-mails with advertising content from a company, although the data subject had objected to the processing of his personal data and requested the deletion of his data. In addition, the company did not respond to any inquiries from the data protection authority in this regard. | link |
317 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-06-08 | 5,000 | Municipal employee | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access. | link |
318 | ISLE OF MAN | Information Commissioner of Isle of Man | 2020-06-25 | 13,500 | Department of Home Affairs | Public Sector and Education | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man has declared the GDPR – although it is not an EU state – to be applicable. | link |
319 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-06-30 | 6,700 | Lejre Municipality | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 33 GDPR, Art. 34 GDPR | Non-compliance with general data processing principles | The data protection authority found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings containing sensitive and particularly sensitive personal data, including on citizens under 18 years of age, to the Lejre Municipal Personnel Portal, which was accessible to employees of the Lejre Municipality regardless of whether the employees in question were working on these cases. In addition, the data protection authority found that the municipality had failed to comply with the obligation to inform the persons concerned of the data breach. | link |
320 | IRELAND | Data Protection Authority of Ireland | 2020-06-30 | 40,000 | Tusla Child and Family Agency | Public Sector and Education | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks. | link |
321 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-06-22 | 112,000 | Østfold HF Hospital | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | It was found that Østfold HF Hospital had stored patient data, including sensitive data such as the reason for hospitalisation, during the period 2013-2019 without controlling access to the folders where the data was stored. Datatilsynet therefore decided that the hospital had not taken sufficient technical and organisational measures to protect personal data and was therefore in breach of the GDPR and the Patient Records Act. | link |
322 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-06-19 | Only intention to issue fine | Aquateknikk AS | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | On June 19, 2020, the Norwegian DPA (Datatilsynet) announced that it intends to fine Aquateknikk AS EUR 28,000 for violations of Art. 5 GDPR and Art. 6 GDPR. This fine has been imposed in the meantime, see details at link | link |
323 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-19 | 6,000 | National Police Brigade | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Making copies of a company’s business records in the context of investigations which contained data from third parties and for which there was no legal basis for processing. | link |
324 | ITALY | Italian Data Protection Authority (Garante) | 2020-01-30 | 4,000 | Comune di Colledara | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of documents relating to a public tender with personal data on a website. | link |
325 | ITALY | Italian Data Protection Authority (Garante) | 2020-03-05 | 3,000 | San Giorgio Jonico | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | Publication of a citizen’s personal data on a website and failure to comply with requests for deletion. | link |
326 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-02 | 24,000 | Iberdrola Clientes | Transportation and Energy | Art. 5 GDPR | Non-compliance with general data processing principles | A third person had received an electricity bill with personal details such as name, address and bank account of another customer. The reason for this was that Iberdrola Clientes was not able to guarantee adequate security measures in the processing of the personal data of the data subject, in violation of the principles of data integrity and confidentiality. The fine of €40,000 has been reduced to €24,000 due to voluntary payment. | link |
327 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-02 | 4,000 | De Vere Spain S.L. | Industry and Commerce | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The company did not respond to the data subject’s request to stop processing his or her data, and therefore the data subject continued to receive commercial calls. | link |
328 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-07-02 | Only intention to issue fine | Odin Flissenter AS | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | On July 2, 2020, the Norwegian DPA (Datatilsynet) announced that it intends to fine Odin Flissenter AS EUR 28,000 for violations of Art. 5 GDPR and Art. 6 GDPR. This fine has been imposed in the meantime, see details at link | link |
329 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-02 | 3,600 | Saunier-Tec Mantenimientos de Calor y Frio, SL. | Industry and Commerce | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | Although the company had taken steps to remedy a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment. | link |
330 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-02 | 5,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company had not cooperated sufficiently with the data protection authority. | link |
331 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-07-09 | 15,000 | Proleasing Motors SRL | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had failed to take adequate technical and organisational measures to ensure data security, which led to the publication on Facebook of a document containing a password for access to personal data of 436 customers. | link |
332 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-07-10 | 3,400 | East Power Sp. z o.o. | Transportation and Energy | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | After three subpoenas to East Power, in which the latter failed to provide sufficient explanations on a direct marketing complaint, the data protection authority found that East Power had deliberately obstructed the course of the procedure or at least failed to comply with its obligations to cooperate with the supervisory authority. | link |
333 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-07-10 | 46,660 | Municipality of Rælingen | Public Sector and Education | Art. 32 GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | Fine for the processing of children’s health data in connection with disability through the digital learning platform ‘Showbie’. The Municipality had failed to carry out a Data Protection Impact Assessment (‘DPIA’) in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) prior to the start of the processing and had not taken adequate technical and organisational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorised access to the personal data of the pupils. | link |
334 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-07-06 | 830,000 | Bureau Krediet Registration (‘BKR’) | Finance, Insurance and Consulting | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | BKR had required the payment of a fee when individuals requested access to their personal data and only provided access to their data once a year free of charge by post. | link |
335 | ITALY | Italian Data Protection Authority (Garante) | 2020-07-13 | 200,000 | Merlini s.r.l. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 28 GDPR, Art. 29 GDPR | Insufficient legal basis for data processing | The company had carried out telemarketing activities on behalf of Wind Tre S.p.A. through a third party provider as data processor without sufficient legal basis for data processing (Art. 5-7 GDPR) and without sufficient contractual agreements (Art. 28, 29 GDPR) with the third party provider. | link |
336 | ITALY | Italian Data Protection Authority (Garante) | 2020-07-13 | 16,700,000 | Wind Tre S.p.A. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 24 GDPR, Art. 25 GDPR | Insufficient legal basis for data processing | Fines for several unlawful data processing activities relating to direct marketing. Hundreds of data subjects claimed to have received unsolicited communications sent without their prior consent by SMS, e-mail, telephone calls and automated calls. The data subjects were not able to exercise their right to withdraw their consent and object to processing for direct marketing purposes because the information contained in the Data Protection Policy was incomplete in relation to the contact details. Furthermore, the data protection authority stated that the data of the data subjects were published on public telephone lists despite their objection. In addition, several apps distributed by the company were set up in such a way that the user had to give his consent to various processing activities each time he accessed them, with the possibility of withdrawing consent given only after 24 hours. | link |
337 | ITALY | Italian Data Protection Authority (Garante) | 2020-07-13 | 800,000 | Iliad Italia S.p.A. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The fine relates to data protection infringements concerning the processing of customer data for the activation of SIM cards and the manner in which payment data was recorded. In addition, the data protection authority stated that the company had violated the principles of lawfulness, fairness and transparency as well as the integrity and confidentiality with regard to the processing of personal data for direct marketing purposes and the storage of customer data in the personal area of its website. | link |
338 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 1,500 | Auto Desguaces Iglesias S.L. | Industry and Commerce | Art. 5 GDPR | Non-compliance with general data processing principles | The company had installed surveillance cameras that recorded the public road and therefore violated the principle of data minimization. | link |
339 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 1,000 | Centro Internacional De Crecimiento Laboral Y Profesional S.L. | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Sending commercial messages without consent and without the possibility to object. | link |
340 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 12,000 | Vodafone España, SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR | Non-compliance with general data processing principles | Fines for violation of Art. 5 (1) d) GDPR for changing the customer’s master data into the name of a third party, the ex-spouse of the customer. | link |
341 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 5,000 | Global Business Travel Spain SLU | Transportation and Energy | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine was preceded by an employee’s access to health data of a person concerned. In the course of its investigations, the Data Protection Authority found that Global Business Travel Spain, as data controller, had infringed Article 32(2) and (4) of the GDPR by failing to take adequate technical and organisational measures to protect the data from unauthorised disclosure. | link |
342 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 5,000 | School Fitness Holiday & Franchising S.L. | Industry and Commerce | Art. 5 GDPR | Non-compliance with general data processing principles | Breach of transparency principle. No further information available at the moment. | link |
343 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 55,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had changed a contract for a mobile phone connection to a new owner, whereby the personal data of a data subject such as his address and telephone numbers were freely accessible. This constituted a violation of the principles of confidentiality and integrity. | link |
344 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-07-14 | 600,000 | Google Belgium SA | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR, Art. 17 (1) a) GDPR, Art. 12 GDPR | Insufficient fulfilment of data subjects rights | The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, 600,000 euros. The reasons for the fine were the rejection of an application by a data subject for dereferencing outdated articles that the data subject had considered to be damaging to its reputation, and lack of transparency in Google’s form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences for the data subjects, and natural persons were therefore entitled to have articles deleted/dereferenced. This also applies to persons who hold political office, even though these offices are generally less worthy of protection due to their public status and articles relating to political persons may therefore be stored for a longer period of time. Google’s rejection of the application was therefore in breach of Article 17 of the GDPR (fine for this breach: €500,000). In addition, a further €100,000 was imposed for breach of the principle of transparency, as Google’s rejection of the request for deletion was not sufficiently justified. | link |
345 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-20 | 24,000 | Banco Bilbao Vizcaya Argentaria, SA | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | BBVA had no legitimate basis for processing the data of the data subject and had therefore infringed Article 6(1) of the GDPR, since the company processed solvency and credit information files without a prior contractual relationship with the data subject. | link |
346 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-20 | 40,000 | Iberia Lae SA Operadora Unipersonal | Transportation and Energy | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not grant the data subject access to telephone records. The applicant’s request for access did not receive a reply, despite the prior order of the AEPD. | link |
347 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-20 | 1,500 | Comercial Vigobrandy, SL | Industry and Commerce | Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | Installation of CCTV surveillance without adequate information by using a sign. | link |
348 | GREECE | Hellenic Data Protection Authority (HDPA) | 2020-06-29 | 5,000 | New York College S.A. | Public Sector and Education | Art. 5 GDPR | Non-compliance with general data processing principles | The College had contacted the complainant directly by telephone with regard to an educational programme and had processed personal data in a non-transparent manner. | link |
349 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-20 | 80,000 | Orange Espagne S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company had unlawfully activated several telephone line contracts using the personal data of a data subject. This constituted an unlawful processing operation, since the data of the data subject was entered into the company’s database and processed there without a legitimate legal basis. | link |
350 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-20 | 70,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 5 GDPR | Non-compliance with general data processing principles | A data subject had received a call from another Xfera Móviles customer who stated that the company had charged his bank account with an invoice, disclosing the personal details of the other data subject. This was due to an error on the part of Xfera Móviles and was therefore a violation of the principles of integrity and confidentiality. | link |
351 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-23 | 10,000 | El Periódico de Catalunya, S.L.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Following a request for erasure addressed to the company, the data subject received another newsletter from the newspaper, although El Periódico de Catalunya claimed to have granted the request. This was due to a failure of an external service provider of the company. | link |
352 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-23 | 55,000 | Telefónica Móviles España, SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Telefónica Móviles España has processed the personal data of a data subject, such as first and last name and bank details, in order to activate three telephone lines that were never requested. This constitutes a breach of the principle of lawfulness of the processing. | link |
353 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-23 | 70,000 | Telefónica Móviles España, SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The data subject’s account was debited for two telephone lines that he had never ordered or approved. This constituted unlawful processing of personal data, since the data subject’s information was stored in the information systems of Telefónica Móviles España without a legal basis for invoicing. | link |
354 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-23 | 75,000 | Telefónica Móviles España, SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company had carried out the number porting of the data subject’s telephone line from his current operator without his consent. Personal data was transferred from the former telephone operator to Telefónica Móviles España in order to change the ownership of the telephone line without sufficient legal basis. | link |
355 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-23 | 5,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 58 GDPR | Insufficient cooperation with supervisory authority | Following a complaint, Xfera Móviles was requested by the AEPD to submit certain information and documents, but did not do so within the provided time limit. | link |
356 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-23 | 5,000 | El Real Sporting de Gijón S.A.D. | Individuals and Private Associations | Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | Fines for sending direct marketing communications without sufficient consent, as the form Real Sporting de Gijón submitted to club members did not comply with the GDPR (opt-out instead of opt-in). | link |
357 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-07-14 | 5,000 | Operator of CCTV of a residential building | Industry and Commerce | Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | The operator of video cameras on a residential property had installed cameras there to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts. | link |
358 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-07-30 | 2,000 | SC Viva Credit IFN SA | Finance, Insurance and Consulting | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The company had not informed the data subject within one month (or up to three months if a reason for the delay is given) of the measures taken following the request for deletion of data. | link |
359 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-07-30 | 2,000 | Romanian Post National Company | Transportation and Energy | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Processing of personal data, namely the telephone numbers and e-mail addresses of 81 data subjects, by the Romanian Post as data controller without appropriate technical and organisational measures, such as pseudonymisation. | link |
360 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-07-27 | 5,000 | SC Cntar Tarom SA | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Unauthorised disclosure of the data of five Tarom passengers due to inadequate technical and organisational measures for secure data processing. Among other things, the company was required to take corrective action, including training its employees and conducting risk assessment procedures. | link |
361 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-07-28 | 147,800 | Arp Hansen Hotel Group A/S | Accommodation and Hospitality | Art. 5 (1) e) GDPR | Non-compliance with general data processing principles | During an inspection, the supervisory authority reviewed a number of IT systems to examine whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not kept longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself. | link |
362 | FRANCE | French Data Protection Authority (CNIL) | 2020-08-05 | 250,000 | Spartoo | Industry and Commerce | Art. 5 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | A fine of EUR 250,000 was imposed on the online retailer Spartoo. The reason for this was that the company, which has its headquarters in France but supplies a large number of European countries, fully recorded all telephone hotline conversations (including personal data such as address and bank details of orders) and in addition stored bank details partially unencrypted. Among other things, this represents a violation of the principle of data minimization. Furthermore, the supervisory authority also found a violation of the information obligations according to Art. 13 GDPR, as the company’s data protection information was partially incorrect. | link |
363 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-08-04 | 20,100 | PrivatBo A.M.B.A. | Real Estate | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the real estate objects in question but also personal data of other persons such as lease agreements and other documents containing confidential personal data. | link |
364 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-06 | 3,000 | GROW BEATS SL | Industry and Commerce | Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | The company had published a cookie policy on its website, which on the one hand contained no information about the purpose of the use of cookies and on the other hand no information about the properties of the installed cookies and the time period for which they remain active in the end user’s terminal equipment. | link |
365 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-04 | 60,000 | Vodafone España, SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The data subject received confirmation from Vodafone of a number porting, which the latter had never commissioned. | link |
366 | ITALY | Italian Data Protection Authority (Garante) | 2020-08-10 | 10,000 | Cavauto S.R.L. | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | Access to personal data of a former employee (containing his browser history) on his work computer. | link |
367 | ITALY | Italian Data Protection Authority (Garante) | 2020-08-10 | 10,000 | Community of Baronissi | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The community published on its website personal data of data subjects including names, birth dates, place of birth, place of residence, etc. | link |
368 | ITALY | Italian Data Protection Authority (Garante) | 2020-08-06 | 3,000 | GTL S.R.L. | Industry and Commerce | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to grant access to personal data of a data subject according to Art. 15 GDPR. | link |
369 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-06 | 3,000 | Just Landed S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Just Landed was fined EUR 3,000 for insufficient cookie information according to national data protection laws and at the same time warned due to insufficient fulfilment of information obligations according to Art. 13 GDPR (privacy policy only in English language). | link |
370 | FINLAND | Deputy Data Protection Ombudsman | 2020-08-05 | 7,000 | Acc Consulting Varsinais-Suomi | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Unsolicited marketing SMS without prior consent. | link |
371 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-05 | 3,000 | Restaurant | Accommodation and Hospitality | Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | Installation of CCTV surveillance cameras that were also monitoring the public space and without proper information. | link |
372 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2020-08-05 | 100 | Bank | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A bank employee made a copy of the identity card of a bank client who wanted to exchange EUR 100 in foreign currency and justified this with money laundering charges. However, these only apply to a sum of EUR 1000 and above. | link |
373 | ITALY | Italian Data Protection Authority (Garante) | 2020-08-05 | 2,000 | School | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Placing personal data of pupils on a public notice board. | link |
374 | ITALY | Italian Data Protection Authority (Garante) | 2020-08-04 | 15,000 | Mapei S.p.A. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. In addition, the company did not react to claims for access and erasure. | link |
375 | ITALY | Italian Data Protection Authority (Garante) | 2020-08-04 | 5,000 | National Institute for Social Security – Department of the Province of Brescia | Public Sector and Education | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to grant access to personal health data of a data subject according to Art. 15 GDPR. | link |
376 | ITALY | Italian Data Protection Authority (Garante) | 2020-08-04 | 1,000 | Supermarket | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The operator of a supermarket displayed the letter of dismissal to the personnel manager on the publicly visible notice board of the supermarket. | link |
377 | ITALY | Italian Data Protection Authority (Garante) | 2020-07-30 | 2,000 | Community of Manduria | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The community transmitted personal data of a community employee to the press without sufficient legal basis. | link |
378 | ITALY | Italian Data Protection Authority (Garante) | 2020-07-29 | 3,000 | Community of San Giorgio Jonico | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of personal data on the municipal website with regard to legal proceedings. | link |
379 | ITALY | Italian Data Protection Authority (Garante) | 2020-07-29 | 4,000 | Region of Campania | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of an enforcement order in civil proceedings on the Region’s website. The document listed the names and place of residence and the amount of the claim. | link |
380 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-07-28 | 3,000 | Communal political association | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | A local political association has sent out election advertisements to the residents of the municipality for the local elections in 2018. For this purpose, the association used the electoral roll from 2012 and compared it with that of 2018, without a sufficient legal basis and without appropriate information in accordance with Art. 14 GDPR. | link |
381 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-07-15 | 22,300 | Office for geodesy and cartography | Public Sector and Education | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | Refusal of access to the premises by the supervisory authority in the course of an audit. | link |
382 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-31 | 45,000 | Vodafone España SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful processing of a telephone number for marketing purposes even after the data subject had exercised its right to erasure. | link |
383 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-17 | 5,000 | Party of the Socialists of Catalonia | Public Sector and Education | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The Socialist Party of Catalonia has used the personal data provided by a professional doctor to send a letter to the complainant’s relative asking for political support. This constitutes a different purpose from the original purpose of the collection and therefore violates the principle of purpose limitation. | link |
384 | ESTONIA | Estonian Data Protection Authority (AKI) | 2020-08-17 | 48 | Police Officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Access to personal data in a police database for private research activities. | link |
385 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-28 | 50,000 | Bankia S.A. | Finance, Insurance and Consulting | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The bank kept personal data of a data subject for several years, even after the data subject was no longer a customer. The data was also accessible to bank employees during this time. This constituted a violation of the principle of purpose limitation. | link |
386 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-28 | 5,000 | Basketball Federation of Castilla and Leon | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Basketball Association transmitted personal data to third parties, which were subsequently published on the Internet without consent of the data subjects. In addition, the data protection authority found that the Basketball Federation also disclosed personal data to a newspaper, violating – in addition – the principle of integrity and confidentiality (Art. 5 (1) f) GDPR). | link |
387 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-08-31 | 22,700 | Surveyor General of Poland (‘GKK’) | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Processing of personal data on the GEOPORTAL2 platform in the form of land and mortgage registers (including names, surnames and other personal data) without sufficient legal basis. | link |
388 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-31 | 1,500 | Tour & People Max S.L. | Industry and Commerce | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | Unsolicited marketing calls although the data subjects had expressed their objection to data processing. In addition to the GDPR, this was also seen as a violation of Article 48(1)(b) of General Law 9/2014 (Spanish national law). | link |
389 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-01 | 75,000 | Telefónica Móviles España, SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the supervisory authority, the company processed personal data without sufficient legal basis, with the result that the data subject received several hundred unsolicited calls and SMS messages. | link |
390 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-07 | 3,000 | Barcelona Airport Security Guard Association (‘AVSAB’) | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | A member of the AVSAB security committee used WhatsApp to send messages to private phone numbers containing personal information about employees. This was a violation of the confidentiality principle that, according to the AEPD, must be respected not only by the data controller, but also by any other subject involved in any phase of the processing. | link |
391 | ITALY | Italian Data Protection Authority (Garante) | 2020-07-02 | 15,000 | Mapei S.p.A. | Industry and Commerce | Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Mapei failed to respond to the request for access to personal data of the data subject. In addition, Mapei had left the e-mail account of the person concerned active even after the termination of the contract. | link |
392 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-09-08 | 11,200 | Warsaw University of Life Sciences | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Theft of a private notebook belonging to a university employee who also used this device for business purposes and on which personal data of candidates for study at SGGW was contained for recruitment activities. | link |
393 | GREECE | Hellenic Data Protection Authority (HDPA) | 2020-08-03 | 3,000 | Candidate for parliamentary elections | Public Sector and Education | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The data subject received telephone calls regarding a candidacy for parliamentary elections. When the data subject made use of its right to access according to Art. 15 GDPR, it did not receive any such information. | link |
394 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-07-23 | 560 | Forbes Hungary | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Fine imposed on Forbes Hungary for publishing a list of the 50 wealthiest Hungarians and a list of the largest family businesses without a sufficient balance of interests (Art. 6 (1) f) GDPR). | link |
395 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-09-01 | 500 | Apartment building owners association | Real Estate | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | Export of a still image from a video surveillance system and posting of the image on the billboard of the building without sufficient legal basis. In addition, violation of the information obligations under Art. 12, 13 GDPR and violation of Art. 25 and 32 GDPR, because no sufficient information about the CCTV was given and because no sufficient technical and organizational security measures were taken to protect the personal data collected by the video surveillance system. | link |
396 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-17 | 60,000 | Vodafone España, SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A former customer had received e-mails containing electronic bills even after he had terminated his contract with the company resulting in a processing of personal data without sufficient legal basis. | link |
397 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-17 | 3,000 | Grupo Carolizan | Industry and Commerce | Art. 5 GDPR | Non-compliance with general data processing principles | Operation of CCTV camera systems in an arcade area in front of a building, i.e. also covering public space. This violated the principles of data minimization, as the surveillance cameras could have been operated in a way that would not have affected the public space. | link |
398 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-16 | 10,000 | Property owners community | Real Estate | Art. 5 GDPR | Non-compliance with general data processing principles | Publication of a document containing personal data (information about identity of the data subject as well as about debts) on a community notice billboard. | link |
399 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-11 | 1,500 | Political Party | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Sending of an e-mail to a former party member who had since resigned, with the request to act as an election representative, without sufficient legal basis to process the personal data required for this purpose. | link |
400 | GREECE | Hellenic Data Protection Authority (HDPA) | 2020-09-11 | 8,000 | Private Person | Individuals and Private Associations | Art. 5 GDPR | Non-compliance with general data processing principles | Operation of a CCTV camera that also monitored public space outside the premises of the data controller. | link |
401 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-09-08 | 2,000 | Sanatatea Press Group S.R.L. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Sending the personal data collected for the registration for an online course to other participants due to a technical failure. | link |
402 | ITALY | Italian Data Protection Authority (Garante) | 2020-09-07 | 2,000 | Istituto Comprensivo Statale Crucoli Torretta | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Publication of personal data of students on the website of the Institute with, inter alia, notes about health and progress in school due to a technical failure. | link |
403 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-09-07 | 5,000 | Former mayor of a community | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Original fine summary: Sending election advertising to citizens without sufficient legal basis. Update: On January 27th, 2021, the Brussels Court of Appeal overturned the fine of EUR 5,000. | link |
404 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-22 | 60,000 | GLP Instalaciones 86, SL | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | In order to obtain assistance for the installation of an air conditioning system, the data subject had contacted Naturgy Energy Group S.A. Subsequently, he was contacted by two different companies, one of which was GLP Instalaciones 86, who pretended to be Naturgy employees. Naturgy denied this and claimed that the companies were neither authorized installers nor employees of Naturgy resulting in the processing of personal data of the data subject, including his/her name, surname, telephone number, bank details and e-mail, without a valid legal basis. | link |
405 | GERMANY | Data Protection Authority of Hamburg | 2020-10-01 | 35,258,708 | H&M Hennes & Mauritz Online Shop A.B. & Co. KG | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The fashion company, seated in Hamburg, operates a service center in Nuremberg. Here, according to the findings of the Hamburg data protection officer, since at least 2014 private life circumstances of some of the employees have been comprehensively recorded and this information stored on a network drive. For example, the company conducted a ‘Welcome Back Talk’ after employees returned to work after vacation or illness. The information that became known in this context – including information on the symptoms of illness and diagnoses of the employees – was recorded and stored. In addition, according to the Hamburg data protection authority, some supervisors also used the ‘Flurfunk’ [meaning to hear something through the grapevine] to acquire a broad knowledge of individual employees, for example about family problems and religious beliefs. The information stored on the network drive was accessible to up to 50 managers of the company and was used, among other things, to evaluate the work performance of the employees and to make employment decisions. The data collection became known due to a technical configuration error in October 2019, as a result of which the data stored on the network drive was accessible company-wide for several hours. After the violation became known, the management apologized to the employees and offered monetary compensation. In addition, further protective measures were introduced together with the data protection authority. [Note: Concrete legal basis of the fine not yet published – we assume this will mainly be Art. 5 and 6 GDPR] | link |
406 | ITALY | Italian Data Protection Authority (Garante) | 2020-09-30 | 80,000 | Azienda Ospedaliera di Rilievo Nazionale ‘Antonio Cardarelli’ (Private Hospital) | Health Care | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 28 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | According to the data protection authority, personal information about participants in a public competition had been unlawfully disclosed online. The reason for this was that, due to a configuration error, a list of the codes assigned to the candidates was temporarily accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of protection of information security. In addition, the data protection authority found that the information obligations were also not complied with and that the hospital had also not provided a sufficient data processing agreement with the data processor [which was also fined, see fine for ‘Scanshare’] in accordance with Art. 28 GDPR. | link |
407 | ITALY | Italian Data Protection Authority (Garante) | 2020-09-30 | 60,000 | Scanshare s.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | According to the data protection authority, personal information about participants in a public competition had been unlawfully disclosed online. The reason for this was that, due to a configuration error, a list of the codes assigned to the candidates was temporarily accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of protection of information security, for which Scanshare – which was the processor of the data on behalf of the controller ‘Azienda Ospedaliera di Rilievo Nazionale “Antonio Cardarelli”’ (a private hospital) – was fined EUR 60,000. [Also see the main fine on the hospital!] | link |
408 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-25 | 60,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Failure to remove the data subject’s personal data at the time of cancellation of his/her telephone services contract and sending a warning to the data subject after cancellation resulting in the processing of his/her personal data without sufficient legal basis. | link |
409 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-07-16 | 28 | Google Ireland Ltd. | Media, Telecoms and Broadcasting | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to respond to a data subjects request to access information (Art. 15 GDPR – here: about data processed in the context of Google AdWords) in due time. | link |
410 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-06-03 | 1,168 | Entrepreneur running a non-public nursery and pre-school | Individuals and Private Associations | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | Fine for not answering requests for further information of the supervisory authority in due time following a data breach. | link |
411 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-06 | 60,000 | Lycamobile | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Fine for processing of personal data without sufficient legal basis due to incorrect information about the owners of prepaid phone cards (mismatch between the registered owners in the company’s business register and the actual owners of the cards). | link |
412 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-10-01 | 3,000 | Megareduceri TV S.R.L. | Industry and Commerce | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | Fine for failure to comply with an order of the supervisory authority. | link |
413 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-10-01 | 2,000 | Asociația de proprietari Militari R | Real Estate | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | Fine for failure to comply with an order of the supervisory authority. | link |
414 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-30 | 3,000 | Venu Sanz Chef, S.L. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Use of personal data for advertising purposes without sufficient legal basis. | link |
415 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-09 | 900 | Café Restaurante B.B.B | Accommodation and Hospitality | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The cafe used CCTV cameras which also captured the public space outside, resulting in a violation of the so-called principle of data minimisation. | link |
416 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-09-25 | 13,900 | Odin Flissenter AS | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company assessed the credibility of another company and thereby, according to Datatilsynet, processed personal data relating to a natural person (the owner of the company assessed) without there being a sufficient legal basis for doing so. | link |
417 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-09 | 2,000 | Private Person | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | Usage of a CCTV camera that was also capturing the private space of a neighbour. | link |
418 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-09 | 50,000 | Centro de Investigación y Estudio para la Obesidad, SL | Health Care | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Fines for the transfer of the data subject’s personal data to Evo Finance EFC, SA in the course of processing a health insurance application, without a sufficient legal basis for the transfer of data, as the medical treatment in question has never been carried out. | link |
419 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-09 | 5,000 | Caja Rural San José de Nules S. Cooperativa de Crédito | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company published information with the names and surnames of its employees, which led to the disclosure of the data subject’s financial situation. | link |
420 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-10-15 | 3,000 | S.C. Marsorom S.R.L. | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Disclosure of personal data of customers on the company’s website due to inadequate technical and organisational measures to ensure information security. | link |
421 | CYPRUS | Cypriot Data Protection Commissioner | 2020-10-19 | 1,000 | Grant Ideas Ltd | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Sending emails to data subjects without sufficient legal basis. | link |
422 | CYPRUS | Cypriot Data Protection Commissioner | 2020-10-19 | 15,000 | Bank of Cyprus Public Company Ltd | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 15 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The data subject made a claim for access to information according to Art. 15 GDPR, which could not be answered, since the insurance contract of the data subject could not be found and has been lost. This constituted a violation of the rights of the data subject under Art. 15 GDPR as well as a violation of the obligations to protect personal data according to Art. 5 (1) f) GDPR and Art. 32 GDPR. In addition, the Data Breach Notification Obligations pursuant to Art. 33 f. GDPR have also been violated, as the data subject was not informed about the security incident in due time. | link |
423 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-03 | 3,000 | Avata Hispania, S.L. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 28 (3) g) GDPR | Insufficient legal basis for data processing | Infringement of Art. 28 (3) g) GDPR, since personal data were further processed after the controller had terminated the contractual relationship with the processor. | link |
424 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-06 | 4,000 | Callesgarcia, S.L. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Usage of a photo of the data subjects for commercial purposes without sufficient legal basis. | link |
425 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-10-20 | 2,000 | Globus Score SRL | Industry and Commerce | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company had not provided the ANSPDCP with requested information. | link |
426 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-22 | 7,800 | Iweb Internet Learning, S.L. | Industry and Commerce | Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | Lack of information in the privacy policy (information on the data controller) as well as inadequate obtaining of consent, as only a general consent could be given without distinguishing between different data processing purposes. | link |
427 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-07-23 | 1,700 | Employer | Employment | Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | Failure to change the private address of an employee to his new address and to delete the old address as well as insufficient enabling of the employer to exercise his/her rights. | link |
428 | ITALY | Italian Data Protection Authority (Garante) | 2020-09-03 | 2,000 | Comune di Casaloldo | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of personal data on the website of the municipality. | link |
429 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2020-10-21 | 15,000 | Vilnius City Municipality Administration | Public Sector and Education | Art. 5 (1) d) GDPR, Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | During the data synchronization of the Population Information System of the Municipal Administration with the databases of the State Centre for Business Registers, the personal data of an applicant for the fostering of an adopted child was replaced, due to an error, with the personal data of the biological parents, which were subsequently accessible in the Population Register of the Republic of Lithuania. This constituted a violation of the principles of integrity and confidentiality of personal data processing (Art. 5 (1) f) GDPR) and a violation of the principle of accuracy. | link link |
430 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-10-23 | 54,800 | Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaságnak | Industry and Commerce | Art. 12 GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 25 GDPR | Insufficient fulfilment of data subjects rights | The data controller denied the data subject access to the video material recorded by CCTV in a local store, with which the data subject wanted to prove that he or she had not received any money back after paying in the store. The company not only denied the data subject access to the data according to Art. 15 GDPR (with the argument that this would require an official order), but also deleted the video recordings after a certain period of time, although the data subject had requested the company to not delete the data in advance according to Art. 18 (1) c) GDPR. | link |
431 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-28 | 36,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts. | link |
432 | CYPRUS | Cypriot Data Protection Commissioner | 2020-10-22 | 6,000 | Cyprus Police | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A police officer had unauthorized access to a database holding personal data about vehicle owners and used the database for non-official purposes to pass information from the database to a third party. In this respect, the organizational and technical measures taken by the police to prevent unauthorized access to the database were insufficient to prevent the unauthorized disclosure of personal data to third parties. | link |
433 | ITALY | Italian Data Protection Authority (Garante) | 2020-10-26 | 20,000 | Università Campus Bio-medico di Roma (Polyclinic) | Public Sector and Education | Art. 5 (2) a), f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | In a data breach notification pursuant to Art. 33 GDPR, the data protection authority found that patients accessing their online medical reports via their smartphones could also access personal health data of 74 other patients. According to the polyclinic, the reason for this was a human error in the integration of two IT systems. | link |
434 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-28 | 4,000 | Play Orenes, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The company used CCTV cameras outside its premises which also captured the public space resulting in a violation of the principle of data minimisation. | link |
435 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-03 | 30,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts. In this case, Vodafone demanded a debt from a data subject due to a mixing up of customers. | link |
436 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-05 | 75,000 | Telefonica Moviles Espana, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Processing of personal data of the data subject without sufficient legal basis. The company had issued several invoices to the data subject and collected invoice amounts from his bank account without him being a customer of the company. Complaints against the company by the data subject remained unsuccessful. | link |
437 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-19 | 36,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Processing of personal data of a data subject without sufficient legal basis. The company had sent an invoice to a data subject without being able to prove that it had a contract with the data subject. | link |
438 | ITALY | Italian Data Protection Authority (Garante) | 2020-11-12 | 12,251,601 | Vodafone Italia S.p.A. | Media, Telecoms and Broadcasting | Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 15 (1) GDPR, Art. 16 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 32 GDPR, Art. 33 GDPR | Non-compliance with general data processing principles | The company was fined EUR 12,251,601 for unlawfully processing personal data of millions of customers for telemarketing purposes. The proceedings were preceded by hundreds of complaints from data subjects about unsolicited telephone calls, which led to an investigation by the data protection authority. This investigation revealed several violations of the data protection law, including the violation of consent requirements and the violation of general data protection obligations such as accountability. One of the main criticisms made by the Data Protection Agency was the use of fake numbers to make promotional calls by the contracted call centers (i.e. phone numbers not registered with the National Consolidated Registry of Communication Operators). Furthermore, further violations could be found in the handling of contact lists purchased from external providers. Finally, security measures for the management of customer data were also considered inadequate. | link |
439 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-06 | 20,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 31 GDPR | Insufficient legal basis for data processing | Xfera Móviles had failed to cooperate with the AEPD in the investigation of privacy violations. Xfera Móviles had neither responded to the request for information nor provided any required documentation. | link |
440 | UNITED KINGDOM | Information Commissioner (ICO) | 2020-11-13 | 1,405,000 | Ticketmaster UK Limited | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Ticketmaster UK Limited has been fined GBP 1.25 million (approximately EUR 1.405 million) for failing to protect the personal data of its customers with adequate security measures. Potentially 9.4 million European customers could have been affected by a cyber attack between February 2018 and June 23, 2018 due to the use of an insufficiently secured chat bot hosted by a third party in its online payment site which allowed an attacker to gain access to customers’ financial information. According to the Data Protection Agency, personal data such as names, full payment card numbers, Ticketmaster usernames and passwords, expiration dates and Card Verification Value (CVV) numbers were affected. The DPA also found that 60,000 payment cards belonging to Barclays Bank customers were subject to fraud, and several international banks also reported fraudulent activity to Ticketmaster. | link |
441 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-10 | 3,000 | Miguel Ibáñez Bezanilla, S.L. | Industry and Commerce | Art. 13 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company’s website (license plate seller) requested personal information such as first and last name, copy of ID card and driver’s license, and the car’s VIN number, but offered neither an encrypted transport protocol (HTTPS instead of HTTP) nor an updated data processing policy in accordance with the GDPR. | link |
442 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-26 | 4,000 | Organic Natur 03 S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Use of a membership contract containing pre-defined privacy clauses, which prevents effective negotiation and the express consent of the signing client. | link |
443 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-10-26 | 50,000 | Conseguridad SL | Industry and Commerce | Art. 37 GDPR | Insufficient involvement of data protection officer | The company (private security company for video surveillance systems) did not have a data protection officer in breach of Art. 37 GDPR. | link |
444 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-11 | 42,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company ported a telephone number of the data subject without their consent (missing signature on the porting contract). | link |
445 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-16 | 1,600 | Homeowners Association | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Usage of CCTV camera systems that were also monitoring public space (breach of principle of data minimization). | link |
446 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-16 | 42,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | In 2019, after an arbitration procedure, the company agreed to the early termination of a contract with the data subject and to the deletion of the personal data concerned. Nevertheless, the data subject continued to receive e-mails from the company, which constituted processing of personal data without a sufficient legal basis. | link |
447 | ITALY | Italian Data Protection Authority (Garante) | 2020-11-17 | 30,000 | Provincial Health Authority of Cosenza | Public Sector and Education | Art. 9 GDPR | Insufficient legal basis for data processing | Publication of personal data (including first and last name, address, tax ID) on the website of the authority about persons who have claims for damages against the authority, without sufficient legal basis. | link |
448 | ITALY | Italian Data Protection Authority (Garante) | 2020-11-17 | 2,000 | Comune di Collegno | Public Sector and Education | Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of data subjects rights | Fine for non-compliance with the right of the data subject to access to information because the municipality refused the data subject’s request for access to data from a camera surveillance system. | link |
449 | IRELAND | Data Protection Authority of Ireland | 2020-08-18 | 65,000 | Cork University Maternity Hospital | Health Care | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The "Data Protection Authority of Ireland" imposed a fine on Cork University Maternity Hospital (CUMH) after the personal data of 78 patients was discovered disposed of in a public recycling center. Among the documents disposed of, some contain special category personal data of six patients. It is believed that the breach at CUMH involves sensitive patient health data such as the medical history and future planned care programs. | link |
450 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-23 | 12,000 | Recambios Villalegre S.L. | Industry and Commerce | Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) fined the company for posting photos of a person on Facebook and WhatsApp and accusing the individual of theft in related posts. The photos were obtained through the company’s video surveillance system. The company further encouraged other users to share both the photos and the postings. The postings resulted in hundreds of humiliating, insulting and even threatening comments. The AEPD imposed a fine of EUR 10,000 for publishing the photos and EUR 2,000 for not installing the sign required for video surveillance of the store. | link |
451 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-11-23 | 4,000 | Vodafone România SA | Media, Telecoms and Broadcasting | Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA (ANSPDCP) imposed a fine in the amount of EUR 4,000 on Vodafone România SA. The fine was imposed as a result of complaints alleging that the operator failed to respond to requests for access and erasure of data. The operator could not provide any evidence for exoneration. | link |
452 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-18 | 2,000 | Anmavas 61, S.L. | Industry and Commerce | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA (AEPD) imposed a fine on Anmavas 61, S.L. for neither granting nor justifiably denying the right to erasure to the data subject, even after receiving a warning issued by the AEPD. | link |
453 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-11-24 | 5,000 | Dada Creation S.R.L. | Industry and Commerce | Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | Due to inadequate technical and organizational measures, the company disclosed the order, delivery and personal data of over 1000 customers via its web store. The data was displayed on a document in the web store that could be downloaded without access protection. In addition, the operator had failed to report the security leak to the data protection authority. | link |
454 | FRANCE | French Data Protection Authority (CNIL) | 2020-11-18 | 800,000 | Carrefour Banque | Finance, Insurance and Consulting | Art. 5 GDPR | Non-compliance with general data processing principles | The French DPA (CNIL) imposed a fine on Carrefour Banque for violation of its obligation to process data fairly (Article 5 (1) GDPR). If a person who subscribed to the Pass card (a credit card that can be attached to a loyalty account) also wanted to participate in the loyalty program, he or she had to tick a box in which he or she agreed to Carrefour Banque sending his or her surname, first name and e-mail address to ‘Carrefour fidélité’. Carrefour Banque expressly indicated that no further data would be transmitted. However, the CNIL noted that other data such as postal address, telephone number and the number of children had been transmitted, although the company undertook not to transmit any further data. | link |
455 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-11-24 | 394,000 | City of Stockholm | Public Sector and Education | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA imposed a fine on the City of Stockholm for data breaches on a school education platform. The platform consists of different subsystems, including a system for monitoring school attendance, a student administration system, an interface for parents and an administration interface for teachers. In one of the subsystems, a lack of ability to restrict user access to the data has allowed a significant number of staff to access information about students using a protected identity. In another sub-system, parents could access information about other students, such as grades relatively easily. Via Google’s search engine, it was possible to find links to enter an administrative interface where information about teachers with a protected identity was accessible. | link |
456 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-11-25 | 19,500 | Gnosjö Municipality | Health Care | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 35 GDPR, Art. 36 GDPR | Insufficient legal basis for data processing | The Swedish DPA imposed a fine on the municipality of Gnosjö for illegal video surveillance in a care home for persons with certain functional disabilities. | link |
457 | FRANCE | French Data Protection Authority (CNIL) | 2020-11-18 | 2,250,000 | Carrefour France | Industry and Commerce | Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 32 GDPR, Art. 33 GDPR | Non-compliance with general data processing principles | The French DPA (CNIL) fined Carrefour France EUR 2,250,000 for several violations of data protection regulations, including the GDPR. During its investigation, the CNIL found that the information on personal data provided to users of the carrefour.fr websites and those wishing to join the loyalty program was neither easily accessible nor easily comprehensible. The CNIL also found that the information regarding the transfer of data to countries outside the EU and regarding the duration of data storage was incomplete. | link |
458 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-25 | 40,000 | Miraclia Telecomunicaciones S.L. | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Miraclia Telecomunicaciones S.L. for violating Articles 6, 13 and 14 of the GDPR. Miraclia Telecomunicaciones S.L. is the operator of a phone prank app where you can select a ‘prank’ and enter the phone number of the recipient. The recipient is then called on a suppressed number and the prank is executed. The AEPD notes that the operator violated the obligation to provide information regarding the collection of personal data of the data subject. Furthermore, it notes that Miraclia, through this application, does not at any time inform the data subject (the person who answers the prank call and is recorded) of his or her right to consent in accordance with the provisions of the GDPR. | link |
459 | ITALY | Italian Data Protection Authority (Garante) | 2020-11-23 | 20,000 | Burgo Group S.p.A | Employment | Art. 5 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 20,000 on the company for non-compliant practices. Thus, for example, the personnel director forwarded an e-mail conversation between the data subject and a work colleague containing personal data (information relating to physical and mental discomfort in the workplace) to four people in the company. | link |
460 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-11-25 | 1,500 | Private Individual | Individuals and Private Associations | Art. 6 GDPR, Art. 25 GDPR | Insufficient legal basis for data processing | The Belgian DPA (APD) imposed a fine against private individuals. The controllers installed video cameras on their private property, two of which were positioned in a way that they could capture images of the public space and the neighbor’s private property. The controllers also forwarded the images to a third party. | link |
461 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2020-10-19 | 600 | Private Individual | Health Care | Art. 5 (1) a) GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | Between February and June 2020, a private individual published information about patients on his personal Facebook page. The information included health data in terms of Art. 4 (15) GDPR. In detail, the published data comprised patient names, diagnostic findings, medical diagnoses, medication data, data on hospital admissions and discharges, patients’ social security numbers and the names of the treating physicians. | link |
462 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2020-10-19 | 150 | Private Individual | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The private individual recorded a female person while she was using one of the WC cabins by placing a cell phone (smartphone with camera function) under the WC cabin partition wall, with the screen pointing upwards and the front camera of the cell phone being active during the entire process. | link |
463 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-02 | 6,000 | Servicio de Alojamientos Responsables, S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine in the amount of EUR 6,000 against the controller for unauthorized conclusion of a contract in the name of the data subject without his/her consent. The data subject only learned about this when a complaint for breach of the contract was filed against him or her. The AEPD decided that by this act the controller unlawfully processed the personal data of the data subject. | link |
464 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-02 | 3,000 | Comercio Online Levante, S.L. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A woman filed a complaint with the Spanish DPA (AEPD) against Comercio Online Levante, S.L. due to the fact that she was shown the personal data of another user when trying to access her user account of the online store perfumespremium.es operated by the controller. | link |
465 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-02 | 5,000 | Asociación de Víctimas por Arbitrariedades Judiciales, (JAVA) | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on the association for publishing the personal data of the data subjects on its website. The data had been unlawfully recorded without their consent in the course of another legal proceeding and had been forwarded by the recording party to the association. | link |
466 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-03 | 1,463,000 | Aleris Sjukvård AB | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA (Integritetsskyddsmyndigheten) fined Aleris Sjukvård AB SEK 15,000,000 (EUR 1,463,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. | link |
467 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-03 | 1,168,000 | Aleris Sjukvård AB | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA (Integritetsskyddsmyndigheten) fined Aleris Sjukvård AB SEK 12,000,000 (EUR 1,168,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system Nationell patientöversikt (NPÖ) were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. | link |
468 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-03 | 2,400 | Dr Marín Cirugia Plástica, S.L.P. | Health Care | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (aepd) imposed a fine of EUR 4,000 on the doctor due to the lack of a privacy policy on his website, thus violating Art. 13 GDPR. The original fine of EUR 4,000 was reduced for both immediate payment and admission of responsibility by each 20% to EUR 2,400. | link |
469 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-03 | 243,800 | Östergötland Region | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA (Integritetsskyddsmyndigheten) fined Östergötland Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system Cosmic were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. | link |
470 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-03 | 243,800 | Västerbotten Region | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA (Integritetsskyddsmyndigheten) fined Västerbotten Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the medical record system NCS Cross were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. | link |
471 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-03 | 341,300 | Sahlgrenska University Hospital | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA (Integritetsskyddsmyndigheten) fined Sahlgrenska University Hospital SEK 3,500,000 (EUR 341,300) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Melior and Nationell patientöversikt were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. In addition, the Melior hospital information system did not keep records of when and for what purpose patient data was accessed. | link |
472 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-03 | 390,100 | Karolinska University Hospital of Solna | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA (Integritetsskyddsmyndigheten) fined Karolinska University Hospital of Solna SEK 4,000,000 (EUR 390,100) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. | link |
473 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-03 | 2,900,000 | Capio St. Göran AB | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA (Integritetsskyddsmyndigheten) fined Capio St. Göran AB SEK 30,000,000 (EUR 2,900,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Cosmic, Nationell patientöversikt and TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. | link |
474 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-12-03 | 18,840 | Municipality of Indre Østfold | Public Sector and Education | Art. 6 GDPR, Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA (Datatilsynet) imposed a fine in the amount of NOK 200,000 (EUR 18,840) on the municipality of Indre Østfold. Datatilsynet found that a student file containing personal data was published on the municipality’s website. | link |
475 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-11-27 | 1,200 | Private Individual | Individuals and Private Associations | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine in the amount of EUR 1,200 on a private individual for impersonating a third party on the social networks Tinder and WhatsApp by using images of the third party on their profile. The pictures were used without the consent of the data subject. | link |
476 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-02 | 10,000 | Losada Advocats S.L. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) imposed a fine on Losada Advocats S.L. for sending an e-mail to dozens of recipients without putting them on the Blind Carbon Copy (BCC) list, thus violating Art. 32 GDPR and Art. 5 (1) f) GDPR. | link |
477 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-09 | 40,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Xfera Móviles, S.A. due to insufficient legal basis for data processing. The data subject states that two telephone and internet connections were registered in his/her name with a charge account. However, the data subject had never signed contracts with the company for any of these connections. In fact, the contracts in question were concluded by fraudsters using the personal data of the data subject. Nevertheless, the personal data were entered into the company’s information systems without verifying whether the contracts had been lawfully and actually concluded by the data subject, whether he/she had given his/her consent to the collection and subsequent processing of his/her personal data or whether there was any other reason justifying the processing. | link |
478 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-09 | 10,000 | Unknown | Not assigned | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of 10,000 EUR on a company for violating Art. 5 GDPR. The company sent an e-mail to a third party with the dismissal and settlement document of the data subject, disclosing their personal data without their consent. | link |
479 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-11-13 | 1,500 | Unknown | Real Estate | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 30 GDPR, Art. 37 (5) GDPR, Art. 37 (7) GDPR | Non-compliance with general data processing principles | The Belgian DPA (APD/GBA) imposed a fine of EUR 1,500 on a social housing company for non-compliance with several principles of the GDPR, including the general data processing principles and the principles of lawfulness and transparency (e.g. insufficient privacy policy, lack of information on camera surveillance). | link |
480 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-10 | 4,000 | Borjamotor, S.A. | Industry and Commerce | Art. 7 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 4,000 on Borjamotor, S.A. The company kept sending commercial advertisements to the data subject via email and SMS, even though the data subject had previously revoked his/her consent to receive advertisements and submitted a request to delete his/her data. Although the company had confirmed this, the data subject continued to receive advertising. | link |
481 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-11 | 5,000,000 | Banco Bilbao Vizcaya Argentaria, S.A. | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) fined Banco Bilbao Vizcaya Argentaria, S.A. EUR 5,000,000 for violating Art. 6 GDPR (EUR 3,000,000) and Art. 13 GDPR (EUR 2,000,000). The bank had not implemented a specific mechanism to obtain the consent of the customers to process their data. Furthermore, it did not use precise terminology in its privacy policy, nor did it provide adequate information about the type of personal data that might be processed. In particular the AEPD notes that the purpose and legal basis for data processing are not sufficiently identifiable in the privacy statement. | link |
482 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-11 | 54,000 | Umeå University | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA (Integritetsskyddsmyndigheten) fined Umeå University SEK 550,000 (EUR 54,000) as a result of its failure to apply appropriate technical and organizational measures to protect data. As part of a research project on male rape, the university had stored several police reports on such related incidents in the cloud of a U.S. service provider. The reports contained the names, ID numbers and contact details of the data subjects, as well as information about their health and sex lives, alongside information about the suspected crime. The DPA notes that the storage in that cloud does not adequately protect such particularly sensitive data. In addition, one of the investigation reports was sent unencrypted to the Swedish police via email. However, the controller had neither documented the incident nor reported it to the DPA. | link |
483 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-12-14 | 443,000 | Virgin Mobile Polska | Media, Telecoms and Broadcasting | Art. 5 (1) f), (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA (UODO) fined Virgin Mobile Polska EUR 443,000 due to a data leak that allowed unauthorized third parties to access personal data stored by Virgin Mobile Polska as a result of inadequate security measures. The DPA notes that the company did not conduct regular and extensive tests on the effectiveness of the measures applied to ensure data security. Indeed, activities in this regard were conducted only in the event of a suspected security leak. | link |
484 | GREECE | Hellenic Data Protection Authority (HDPA) | 2020-10-29 | 1,000 | American College of Greece | Public Sector and Education | Art. 12 (3), (4) GDPR | Insufficient fulfilment of information obligations | The Hellenic DPA (HDPA) imposed a fine of EUR 1,000 against the American College of Greece for violations of the right of access and the right to erasure of personal data. | link |
485 | IRELAND | Data Protection Authority of Ireland | 2020-12-15 | 450,000 | Twitter International Company | Media, Telecoms and Broadcasting | Art. 33 (1), (5) GDPR | Insufficient fulfilment of data breach notification obligations | The Irish DPA (DPC) fined Twitter International Company EUR 450,000 for violating Art. 33 (1) GDPR and Art. 33 (5) GDPR for failing to notify the DPA in a timely manner of a data breach and not adequately documenting that breach. The data breach concerned the privacy settings of user posts on the social media platform Twitter. There, users have the option to set the visibility of their posts to private or public. Private posts can only be seen by subscribers of the respective user profile, while public posts are visible to the public. A programming bug in Twitter’s Android app resulted in some private posts being visible to the public. The DPA found that Twitter had not properly fulfilled its reporting and documentation obligations. Twitter’s legal team became aware of the error on January 2nd, 2019, and it was not until January 8th that the company informed the DPC. Consequently, the company failed to inform the DPC within the 72-hour period required by Art. 33 (1) GDPR. Furthermore, it had failed to adequately document the incident in accordance with Art. 33 (5) GDPR. | link |
486 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2020-12-15 | 29,500 | Uppsalahem AB | Real Estate | Art. 5 GDPR, Art. 6 (1) f) GDPR | Insufficient legal basis for data processing | The Swedish DPA (Integritetsskyddsmyndigheten) fined the housing company Uppsalahem AB SEK 300,000 (EUR 29,500). The housing company had installed surveillance cameras in an apartment building to monitor one floor after disturbances and security incidents occurred. The cameras not only monitored the staircase, but also the front door of a resident. Therefore, when the door was opened, the inside of the apartment was also captured by the video surveillance. While the company may have had a legitimate interest in the video surveillance, this is outweighed by the residents’ right to privacy. | link |
487 | LATVIA | Data State Inspectorate (DSI) | 2020-12-15 | 15,000 | HH Invest SIA | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Latvian DPA (DSI) fined the online store HH Invest SIA EUR 15,000. The information provided on the company’s website regarding the privacy policy was found not to be easily understandable. This constitutes a violation of Art. 13 GDPR. | link |
488 | LATVIA | Data State Inspectorate (DSI) | 2020-12-15 | 6,250 | Unknown | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Latvian DPA (DSI) fined an employer EUR 6,250 for sending personal data of an employee, including health data, to fellow employees by email. The DSI found that the data subject’s personal data had been processed without a proper legal basis and thus this processing was unlawful. | link |
489 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-12-17 | 100,000 | Banca Transilvania SA | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) fined Banca Transilvania SA EUR 100,000 for violations of Art. 5 (1) f) GDPR, Art. 32 (1) GDPR and Art. 32 (2) GDPR. It was found that the bank requested a declaration from a customer about the intended use of a certain amount of money the customer wished to withdraw from their account. This statement was submitted to the bank online and forwarded to several employees of the bank. One employee photographed the declaration with his cell phone and spread it via WhatsApp. Subsequently, the document was posted on the social network Facebook and on a website. This situation led to the disclosure of and unauthorized access to certain personal data concerning four data subjects, despite the Bank’s commitment to respect the principle of integrity and confidentiality of personal data as required by Art. 5 (1) f) GDPR. The DPA notes that the disclosure that occurred also proves the ineffectiveness of the internal training of the Bank’s employees regarding compliance with the standards for data protection. These trainings are, however, an integral part of the technical and organizational measures that the Bank was obliged to implement under Art. 32 GDPR. | link |
490 | FRANCE | French Data Protection Authority (CNIL) | 2020-12-17 | 3,000 | Doctor | Health Care | Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The French DPA (CNIL) fined a doctor EUR 3,000 for violations of Art. 32 GDPR and Art. 33 GDPR. The controller had stored medical image data as MRI and X-ray images as well as personal data such as the names, dates of birth and treatment data of his patients on his computer. The controller had not taken appropriate technical measures to ensure the security of the data, and as a consequence, access to his patients’ data was possible for anyone without access protection. The data protection authority notes that the data had been exposed for about four months. | link link |
491 | FRANCE | French Data Protection Authority (CNIL) | 2020-12-17 | 6,000 | Doctor | Health Care | Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The French DPA (CNIL) fined a doctor EUR 6,000 for violations of Art. 32 GDPR and Art. 33 GDPR. The controller had stored medical image data such as MRI and X-ray images as well as personal data such as names, dates of birth and treatment data of his patients on a server in order to be able to access them from his home computer. A review of the controller’s systems had revealed that access to the server was not properly secured. This would have allowed anyone to access his patients’ data. Furthermore, the data leak had existed for about five years. The data protection authority therefore found that the doctor had failed to take adequate technical and organisational measures to ensure data security. | link |
492 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-15 | 10,000 | Online Services | Industry and Commerce | Art. 13 GDPR, Art. 8 (1) GDPR, Art. 6 (1) a) GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) fined the operator of the online store banderacatalana.cat EUR 10,000 for a violation of Art. 13 GDPR. The operator stated on its website privacy notices that a minimum age of 13 or sufficient legal capacity was required to subscribe to the newsletter. It was also stated that filling out the newsletter subscription form would be considered as consent to the processing of personal data. This constitutes a violation of the GDPR, as according to Art. 8 GDPR, the processing of personal data of under-16-year-olds requires the consent of the holder of parental responsibility over the child. | link |
493 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-12-16 | 1,940 | Unknown | Employment | Art. 5 (1) b), c) GDPR, Art. 13 (1) GDPR | Insufficient fulfilment of information obligations | The Hungarian DPA (NAIH) imposed a fine of HUF 700,000 (EUR 1,940) against a construction company. The controller had installed a video surveillance system at a construction site to protect its property and the physical integrity of the employees. The cameras were positioned in such a way that they also recorded part of the recreation room, and thus the activities of its employees beyond the required extent. The data subjects were not sufficiently informed about this at the time their contract was concluded. | link |
494 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-12-16 | 55,400 | Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.) | Industry and Commerce | Art. 25 (1), (2) GDPR, Art. 32 (1) b) GDPR, Art. 34 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Hungarian DPA (NAIH) imposed a fine of HUF 20,500,000 (EUR 55,400) on Robinson Tours Idegenforgalmi és Szolgáltató Kft. (Robinson Tours Ltd.). The travel agent’s reservation system contained unprotected data of customers, which could be viewed by anyone and found via Google. The data contained, among others, names, contact and address data, copies of personal IDs and passport numbers. During the DPA’s investigation, it turned out that the data in question was from a test database created by Next Time Media Agency Ltd, the web agency contracted to develop and operate the database, which was supplemented not only with test data but also with real data of Robinson Tours’ customers. In total, the data of 781 individuals was affected, which was accessible by anyone in the period from November 13, 2019 to February 4, 2020. The NAIH also notes that Robinson Tours did not conduct regular security risk screenings. Robinson Tours also failed to notify the data subjects about the data breach. | link |
495 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-12-16 | 1,385 | Next Time Media Agency Ltd. (Next Time Media Ügynökség Kft.) | Media, Telecoms and Broadcasting | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Hungarian DPA (NAIH) imposed a fine of HUF 50,000 (EUR 1,385) on Next Time Media Ügynökség Kft. (Next Time Media Agency Ltd.). The web agency had been contracted by the travel agency Robinson Tours Idegenforgalmi és Szolgáltató Kft. (Robinson Tours Ltd.) to develop and operate the travel agency’s online reservation system. However, the database was not only supplemented with test data, but also with real data of Robinson Tours’ customers. In total, the data of 781 people was compromised. During the period from November 13, 2019, to February 4, 2020, these data were accessible to anyone and could be found via Google. The DPA found that Next Time Media Agency Ltd. did not take adequate technical and organizational measures to ensure the security of the personal data. | link |
496 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-21 | 36,000 | Banco Bilbao Vizcaya Argentaria, S.A. | Finance, Insurance and Consulting | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined the financial and credit institution Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) EUR 36,000. BBVA asked the data subject to settle debts with BBVA, although the data subject did not have any debts with the bank. As a result, BBVA had transmitted the personal data of the data subject to the debt collection company Multigestión Iberia, S.L., which, over a period of several months, contacted the data subject by telephone and e-mail on behalf of BBVA and requested the payment. The data subject then demanded the erasure of his/her data from BBVA. However, the controller refused to do so. | link |
497 | SPAIN | Spanish Data Protection Authority (aepd) | 2020-12-22 | 6,000 | Iberdrola Clientes, SAU | Transportation and Energy | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4) LOPDGDD | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) fined Iberdrola Clientes, SAU EUR 6,000. The data subject had received promotional calls from two different telephone numbers of the controller although the data subject was registered in the Robinson list. The company attributes the incident to a human error, as the telephone numbers from which the data subject was called were not regularly used for advertising purposes. | link |
498 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-12-22 | 2,000 | S.C. C&V Water Control S.A. | Industry and Commerce | Art. 58 (1) a), e) GDPR, Art. 58 (2) i) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA (ANSPDCP) fined S.C. C&V Water Control S.A. EUR 2,000 for failure to comply with the data protection authority’s request for information in the course of an investigation, thus violating Art. 58 (1) a), e) GDPR and Art. 58 (2) i) GDPR. | link |
499 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-12-23 | 50,000 | Unknown | Industry and Commerce | Art. 14 (1), (2) GDPR, Art. 12 (1), (2), (3) GDPR, Art. 15 (1) GDPR, Art. 5 (1) c), (2) GDPR, Art. 24 (1), (2) GDPR | Insufficient fulfilment of data subjects rights | The Belgian DPA (APD) imposed a fine of EUR 50,000 on a company for several violations of the GDPR. The controller is a company that carries out parking ticket controls. The controller had issued the data subject a fine for illegal parking. However, the data subject states that he or she did not receive the fine ticket. Instead, the data subject only found out about it when he or she received an official reminder letter from a law firm commissioned with debt collection, which then demanded payment of the reminder fee in addition to the original fine. The data subject then contacted the company and demanded, among others, information about which of his/her personal data had been processed. After this request was not properly fulfilled in a timely manner, the data subject filed a complaint against the controller. During its investigations the DPA discovered that the controller violated several GDPR provisions. Firstly, the DPA found that the controller failed to provide a proper privacy policy. The privacy policy on the controller’s website did not contain any information regarding the processing of personal data nor any contact information of the company. Secondly, the controller violated the data subject’s right to information by failing to comply with the data subject’s request for information on data processing. Lastly, the controller infringed the principle of data minimisation by processing the data subject’s data for the purpose of sending a payment reminder only one day after the ticket had been issued, even though the data subject had the opportunity to pay the fine without such a reminder at that time. | link |
500 | BELGIUM | Belgian Data Protection Authority (APD) | 2020-12-23 | 15,000 | Unknown | Industry and Commerce | Art. 14 (1), (2) GDPR, Art. 12 (3) GDPR, Art. 6 GDPR, Art. 5 (1) c), (2) GDPR, Art. 24 (1), (2) GDPR | Insufficient fulfilment of data subjects rights | The Belgian DPA (APD) imposed a fine of EUR 15,000 on a company due to insufficient fulfilment of data subject rights. The controller is a debt collection agency which was commissioned by another company to collect debts owed to it. The data subject was issued a fine for illegal parking by the last-mentioned company. However, the data subject states that he/she did not receive the fine notice. Instead, the data subject only learned about it when he/she received an official reminder letter from the controller, which then demanded payment of the reminder fees in addition to the original fine. The data subject then contacted the controller and requested, among other things, information about which of his/her personal data had been processed. After this request was not fulfilled in a timely manner, the data subject filed a complaint against the controller. During its investigation, the DPA found that the controller had violated provisions of the GDPR, for example, by failing to comply with the data subject’s request for information on the data processing. | link |
501 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-12-28 | 18,930 | Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. | Finance, Insurance and Consulting | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) fined Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. EUR 18,930 for a breach of Art. 33 (1) GDPR and Art. 34 (1) GDPR. In May 2020, the DPA received a notification from a third party about a personal data breach involving an insurance agent acting as a processing agent for Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. who sent an insurance policy to an unauthorized addressee by email. The document contained personal data concerning, among others, surnames, first names, residential addresses and information on the subject of the insurance policy. As a result, the supervisory authority asked the controller to clarify whether, regarding the sending of the electronic correspondence to an unauthorized addressee, a risk analysis on the data security of natural persons had been carried out, which is necessary to evaluate whether a data breach had occurred. Such a breach requires notification to the DPA and the individuals affected by the breach. In the letter, the supervisory authority advised the controller how to notify the breach and asked for explanations. Despite the letter requesting explanations, the controller did not report the data breach nor did it inform the data subjects about the incident. The DPA therefore initiated administrative proceedings. Only as a result of the initiation of the procedure did the controller report the personal data breach and inform two individuals affected by the breach. | link |
502 | ITALY | Italian Data Protection Authority (Garante) | 2020-11-26 | 10,000 | Reti Televisive Italiane S.p.a. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The television station broadcast a documentary about the link between emissions from a local ceramics plant and health problems in the population, in which the person interviewed was not made sufficiently anonymous. | link |
503 | ITALY | Italian Data Protection Authority (Garante) | 2020-11-26 | 20,000 | Concentrix Cvg Italy s.r.l. | Employment | Art. 5 (1) a), c) GDPR, Art. 6 (1) b), c) GDPR, Art. 9 (1) b) GDPR | Insufficient legal basis for data processing | The union UILCOM Sardegna filed a complaint with the Italian DPA (Garante) against the call center operator Concentrix Cvg Italy s.r.l. regarding an internal regulation of the controller. Under the terms of a ‘clean desk policy,’ the company had prohibited employees from keeping certain items, such as smartphones, on their desks, which was intended to ensure confidentiality in the processing of customers’ personal data. Exceptions were made for medication which the data subjects proved they needed to take during their shift. These had to be placed visibly on the desk, making it indirectly possible for other employees to obtain information on the health status of the data subjects. The controller had indeed informed the data subjects about the rules of procedure and obtained their consent. However, this information did not cover the processing of their health data. | link |
504 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-12-29 | 1,000 | Qualitance QBS SA | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) fined Qualitance QBS SA EUR 1,000 for a violation of Art. 32 GDPR. The company had sent information by email to 295 individuals, disclosing the email addresses of the other recipients. The ANSPDCP noted that the company had not taken sufficient security measures to ensure the confidentiality of the personal data of the data subjects. | link |
505 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-12-30 | 3,000 | ING Bank N.V. Amsterdam – Bucharest office | Finance, Insurance and Consulting | Art. 5 (1) a) – d) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Romanian DPA (ANSPDCP) fined ING Bank N.V. Amsterdam – Bucharest office in the amount of EUR 3,000. The bank had contacted the data subject by e-mail for the purpose of updating his data. At that time, however, the data subject had already terminated his account with the bank, so that the contractual relationship had been terminated. As a result, the data controller had unlawfully processed personal data of the former customer, such as his e-mail address and name, without his consent. | link |
506 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-01-04 | 54,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) d), f) GDPR | Non-compliance with general data processing principles | The data subject had concluded a contract with the controller (Vodafone España, S.A.U.). However, the products provided under this contract were not delivered in the name of the data subject, but in the name of a third party. Subsequently, the data subject contacted the company’s data protection officer by e-mail in order to restore the accuracy of his/her data stored at Vodafone. However, no response was received to this request. When the data subject finally contacted the telecommunications company by telephone, he/she was addressed by the name of the third party. His/her inquiry was answered with a response that did not refer to his/her inquiry, but to the inquiry of the third party. According to the telecommunications company, the incident was caused by a defect in its system due to a system migration. The Spanish DPA (AEPD) initially fined Vodafone España, S.A.U. EUR 90,000, but the original fine was reduced to EUR 54,000 due to the timely payment and admission of guilt. | link |
507 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-01-04 | 95,500 | Innovasjon Norge | Finance, Insurance and Consulting | Art. 5 (1) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined the national development bank Innovasjon Norge NOK 1,000,000 (EUR 95,500). The controller had carried out four credit checks on the data subject without any contractual basis for doing so. For this purpose, the bank had analyzed numerous financial data of the data subject over a period of three months without the data subject’s consent. | link |
508 | FRANCE | French Data Protection Authority (CNIL) | 2020-12-07 | 7,300 | Perfomeclic | Industry and Commerce | Art. 5 (1) c), e) GDPR, Art. 14 GDPR, Art. 21 GDPR, Art. 28 GDPR | Insufficient legal basis for data processing | The French DPA (CNIL) imposed a fine of EUR 7,300 on the company Perfomeclic. The company had sent commercial advertising emails without a proof of prior consent and without sufficient information. | link link |
509 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-12-17 | 235,300 | ID Finance Poland Sp. z o.o. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA (UODO) imposed a fine of EUR 235,300 on ID Finance Poland Sp. z o.o. Due to an error while restarting a server, the settings of the software responsible for the server’s security were reset, making the personal data of 140,699 customers publicly available. These data contained, for example, information about the first and last name, address, nationality or even marital status of the data subjects. The database located on this server was downloaded and deleted by an unspecified third party, who demanded a fee from the company for the return of the database. The DPA noted that the controller had taken insufficient technical and organizational measures to ensure the protection of the processing, even though there was a high risk for the data subjects due to the nature of the data processed. | link |
510 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-12-09 | 18,850 | TUiR Warta S.A. | Finance, Insurance and Consulting | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | An insurance agent hired by the controller had sent an email to unauthorized third parties in regard to insurance policies that contained personal data of two of the company’s customers after they had mistakenly provided false email addresses. The leaked data included data such as the names, email addresses and postal addresses of the data subjects. The controller had informed neither the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours. The controller believed that there was no breach requiring notification because the data subjects themselves had mistakenly provided incorrect e-mail addresses. The Polish DPA states that this circumstance does not release the controller from its obligation to report this data breach in a timely manner. | link |
511 | FRANCE | French Data Protection Authority (CNIL) | 2021-01-05 | 20,000 | Nestor SAS | Industry and Commerce | Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The French DPA (CNIL) fined the company Nestor EUR 20,000. The CNIL notes that the privacy policy provided during the registration process on the company’s website did not contain the necessary information required by the GDPR. In addition, the controller provided insufficient information on data processing during app registration. | link link |
512 | POLAND | Polish National Personal Data Protection Office (UODO) | 2019-11 | 1,770 | L. Sp. z o.o. | Real Estate | Art. 5 (1) a), f) GDPR | Non-compliance with general data processing principles | The Polish DPA (UODO) imposed a fine of EUR 1,770 on L. Sp. z o.o. for the video surveillance of a residential community, which was not in compliance with the provisions of the GDPR. | link |
513 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2021-01-04 | 118,500 | Unknown | Industry and Commerce | Art. 6 (1) GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | The Czech DPA (UOOU) fined 11 companies a total of EUR 118,500 for sending unrequested postal advertising messages to the mailboxes of various citizens. Based on a decision by the government of the Czech Republic at the end of October, the option of sending postal data messages free of charge had been introduced until the end of the Covid-19 pandemic. The fined companies misused this option. The DPA finds that the companies had no legal ground for sending offers for goods and services, constituting a breach of Art. 6 (1) GDPR. The DPA furthermore finds that a violation of Art. 14 GDPR has also occurred, as the companies did not provide the data subjects with information about the commercial use of their data when they first contacted them. | link |
514 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-01-06 | 9,700 | Lindstrand Trading AS | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has fined Lindstrand Trading AS EUR 9,700. The controller had carried out four credit checks on individuals and individual companies, although there was no legal basis for doing so. | link |
515 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-01-07 | 7,250 | Gveik AS | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined Gveik AS EUR 7,250. The controller had carried out a credit check on an individual, although there was no legal basis for doing so. | link |
516 | ESTONIA | Estonian Data Protection Authority (AKI) | 2020-12-01 | 100,000 | Apotheka e-apteek | Health Care | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person’s current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily. | link |
517 | ESTONIA | Estonian Data Protection Authority (AKI) | 2020-12-01 | 100,000 | Südameapteegi e-apteek | Health Care | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person’s current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily. | link |
518 | ESTONIA | Estonian Data Protection Authority (AKI) | 2020-12-01 | 100,000 | Azeta.ee e-apteek | Health Care | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person’s current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily. | link |
519 | GERMANY | Data Protection Authority of Niedersachsen | 2021-01-08 | 10,400,000 | notebooksbilliger.de | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Lower Saxony (LfD Niedersachsen) imposed a fine of EUR 10.4 million on the electronics retailer notebooksbilliger.de. The company had video-monitored its employees for at least two years without having a legal basis for doing so. Among others, the cameras covered workplaces, sales areas, warehouses and recreation areas. The company stated that the purpose of the installed video cameras was to prevent and investigate criminal acts and to track the movement of goods in the warehouses. However, to prevent theft, a company must first consider milder methods. Moreover, video surveillance to detect criminal acts is only permitted if there is a reasonable suspicion against specific persons. If this is the case, it may be permissible to monitor them with cameras for a limited period of time. At notebooksbilliger.de, however, the video surveillance was neither limited to a specific period nor to specific employees. In addition, the recordings were stored for 60 days in many cases, which was significantly longer than required. Customers of notebooksbilliger.de were also affected by the unlawful video surveillance, as some cameras were pointed at seating areas in the sales area. So far, the fine against notebooksbilliger.de is the highest fine that the LfD Niedersachsen has issued under the GDPR. | link |
520 | ITALY | Italian Data Protection Authority (Garante) | 2020-10-29 | 20,000 | Gaypa s.r.l. | Employment | Art. 5 (1) a), c), e) GDPR, Art. 12 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 20,000 on Gaypa s.r.l. The controller had kept a former employee’s email account active and had access to the data subject’s correspondence, despite the termination of his/her employment. The data subject had not been informed about such a further use of his/her e-mail account, nor about the storage of all incoming and outgoing e-mails on the company servers and the related processing of his/her personal data. | link |
521 | ITALY | Italian Data Protection Authority (Garante) | 2020-10-29 | 4,000 | Borgo Fonte Scura s.r.l. | Employment | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) imposed a fine of EUR 4,000 on Borgo Fonte Scura s.r.l. The controller had installed a video surveillance system which also recorded the three data subjects during their work. The data subjects were not sufficiently informed about the video surveillance and the resulting processing of their personal data. | link |
522 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-01-13 | 2,000,000 | Caixabank S.A. | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) fined Caixabank S.A. EUR 6,000,000 for violations of Art. 6 GDPR, Art. 13 GDPR and Art. 14 GDPR. Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers’ personal data to all companies within the CaixaBank Group. At the same time, the data subjects were not given the option of specifically not consenting to this transfer. Instead, if they wished to disagree with the transfer of their data, they were required to send a letter of disagreement to each individual company in the group. The DPA concluded that the bank had violated its information obligations as set out in Art. 13 GDPR and Art. 14 GDPR, as the information provided to customers under the privacy policy was not consistent, contained imprecise terminology, and did not provide sufficient information on the type of personal data processed and the nature of the processing. Also, the information on the rights of the data subjects as well as the contact information of the controller were not provided in a consistent manner. Furthermore, the DPA notes that the controller had processed its customers’ data beyond its legitimate interests, partly without a legal basis, and that the consent it obtained from customers did not meet the requirements of an effective consent. In addition, deficiencies in the company’s procedures allowed it to obtain the consent of customers to process their personal data. The DPA further concludes that, as a result, the data was unlawfully transferred to the companies of the CaixaBank Group. This constitutes a violation of Art. 6 GDPR. Appendix: The Spanish National Court reduced the total fine from EUR 6,000,000 to EUR 2,000,000 with its decision of 8 May 2025 – SAN 2166/2025. | link |
523 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-11-18 | 28 | Unknown | Industry and Commerce | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The data subject had subscribed to a newsletter of the controller. After altering his/her e-mail address, he/she continued to receive the newsletter via the old e-mail address. The data subject then contacted the controller, whereupon the controller confirmed that the address had now been updated. Nevertheless, the data subject continued to receive the newsletter via the old e-mail address. | link |
524 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-01-12 | 38,600 | Unknown | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined a company NOK 400,000 (EUR 38,600) for the illegal automatic forwarding of an employee’s email inbox. The automatic forwarding was activated in connection with the employee’s sick leave and lasted for more than a month. | link |
525 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-01-14 | 38,600 | Coop Finnmark SA | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined Coop Finnmark SA NOK 400,000 (EUR 38,600). The manager of the store in question recorded CCTV footage with a mobile phone and shared the video. The Norwegian DPA states that Coop Finnmark had no legal basis for sharing the CCTV footage. The DPA notes that the case is very serious as the footage showed children, which poses a potentially high risk to their privacy. | link |
526 | BELGIUM | Belgian Data Protection Authority (APD) | 2021-01-12 | 10,000 | Unknown | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 12 (3) GDPR, Art. 21 (1) GDPR | Insufficient legal basis for data processing | The controller managed a fan page on Facebook without the data subject’s permission and failed to comply with the data subject’s request after he or she had exercised his or her right to object. | link |
527 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-01-05 | 5,500 | Śląski Uniwersytet Medyczny (Medical University of Silesia) | Public Sector and Education | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) imposed a fine of PLN 25,000 (EUR 5,500) on the Medical University of Silesia. In the course of exams held in the form of videoconferences at the end of May 2020, identification of students took place. Once the exam was completed, the recordings of the exams were available not only to the examinees, but also to other people with access to the system. In addition, any outsider could access the records of the examinations and the data of the examined students presented during identification via a direct link. The University failed to report the data breach to the DPA and notify the data subjects. | link |
528 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-01-20 | 1,200 | Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The controller installed cameras on his building, which were directed towards parts of the public space. However, no recording took place, as the cameras only served as a deterrent and remained inactive. The DPA notes, however, that even simulated video surveillance has an impact on the privacy of the data subjects, as they are led to believe that they are being permanently recorded by the cameras. According to the DPA, this has an intimidating effect. Therefore, the orientation of the cameras to the public space was also improper in this case. The DPA imposed a fine of EUR 2,000 on the controller, which was reduced to EUR 1,200 due to immediate payment and acknowledgement of guilt. | link |
529 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-01-21 | 50,000 | Alterna Operador Integral S.L. | Transportation and Energy | Art. 6 (1) b) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 50,000 on Alterna Operador Integral S.L. A switch of electricity supplier had taken place without the consent of the data subject: the personal data of the data subject were incorporated into the information systems of the controller (the new electricity supplier) without the controller having verified that a valid contract had been concluded. The processing of the data subject’s personal data thus took place without a legal basis. | link |
530 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-01-19 | 9,700 | Aquateknikk AS | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (EUR 9,700). The controller had carried out a credit check on an individual without there being a customer relationship or any other connection to that person. The personal data of the data subject was thus processed without a legal basis. | link |
531 | ITALY | Italian Data Protection Authority (Garante) | 2020-12-17 | 500,000 | Roma Capitale (Rome Municipality) | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 (2), (3) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) fined the municipality of Rome EUR 500,000 for the unlawful processing of users’ and employees’ personal data. The municipality of Rome had been using the ‘TuPassi’ booking system to manage appointments and other services since 2015. In the course of a detailed investigation, the Italian DPA found that the controller had violated several data protection regulations with regard to the processing of personal data of customers and employees with whom they had made appointments. For example, the municipality had not properly informed the data subjects prior to processing their data, nor had it taken appropriate technical and organizational measures to protect the processing. | link |
532 | ITALY | Italian Data Protection Authority (Garante) | 2020-12-17 | 40,000 | Miropass S.r.l. | Industry and Commerce | Art. 5 (1) a), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 28 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) fined Miropass S.r.l. EUR 40,000. Miropass is the provider of the TuPassi booking system, which among others has been used by the Municipality of Rome since 2015. The booking system enables the booking of appointments both on the website of the controller (www.tupassi.it) as well as via the corresponding app. For this purpose, the company collects and processes the personal data of the users. In the course of its investigation, the Italian DPA found that Miropass, particularly in the context of health data resulting from appointment bookings at health care facilities, had no legal basis for the processing and violated the principle of storage limitation. | link |
533 | BELGIUM | Belgian Data Protection Authority (APD) | 2021-01-22 | 25,000 | Unknown | Media, Telecoms and Broadcasting | Art. 5 (1) f), (2) GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 33 (1), (5) GDPR, Art. 34 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Belgian DPA fined a mobile operator EUR 25,000. The controller had assigned the data subject’s phone number to an unauthorized third party, causing the data subject to lose access to his/her phone number. As the data subject’s SIM card had been deactivated, the third party could have accessed various personal data of the data subject between September 16 and September 19, 2019, such as call history and the accounts of various services (e.g. PayPal, WhatsApp and Facebook) linked to the number. | link |
534 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-01-21 | 75,000 | Telefónica Móviles España, SAU | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 75,000 on Telefónica Móviles España, SAU. The controller had assigned five telephone lines with five numbers to the data subject under a mobile phone contract. One of the numbers was used by her son. When he could no longer use the mobile data, he contacted the controller, which informed him that the mobile data had been deactivated because the number was no longer in his possession. It turned out that unauthorized third parties had impersonated the data subject and had the number transferred to a third party, the controller not having required any authentication for this. The unauthorized third parties had then requested and received a replacement SIM card under the pretense of loss or theft. As a result, the son’s SIM card was blocked. | link |
535 | FRANCE | French Data Protection Authority (CNIL) | 2021-01-27 | 150,000 | Unknown | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The French DPA (CNIL) fined a company and its subcontractor EUR 150,000 and EUR 75,000 respectively for failing to take sufficient measures against credential stuffing attacks on the company’s website; this entry records the fine on the company. Between June 2018 and January 2020, the CNIL received several notifications of personal data breaches relating to a website on which several million customers regularly shop. In response, the CNIL decided to investigate the company and the subcontractor entrusted with the management of this website. In the course of its investigations, the CNIL found that the website had been subjected to numerous waves of credential stuffing attacks. In this type of attack, an attacker obtains lists of plaintext usernames and passwords published on the Internet, usually following a data breach elsewhere. Relying on the fact that users frequently reuse the same password and username (email address) across services, the attacker uses bots to try these combinations against a large number of websites. Where the login succeeds, the attacker can read the information associated with that account. The CNIL found that the attackers were able to obtain the following information: surname, first name, email address and date of birth of customers, as well as their loyalty card number and balance, and information related to their orders. The CNIL considered that the two companies had breached their obligation to ensure the security of customers’ personal data under Art. 32 GDPR. The companies were slow to act effectively against these repeated attacks: they had decided to focus their response on developing a tool to detect and block attacks launched by bots, but the development of this tool took a year from the first attacks. In the meantime, a number of other measures with faster effect could have been considered to prevent further attacks or to mitigate the negative impact on individuals. As a result of this lack of diligence, the data of approximately 40,000 website customers was made available to unauthorized third parties between March 2018 and February 2019. | link |
536 | FRANCE | French Data Protection Authority (CNIL) | 2021-01-27 | 75,000 | Unknown | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The French DPA (CNIL) fined a company and its subcontractor EUR 150,000 and EUR 75,000 respectively for failing to take sufficient measures against credential stuffing attacks on the company’s website; this entry records the fine on the subcontractor. Between June 2018 and January 2020, the CNIL received several notifications of personal data breaches relating to a website on which several million customers regularly shop. In response, the CNIL decided to investigate the company and the subcontractor entrusted with the management of this website. In the course of its investigations, the CNIL found that the website had been subjected to numerous waves of credential stuffing attacks. In this type of attack, an attacker obtains lists of plaintext usernames and passwords published on the Internet, usually following a data breach elsewhere. Relying on the fact that users frequently reuse the same password and username (email address) across services, the attacker uses bots to try these combinations against a large number of websites. Where the login succeeds, the attacker can read the information associated with that account. The CNIL found that the attackers were able to obtain the following information: surname, first name, email address and date of birth of customers, as well as their loyalty card number and balance, and information related to their orders. The CNIL considered that the two companies had breached their obligation to ensure the security of customers’ personal data under Art. 32 GDPR. The companies were slow to act effectively against these repeated attacks: they had decided to focus their response on developing a tool to detect and block attacks launched by bots, but the development of this tool took a year from the first attacks. In the meantime, a number of other measures with faster effect could have been considered to prevent further attacks or to mitigate the negative impact on individuals. As a result of this lack of diligence, the data of approximately 40,000 website customers was made available to unauthorized third parties between March 2018 and February 2019. | link |
537 | BELGIUM | Belgian Data Protection Authority (APD) | 2021-01-27 | 50,000 | Family Service / N.D.P.K. nv. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 28 GDPR | Insufficient legal basis for data processing | The Belgian DPA imposed a fine of EUR 50,000 on Family Service / N.D.P.K. nv. The controller is an advertising agency that, among other things, sends expectant mothers gift boxes containing various discount vouchers, product samples and information about pregnancy and birth. The box items are provided by third parties, to whom the controller subsequently transfers the recipients’ contact data for marketing purposes. The consent of the recipients to this transfer and to subsequent advertising measures by the third parties is obtained in advance by the controller for this purpose. A data subject filed a complaint with the Belgian DPA because, although she had revoked her previously given consent, she nevertheless continued to receive advertising calls from third parties to whom the controller had transmitted her data. | link |
538 | POLAND | Polish National Personal Data Protection Office (UODO) | 2020-12-09 | 2,850 | Smart Cities Sp. z o.o. | Industry and Commerce | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | Fine for failure to comply with an order of the Polish DPA (UODO). The controller failed to provide personal data and other information requested by UODO for investigative purposes. | link |
539 | ITALY | Italian Data Protection Authority (Garante) | 2020-12-17 | 100,000 | Azienda Unità Sanitaria Locale Toscana Sud Est | Health Care | Art. 5 (1) f) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 GDPR, Art. 30 GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 100,000 on Azienda USL Toscana Sud Est. The controller is a company in the healthcare sector that, among other things, launched the so-called ‘Sanità di iniziativa’ (Health Initiative) program. Within the framework of this program, participating healthcare companies transmit data on chronically ill patients to the controller. On the basis of this data, the controller then develops health plans for the patients. The Italian DPA found several violations of data protection provisions in connection with this program. For example, when giving consent to the processing of their data, the data subjects were not adequately informed about how long their data would be stored, what rights they had (in particular their rights of complaint and access), and how exactly their data would be processed and for what purpose. In addition, the controller had not kept a record of processing activities. Finally, the controller had neither implemented adequate technical and organizational measures to protect the processing nor conducted a data protection impact assessment, although this would have been necessary due to the nature of the data processed (health data). | link |
540 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-02-03 | 19,300 | Cyberbook AS | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined Cyberbook AS NOK 200,000 (EUR 19,300) for the illegal automatic forwarding of e-mails from a former employee. The forwarding took place for several months without the data subject being informed. | link |
541 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-01 | 24,000 | Xfera Móviles S.A. | Media, Telecoms and Broadcasting | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Xfera Móviles S.A. The data subject had complained to the AEPD of a violation of his/her right to information. The AEPD then ordered the controller to comply with the data subject’s request for information within 10 days and to prove this to the AEPD. However, the controller did not comply with the request within the deadline. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and admission of responsibility by the controller. | link |
542 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-01 | 3,000 | IDFINANCE Spain, S.L. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on IDFINANCE Spain S.L. A person had received a debt collection email from IDFinance containing a link for paying an invoice directly on the controller’s website. By following the link, the person was able to view the personal data of another customer. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of responsibility. | link |
543 | ITALY | Italian Data Protection Authority (Garante) | 2020-11-26 | 3,000 | Charly Mike s.r.l. | Accomodation and Hospitalty | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) imposed a fine of EUR 3,000 on Charly Mike s.r.l. The controller operates the Hotel Olimpo in Alberobello. Garante received a complaint about the video surveillance system installed in the hotel. During the investigation, it was found that the hotel had 17 fixed cameras and one 360° camera, placed inside and outside the facility, recording both employees and guests. The system had been operated without the required signs indicating video surveillance. | link |
544 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-03 | 100,000 | Iberdrola Clientes | Transportation and Energy | Art. 5 (1) d) GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 100,000 on Iberdrola Clientes, SAU. The data subject had terminated an existing contract with the controller due to a move and therefore requested the deletion of his/her data. This request was rejected by the controller with reference to outstanding invoices. It turned out that the controller had sent the bills to the old address of the data subject. Even after the data subject informed the controller of the change of address, new notices regarding the deletion request and invoices were sent to the old address. | link |
545 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-04 | 2,000 | Private Person | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Unauthorized use of two video surveillance cameras that also recorded parts of the public space, such as sidewalks and the properties behind them. | link |
546 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-08 | 3,000 | Patio Ancestral S.L. | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on Patio Ancestral S.L. The complainant worked for a construction company and had carried out renovation work for the controller, during which damage had been caused to the controller’s property. The controller then sent a letter claiming damages not only to the complainant but also to the complainant’s father, who had previously been employed by the same construction company but was an uninvolved third party in this matter. The Spanish DPA found that the processing of the father’s personal data for this purpose had taken place without a legal basis. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of responsibility. | link |
547 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-08 | 5,000 | Private Person | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 5,000 for illegal camera surveillance. The data subject had rented two rooms in the apartment of the controller. The controller had installed a video camera in the apartment and stated that it was installed exclusively for security purposes and also only monitored the area of the entrance door. However, it turned out that the camera was oriented in such a way that it also recorded other parts of the apartment, such as the living room. The Spanish DPA states that this constitutes an unjustified invasion of the privacy of the data subject. | link |
548 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-09 | 5,000 | Predase Servicios Integrales S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The company website did not present a privacy policy on its main page, nor did it provide the information required by Art. 13 GDPR. | link |
549 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-11 | 24,000 | Vamavi Phone S.L. | Media, Telecoms and Broadcasting | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 LOPDGDD, Art. 28 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Vamavi Phone S.L. The data subject had received an advertising call from the controller, made on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and admission of responsibility. | link |
550 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-02-10 | 1,000 | ING Bank N.V. Amsterdam – Bucharest office | Finance, Insurance and Consulting | Art. 29 GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) imposed a fine of EUR 1,000 on ING Bank N.V. Amsterdam – Bucharest Branch. It was found that the controller had sent files to a contractual partner in order to issue insurance policies. The sent files contained outdated information, as employees of the insurance policy monitoring department had not checked and processed the insurance policies according to the work process, which affected 270 people. Considering these aspects, it was found that the technical and organizational measures taken by the controller were insufficient, which resulted in the breach of confidentiality of personal data. | link |
551 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-01-05 | 19,000 | Unknown | Health Care | Art. 34 (1), (2) GDPR, Art. 58 (2) e) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) imposed a fine of EUR 19,000 on a hospital operator. A former employee had unlawfully copied the personal data of 100 patients from the hospital’s computer network. The leaked data included the social security number, name, date of birth, address and telephone number of the data subjects. Although the controller itself assessed the risk to the data subjects as high, it had not informed them of the incident. The DPA then ordered the controller to inform the data subjects of the incident immediately and to advise them on how to minimize its potential negative consequences. However, the controller did not comply with this order. | link |
552 | IRELAND | Data Protection Authority of Ireland | 2020-12-17 | 70,000 | University College Dublin | Public Sector and Education | Art. 5 (1) e), f) GDPR, Art. 32 (1) GDPR, Art. 33 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA (DPC) fined University College Dublin (UCD) EUR 70,000 due to seven personal data breaches. Unauthorized third parties were able to access UCD e-mail accounts, and login credentials for UCD e-mail accounts were posted online. It was found that the controller did not take appropriate technical and organisational measures to protect data security when processing personal data in its email service. In addition, the controller stored certain personal data in an email account in a form that allowed identification of the data subjects for longer than necessary for the purpose for which the personal data were processed. Also, the controller did not notify the DPC of a personal data breach in a timely manner. | link |
553 | LATVIA | Data State Inspectorate (DSI) | 2021-02-09 | 65,000 | Lursoft IT SIA | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Latvian DPA (DSI) fined Lursoft IT SIA EUR 65,000 for the unlawful processing of personal data by publishing documents containing personal data on its website ‘www.lursoft.lv’. The DPA found that the controller had made parts of the non-public company register, which contained, among other things, personal data, publicly available. | link |
554 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-12 | 120,000 | Vodafone España, SAU | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on Vodafone España, S.A.U. A former customer had continued to receive e-mails containing electronic bills after terminating his contract with the controller, which amounted to processing of personal data without a sufficient legal basis. The data subject stated that he still received e-mails from the controller although he had already objected several times and the controller had already been fined twice for exactly the same facts. The Spanish DPA classified the infringement as very serious, among other things because this was already the third violation in this matter, which explains the level of the fine. The original fine of EUR 200,000 was reduced to EUR 120,000 for immediate payment and admission of responsibility. | link |
555 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2021-02-11 | 440,000 | OLVG | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Dutch DPA (AP) imposed a fine of EUR 440,000 on the Amsterdam hospital OLVG. The controller had taken insufficient measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. The controller did not check adequately who had access to which file nor did the controller ensure that the computer system presented sufficient security. This resulted, among others, in working students and other employees being able to access patient files without this being necessary for their work. Besides medical records, the patient files also contained, the social security numbers, addresses and telephone numbers of the data subjects. | link link |
556 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-14 | 8,000 | Agenzia regionale protezione ambientale Campania (ARPAC) | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) imposed a fine of EUR 8,000 on the Regional Environmental Protection Agency of Campania (ARPAC). An external hard drive containing personal data had been stolen from the controller. Among other things, it contained copies of identity documents, tax records and payroll records. During the investigation, the DPA discovered that the hard drive had been located in a room to which all of the controller’s employees had access. In addition, the controller did not back up the affected data, so it was irrevocably lost. Consequently, the DPA concluded that the controller violated the duty to implement appropriate technical and organizational measures to ensure the security of data processing. | link |
557 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-16 | 1,000 | The Washpoint S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on The Washpoint S.L. for the lack of a privacy policy on its website, in violation of Art. 13 GDPR. | link |
558 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-14 | 30,000 | Azienda sanitaria provinciale di Enna | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) imposed a fine of EUR 30,000 on Azienda sanitaria provinciale di Enna. The controller processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis. | link |
559 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-27 | 50,000 | Azienda USL della Romagna | Health Care | Art. 5 (1) a), d), f) GDPR, Art. 9 GDPR, Art. 32 (1) b) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 50,000 on Azienda USL della Romagna. On arrival at the gynecology unit of a hospital operated by the controller (for the purpose of an abortion), a patient had explicitly asked the controller not to share her health data with third parties and had separately left a telephone number on which she was to be contacted. After the patient was discharged, a nurse tried to contact her to inform her about further therapy. However, the nurse did not use the telephone number the patient had provided specifically for this purpose, but instead her home telephone number, taken from the patient file. When the patient’s husband answered the call, the nurse informed him about her treatment, contrary to the patient’s request. Even though no further medical information was disclosed, it was clear from the conversation that the data subject had been admitted to this unit and was to receive further therapy. | link |
560 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-27 | 50,000 | Azienda Ospedaliero Universitaria Senese | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) fined Azienda Ospedaliero Universitaria Senese EUR 50,000. The controller, a hospital, had reported to the Italian DPA that a couple’s medical report had been mistakenly sent to an uninvolved third party. The report contained information about a genetic consultation and the health status and sex life of the data subjects. The incident occurred due to an error in packaging the letter, according to a statement from the controller. | link |
561 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-27 | 10,000 | Azienda Ospedaliero Universitaria di Parma | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) fined Azienda Ospedaliero Universitaria di Parma EUR 10,000. The controller, a hospital, had reported two data breaches to the Italian DPA in which patient data was mistakenly disclosed to third parties. In the first incident, parents found the report of a microbiological examination of another patient in the file of their minor child. The report revealed the data subject’s name, tax number, address, date of birth and various health data. In the second incident, the heir of a patient received the health report of another patient, which contained the name and date of birth as well as data on the health status of the data subject. | link |
562 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-14 | 2,000 | Poliambulatorio Talenti S.r.l. | Health Care | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA (Garante) fined Poliambulatorio Talenti S.r.l. EUR 2,000 for failing to respond in a timely manner to the data subject’s request for access to his and his daughters’ data. | link |
563 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-14 | 18,000 | Azienda Usl di Bologna | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) fined Azienda Usl di Bologna EUR 18,000. In a hospital operated by the controller, 49 patients in the oncology ward received discharge letters containing detailed pharmacological therapy information that belonged to other patients. Fourteen of these patients had already accessed the incorrect documentation before it was corrected. The error had been caused by a manual mistake by a technician. | link |
564 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-02-11 | 22,200 | Krajowa Szkoła Sądownictwa i Prokuratury | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 28 (3) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA (UODO) fined Krajowa Szkoła Sądownictwa i Prokuratury (National School of Justice and Prosecution) EUR 22,200. UODO launched an investigation against the controller after it reported a data breach on its training platform website. During a test migration to the new platform, the data of more than 50,000 individuals had been exposed on the Internet. Among other things, this included the names, user names, postal and e-mail addresses, telephone numbers, units and departments of the data subjects. UODO found that the controller had not taken adequate technical and organizational measures to ensure the confidentiality of the data processed. In addition, the contract that the controller had concluded with the company entrusted with the processing of the data did not comply with the legal requirements. For example, the contract did not contain information about which categories of data would be processed. | link |
565 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-12 | 1,600 | Ripobruna 207, S.L. | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 2,000 against Ripobruna 207, S.L. (restaurant) for the unauthorized use of two video surveillance cameras that also recorded parts of the public space without any justified cause. The original fine of EUR 2,000 was reduced for immediate payment to EUR 1,600. | link |
566 | CROATIA | Croatian Data Protection Authority (azop) | 2021-02-22 | Unknown | Security company (name not available at the moment) | Industry and Commerce | Art. 32 (1) b), d) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | A data controller using the services of the security company reported a personal data breach to the DPA, which arose after an employee of the security company recorded video surveillance footage with a phone and shared it with a third party. The recording was ultimately made available on social media and in the media. The DPA found that the security company, as a data processor, enabled the breach by not maintaining adequate and sufficient technical and organizational measures for personal data security for more than two and a half years. Moreover, the processor had not foreseen or implemented adequate technical security measures following the incident to prevent or minimize the risks. One data subject was consequently exposed to insults and ridicule in public, and the security company had not taken any action to remove the recording from social networks and media. The amount of the fine is unknown at the moment, but the DPA clarified which aggravating circumstances it took into consideration when determining the fine: (i) the fact that the processor did not fulfil its obligation to inform the controller of the incident as required by Art. 33 (2) GDPR, and (ii) the fact that the basic activity of the company is the provision of physical and technical protection, which includes the use of video surveillance. The DPA also noted that the fined security company is one of the leading companies in Croatia in that activity and as such should be the relevant entity for providing opinions, guidelines and advice and proposing solutions to controllers on the use of video surveillance systems, should set an example through its work, and should pay greater attention to it than others. | link |
567 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-02-24 | 12,000 | Avilon Center 2016 S.L. | Media, Telecoms and Broadcasting | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4) LOPDGDD | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 20,000 on Avilon Center 2016 S.L. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list. The original fine of EUR 20,000 was reduced to EUR 12,000 due to immediate payment and admission of responsibility. | link |
568 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-12-16 | 97,150 | Unknown | Finance, Insurance and Consulting | Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 9 (1) GDPR, Art. 12 GDPR | Insufficient legal basis for data processing | The Hungarian DPA (NAIH) imposed a fine of EUR 97,150 against a credit institution. Two parents contacted the Hungarian DPA regarding the processing of personal data by their credit institution related to a ‘childbirth incentive loan’. The couple had requested a suspension of repayment, for which they had to prove that the fetus was at least 12 weeks old. To certify this fact, the controller copied their entire pregnancy booklet. The NAIH found that the controller violated the principle of data minimization by copying the entire pregnancy booklet, which contained excessive amounts of health data, even though this was not necessary for the purpose of the processing. For this reason, the NAIH ultimately concluded that the controller had no legal basis for such extensive data processing. | link |
569 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-12-10 | 22,200 | Budapesti Műszaki és Gazdaságtudományi Egyetem (Budapest University of Technology and Economics) | Public Sector and Education | Art. 5 (1) a), b), c) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR, Art. 12 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Hungarian DPA (NAIH) imposed a fine of EUR 22,200 against the Budapest University of Technology and Economics. The NAIH found that the controller unlawfully processed personal data in the course of audits of applications for social scholarships. Among other things, data was processed without a legal basis and in some cases particularly sensitive data was processed, although this was not necessary for the evaluation of the scholarship applications. | link |
570 | IRELAND | Data Protection Authority of Ireland | 2020-08-12 | 85,000 | Tusla Child and Family Agency | Public Sector and Education | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA (DPC) fined Tusla Child and Family Agency EUR 85,000. The controller had reported 71 data breaches to the Irish DPA that occurred between May 25 and November 16, 2018, and concerned the unauthorized access of personal data processed by the controller. After a broad investigation, the DPA concluded that the controller failed to implement adequate technical and organizational measures to protect the data processing and thus violated Art. 32 (1) of the GDPR. | link |
571 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2021-02-26 | 12,000 | Nacionaliniam visuomenės sveikatos centrui (NVSC) | Public Sector and Education | Art. 5 (1), (2) GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 58 (2) f) GDPR | Non-compliance with general data processing principles | The Lithuanian DPA (VDAI) imposed a fine of EUR 12,000 on the Lithuanian National Health Service (NVSC). The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The IT company ‘IT sprendimai sėkmei’ had developed the app, which was then used by the NVSC. In the course of the investigation, the DPA found that during the app’s period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app’s privacy policy. | link |
572 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2021-02-26 | 3,000 | IT sprendimai sėkmei | Industry and Commerce | Art. 5 (1), (2) GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 58 (2) f) GDPR | Non-compliance with general data processing principles | The Lithuanian DPA (VDAI) imposed a fine of EUR 3,000 on the company ‘IT sprendimai sėkmei’. The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The controller had developed the app, which was then used by the Lithuanian National Health Service. In the course of the investigation, the DPA found that during the app’s period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app’s privacy policy. | link |
573 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-03-02 | 24,400 | Unknown | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined a company NOK 250,000 (EUR 24,400). The controller ordered an employee to set up an automatic forwarding of his/her employee email account to a shared company account. The reason given for this was to improve the company’s operations. The DPA found that the controller had no legal basis to order such automatic forwarding. It therefore acted unlawfully. | link |
574 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-02 | 9,000 | Unknown | Not assigned | Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 9,000 on a website operator. The controller had published photos of the data subject on its website without the consent of the data subject. Also, the website in question did not contain a privacy statement. The fine is composed as follows: EUR 5,000 for a violation of Art. 6 GDPR and EUR 4,000 for a violation of Art. 13 GDPR. | link |
575 | GERMANY | Data Protection Authority of Sachsen-Anhalt | 2021-03-03 | 0 | Private Individual | Individuals and Private Associations | Art. 5 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | Original summary: The DPA of Saxony-Anhalt imposed a fine of EUR 200 on a private individual. The controller had taken photos of vehicles and, in some cases, their drivers and emailed them to the city of Magdeburg in unencrypted form as part of reports of violations of the Road Traffic Regulations. Update: The fine proceedings have been closed. | link |
576 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2021-03-02 | 15,000 | Registrų Centras | Public Sector and Education | Art. 32 (1) b), c) GDPR | Insufficient technical and organisational measures to ensure information security | The Lithuanian DPA (VDAI) imposed a fine of EUR 15,000 on Registrų Centras. The controller is a company which manages several Lithuanian registers. The company suffered a data breach that affected 22 of these registers. During its investigation, the DPA found that the controller had not implemented adequate technical and organizational measures to protect the processing of personal data. The measures implemented by the controller were clearly not sufficient to ensure the continuous integrity, availability and resilience of the data, nor to restore the availability of the data after incidents. | link |
577 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-02 | 200,000 | I-DE Redes Eléctricas Inteligentes, S.A.U | Media, Telecoms and Broadcasting | Art. 5 (1) b), c) GDPR, Art. 6 (1) b) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on I-DE Redes Eléctricas Inteligentes, S.A.U. The DPA received complaints from Waitum, S.L. and Servicios Aby 2018, S.L. because their customers had received letters from the controller. Both companies had previously transferred their customers’ personal data to the controller under a network access agreement entered into with the controller. Under this agreement, the two companies acted as representatives of their respective customers, who were supplied with electricity by the controller. In the letters sent, the controller mentioned, among other things, alleged breaches of contract and non-payment by the companies to the controller. In the course of its investigations, the DPA determined that the sending of these letters was neither related to nor necessary for the performance of the respective contract. The controller had therefore violated the principles of purpose limitation and data minimization, so that the sending of these letters constituted unlawful processing of the customers’ personal data. | link |
578 | CYPRUS | Cypriot Data Protection Commissioner | 2021-03-03 | 25,000 | Hellenic Bank | Finance, Insurance and Consulting | Art. 5 (1) e), f) GDPR, Art. 32 (1) b), c) GDPR, Art. 33 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA imposed a fine of EUR 25,000 on Hellenic Bank. The bank had closed one of its branches in the city of Nicosia in 2015. When moving out of the space, a safe containing old documents of still existing customers, installed in one of the walls, had been forgotten. As the building was vacant in the following years, the controller only learned about this incident when the property was rented out again for the first time in 2019. The new tenant had found the safe and informed the controller. Bank staff had then retrieved the documents and reported the data breach to the Cypriot DPA. The DPA ultimately concluded that the controller had violated Art. 5 (1) e), f) GDPR, Art. 32 (1) b), c) GDPR, and Art. 33 (1) GDPR. | link |
579 | CYPRUS | Cypriot Data Protection Commissioner | 2021-03-03 | 10,000 | Cypriot Real Estate Registration Authority | Public Sector and Education | Art. 12 GDPR, Art. 15 GDPR, Art. 31 GDPR, Art. 58 (1) e) GDPR | Insufficient fulfilment of information obligations | The Cypriot DPA imposed a fine of EUR 10,000 on the Cypriot Real Estate Registration Authority. The data subject submitted a written request to the controller requesting various information relating to him personally, exercising the right of access granted to him under Art. 15 GDPR. After the controller failed to respond to the request for information, the data subject filed a complaint with the DPA. In the course of the subsequent investigation by the DPA, the controller also failed to respond to requests by the DPA to comment on the allegation. | link |
580 | CYPRUS | Cypriot Data Protection Commissioner | 2021-03-03 | 6,000 | KEPIDES | Real Estate | Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA imposed a fine of EUR 6,000 against KEPIDES (real estate company). The controller had submitted a list of buyers of the properties it manages to a parliamentary committee. However, the controller had failed to anonymize the list, as a result of which the names of the data subjects were transmitted. | link |
581 | CYPRUS | Cypriot Data Protection Commissioner | 2021-03-03 | 40,000 | Electricity Authority of Cyprus | Employment | Art. 6 (1) GDPR, Art. 9 (2) GDPR | Insufficient legal basis for data processing | The Cypriot DPA imposed a fine of EUR 40,000 on the Electricity Authority of Cyprus. The controller used an automated system based on the so-called Bradford Factor to manage, monitor and control employee absences due to illness by means of an assessment tool. The DPA found that such an assessment mechanism was not covered by Cypriot labor law and had therefore been used unlawfully. Furthermore, an option for data subjects not to consent to such automated processing of their personal data should have been provided. | link |
582 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-03-04 | 500 | Natural person holding the position of General Secretary for a political party in Bucharest | Public Sector and Education | Art. 32 (1), (2) GDPR, Art. 58 (1) a), e) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) imposed a fine in the amount of EUR 500 against a natural person holding the position of General Secretary for a political party in Bucharest. The controller had published a list on a social network, which contained personal data such as names, signatures, nationalities, dates of birth, postal addresses, of ten supporters of the party. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect the processing of personal data. In addition, the controller had not sufficiently cooperated with the DPA in its investigation. | link |
583 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-01-15 | 4,600 | Anwara Sp. z.o.o. | Public Sector and Education | Art. 31 GDPR, Art. 58 (1) a) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA (UODO) fined the company Anwara Sp. z.o.o. EUR 4,600. The controller had not cooperated with the DPA and had not provided it with all the information necessary for an investigation. The controller twice ignored written requests for explanations regarding a procedure to investigate a complaint filed by an individual. Although the letters were properly sent, the company did not provide reasons for its failure to do so. | link |
584 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-01-11 | 30,000 | Enea S.A. | Transportation and Energy | Art. 33 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) fined Enea S.A. EUR 30,000 for the controller’s failure to report a personal data breach, in violation of Art. 33 (1) GDPR. The DPA received information about a personal data breach from a person who had become an unauthorized recipient of personal data. The breach consisted of sending an email with an unencrypted, non-password protected attachment that contained personal data of several hundred individuals. The sender of the email was an employee of the sanctioned controller. | link |
585 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-09 | 15,000 | Homeowners Association | Real Estate | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 15,000 on a homeowners’ association. The controller had publicly displayed the record of a homeowners’ meeting in the elevator of the building where the participants lived. From the records, the names, floors and apartment numbers of the meeting participants could be obtained, as well as the floors and apartment numbers of neighbors about whom the participants had complained during the meeting. The controller had justified the public notice with the fact that the results of this meeting concerned planned legal actions against some of the residential parties. They were to be informed about this so that they would not be able to claim later that they had not received the relevant notifications. The DPA considers this to be a violation of Art. 5 (1) f) GDPR, which refers to the principles of integrity and confidentiality of personal data. | link |
586 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2021-03-10 | 300,000 | VfB Stuttgart 1893 AG | Individuals and Private Associations | Art. 5 (2) GDPR | Non-compliance with general data processing principles | The DPA from Baden-Württemberg has imposed a fine of EUR 300,000 on the soccer club VfB Stuttgart 1893 AG for negligent breach of data protection accountability under Art. 5 (2) GDPR. However, the controller has promoted the DPA’s investigation and clarification measures through its own initiative and has cooperated extensively with the DPA. | link |
587 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-10 | 10,000 | Hospital Campogrande DE | Health Care | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 10,000 on Hospital Campogrande DE. A patient filed a complaint against the controller with the DPA. The controller had performed an MRI on the patient on September 05, 2019 due to an injury of the right knee. The cost of the examination was covered by the patient’s private health insurance. Due to a work-related injury, another MRI of the same knee had to be performed on September 27, 2019. Although the second MRI was performed at another hospital, albeit one belonging to the corporate group, the hospital system also linked the first, privately arranged MRI to the patient’s record at the second hospital. The first MRI was provided through the hospital network without any medical justification. This turned out to be very unfavorable for the patient when, upon presentation of the second MRI, the company physician informed him that he would have to contact his private physician or the social insurance with this injury, since the incident could not be considered an occupational accident. He justified this with the existence of the first MRI, which had a non-occupational cause. | link |
588 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-10 | 8,000 | Filigrana Comunicación S.L.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) fined Filigrana Comunicación S.L.U. EUR 8,000. The controller operates a website that provides information on internships offered by the Spanish Ministry of Education and Sports. In addition, the results of various competitions held by the Ministry are published on the site. The controller had compiled and published the data of the participants from publicly available sources without first obtaining the consent of the data subjects. Likewise, the controller had not fulfilled its information obligations to them in accordance with Art. 13 GDPR and Art. 14 GDPR. | link |
589 | ITALY | Italian Data Protection Authority (Garante) | 2020-12-17 | 4,000 | Comune di Santo Stefano Belbo | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 4,000 on the municipality of Santo Stefano Belbo. The reason for this was that the controller had published two documents on a legal settlement of the data subject on its website. The documents were not only freely accessible, but could also be downloaded. The documents contained personal data and information about the data subject, including, in addition to his first and last name, a confirmation of the payment of legal costs, the IBAN code of his checking account, information about the lawsuit and the amounts paid in favor of the data subject. | link |
590 | ITALY | Italian Data Protection Authority (Garante) | 2020-12-17 | 10,000 | Comune di Luino | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 37 (1) a) GDPR, Art. 37 (7) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 10,000 on the municipality of Luino. The controller had published a document containing personal data of a local council member. In addition to personal data, the document also contained information about a complaint procedure filed against him by the mayor. The freely accessible document could be downloaded without further authentication. Furthermore, the municipality had failed to name a data protection officer and to provide the DPA with his/her contact details. | link |
591 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-25 | 300,000 | Istituto Nazionale Previdenza Sociale (INPS) | Public Sector and Education | Art. 5 (1) a), c), d) GDPR, Art. 25 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | Original fine summary: The Italian DPA (Garante) imposed a fine of EUR 300,000 on the Istituto Nazionale Previdenza Sociale (INPS). The Italian National Institute for Social Security had been tasked with anti-fraud investigations related to COVID-19 relief funds. After press reports raised problems with the institute’s data processing practices around the application review of politicians, the Italian DPA opened an investigation against INPS in August 2020. During that investigation, the DPA identified several violations. The controller had collected data on tens of thousands of politicians from public sources and cross-checked it with data from applicants. In doing so, however, the controller had failed to ensure that data was collected only from those politicians who were eligible to receive the assistance funds. In doing so, the controller violated the principles of lawfulness, fairness, and transparency as set out in the GDPR. Furthermore, the controller had violated the principle of data minimization by initiating checks on reimbursements even for individuals whose applications had been rejected and who had therefore never received payments. Furthermore, the controller had not adequately assessed the risks associated with a data processing operation as sensitive as that on applications for social benefits, since it had not carried out an impact assessment on the rights and freedoms of the data subjects. Update: Following an appeal presented by INPS the judge of the XVIII civil section of the Court of Rome annulled the fine of EUR 300,000. | link |
592 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-10 | 50,000 | Equifax Iberica S.L. | Finance, Insurance and Consulting | Art. 6 (1) f) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) fined Equifax Iberica S.L. EUR 50,000 for a violation of Art. 6 (1) f) GDPR. The controller had added the data subject to a debtor register without informing her beforehand. The data subject had outstanding payments of rent with her landlord, who had previously sent her corresponding requests for payment. The controller itself had also sent notices to the data subject requesting her to pay the debts. These, however, did not contain any information that the data subject would be entered in the debtors’ register in the event of non-payment. Also, the rental contract of the data subject did not contain any provisions in this regard, which led the DPA to conclude that the controller did not have a legitimate interest within the terms of the GDPR and thus had processed the personal data of the data subject without a legal basis. | link |
593 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-10 | 90,000 | Xfera Moviles S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 17 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) imposed a fine of EUR 150,000 on Xfera Móviles S.A. The DPA had received two complaints from a data subject. The first complaint concerned the sending of advertising SMS messages that the data subject received from the controller, although he had objected to this and requested that his data be deleted. According to the data subject, he received over 60 SMS messages within 30 days. The second complaint was filed by the data subject because the controller repeatedly sent him messages containing confidential data of a third party. This concerned the login information of another customer to a company platform. On the portal, it was possible to view personal information as well as invoices, among other things. Although the data subject had informed the company of this, the incorrect mailing did not end. The original fine of EUR 150,000 was reduced to EUR 90,000 due to immediate payment and admission of guilt. | link |
594 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-11 | 8,150,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 28 GDPR, Art. 24 GDPR, Art. 44 GDPR, Art. 21 LSSI, Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 LOPDGDD | Insufficient fulfilment of data subjects rights | Since 2018, the Spanish DPA (AEPD) had received a total of 191 complaints against Vodafone España, S.A.U. The data subjects complained about advertising calls and messages (e-mail and SMS) made on behalf of Vodafone España as part of marketing campaigns. The contact was made without the prior consent of the data subjects and continued even after they had exercised their right to object. Furthermore, many data subjects were contacted even though their numbers were on the Robinson list. The AEPD explains that, as an aggravating factor, it took into account that Vodafone España had regularly received fines in more than 50 cases from January 2018 to February 2020, and the fact that there had been 162 complaints received by the AEPD in just under two years. The fine is composed as follows: EUR 4 million for a breach of Art. 28 GDPR and Art. 24 GDPR; EUR 2 million for a breach of Art. 44 GDPR; EUR 150,000 for a breach of Art. 21 LSSI; and EUR 2 million for a breach of Art. 48 (1) b) LGT, Art. 21 GDPR and Art. 23 LOPDGDD. | link |
595 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-12 | 1,500 | Private Person | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined a private individual EUR 1,500. The controller had installed a video surveillance camera facing a public thoroughfare and covering parts of the shared patio of an apartment complex. Furthermore, there was no sign in a visible place informing about the presence of the camera (responsible person, purpose, etc.). Finally, the controller had not obtained the consents of the other tenants before putting the camera into operation. | link |
596 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-12 | 12,000 | NBQ Technology, S.A.U. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined NBQ Technology, S.A.U. EUR 20,000. An identity thief had obtained the data of a third party without authorization and applied for a microcredit from the controller under the pretence of the data subject’s identity. The controller then approved the loan. Since the data processed in the course of granting the loan did not belong to the loan recipient, but to the data subject, the AEPD determined that the controller did not have a legal basis for processing the data. The processing was therefore unlawful, and a breach of Art. 6 (1) GDPR was affirmed. The original fine of EUR 20,000 was reduced to EUR 12,000 due to immediate payment and admission of responsibility. | link |
597 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-15 | 5,000 | Certime S.A. | Public Sector and Education | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Certime S.A. The data subject had renewed her driver’s license with the controller in 2009. After her address had changed in 2018, in 2019 she received mail from the controller at her new address without having informed the controller of the address change. In the letter, the controller informed the data subject that her driver’s license would soon expire. In response to an inquiry from the data subject as to where her new contact information came from, the controller informed her that its database was regularly updated using data obtained from the Spanish transport authority DGT (Dirección General de Tráfico). As the data subject had not given consent for such processing of her data, she filed a complaint against the controller with the Spanish DPA. An investigation by the DPA revealed that the company had indeed entered into a contract with DGT. However, DGT had clarified that the purpose of the processing of contact data under the contract was to ensure the accuracy of the address when renewing a driver’s license or when issuing medical reports so that it could be sent to the correct address. Nevertheless, the data subjects must request and consequently consent to such a change of address. Since these criteria were not met in the specific case, the DPA found a violation of the purpose limitation principle. | link |
598 | ITALY | Italian Data Protection Authority (Garante) | 2020-12-17 | 2,000 | Ordine degli Assistenti Sociali della Regione Lazio | Public Sector and Education | Art. 12 (3), (4) GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Ordine degli Assistenti Sociali della Regione Lazio. On November 27, 2019, a data subject had sent an email to the controller requesting what data was being processed regarding him and his daughters. After initially receiving no response to his request for information, on January 10, 2020, the data subject filed a complaint against the controller with the Italian DPA. His request for information was subsequently complied with on June 17, 2020, but without explaining the delay and, in particular, the initial non-response to the request. | link |
599 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-11 | 75,000 | Ministero dello Sviluppo Economico | Public Sector and Education | Art. 5 (1) a), b), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 37 (1), (7) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined the Ministry of Economic Development (Ministero dello Sviluppo Economico) EUR 75,000 for failing to appoint a data protection officer by May 28, 2018, and for publishing personal data of more than five thousand managers on its website. In Italy, small and medium-sized companies that had previously received a relevant voucher could book advice on technological and digital processes from experienced business professionals, through the controller. The Italian DPA launched an investigation against the controller after it became known that personal data of more than five thousand managers who had made themselves available for corresponding consultations were freely accessible on its website. The personal data, such as name, tax number, e-mail, full CV and in some cases a copy of the identity card and health card of the data subjects, was publicly visible and could be freely downloaded. On the website, it was also possible to download the directorate resolution that had approved the list, which included the data and information of all the directors. The DPA found that the processing was unlawful and that the directorate resolution referred to by the controller did not constitute an adequate legal basis for the disclosure of online data. | link |
600 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-14 | 75,000 | Regione Lazio | Public Sector and Education | Art. 5 (2) GDPR, Art. 28 GDPR | Insufficient data processing agreement | The Italian DPA (Garante) has fined Regione Lazio (Lazio Region) EUR 75,000 for failing to designate Capodarco, the company it entrusted with the management of reservations for healthcare services in 1999, as a data processor. The controller had not entered into a contract with Capodarco that would have governed its role as data processor in accordance with the requirements of data protection law. Thus, a proper contract for commissioned processing had not been concluded until 2019, which meant that data had been processed unlawfully for a period of about 20 years. | link |
601 | BELGIUM | Belgian Data Protection Authority (APD) | 2021-03-15 | 1,000 | School | Public Sector and Education | Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 8 GDPR | Insufficient legal basis for data processing | The Belgian DPA (APD) fined a school EUR 1,000. The controller had conducted a survey on student well-being via a smartschooling system. The DPA states that the controller did not obtain the consent of the parents of the minor students and violated the principle of data minimization. The original fine of EUR 2,000 was reduced to EUR 1,000 after the controller appealed the APD’s decision. | link |
602 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-15 | 3,000 | Cultural association | Individuals and Private Associations | Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 3,000 on a cultural association. The controller had published pictures of a four-year-old child in various groups of the Chinese messenger service WeChat without the consent of the child’s parents. The photos show the child taking part in the controller’s Chinese lessons. Although the controller tried to obscure the child’s face using a digital sticker, it was still partially visible. Also, the controller did not respond to the parents’ request to delete the photos and apologize to them. | link |
603 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-15 | 2,000 | Heredad de Urueña S.A. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) fined Heredad de Urueña S.A. EUR 2,000 because its personal data processing policy did not comply with the requirements of Art. 13 GDPR. In addition, the controller did not provide a privacy policy on its website informing users about the processing of their personal data. | link |
604 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-18 | 3,000 | Asesoría Alpi-Clúa S.L. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 3,000 on Asesoría Alpi-Clúa S.L. A client had requested documents from the controller to submit them to the tax authorities. The controller sent her an e-mail that, however, did not contain the documents she had requested, but documents from another client. | link |
605 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-16 | 60,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 60,000 on Vodafone Spain. The data subject had been a customer of the controller several years ago. After receiving payment reminders from the controller via SMS for services she had never booked, she informed the controller and asked for clarification and deletion of her data. Despite a positive response, she continued to receive the same SMS. The data subject then filed two complaints with the Spanish DPA against Vodafone Spain. Both times, the controller had assured that it had corrected the reason for the incorrect sending and deleted the data of the data subject. Nevertheless, the mailing continued, leading the data subject to file a third complaint. The original fine of EUR 100,000 was reduced to EUR 60,000 due to immediate payment and admission of guilt. | link |
606 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-03-23 | 2,000 | S.C. Medicover S.R.L. | Health Care | Art. 32 (1) b), (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | In February, the Romanian DPA (ANSPDCP) closed an investigation against S.C. Medicover S.R.L. and found a violation of Art. 32 (1) b), (2), (4) GDPR. The DPA imposed a fine of EUR 2,000 on the controller. The investigation was initiated following successive notifications by the controller regarding personal data breaches related to unauthorized disclosure and unauthorized access to personal data such as name, correspondence address, email and health data of the data subjects. On several occasions, documents containing personal data had been sent to the wrong recipients. The DPA found that the incidents occurred due to the controller’s failure to implement appropriate technical and organizational measures to protect the processing of personal data. | link |
607 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-23 | 1,000 | Laboratorio Octogón, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Usage of CCTV camera systems that were also monitoring public space (breach of principle of data minimization). | link |
608 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-03-15 | 4,900 | Ålesund Municipality | Public Sector and Education | Art. 32 (1) b) GDPR, Art. 24 (1) GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA (Datatilsynet) imposed a fine of EUR 4,900 on the municipality of Ålesund. At two schools in Ålesund, teachers asked students to download the training app Strava for physical education classes. The students were then given tasks that the teachers controlled via the tracking function. According to the Norwegian DPA’s investigation, this resulted in data breaches because the municipality failed to provide standard procedures for privacy-compliant app use in schools. For example, a data protection impact assessment was not carried out, although this would have been necessary in view of the potential risk to the students. In addition, adequate technical and organizational security measures had not been implemented to ensure the protection of the processing. | link |
609 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-03-15 | 600,000 | Air Europa Lineas Aereas, SA. | Industry and Commerce | Art. 32 (1) GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) fined Air Europa Lineas Aereas, SA. EUR 600,000 after a serious data breach involving unauthorized access to contact details and bank accounts was reported to the AEPD. Approximately 489,000 individuals and 1,500,000 records were affected. The AEPD announced that it had fined the controller EUR 500,000 for a breach of Art. 32 (1) GDPR due to the failure to take appropriate technical and organizational measures to ensure an adequate level of security, and EUR 100,000 for a breach of Art. 33 GDPR for notifying the AEPD of the security breach 41 days late. In determining the amount of the fine, the fact that the incident was not limited to a local area, but affected a large number of people not only in Spain, but also worldwide, and that sensitive banking and financial data were affected, harming several thousand people, was taken into account as an aggravating factor. | link |
610 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-25 | 2,000 | Comune di Conflenti | Employment | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) imposed a fine of EUR 2,000 on the municipality of Conflenti. A former employee of the municipality filed a complaint with the DPA because a document containing her personal data, including information about her employment with the municipality and an excerpt from the termination letter, was published on the municipality’s website. | link |
611 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-03-08 | 14,900 | Dragefossen AS | Transportation and Energy | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) imposed a fine of EUR 14,900 on the energy company Dragefossen AS. The latter had installed a webcam on the roof of its office building in the center of Rognan which was in operation 24/7 and recorded the city center. These recordings could be viewed via a live video stream on YouTube and on the controller’s homepage. In addition, the recordings could be rewound for up to twelve hours. The area covered by the camera surveillance included a public street, the parking lot and entrance of two grocery stores, a pharmacy, a liquor store, the local bank, city hall, and a number of other buildings. It was not possible to make out facial details or read license plates on cars due to the image quality and distance from the camera. Nevertheless, the image quality was good enough to be able to identify what type of car the data subjects were driving, what type of clothing they were wearing, what hair color they had, and other personal characteristics. This was sufficient for those watching the live broadcast to identify and track co-workers, colleagues, friends, family, or other acquaintances. The Norwegian DPA concluded that the live broadcast constitutes a breach of Art. 6 (1) GDPR and Art. 5 (1) a) GDPR. The decision highlights that the illegal camera surveillance involved a significant number of employees and that many were monitored repeatedly, some on a daily basis. Those who were monitored were people on their way to and from work, people who needed to buy groceries, medications, or alcohol, or people who were in the public area for other reasons. These are activities where the data subjects do not expect to be monitored, and even less do they expect the monitoring to be broadcast live on the Internet. | link |
612 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-12-10 | 475,000 | Booking.com B.V. | Accommodation and Hospitality | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card’s security code in 97 cases. Furthermore, they tried to get other victims’ credit card details by pretending to be Booking.com employees via email or phone. Booking.com was notified of the data breach on January 13, 2019, but did not report it to the DPA until February 7, 2019. The controller was thus 22 days late in reporting the data breach, as it is required to report a data breach to the DPA within 72 hours. | link |
613 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-03-30 | 10,000 | Telekom Romania Mobile Communications S.A. | Media, Telecoms and Broadcasting | Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) has fined Telekom Romania Mobile Communications S.A. EUR 10,000 for failing to implement adequate security measures to ensure the security of personal data processing. In particular, the ANSPDCP’s investigation revealed that the controller’s failure to implement adequate security measures resulted in the unauthorized disclosure of the data of 99,210 data subjects, including their customer number, gender and telephone number, as well as unauthorized access to the personal data stored in the accounts of 413 customers. On this basis, the ANSPDCP ruled that the controller violated Art. 32 (1) and (2) GDPR. | link |
614 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-25 | 6,000 | Comune di Commezzadura | Employment | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) imposed a fine of EUR 6,000 on the municipality of Commezzadura. A former employee of the municipality filed a complaint with the DPA because a document containing his personal data was published on the municipality’s website. The document contained the confirmation and acceptance of the employee’s voluntary termination of employment and information about the employment relationship at that time, including evaluations of his work and information about his health. The data subject also complained that this information had been mentioned in an article in a newspaper. In particular, the article discussed the end of employment and quoted a statement by the mayor of the municipality referring to the fact that the data subject had asked for flexible working hours and had been absent from work during the Christmas vacations due to illness. | link |
615 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-11 | 5,000 | Fondazione di religione e di culto “Casa sollievo della sofferenza” Opera di San Pio da Pietrelcina | Individuals and Private Associations | Art. 5 (1) a), f) GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the Foundation for Religion and Worship ‘Casa sollievo della sofferenza’ Opera di San Pio da Pietrelcina. On January 31, 2020, the controller notified the DPA of a personal data breach under Art. 33 GDPR. Documents containing information about the health status of the data subject had been accidentally sent by mail to the wrong addressee. This had happened due to a mix-up: An invoice had previously been sent not to the data subject, but to another person with the same name, whose address had then been used for further correspondence with the data subject. | link |
616 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-25 | 20,000 | Gedi Gruppo Editoriale S.p.A. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has fined Gedi Gruppo Editoriale S.p.A. 20,000 euros. The controller had published photos in its newspaper of people who were in custody in connection with a murder. The photos showed the accused in handcuffs and had been taken without their consent. Although some of the photos had been pixelated around the handcuffs, the faces of the defendants remained visible, allowing them to still be identified. The DPA had ordered the controller in advance to refrain from further use of these photos. The DPA imposed the fine because the controller had not complied with this order. | link |
617 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-11 | 350,000 | Roma Capitale | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) fined the city of Rome EUR 350,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether the particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff, but anyone could scan the codes and access the information, as it only required an ordinary QR scanner. The information stored in the system included, for example, the name of the user or the license plate number of the vehicle. In addition, the DPA found that the city of Rome had used the services of a provider for the hosting and maintenance of databases without a proper agreement as required by Art. 28 GDPR. | link |
618 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-11 | 60,000 | Roma Servizi per La Mobilita S.r.l. | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) fined Roma Servizi per La Mobilita S.r.l. EUR 60,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The controller was acting as a processor for the city of Rome. As part of this activity, it processed the data of individuals who held permits for restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether the particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff, but anyone could scan the codes and access the information, as it only required an ordinary QR scanner. The information stored in the system included, for example, the name of the user or the license plate number of the vehicle. The DPA notes that the controller did not analyze the risk associated with the data processing and, as a result, did not implement adequate measures to protect the processing. | link |
619 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-25 | 4,000 | Ministero dell’Istruzione, Ufficio Scolastico Regionale per il Lazio | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 4,000 on the Lazio Region School Authority. A parent had filed a complaint against the school authority for forwarding data of his disabled son to the Office of Public Administration. The data forwarded included, among other things, information about the child’s health condition. The parent had previously complained of irregularities in the allocation of support hours for students with disabilities at the school I.C.G. Pitocco of Castelnuovo di Porto. The school authority had then transmitted the data in order to clarify the allegation. The DPA, however, found that the transfer had taken place without a legal basis. | link |
620 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-25 | 4,500,000 | Fastweb S.p.A. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined Fastweb S.p.A. EUR 4,500,000 for aggressive telemarketing. Following a complex preliminary investigation launched after hundreds of reports and complaints from users, the DPA found that the controller illegally processed the personal data of millions of users for telemarketing purposes. Namely, the call centers working for Fastweb largely acted in disregard of data protection regulations. They often used telephone numbers for their calls that were not registered in the Italian register for communications operators (Registro degli Operatori di Comunicazione). In addition, many users reported being contacted by ‘self-proclaimed Fastweb operators’ who attempted to obtain contractors’ identity documents via WhatsApp, likely for the purpose of spamming, phishing and other fraudulent activities. Other breaches involved procedures for the ‘call me back’ service that made it impossible for users to give free, specific and informed consent and to deactivate the service in an automated manner. | link |
621 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-05 | 3,000 | Kukimbia S.L. | Industry and Commerce | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has fined Kukimbia S.L. EUR 3,000. The controller is a company that stores, transports and distributes goods. Documents containing personal data about the controller’s customers and suppliers were found freely accessible next to a trash can near one of the controller’s warehouses. The DPA determined that the controller had violated Art. 32 GDPR. | link |
622 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-05 | 3,000 | Electrotecnica Bastida S.L. | Industry and Commerce | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has fined Electrotecnica Bastida S.L. EUR 3,000. Police officers had found 29 envelopes, each addressed to one of the controller’s employees, on a vacant lot in the local industrial area. Two envelopes had already been opened. The envelopes contained results of medical examinations. The AEPD considered this to be a breach of the controller’s duty to implement adequate technical and organizational measures to protect the processing of personal data. | link |
623 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-05 | 4,000 | Stockhunters S.L. | Finance, Insurance and Consulting | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Stockhunters S.L. The controller was not able to answer the data subject’s requests regarding the use of his personal data. In addition, the data protection policy of the controller’s website did not comply with the provisions of Art. 13 GDPR. The data subject was therefore unsure of how his personal data was being used. | link |
624 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-06 | 2,400 | Promotech Digital S.L. | Finance, Insurance and Consulting | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has fined Promotech Digital S.L. EUR 2,400 for repeatedly sending the data subject advertising SMS, even though he never subscribed or agreed to receive SMS. Furthermore, the SMS did not offer a direct option to unsubscribe from the advertising. Instead, reference was made to the possibility of cancellation by e-mail. Even though the data subject had objected to receiving further SMS, he continued to receive SMS from the controller. The original fine of EUR 3,000 was reduced by 20% to EUR 2,400 due to immediate payment and acknowledgement of guilt. | link |
625 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-11 | 45,000 | Istituti ospedalieri bergamaschi | Health Care | Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has imposed a fine of EUR 45,000 on Istituti ospedalieri bergamaschi. The DPA initiated an investigation against the controller after it reported a data breach to the DPA. A patient had mistakenly received medical records and clinical documentation from seven other patients in his digital medical record. | link |
626 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-03-22 | 2,000 | Candidate for parliamentary elections | Public Sector and Education | Art. 15 GDPR, Art. 11 Law 3471/2006 | Insufficient fulfilment of data subjects rights | The Greek DPA (HDPA) has fined a parliamentary candidate EUR 2,000. The data subject had received a call from the controller on her private mobile number prior to the Greek parliamentary elections in July 2019. The call was made for the purpose of promoting the controller’s candidacy. The data subject’s inquiries regarding the use of her personal data were answered by the controller in a contradictory manner. | link |
627 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-03-15 | 100,000 | Asker Municipality | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 32 (1) b) GDPR, Art. 24 GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA (Datatilsynet) has fined the municipality of Asker EUR 100,000. On May 20, 2020, the DPA received a notice that the municipality had unlawfully published personal data on its website. On the website, users could view the names of documents that had previously been sent via the municipality’s email distribution list. In addition to the document names themselves, the lists also contained the names and dates of birth of 127 people, including children. Although the distribution lists were proofread daily by two people, the municipality had failed to detect the discrepancies. The Norwegian DPA concludes that the data breach occurred partly due to a lack of required routines for handling email lists. | link |
628 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-04-09 | 3,400 | Miljø- og Kvalitetsledelse AS | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 3,400 on Miljø- og Kvalitetsledelse AS. At one of the carwashes operated by the controller, incidents of vandalism had occurred at the payment terminal. The controller thereupon sent footage of the incident from a surveillance camera to the employer of the alleged vandal. The Norwegian DPA concluded that the sharing of the video footage had taken place without a legal basis and the controller had thus violated Art. 6 (1) GDPR and Art. 5 (1) a) GDPR. Furthermore, the DPA emphasizes that the disclosure of the recordings was not necessary to clarify the incident, as the recordings had already been provided to the police. | link |
629 | ITALY | Italian Data Protection Authority (Garante) | 2021-02-25 | 6,000 | Azienda Ospedaliera Universitaria Careggi | Health Care | Art. 5 GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 6,000 on Azienda Ospedaliera Universitaria Careggi for a breach of Art. 5 GDPR and Art. 9 GDPR. Azienda Ospedaliera Universitaria Careggi had notified the DPA of a data breach under Art. 33 GDPR regarding the transfer of health data to the wrong person. Medical documents of a patient had been sent by mail both to the affected patient and to another patient. The controller states that the incident occurred due to an error in the printing process. The ward where the affected patient was treated was only equipped with two printers, and one doctor had unknowingly also taken a colleague’s print job (the affected patient’s documents) when taking out his print job (the documents of the wrong recipient). | link |
630 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-08 | 60,000 | Kutxabank, S.A. | Finance, Insurance and Consulting | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Kutxabank, S.A. Following a complaint from a former customer, claiming that the bank did not comply with his request for erasure of his data, the DPA started an investigation against the controller. The data subject had already been a customer of the bank in the past. At that time, he had exercised his right to erasure of his data. When he tried to open a new account with the controller, he was informed that this was not possible as his data was still blocked (due to his previous erasure request). The controller further informed the data subject that he would have to unblock the data if he wanted to open an account. For this purpose, a form was attached to the letter. The form stated that by signing it, the data subject was revoking his right to erasure and allowing his data to be used (again) by the controller. The DPA found that temporarily blocking the data does not correspond to the right to erasure. The DPA also emphasized that deleted or blocked data may not be processed again when a new contractual relationship is entered into with the controller, even if the new processing purpose is the same as the previous one. The original fine of EUR 100,000 was reduced to EUR 60,000 due to the immediate payment and acknowledgement of guilt. | link |
631 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | 2,700 | Mall.tv | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Czech DPA (UOOU) fined Mall.tv EUR 2,700 for recording parts of the public space without a legal basis. The subject of the DPA’s investigation was the operation of two cameras by a company. The cameras recorded parts of the public space and then broadcast the footage in real time on internet television. The footage was of such high resolution that people and vehicles passing by were clearly visible and identifiable. | link |
632 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | Unknown | Ski rental company | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 7 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17 GDPR, Art. 18 GDPR, Art. 19 GDPR, Art. 20 GDPR, Art. 21 GDPR | Non-compliance with general data processing principles | The Czech DPA (UOOU) imposed a fine against a ski rental company. Due to the high value of the sports equipment, the controller required a financial deposit or a full copy of a valid ID when renting sports equipment. The consent to the copy of the ID was included in the sports equipment rental agreement itself. Thus, when the sports equipment rental agreement was signed, consent to the processing of the ID copy was obtained at the same time. The DPA considered this method of obtaining consent to be a violation of the lawfulness of the processing. In addition, it was found that the data subjects were not properly informed about the processing of their personal data. | link |
633 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-04-15 | 5,000 | S.C. Tip Top Food Industry S.R.L | Employment | Art. 5 (1) b), c) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | The Romanian DPA (ANSPDCP) has fined S.C. Tip Top Food Industry S.R.L. EUR 5,000. The controller had installed several video cameras in the food areas and changing rooms to surveil its employees. The CCTV was intended to deter theft and protect the manufactured goods. The Romanian DPA stated that the controller violated the principle of data minimization, as such extensive surveillance was not necessary. The goods produced could have been protected by methods less intrusive to the privacy of the employees. | link |
634 | GREECE | Hellenic Data Protection Authority (HDPA) | 2020-04-07 | 2000 | Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε. | Employment | Art. 5 (1) c) GDPR, Art. 6 (1) f) GDPR | Non-compliance with general data processing principles | The Hellenic DPA (HDPA) has imposed a fine of EUR 2,000 on Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε. The controller had installed surveillance cameras covering areas where its employees were present. The controller claims that the cameras were installed for security purposes, as there had been incidents of theft in the past. Considering this, the surveillance system was intended to detect people entering the facilities. However, during the DPA’s investigation, it was found that the camera installation was not limited to areas necessary for the protection of property. The DPA recognized this as a violation of the principle of data minimization. | link |
635 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-15 | 3,000 | Private Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. The controller resides on the 1st floor of an apartment building, where he is the owner of apartments on the 2nd and 3rd floors. He regularly rents out these apartments to tourists. The controller had installed four video cameras on the three floors and in the entrance area of the building. He justified their operation with security concerns related to the rental to tourists. The owners’ association had not granted permission for the operation of the cameras. Also, the controller did not put up a sign in the building informing about the operation of the camera. The DPA found this to be a violation of the principle of data minimization, as the cameras covered areas of the building used by the community, whose monitoring was not necessary for the protection of the controller’s property. Furthermore, the controller violated its obligation to provide information, as he failed to inform the other residents of the building about the processing of their data. | link |
636 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-13 | 90,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 150,000 on Vodafone España S.A.U. Three data subjects had filed complaints with the AEPD against the controller. They complained about receiving unsolicited text messages from the controller informing them of new invoices, even though there was no longer a contractual relationship between them and the controller. Moreover, there were no outstanding invoices, as the amount to be paid was always zero euros. The data subjects had asked the controller several times to stop sending them text messages and to delete their data. The controller had explained that the messages had been sent due to a technical error and assured the data subjects that they would no longer receive such notifications in the future. However, the sending continued. The original fine of EUR 150,000 was reduced to EUR 90,000 due to immediate payment and admission of guilt. | link |
637 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-04-19 | 1,500 | Lugera & Makler Broker S.R.L. | Finance, Insurance and Consulting | Art. 29 GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,500 on Lugera & Makler Broker S.R.L. The controller had accidentally destroyed data of customers of Raiffeisen Bank S.A., for which it acted as processor. The ANSPDCP states that the incident occurred due to the fact that the controller had not taken sufficient technical and organizational measures to ensure an adequate level of protection of the data processing. | link |
638 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-19 | 1,500 | Pub owner | Accommodation and Hospitality | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined the owner of a pub EUR 1,500 due to the unauthorized use of two video surveillance cameras covering parts of the public space. | link |
639 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | 387 | Private healthcare provider | Health Care | Art. 24 GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Czech DPA (UOOU) conducted an investigation against the operator of a non-governmental medical facility following a security breach. The operator offers a range of diagnostic tests to patients. The results of the tests are subsequently communicated on its website to both patients and physicians who recommended the tests. The reported security breach involved an attack on the operator’s website by an unknown individual. Following this incident, the operator stopped operating the website in question and proposed technical measures to increase security. However, the DPA still found that other websites operated by the same operator had the same shortcomings. Yet, the operator did not restrict their operation nor did it take any new technical measures. As a consequence, the UOOU imposed a fine of EUR 387. | link |
640 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020-05-26 | Unknown | Unknown | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Czech DPA (UOOU) imposed a fine against a company for processing personal data without a sufficient legal basis. Several individuals were contacted by the sales staff of the controller for advertising purposes. The data subjects had used the services of the sales staff in the past (until around 2016) to conclude insurance or financial contracts. However, at that time, the sales staff were working for a different company with which they had concluded an agency contract. The DPA notes that on the one hand the use of the personal data known to the representatives from their previous activity constitutes a breach of the contract concluded with the previous company, and on the other hand no legal basis existed for the further processing of the data for advertising purposes in favour of the controller. | link |
641 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | 1,900 | Unknown | Industry and Commerce | Art. 12 (2) GDPR, Art. 15 (1) GDPR | Insufficient fulfilment of data subjects rights | A person had received an invoice for ordered goods, which, however, came from a different company than the one from which she had ordered the goods. Therefore, the data subject contacted the company that had supplied the goods and requested information about where her personal data had been obtained from, how it had been processed and on what legal basis it had been processed. As the company did not respond to her request, the data subject contacted the DPA. The DPA then ordered the controller to provide the data subject with the requested information immediately. As the controller did not respond to this request either, the DPA imposed a fine in the amount of EUR 1,900. | link |
642 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-20 | 8,000 | Highcliffe Estates Marbella S.L. | Real Estate | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 8,000 on Highcliffe Estates Marbella S.L. The controller had published a photo of the data subject on its website without his consent. | link |
643 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-03-21 | 19,900 | Basaren Drift AS | Accommodation and Hospitality | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 19,900 on Basaren Drift AS. The controller had installed video cameras in its premises which recorded both its employees and customers. The Norwegian DPA concluded that the controller had no legal basis for the camera surveillance. In addition, the Norwegian DPA found that the controller did not provide sufficient information on the surveillance to the data subjects. | link |
644 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-22 | 1,500 | Private Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed a surveillance camera on his property, which recorded, among other things, the public space and neighboring properties. According to the controller, he had installed the camera for security purposes regarding his property. The AEPD considered this to be a violation of the principle of data minimization, as such extensive monitoring was not necessary to protect the controller’s property. | link |
645 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-22 | 4,000 | HazteOir.Org | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on HazteOir.Org. The controller had published a brochure on sex education in schools which unlawfully contained the photos and names of three data subjects who had not given their consent. The original fine of EUR 5,000 was reduced by 20% to EUR 4,000 due to immediate payment. | link |
646 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-04-16 | 2,000 | Candidate for parliamentary elections | Public Sector and Education | Art. 15 GDPR, Art. 11 Law 3471/2006 | Insufficient fulfilment of data subjects rights | The Greek DPA (HDPA) has fined a parliamentary candidate EUR 2,000. The data subject had received a call from the controller on her private mobile number prior to the Greek parliamentary elections in July 2019. The call was made for the purpose of promoting the controller’s candidacy. The data subject’s inquiries regarding the use of her personal data were answered by the controller in a contradictory manner. | link |
647 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-11 | 3,000 | Comune di San Marco in Lamis | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 3,000 on the municipality of San Marco in Lamis. The municipality had uploaded documents containing personal data of the data subject and his family freely accessible on its website. The documents were two orders against the data subject. The documents were related to a proceeding against the data subject concerning construction activities without a building permit and contained the date of birth, place of birth, tax number and address of the data subject and his relatives. The data subject had already asked the municipality in advance to remove the documents from the website. However, the municipality did not comply. | link |
648 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | Unknown | Public university | Public Sector and Education | Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | A public university required personal data from applying students without a sufficient legal basis. | link |
649 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | Unknown | Healthcare provider | Health Care | Art. 5 (1) a) GDPR, Art. 12 (1) GDPR, Art. 28 (2), (3) GDPR | Insufficient fulfilment of information obligations | A healthcare provider collected personal data through software provided by an external body without informing the patients. | link |
650 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | Unknown | Bank | Finance, Insurance and Consulting | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4) LOPDGDD | Non-compliance with general data processing principles | A bank made the opening of an account conditional on the presentation of a copy of the identity card. | link |
651 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | Unknown | Unknown | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | A company stored biometric signatures of its customers, which violated the principle of data minimization. | link |
652 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | 3,850 | Television broadcaster | Media, Telecoms and Broadcasting | Art. 12 (1) GDPR | Insufficient fulfilment of information obligations | A TV broadcaster had provided information on its website about the processing of personal data, which was however hidden and inaccurate (links to outdated legal provisions). | link |
653 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | Unknown | Municipality | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR, Art. 14 (3) GDPR | Insufficient legal basis for data processing | A public school shared personal information with a municipal mayor, who disclosed it through the city radio mobile application. | link |
654 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | Unknown | Unknown | Employment | Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | A state-subsidized organization shared photos of its employees on its website without a sufficient legal basis. | link |
655 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2020 | 19,200 | Unknown | Not assigned | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 12 (2), (3) GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17 GDPR, Art. 18 GDPR, Art. 19 GDPR, Art. 20 GDPR, Art. 21 GDPR, Art. 22 GDPR | Non-compliance with general data processing principles | A company copied personal data from public registers, which was considered illegal by the Czech DPA, as it was not deemed necessary. | link |
656 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-23 | 1,000,000 | Equifax Iberica S.L. | Finance, Insurance and Consulting | Art. 5 (1) a), b), c), d) GDPR, Art. 6 (1) GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000,000 on Equifax Ibérica, SL. A total of 96 complaints were filed with the DPA against the controller because it had included personal data of individuals associated with alleged debts in the Judicial Claims and Public Entities File (‘FIJ’) without their consent. In some cases, these data were not even correct. According to the DPA, the processing of the data subjects’ personal data involving the FIJ file had been unlawful and violated several data protection principles of data processing (lawfulness and transparency, purpose limitation, data minimization, and accuracy). In addition, the controller had not properly informed the data subjects about the processing of their data, thus violating its duty to inform them. | link |
657 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-27 | 3,000 | Pagamastarde S.L. | Finance, Insurance and Consulting | Art. 17 (1) GDPR, Art. 21 LSSI | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Pagamastarde S.L. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The controller stated that the data subject’s request had not been fulfilled due to a human error. The fine is composed proportionately of EUR 3,000 for a violation of Art. 17 (1) GDPR and EUR 2,000 for a violation of Art. 21 LSSI. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of guilt. | link |
658 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-04-27 | 15,000 | Anytime Fitness Iberia S.L. | Industry and Commerce | Art. 17 GDPR, Art. 21 LSSI | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on Anytime Fitness Iberia S.L. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The fine is composed proportionally of EUR 10,000 for a breach of Art. 17 GDPR and EUR 5,000 for a breach of Art. 21 LSSI. | link |
659 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2021-03-11 | 600,000 | Municipality of Enschede | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Dutch DPA (AP) has fined the municipality of Enschede EUR 600,000. In 2017, the municipality decided to install special measurement boxes to measure crowds in the city center of Enschede. Sensors in the measurement boxes detected the wifi signals from the cell phones of passers-by and registered them with a code. Based on the registered codes, it was possible to calculate how busy the city center was. However, this also made it possible to track which measurement box a particular cell phone passed by, making it possible to track the movement of passers-by. The municipality states that it was never its intention to track passers-by. However, the DPA finds that the wifi tracking (even if it was unintentional) constitutes a serious breach of the GDPR. The DPA concludes that the municipality tracked its passers-by without an effective legal basis and thus violated Art. 5 (1) a) GDPR and Art. 6 (1) GDPR. | link |
660 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-11 | 15,000 | Mediacom s.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 15,000 on Mediacom s.r.l. The controller carried out advertising calls on behalf of TIM s.p.a. Several of the calls were made even though the data subjects had not consented, had objected to the advertising calls, or had their numbers on the Robinson list. Garante found that the controller failed to verify the legitimacy of the data in contact lists acquired from third-party companies, as well as to sufficiently ensure that valid consents had been given by the data subjects for corresponding promotional activities. | link |
661 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-11 | 80,000 | Planet Group Spa | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 21 (2), (3) GDPR, Art. 12 (3) GDPR, Art. 25 (1) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 80,000 on Planet Group Spa. The controller made promotional calls on behalf of TIM s.p.a. Several of these calls were made even though the data subjects had not consented or had objected to the calls. Garante found that the controller had contacted a total of 47,981 telephone numbers without consent or legal basis. In addition, Garante highlighted that the controller had not respected the data subjects’ right to object. In one case, a user had been contacted 155 times in one month, even though he had exercised his right to object. | link |
662 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-25 | 30,000 | OneDirect Srl | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 7 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 30,000 on OneDirect Srl. A data subject had filed two complaints with the DPA after receiving advertisements by e-mail from the controller, even though he had not consented to it. Even after the data subject had repeatedly objected to the sending, the controller had not stopped the mailings. Moreover, the controller did not respond to the data subject’s objections. Furthermore, the controller did not maintain a register of its processing activities and had not sufficiently cooperated with the DPA in the course of the investigation. | link |
663 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-25 | 20,000 | GEDI News Network Spa | Media, Telecoms and Broadcasting | Art. 12 (3), (4) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 20,000 on GEDI News Network Spa. A data subject filed a complaint with the Italian DPA against the controller regarding an article published by the latter in which he was referred to. In this context, the data subject exercised his right under Art. 17 GDPR and requested the deletion of the article, considering it no longer relevant. However, the controller did not respond to the data subject’s request in a timely manner. | link |
664 | BELGIUM | Belgian Data Protection Authority (APD) | 2021-04-26 | 100,000 | Financial company | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Belgian DPA (APD) has imposed a fine of EUR 100,000 on a financial company. A data subject had filed two complaints with the APD against the company. They were based on 20 queries of her personal data from the credit register of the National Bank of Belgium. The controller employs the data subject’s ex-husband, who allegedly used his role to unlawfully gain access to the register in order to obtain financial information about the data subject and thus gain an advantage in their divorce proceedings. As the DPA noted, the data protection violations occurred due to the fact that the controller had not taken adequate organizational measures to protect personal data from unauthorized processing. | link |
665 | FINLAND | Deputy Data Protection Ombudsman | 2021-04-21 | 75,000 | ParkkiPate Oy | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 12 (3), (4), (6) GDPR, Art. 14 (2) a) GDPR, Art. 14 (3) GDPR, Art. 15 GDPR, Art. 17 (1) a) GDPR, Art. 25 (2) GDPR | Insufficient fulfilment of data subjects rights | The Finnish DPA has imposed a fine of EUR 75,000 on ParkkiPate Oy. A number of people had been issued parking tickets by the controller and had thereupon requested information about which personal data was being processed and, in some cases, requested the deletion of their data. However, in order to process the requests, the controller stated that it needed the ID card number and address of the data subjects for identification purposes, as their name with the parking ticket number was not sufficient to verify their identity. According to the DPA, the controller has not only violated its duty to inform the data subjects and the right to delete their data, but has also violated the principle of data minimization. The DPA stressed that it is permitted to request further proof of identification if there are reasonable doubts about the identity of the data subject. However, in the cases in question, no such doubts had existed. Furthermore, the DPA found a violation of the principle of storage limitation. The controller had stored photos of incorrectly parked cars and copies of parking tickets for possible future disputes in court without having defined a deadline for the deletion of the data. | link |
666 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2021-03-24 | 27,700 | Budapest Főváros Kormányhivatala XI. kerületi Hivatalát (11th District Public Health Department of the Government Office of the Capital City Budapest) | Health Care | Art. 32 (1) a), b) GDPR, Art. 32 (2) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Hungarian DPA (NAIH) has fined the XI District Office of the Government of Budapest EUR 27,700. The controller had emailed health data regarding Covid-19 rapid tests, as well as the contact details of the people tested, to doctors in a single Excel file, unencrypted and without any further measures to ensure confidentiality. The DPA found that the controller had failed to implement technical and organizational measures that ensured the protection of personal data. In addition, the controller failed to inform the DPA and the data subjects about the data breach. | link |
667 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-05-05 | Only intention to issue fine | Disqus Inc. | Media, Telecoms and Broadcasting | Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | On May 5, 2021, the Norwegian DPA (Datatilsynet) announced that it intends to fine Disqus Inc. EUR 2,500,000 for violations of Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 12 GDPR and Art. 13 GDPR. It is alleged that Disqus unlawfully tracked visitors of Norwegian websites which used the Disqus plugin. Their data was then passed on to third-party advertisers. | link |
668 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-05-07 | 2,000 | World Class România S.A. | Employment | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on World Class România S.A. The controller had published the termination letter of an employee in a WhatsApp group used by the controller’s employees. As a result, all members of this WhatsApp group were granted unauthorized access to certain personal data of the data subject (surname, first name, address, ID number, information related to the request for termination). | link |
669 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2021-04-29 | 23,100 | InfoMentor ehf | Industry and Commerce | Art. 32 (1) b), d) GDPR | Insufficient technical and organisational measures to ensure information security | The Icelandic DPA (Persónuvernd) has imposed a fine of EUR 23,100 on InfoMentor ehf. Previously, the controller had reported a data breach according to Art. 33 GDPR. The incident concerned the company’s online system, which is mainly used by schools and other institutions for communication and information purposes. In the course of its investigations, the DPA determined that inadequate technical and organizational security measures on the part of the controller led to the breach. Due to a security leak that resulted in the six-digit system number of each user being visible in the URL address of a specific page within the mentor system, unauthorized persons gained access to the personal data of 424 children. | link |
670 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-04 | 1,500,000 | EDP Comercializadora, S.A.U. | Transportation and Energy | Art. 13 GDPR, Art. 25 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Comercializadora, S.A.U. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR – Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. Besides, the company’s business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives. The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR. | link |
671 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-04 | 1,500,000 | EDP Energía, S.A.U | Transportation and Energy | Art. 13 GDPR, Art. 25 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Energía, S.A.U. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR – Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. Besides, the company’s business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives. The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR. | link |
672 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-06-16 | 7,500 | PVV Overijssel | Public Sector and Education | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The Dutch DPA (AP) fined the Overijssel local branch of the PVV party EUR 7,500 for failing to notify the AP of a personal data breach, in violation of Art. 33 GDPR. An email regarding the convening of a meeting had been sent via an open distribution list due to a human error. Since the total of 101 recipients were addressed as ‘Friends of the PVV’ in the email, the political beliefs of the data subjects were thus disclosed to all addressees. | link |
673 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-12 | 3,000 | Solram T Y R S.L. | Industry and Commerce | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Solram T Y R S.L. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him advertisements via WhatsApp, despite the fact that he had requested the deletion of his data. | link |
674 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-25 | 4,000 | Comune di Castellanza | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 4,000 on the municipality of Castellanza. The municipality had uploaded documents containing personal data of the data subject on its website, which were freely accessible. The documents concerned a legal proceeding of the data subject. | link |
675 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-05-14 | 200 | Website operator | Individuals and Private Associations | Art. 5 (1) a), b), (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1), (2), (3) GDPR, Art. 32 (2) GDPR | Non-compliance with general data processing principles | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 200 on the operator of the website declaratieppr.ro. During the Covid19 pandemic, visitors to the site were able to fill out a form that was required to leave their place of residence. Personal data such as name, address and ID number were collected for this purpose. However, the controller was unable to prove that it was processing the data lawfully. In addition, the controller had not sufficiently informed the data subjects about the processing of the data when collecting their personal data and had not implemented sufficient technical and organizational measures to ensure the security of the data processing. | link |
676 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-05-13 | 2,000 | Telekom Romania Communications SA | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Telekom Romania Communications SA. The controller had made an advertising call to the data subject although the latter had exercised his right to object to the processing of his personal data for marketing and advertising purposes by requesting the controller to delete his telephone number and e-mail address from the Telekom database. | link |
677 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-14 | 30,000 | Allianz Compañia de Seguros y Reaseguros, S.A. | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined Allianz Compañia de Seguros y Reaseguros, S.A. EUR 30,000. The controller had sent an invoice to the data subject although no contractual relationship existed. The data subject had concluded a motorcycle insurance policy with the controller in 2016, but had terminated the policy in 2017. | link |
678 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-12-20 | 525,000 | Locatefamily.com | Media, Telecoms and Broadcasting | Art. 27 GDPR | Non-compliance with general data processing principles | The Dutch DPA (AP) has imposed a fine of EUR 525,000 on Locatefamily.com. Locatefamily.com is a platform where people can search for the contact information of family members they have lost contact with or other people they would like to get in touch with. The data subjects complained that their contact information (name, address, phone number) was published on the website without their knowledge. The data subjects were not able to request the deletion of their data published on the site easily, because Locatefamily.com had no representative in the European Union. Under Art. 27 GDPR, a controller or processor that is not established in the EU but offers goods or services to, or monitors the behaviour of, individuals in the EU must designate a representative in the EU to whom data subjects and supervisory authorities can turn to obtain information or exercise data protection rights. Accordingly, the Dutch DPA found a breach of Art. 27 GDPR. | link |
679 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2021-03-25 | 1,425 | Operator of a care facility | Health Care | Art. 5 (1) a), b), c) GDPR, Art. 6 GDPR, Art. 13 (1), (2) GDPR | Insufficient legal basis for data processing | The Hungarian DPA (NAIH) has imposed a fine of EUR 1,425 on the operator of a care facility. The operator had installed a total of 25 cameras in all rooms of the facility, with the exception of the restrooms, locker rooms and the main nurses’ station. Both the residents of the facility and the employees were recorded by the video surveillance. The controller states that the cameras were installed for security purposes. These included preventing unauthorized persons from gaining access to the facility and deterring theft. The DPA states that such extensive video surveillance was not necessary for the processing purpose (security of the facility). Furthermore, the controller did not sufficiently inform the data subjects about the data processing. | link |
680 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-05-12 | 5,000 | A. ΕΠΙΛΟΓΗ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΕΙΑ | Not assigned | Art. 5 (1) a), b) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR, Art. 17 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has fined A. ΕΠΙΛΟΓΗ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΕΙΑ EUR 5,000. The controller had not responded to requests for information and deletion from the data subject. During the DPA´s investigation, the controller informed the DPA that it had deleted the data of the data subject. However, the data subject had not been informed of this. Furthermore, the DPA determined that the data subject’s data had been collected for a purpose other than the agreed purpose. A corresponding consent of the data subject for this new processing purpose had not been obtained. | link |
681 | POLAND | Polish Data Protection Authority (UODO) | 2021-04-22 | 245,000 | Cyfrowy Polsat S.A. | Media, Telecoms and Broadcasting | Art. 24 (1) GDPR, Art. 32 (1), (2) GDPR, Art. 34 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA (UODO) has fined Cyfrowy Polsat S.A. EUR 245,000. The fine was based on a large number of data breaches reported by the controller to the DPA. Frequently, postal correspondence containing personal data was lost or delivered to the wrong recipient. The DPA notes that although the data breaches were caused by the courier company contracted by the controller, the controller had to ensure that such breaches did not occur. The controller failed to implement technical and organizational measures appropriate to the risk to protect the processing of the data. Furthermore, the controller did not notify the data subjects about the data breaches until two to three months later. | link |
682 | ITALY | Italian Data Protection Authority (Garante) | 2021-04-15 | 2,000 | Società triveneta di chirurgia | Health Care | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Società triveneta di chirurgia. A physician had shown slides of a clinical case at a congress, which were subsequently published on the controller’s website. The slides contained personal data of a patient, such as the patient’s initials, age, gender, a detailed history of the pathology suffered by the patient, details of admissions from 1980 to 2016 and the surgical procedures performed during this period, indicating the date of admission and surgery, the surgical department that performed the procedures, the days spent in hospital, numerous diagnostic images, and 22 photographs showing the patient during the surgeries. At no time had the data subject consented to such processing of his personal data. | link |
683 | ITALY | Italian Data Protection Authority (Garante) | 2021-04-15 | 5,000 | Physician | Health Care | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 5,000 on a physician. The controller had shown slides of a clinical case at a congress, which were subsequently published on the website of the Società triveneta di chirurgia. The slides contained personal data of a patient, such as the patient’s initials, age, gender, a detailed medical history of the patient, details of admissions from 1980 to 2016 and surgical procedures performed during that period, indicating the date of admission and the date of surgery, the surgical department that performed the procedures, the days spent in hospital, numerous diagnostic images and 22 photographs showing the patient during the surgeries. At no time had the data subject consented to such processing of his or her personal data. | link |
684 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-05-19 | 500 | Owners Association of Iasi Municipality | Individuals and Private Associations | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 500 on Asociație de Proprietari din municipiul Iași (Owners Association of Iasi Municipality). The controller did not provide the DPA with the information it had requested. | link |
685 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-05-19 | 2,000 | Banca Comercială Română S.A. | Finance, Insurance and Consulting | Art. 5 (1) a), d), (2) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA (ANSPDCP) has fined Banca Comercială Română S.A. EUR 2,000. A data subject had initiated a complaint with the DPA because the controller had used his personal data in the context of an enforcement procedure for debts arising from a credit agreement of which he was unaware. | link |
686 | ITALY | Italian Data Protection Authority (Garante) | 2021-04-15 | 40,000 | Comune di Palermo | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has imposed a fine of EUR 40,000 on the municipality of Palermo. A data subject had filed a complaint with the Italian DPA against the municipality of Palermo. His complaint was based on the fact that his personal data from a food subsidy application he had submitted had been acquired by an unauthorized person and processed for his own purposes. As the DPA determined in the course of its investigations, such processing had occurred because the municipality had not implemented adequate technical and organizational measures to ensure the security and confidentiality of the processing. | link |
687 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-03-24 | 15,000 | CP&A | Employment | Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Dutch DPA (AP) has imposed a fine of EUR 15,000 on CP&A. The controller had documented both the causes of illness and specific complaints of the data subjects as part of the recording of employee absences due to illness. The DPA found this unlawful, since health data enjoys special protection: employers are not permitted to record the reasons or causes of sick leave. Furthermore, the DPA found that the controller had not implemented adequate technical and organizational measures to protect the processing when recording absences. The absence registration was reachable via the Internet and protected only by the ‘normal’ single-factor login. In the DPA’s view, an absence system containing health data that is accessible via the Internet must be protected by multi-factor authentication, i.e. a second form of authentication in addition to the ‘normal’ login. | link |
688 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-05-20 | 39,000 | Municipality of Oslo | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,000 on the Municipality of Oslo. On a website of the controller a subpoena from the public prosecutor’s office concerning the data subject had been published. The subpoena contained, among other things, personal information such as health data. The incident occurred because the subpoena was not originally classified as confidential and accordingly was not exempted from public disclosure. The document was publicly available for five hours before it was removed. | link |
689 | IRELAND | Data Protection Authority of Ireland | 2021-03-23 | 90,000 | Irish Credit Bureau DAC | Finance, Insurance and Consulting | Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA (DPC) has imposed a fine of EUR 90,000 on Irish Credit Bureau (ICB). The fine follows a data breach reported by the controller to the DPA on August 31, 2018. The controller is a credit reporting agency that maintains a database of credit contract performance between financial institutions and borrowers. The data breach occurred when the controller made a code change to its database that contained a technical error. As a result, between June 28, 2018 and August 30, 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. The controller disclosed 1,062 inaccurate account records to financial institutions or affected individuals before the issue was resolved. | link |
690 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-21 | 3,000 | Physician | Health Care | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined a physician EUR 3,000. The controller had left his/her former clinic and started working in a new clinic. The complainant had taken over the controller’s former clinic. The purchase agreement explicitly stated that the selling party (the controller) was not allowed to make a copy of the patient’s files under any circumstances. Nevertheless, the controller had informed his/her former patients that his/her services could be obtained at his/her new clinic in the future. The AEPD found that the controller had acted not only in breach of contract but also in breach of data protection legislation by contacting the former patients. | link |
691 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-25 | 900 | Managing Director of a company | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on the managing director of a company. A data subject filed a complaint with the AEPD against the controller with whom he had entered into a contract. The fine is based on the fact that the controller had not properly informed the data subject about the processing of his data when collecting it. The AEPD considers this to be a violation of Art. 13 GDPR. The original fine of EUR 1,500 was reduced to EUR 900 due to immediate payment and admission of guilt. | link |
692 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2021-04-27 | 1,400 | Company | Industry and Commerce | Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Hungarian DPA (NAIH) has imposed a fine of EUR 1,400 on a company. In the course of his professional activities, a data subject had made a telephone call to the controller on September 23, 2019. The controller had recorded the conversation without informing the data subject or obtaining his consent and then provided it to the company where the data subject was employed. The employer of the data subject subsequently terminated his employment because the recorded telephone call apparently did not meet the company’s service and professional standards. The DPA finds that the controller not only processed the data subject’s data without a legal basis, but also breached its accountability obligation by failing to demonstrate the lawfulness of the processing. In addition, the controller violated its duty to provide information under Art. 13 GDPR. | link |
693 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2021-04-27 | 570 | Company | Industry and Commerce | Art. 5 (1) a), (2) GDPR, Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Hungarian DPA (NAIH) has imposed a fine of EUR 570 on a company. In the course of his professional activities, a data subject had made a telephone call to a company on September 23, 2019. The company had recorded the conversation without informing the data subject or obtaining his consent, and subsequently made it available to the company where the data subject was employed (the controller). The controller then terminated the employment relationship because the recorded telephone conversation apparently did not meet the controller’s service and professional standards. The DPA finds that the controller not only processed the data subject’s data without a legal basis, but also breached its accountability obligations by failing to demonstrate the lawfulness of the processing. In addition, the controller violated its obligation to provide information pursuant to Art. 13 GDPR. | link |
694 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-25 | 100,000 | Vodafone España, SAU | Media, Telecoms and Broadcasting | Art. 28 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Vodafone España, S.A.U.. A data subject had filed a complaint with the Spanish DPA against the telecommunications company. According to the complaint, the data subject had received an advertising call from a company, which was made on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. According to Vodafone’s commissioned processor, the advertising call to the data subject had occurred due to an error in the call number filtering system. In the course of its investigation, the DPA found that Vodafone had not established any measures to avoid advertising calls to numbers on the Robinson list. In the present case, Vodafone had not even been aware that the number of the data subject was on the Robinson list, which meant that it was not blocked for the commissioned company. | link |
695 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-25 | 4,000 | Alava Norte, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined Alava Norte, S.L. EUR 4,000. The controller had installed three 360° video surveillance cameras on the facade of one of its buildings to secure the facility. These also captured parts of the public space. The AEPD considered this to be a violation of the principle of data minimization, as such extensive video surveillance was not necessary to fulfill the purpose of the processing (security of the facility). | link |
696 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-25 | 6,000 | Desolasol Restauración, S.L. | Accommodation and Hospitality | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined Desolasol Restauración S.L. EUR 6,000. The data subject had submitted a consumer complaint form to the restaurant because he was unable to converse at the table due to the volume of the music. A copy of the form remained with the controller. Due to an error by a restaurant employee, copies of the form were handed to other guests of the restaurant who were present during the incident. | link |
697 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-26 | 3,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA (AEPD) has fined Vodafone España, S.A.U. for failing to provide information to the AEPD within the required timeframe, in violation of Art. 58 GDPR. The original fine of EUR 5,000 was reduced to EUR 3,000 (two reductions of 20% each) due to immediate payment and admission of guilt. | link |
698 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-25 | 7,000 | TECNOMEDICAL S.r.l. | Health Care | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA (Garante) has imposed a fine of EUR 7,000 on TECNOMEDICAL S.r.l.. A data subject filed a complaint with the DPA after the controller failed to properly respond to his request for information. The data subject had requested access to his personal data. For this purpose, he demanded a copy of his medical records and the medical documentation of his dental implant surgery that had taken place. However, the controller did not provide the information in due time and in its entirety. | link |
699 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-05-17 | 10,000 | Municipal Organization for Pre-School Education and Social Solidarity (DOPAKA) of the municipality of Tavros Moschato | Individuals and Private Associations | Art. 6 (1) c) GDPR, Art. 12 (3), (4) GDPR, Art. 17 (1) d) GDPR | Insufficient legal basis for data processing | The Hellenic DPA has fined the Municipal Organization for Pre-School Education and Social Solidarity (DOPAKA) of the municipality of Tavros Moschato EUR 10,000. The controller had published documents containing personal data of the data subject without legal basis. The documents contained, besides his name, information about his profession, his place of work and an evaluation of his behavior. The controller also failed to respond to a subsequent deletion request from the data subject. The fine is composed of EUR 7,000 for a violation of Art. 6 (1) c) GDPR and EUR 3,000 for a violation of Art. 12 (3), (4) GDPR and Art. 17 (1) d) GDPR. | link |
700 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-05-18 | 95,500 | Innovasjon Norge | Finance, Insurance and Consulting | Art. 5 (1) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined the national development bank Innovasjon Norge NOK 1,000,000 (EUR 95,500). The controller had carried out several credit checks on the data subject without any contractual basis for doing so. For this purpose, the bank had analyzed numerous financial data of the data subject without the data subject’s consent. | link |
701 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-27 | 2,000 | Private Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 2,000 on a private individual for the unauthorized use of video surveillance cameras, which also recorded parts of public space without legitimate reason, and for the online publication of these recordings. | link |
702 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-21 | 3,000 | Homeowners Association | Real Estate | Art. 5 (1) c) GDPR, Art. 12 GDPR | Non-compliance with general data processing principles | Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance. | link |
703 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-05-12 | 5,000 | KARIERA A.E. | Industry and Commerce | Art. 17 GDPR, Art. 21 GDPR, Art. 25 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 5,000 on ΚARIERA A.E.. A data subject had filed a complaint with the DPA against the controller due to the fact that the controller continued to send him e-mail advertisements even though he had requested the deletion of his data and the controller had confirmed the deletion. Due to a technical error, the data subject’s data had not been deleted. | link |
704 | ITALY | Italian Data Protection Authority (Garante) | 2021-04-21 | 15,000 | Fondazione Policlinico Tor Vergata di Roma | Health Care | Art. 5 (1) a), f) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 15,000 on Fondazione Policlinico Tor Vergata di Roma. In February 2020, a data subject filed a complaint with Garante alleging a breach of data protection laws in relation to the booking services for medical specialists offered by the controller. In order to book a relevant appointment on the booking portal, visitors had to fill out an online form in which various personal data was requested. As the DPA found, the controller had not implemented adequate technical and organizational measures to ensure the protection of data processing. In addition, the controller did not comply with its information obligations pursuant to Art. 13 GDPR, as it had not properly informed the data subjects about the processing of their personal data at the time of the data collection. | link |
705 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-05-21 | 45,000 | Telefónica de España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 75,000 on Telefónica de España, S.A.U. A data subject had filed a complaint with the AEPD against the telecommunications company. The controller had booked a service for the data subject without the data subject having concluded a contract for it. After the data subject had accordingly not made any payments for this service, the service was canceled in the same year and a collection agency was commissioned to collect allegedly outstanding debts. The AEPD determined that neither the data processing for the service booking nor the transfer of the data subject’s personal data to the collection agency had taken place lawfully. The original fine of EUR 75,000 was reduced to EUR 45,000 due to immediate payment and admission of responsibility. | link |
706 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-06-02 | 4,000 | Avalos Consultores, S.L. | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Avalos Consultores, S.L.. The data subject, who was a client of the controller, filed a complaint with the AEPD because the controller had transferred her personal data to the agency Torrent Asesores Nga, S.L. without her consent. | link |
707 | ITALY | Italian Data Protection Authority (Garante) | 2021-04-15 | 12,000 | Istituto Nazionale Previdenza Sociale (INPS) | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA (Garante) has imposed a fine of EUR 12,000 on the Italian National Institute for Social Security (Istituto Nazionale della Previdenza Sociale). The fine was based on the fact that the controller failed to respond properly to two requests for information that the data subject had submitted to the controller. The requests related to the disclosure of personal data of the data subject to third parties. Initially, the data subject had received no response to either request. In the course of the investigation, the controller then provided him with the information and explained that the previous requests had not been answered due to a technical error in its e-mail system. | link |
708 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-06-04 | 6,000 | Creator Energy S.L. | Transportation and Energy | Art. 6 (1) b) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on Creator Energy S.L.. The controller had used the personal data of the data subject without his consent to conclude contracts for gas and electricity supplies and a maintenance service. | link |
709 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-06-07 | 20,000 | Master Distancia S.A. | Public Sector and Education | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 25,000 on Master Distancia S.A.. The controller had included personal data of the data subject in a credit report register without sufficient legal basis. The controller justified this with alleged debts the data subject had with the controller. In fact, however, the parties were still in arbitration. Accordingly, the controller had no authorization to include the data subject’s data in the register. The original fine of EUR 25,000 was reduced to EUR 20,000 due to immediate payment. | link |
710 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-06-07 | 19,600 | Radiotelevisión del principado de Asturias | Employment | Art. 5 (1) c) GDPR, Art. 12 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 26,000 on Radiotelevisión del principado de Asturias. The fine consists of EUR 20,000 due to a violation of Art. 5 (1) c) GDPR and EUR 6,000 due to a violation of Art. 12 GDPR. The fine was based on the fact that the controller installed a video surveillance system totaling 14 video cameras and monitoring the business premises. The controller states that the cameras were installed for the purpose of security of the premises. However, the cameras captured the employees’ offices in a way that was not necessary for this purpose. For example, one camera also captured a considerable part of the employees’ recreation room. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine was reduced to EUR 19,600 due to timely payment and admission of guilt. | link |
711 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-05-12 | 1,900 | Unknown | Not assigned | Art. 5 (1) c), e) GDPR | Non-compliance with general data processing principles | The Luxembourg DPA (CNPD) has imposed a fine of EUR 1,900 on a company. The controller had installed a video surveillance system to protect the company’s assets and prevent entry by unauthorized persons. However, the cameras also excessively captured parts of the public space. The DPA finds that the controller thus violated the principle of data minimization under Art. 5 (1) c) GDPR. In addition, the DPA finds that the controller stored the recordings longer than legally permitted and thus violated the storage limitation principle under Art. 5 (1) e) GDPR. | link |
712 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-05-12 | 2,400 | Unknown | Employment | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Luxembourg DPA (CNPD) has imposed a fine of EUR 2,400 on a company. The controller had installed a video surveillance system to protect the company’s assets and prevent entry by unauthorized persons. However, the cameras also excessively captured parts of the canteen terrace, which serves as a recreation area for employees. The DPA finds that recording employees during their breaks is not necessary for the purposes of the video surveillance and was therefore disproportionate. The DPA finds that the controller thus violated the principle of data minimization under Art. 5 (1) c) GDPR. | link |
713 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-05-12 | 2,600 | Unknown | Employment | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Luxembourg DPA (CNPD) has imposed a fine of EUR 2,600 on a company. The controller had installed a video surveillance system to protect the company’s assets and prevent entry by unauthorized persons. However, the cameras also excessively captured parts of the canteen, which serves as a break area for employees. The DPA finds that recording employees during their breaks is not necessary for the purposes of the video surveillance and was therefore disproportionate. The DPA finds that the controller thus violated the principle of data minimization under Art. 5 (1) c) GDPR. In addition, the controller had not properly informed the data subjects about the processing of their data by the video surveillance and thus violated its duty to inform under Art. 13 GDPR. | link |
714 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-05-12 | 1,000 | Unknown | Not assigned | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Luxembourg DPA (CNPD) has imposed a fine of EUR 1,000 on a company. The controller had installed a video surveillance system for the purposes of protecting property, securing access to private and hazardous areas, and ensuring the safety of users and the prevention of accidents. However, the cameras also excessively captured parts of the public space. The DPA finds that the controller thus violated the principle of data minimization under Art. 5 (1) c) GDPR. In addition, the controller had not properly informed the data subjects about the processing of their data by the video surveillance and thus violated its duty to inform under Art. 13 GDPR. | link |
715 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2021-06-07 | 25,000 | Region Sörmland | Health Care | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Swedish DPA has imposed a fine of EUR 25,000 on Region Sörmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. The DPA imposed the fine on Region Sörmland for collecting call data from data subjects without first properly informing them of its processing. | link |
716 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2021-06-07 | 25,000 | Region Värmland | Health Care | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Swedish DPA has imposed a fine of EUR 25,000 on Region Värmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. The DPA imposed the fine on Region Värmland for collecting call data from data subjects without first properly informing them of its processing. | link |
717 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2021-06-07 | 50,000 | Region Stockholm | Health Care | Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | The Swedish DPA has imposed a fine of EUR 50,000 on Region Stockholm. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. The DPA imposed the fine on Region Stockholm for collecting call data from data subjects without first properly informing them of its processing. | link |
718 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2021-06-07 | 1,200,000 | MedHelp AB | Health Care | Art. 5 (1) a), f) GDPR, Art. 6 GDPR, Art. 9 (1) GDPR, Art. 13 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Swedish DPA has imposed a fine of EUR 1,200,000 on MedHelp AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. The Swedish DPA found that MedHelp had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it. Similarly, MedHelp had failed to properly inform callers about the processing of their personal data in accordance with Art. 13 GDPR. In addition, the DPA finds the outsourcing of the processing of personal data to Medicall to be a breach of the legality principle set out in the GDPR. This is because Medicall is not covered by Swedish health and medical legislation and is therefore not subject to the legally regulated confidentiality obligation that exists in the Swedish healthcare sector. | link |
719 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2021-06-07 | 64,500 | Voice Integrate Nordic AB | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 64,500 on Voice Integrate Nordic AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. The Swedish DPA found that Voice Integrate had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it. | link |
720 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-06-09 | 2,000 | S.C. Dreamtime Call S.R.L. | Not assigned | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA (ANSPDCP) has fined S.C. Dreamtime Call S.R.L. EUR 2,000 for failing to provide information requested by the DPA during an investigation. | link |
721 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-04-27 | 5,050 | PNP S.A. | Not assigned | Art. 31 GDPR, Art. 58 (1) e) GDPR | Insufficient cooperation with supervisory authority | The controller failed to provide information requested by the Polish DPA (UODO) for investigative purposes. | link |
722 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2021-06-09 | 34,800 | Directorate of the Östra Skaraborg Rescue Service | Employment | Art. 5 (1) a), c) GDPR, Art. 32 (1), (4) GDPR | Non-compliance with general data processing principles | The Swedish DPA has imposed a fine of EUR 34,800 on the directorate of the Östra Skaraborg Rescue Service. The DPA had received information that several fire stations in Östra Skaraborg operated surveillance cameras that filmed areas where firefighters were changing during an emergency, whereupon it initiated a review of the camera surveillance. The video surveillance was taking place around the clock, although the controller itself stated that video surveillance was only required in case of emergency alarms. The DPA concludes that the 24/7 monitoring was too far-reaching, but notes that the controller had weighty reasons for the camera surveillance. However, the camera surveillance should be limited to emergency cases. The fine is composed proportionally of EUR 29,800 for a violation of Art. 5 (1) a), c) GDPR and EUR 5,000 for a violation of Art. 32 (1), (4) GDPR. | link |
723 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-05-28 | 39,700 | BRAbank ASA | Finance, Insurance and Consulting | Art. 24 GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,700 on BRAbank ASA. The controller had reported a data breach to the DPA on September 6, 2019. On the controller’s website, some customers were able to view other customers’ data on the ‘My Page’ section. These included credit terms and address information of other customers. The section had been activated shortly before for 500 selected customers and was intended, among other things, to provide an overview of loans taken out with the controller. Based on investigations into the case, the DPA found that the controller had not complied with the GDPR’s requirements for risk assessment and appropriate technical measures in connection with the launch of the customer portal. According to the DPA’s assessment, the personal data security breach could have been prevented if the controller had conducted a risk assessment and review as required by law. | link |
724 | LIECHTENSTEIN | Data Protection Authority of Liechtenstein | 2020 | 4,100 | Unknown | Not assigned | Unknown | Non-compliance with general data processing principles | Unlawful operation of a video surveillance system. | link |
725 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2021-02-04 | 12,000 | Orthodontic Clinic | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Dutch DPA (AP) has fined an orthodontic clinic EUR 12,000. The web form that new patients used to sign up contained mandatory fields for all sorts of patient personal data. The data that the patients (mostly children) entered into the form was then sent to the orthodontic clinic via an unencrypted – and thus unsecured – connection. This presented the risk of unauthorized third parties accessing the personal data of the data subjects. | link |
726 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-05-31 | 18,000 | Unknown | Not assigned | Art. 38 (1), (2) GDPR, Art. 39 (1) a) GDPR | Insufficient involvement of data protection officer | The DPA of Luxembourg has imposed a fine of EUR 18,000 on a company. According to the DPA, the controller firstly failed to involve the data protection officer in all matters relating to the protection of personal data. Secondly, the controller failed to provide the data protection officer with the necessary resources to perform his duties. | link |
727 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-06-14 | 1,200 | Inmopiso Zaragoza S.L. | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The controller failed to provide accurate information about the data collection in accordance with Art. 13 GDPR. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of guilt. | link |
728 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-06-09 | 2,000 | La Santrade S.R.L. | Not assigned | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA (ANSPDCP) has fined La Santrade S.R.L. EUR 2,000 for failing to provide information requested by the DPA during an investigation. | link |
729 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-03-19 | 4,900 | Funeda Sp. z o.o. | Finance, Insurance and Consulting | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA (UODO) has fined Funeda Sp. z o.o. EUR 4,900 for failing to provide information requested by the DPA during an investigation. | link |
730 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-06-16 | 27,000 | Vejle Municipality | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA (Datatilsynet) has imposed a fine of EUR 27,000 on Vejle municipality. The Danish DPA had started investigations against the municipality after it had reported a data breach pursuant to Art. 33 GDPR. The municipal dental care service had sent automated welcome letters to both parents as part of the treatment of children, which contained the contact details of both parents. In this process, the municipality had not checked whether it was permitted to pass the information on to the other parent. In several cases, parents thus received the address of the other parent, regardless of whether the other parent had name and address protection. The DPA considered this to be a failure of the municipality to take technical and organizational measures to ensure adequate data protection. | link |
731 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-06-03 | 15,000 | PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ | Not assigned | Art. 5 (1) a), b) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | The Hellenic DPA has fined PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ EUR 15,000 due to the illegal installation and operation of a video surveillance system. The controller had installed a video surveillance system in the office premises without informing the employees about it, thus violating the principles of legality, fairness, transparency, purpose limitation and accountability. | link |
732 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2021-06-21 | 20,000 | UAB VS FITNESS | Industry and Commerce | Art. 5 (1) a), c) GDPR, Art. 9 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 30 GDPR, Art. 35 (1) GDPR | Non-compliance with general data processing principles | The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA’s review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that the controller also unlawfully processed employees’ fingerprints. The controller also failed to set out for what purpose and on what legal basis it processed the employees’ biometric data. It also did not conduct a data protection impact assessment and did not demonstrate the necessity and proportionality of the processing of the employees’ fingerprints. Furthermore, the DPA finds that the controller did not comply with its information obligations pursuant to Art. 13 GDPR. | link |
733 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2021-06-21 | 1,600,000 | Storstockholms Lokaltrafik | Transportation and Energy | Art. 5 (1) a), c) GDPR, Art. 6 (1) f) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Swedish DPA has fined Storstockholms Lokaltrafik (Stockholm Local Transport Company) EUR 1,600,000. The controller had equipped ticket inspectors with body-worn cameras, which were designed to prevent threatening situations, document incidents, and ensure that the right person was fined for traveling on Stockholm’s public transportation without a valid ticket. Ticket inspectors were required to keep the camera on for their entire shift and were therefore able to film all passengers who passed the inspector. Since several hundred thousand people use public transportation in Stockholm every day, a large number of people were thus at risk of being monitored by video and audio recordings. The DPA believes that body-worn camera technology could be used to prevent and document threatening situations, but that the pre-recording time should be reduced to a maximum of 15 seconds, as a longer pre-recording time is not necessary to achieve the above-mentioned purposes. Furthermore, the DPA found that audio recordings did not contribute to the identification of persons without a valid ticket. The DPA therefore considered the audio recordings to be a violation of the principles of legality and transparency as well as data minimization. The DPA also criticized the controller for not providing sufficient information about the camera surveillance, including the fact that not only images but also sounds were recorded. | link |
734 | FRANCE | French Data Protection Authority (CNIL) | 2021-06-14 | 500,000 | BRICO PRIVÉ | Industry and Commerce | Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR, Art. 32 GDPR, Art. 82 Loi informatique et libertés, Art. L. 34-5 CPCE | Non-compliance with general data processing principles | The French DPA (CNIL) has imposed a fine of EUR 500,000 on BRICO PRIVÉ. CNIL conducted three inspections at BRICO PRIVÉ between 2018 and 2021 and identified several deficiencies in the processing of personal data of prospects and customers. The controller, for example, had not complied with the data retention periods it had established. In this regard the data of more than 16,000 customers who had not placed an order in the last five years had been retained. The same applied to more than 130,000 people who had not logged into their customer accounts for five years. In addition, the controller violated its information obligations under Art. 13 GDPR. Furthermore, the controller failed to fulfill its obligation to fully comply with the deletion requests received. The CNIL also found that the controller did not implement sufficient technical and organizational measures to ensure information security. Thus, for example, the controller did not require the use of a secure password when opening an account on the company’s website or when employees accessed the customer relationship management software. The fine is composed proportionately of EUR 300,000 for violations of Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR and Art. 32 GDPR and EUR 200,000 for violations of Art. 82 Loi informatique et libertés and Art. L. 34-5 CPCE. | link |
735 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-06-22 | 24,800 | Unknown | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 17 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company’s managing director logged into the complainant’s email inbox on a daily basis for a period of six weeks after the former employee’s employment was terminated. In total, the managing director had access to the account for a period of five months. The process had been justified by business requirements (e.g., processing customer inquiries). However, the DPA found that the controller lacked a legal basis for such access to the data subject’s e-mail account. In addition, the DPA concluded that the controller had breached its information obligations under Art. 13 GDPR, its obligation to delete the contents of the data subject’s e-mail account under Art. 17 GDPR and its obligation to consider the complainant’s objection under Art. 21 GDPR. | link |
736 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-06-22 | 10,000 | TNT EXPRESS WORLDWIDE SPAIN, S.L. | Industry and Commerce | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on TNT EXPRESS WORLDWIDE SPAIN, S.L. The data subject had placed a private order with the controller and had entered the address of his workplace as the delivery address. The parcel was correctly delivered, but the invoice was issued to the company where the data subject was employed and not to the data subject. Both the invoice and the delivery note contained various personal data of the data subject. These were disclosed to his employer as a result of the incident. | link |
737 | ITALY | Italian Data Protection Authority (Garante) | 2021-05-13 | 2,856,169 | Iren Mercato S.p.A. | Transportation and Energy | Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 (1) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) fined Iren Mercato S.p.A. EUR 2,856,169 for failing to verify that all transfers of data of recipients of promotional activities were covered by consent. Several data subjects filed complaints with the DPA against the controller because they had received unsolicited advertising to which they had never consented. In its investigation against the controller, the DPA found that the controller had in fact processed personal data for telemarketing activities that it had not collected directly but had acquired from other sources. It had not checked whether valid consents had been obtained from the advertising addressees for all transfers of the data. The controller had received lists of personal data from one company, which in turn had acquired them from two other companies. The latter companies had obtained the consent of potential customers for the telemarketing carried out by them and by third parties, but this consent did not include the transfer of customer data to the controller. In this context, the DPA emphasized that consent given by a customer to a company for third-party promotional activities cannot extend its effectiveness to subsequent transfers to other operators. | link |
738 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-06-04 | 49,200 | Moss municipality | Health Care | Art. 32 (1) b), d) GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA (Datatilsynet) has fined the municipality of Moss EUR 49,200 for inadequately securing personal data. In January, the municipality of Rygge was merged into the municipality of Moss. For this reason, several IT systems from both municipalities were combined. Due to inadequate security measures, a data breach occurred in a production system used in the municipality’s health service. This system processed personal and health data of people who live in the municipality and use the health center. The system is used for services related to immunization programs in the municipality, as well as for other health checks and follow-ups of pregnant women. About 2,000 people were potentially affected by the breach. Due to the data breach, errors had occurred in vaccine registration. As a result, the data subjects were at risk of receiving the wrong vaccines. There was also a potential for their immunization data to be misfiled in the national immunization registry. Furthermore, errors occurred in follow-ups for pregnant women, including information on the week of pregnancy or the mother’s drug use. Also, patient information was made available to health workers in a health service ward without this being required and without the access being documented. | link |
739 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2020 | 8,000 | Unknown | Not assigned | Art. 5 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Lithuanian DPA (VDAI) fined a company EUR 8,000 for conducting sound recordings on public transport buses in violation of Article 5 GDPR, Article 13 GDPR, Article 24 GDPR and Article 35 GDPR. | link |
740 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2021-06-15 | 34,000 | Huppuís ehf | Employment | Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 (1), (2) GDPR | Non-compliance with general data processing principles | The Icelandic DPA (Persónuvernd) has imposed a fine of EUR 34,000 on Huppuís ehf. A former employee filed a complaint against the controller with the DPA. The reason for this was the camera surveillance installed by the controller. During their shifts, the controller’s employees wore clothing provided by the controller. However, the designated changing room of the store was a storage room in which large quantities of cleaning materials were stored. Due to a lack of sufficient space in this room, the employees (mostly minors) had to change in the general employee area, which was covered by a video camera. The controller stated that they had installed the video camera for security purposes. The DPA concluded that the controller had a legitimate interest in the video surveillance, but that the interests of the mostly underage employees must also be taken into account. The controller should have tried to implement less restrictive measures. In addition, the DPA underlined that the information on video surveillance was inadequate in both the employee and customer service areas. In determining the amount of the fine, the fact that a large number of the data subjects were minors was taken into account as an aggravating factor. | link |
741 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-06-21 | 35,300 | Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A. | Finance, Insurance and Consulting | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The controller had sent an email containing personal data of a customer to the wrong recipient. The leaked data included the name and postal address of the data subject as well as insurance details. The controller had informed neither the Polish DPA nor the data subject about the data breach in a timely manner, i.e. within 72 hours. | link |
742 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-04-08 | 2,800 | Unknown | Not assigned | Art. 5 (1) e) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA from Luxembourg (CNPD) has imposed a fine of EUR 2,800 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was to protect the company’s assets, monitor the transport of goods and the drivers’ working hours, among other things. Some of the location data collected by the controller was stored for two years and four months. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DPA considered this to be a violation of the principle of storage limitation. In addition, the DPA found that the controller had not sufficiently informed the data subjects about the processing of the location data and had thus violated its information obligations pursuant to Art. 13 GDPR. | link |
743 | ITALY | Italian Data Protection Authority (Garante) | 2021-06-10 | 2,600,000 | Foodinho s.r.l. | Industry and Commerce | Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) a), b), c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined Foodinho s.r.l. EUR 2,600,000. Foodinho is an Italian food delivery service. The investigation against Foodinho mainly focused on the drivers of Foodinho. In the process, the DPA found some serious violations of applicable data protection regulations. Thus, the DPA identified some irregularities concerning the algorithms of the Foodinho system. In particular, the DPA found that the controller had not adequately informed employees about how the system worked and did not guarantee the accuracy and correctness of the results of the algorithms used to evaluate drivers. Furthermore, the DPA found violations of the principles of data minimization as well as storage limitation. For example, the systems processed drivers’ data to an extent that exceeded the purpose of the processing and, in some cases, stored the data significantly longer than necessary. In addition, the controller had not taken sufficient technical and organizational measures to ensure secure data processing. The controller had also not conducted a data protection impact assessment, although this would have been necessary due to the considerable amount of data of different types relating to a significant number of data subjects. Separate proceedings are being conducted against the parent company GlovoApp23 by the Spanish DPA (AEPD). | link |
744 | FINLAND | Deputy Data Protection Ombudsman | 2021-06-24 | 8,500 | Magazine publisher | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 7 (2), (4) GDPR, Art. 12 (2) GDPR, Art. 21 (2) GDPR, Art. 24 (1) GDPR, Art. 28 (1), (3) GDPR | Insufficient legal basis for data processing | The Finnish DPA has imposed a fine of EUR 8,500 on a magazine publisher. The DPA received four complaints against the magazine publisher for unsolicited telephone advertising. The controller had carried out direct marketing using an automated calling system, without valid consent from the recipients of the calls. Specifically, the controller had obtained the apparent consent for direct marketing when a customer subscribed to a magazine on its website, for example. The subscriber to the magazine was required to accept the terms of the subscription and contract, which included consent to direct marketing. If the consent to direct marketing was not given, the magazine could not be subscribed to. The DPA states that the consent and the way it was obtained did not comply with the GDPR. Indeed, the consent was not specifically requested for direct marketing, and consent collected together with the subscription and contract terms did not constitute voluntary consent for the purpose of direct marketing. In addition, it was not possible for data subjects to exercise their right to object, because the direct marketing calls were made using automated calling systems and the voice bots could not understand specific questions from data subjects about their data. Furthermore, the magazine publisher had commissioned a call center to carry out the advertising campaign and had not regulated its processing activities in a data processing agreement. | link |
745 | CROATIA | Croatian Data Protection Authority (azop) | 2021-07-05 | Unknown | IT services company | Industry and Commerce | Art. 32 (1) b), (2) GDPR | Insufficient technical and organisational measures to ensure information security | A Croatian IT company provides IT services to entities such as mobile operators, banks and state institutions in Croatia, as well as to companies abroad (USA, Great Britain, the Netherlands, etc.), thereby acting as a data processor in relation to personal data. The data controller, a telecommunications company using the services of the IT provider, informed the DPA as well as its users of the potential breach of personal data by the IT provider. The incident consisted of a security breach which led to unauthorized access and processing of personal data by hackers and involved the personal data of 28,085 data subjects. The incident occurred because the IT provider had not taken the necessary measures to achieve an adequate level of security in accordance with existing and foreseeable risks. The IT provider, as a data processor, was obliged to take appropriate technical security measures in such a way as to ensure the ongoing confidentiality of the system, including regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure security of processing. When assessing the appropriate level of security, the IT provider should have taken particular account of the risks of unauthorized disclosure of personal data. Due to failure to take appropriate technical measures for the security of personal data processing, the DPA imposed an administrative fine on the IT provider. The amount of the fine is unknown at the moment. In its decision, the DPA took into account the nature of the IT provider’s business activity, whose role should be to support other entities through opinions and guidelines, proposing solutions for the implementation of web applications, and especially designing and implementing appropriate technical measures. | link |
746 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-07-07 | 53,800 | Nordbornholms Byggeforretning Aps | Employment | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Danish DPA (Datatilsynet) has imposed a fine of EUR 53,800 on Nordbornholms Byggeforretning Aps. In 2018, the DPA was contacted by a data subject who complained that his former employer, Nordbornholms Byggeforretning ApS, had disclosed information about him to the company’s customers. The controller had emailed two of the company’s customers informing them that the former employee had committed crimes in the course of employment and had admitted to committing them, as well as describing in detail the alleged course of events. According to the DPA, the controller in such a case had a | link |
747 | ITALY | Italian Data Protection Authority (Garante) | 2021-05-13 | 84,000 | Comune di Bolzano | Employment | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined the municipality of Bolzano EUR 84,000. A former employee of the municipality filed a complaint with the DPA against the municipality. In particular, the former employee complained that the municipality processed personal data related to his internet use during working hours and that he later received a notice of initiation of disciplinary proceedings accusing him of accessing Facebook for more than 40 minutes and YouTube for more than 3 hours during his working hours and of using the municipality’s computer for private purposes. The DPA’s investigation revealed that the municipality had been using a system to control and filter employees’ internet browsing for about a decade, with monthly retention of data and creation of special reports for network security purposes. The system also collected information that had nothing to do with professional activities and, in any case, concerned the private life of the person in question. The DPA finds that the controller thus violated the principles of data minimization, lawfulness and purpose limitation. The controller should rather have taken less intrusive measures to prevent the private use of the Internet. The DPA pointed out that the need to reduce the risk of misuse of Internet navigation cannot lead to the complete elimination of any privacy of the data subject at the workplace, even in cases where the employee uses network services provided by the employer. In addition, the controller had not adequately informed employees about the collection of Internet history, in violation of its obligation under Article 13 of the GDPR. Furthermore, the investigation identified other violations in the processing of data related to employees’ requests for extraordinary medical examinations, which were made using a special form. The form provided by the controller had to be checked by the head of the organizational unit, a circumstance that led to the unlawful processing of health data. | link |
748 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-06-11 | 7,200 | Unknown | Employment | Art. 5 (1) c), e) GDPR, Art. 13 GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | The DPA of Luxembourg (CNPD) has imposed a fine of EUR 7,200 on a company. The company had installed a video surveillance system to protect the company’s assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee’s work area and the smoking area that employees frequently used. Furthermore, the controller had installed location sensors on the cars in its fleet, intended to optimize the company’s operations. The DPA found that the recording of employees was not necessary for the purposes associated with the video surveillance and was therefore disproportionate, so that the controller had violated the principle of data minimization under Art. 5 (1) c) GDPR. The location data collected by the controller was stored for a period of eight months, although this was not necessary for the purposes of the processing; the DPA considered this a violation of the principle of storage limitation under Art. 5 (1) e) GDPR. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR. Finally, the DPA found a violation of Art. 32 (1) GDPR: all persons authorized to access the software via which vehicle locations could be tracked used one shared account rather than individual accounts, so that access to the location data could not be attributed to a specific person. | link |
749 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-06-11 | 7,600 | Unknown | Employment | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA of Luxembourg (CNPD) has imposed a fine of EUR 7,600 on a company. The company had installed a video surveillance system for the purpose of protecting the company’s assets, preventing intrusion by unauthorized persons and preventing accidents. However, two of the cameras also covered parts of a public street and six of the cameras covered the workplaces of some employees. The DPA stated that the recording of the employees and the public street was not necessary for the purposes associated with the video surveillance and was therefore disproportionate. The DPA found that the controller had thereby breached the principle of data minimization under Art. 5 (1) c) GDPR. In addition, the DPA found that the controller had not complied with its information obligations under Art. 13 GDPR. | link |
750 | ITALY | Italian Data Protection Authority (Garante) | 2021-06-10 | 20,000 | Dentist | Health Care | Art. 5 (1) a), c) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has fined a dentist EUR 20,000. A data subject filed a complaint with the DPA against the dentist for refusing to treat him after the data subject had indicated on his medical history form that he had HIV. In the dentist’s clinic, it was common practice for patients to fill out a medical history form before treatment, which contained questions about previous, existing or suspected infectious diseases (e.g. tuberculosis, hepatitis, HIV). The DPA considered the refusal a violation of the principle of lawfulness. It stated that it was legitimate to ask for such information in order to better plan medical treatment, but that it was not permissible to collect such information and then refuse treatment to the patient on that basis. | link |
751 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2021-05-31 | 450,000 | UWV (Dutch employee insurance service provider) | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Dutch DPA (AP) has fined UWV (the Dutch employee insurance service provider, ‘Uitvoeringsinstituut Werknemersverzekeringen’) EUR 450,000. The UWV had not properly secured the sending of group messages via the ‘My Workbook’ environment, a personal environment on the UWV website through which job seekers are in contact with the UWV. As a result, there were multiple leaks of personal data, including health data, of more than 15,000 individuals in total. | link |
752 | UNITED KINGDOM | Information Commissioner (ICO) | 2021-07-05 | 29,000 | Mermaids | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The ICO has fined the transgender charity Mermaids EUR 29,000 for failing to protect the personal data of its users, in breach of Art. 5 (1) f) UK GDPR and Art. 32 (1), (2) UK GDPR. The ICO conducted an investigation after it received a report of a data breach relating to an internal email group. During the investigation, the ICO found that the group had been created with insufficiently secure settings, resulting in approximately 780 pages of confidential emails being viewable online for nearly three years. As a result, personal data, such as names and email addresses, of 550 people was accessible online. The ICO concluded that Mermaids should have restricted access to its email group and could have considered pseudonymization or encryption to provide additional protection for the personal data. Organizations responsible for personal data must ensure that they take appropriate technical and organizational measures to ensure its security. | link |
753 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-06-11 | 15,000 | Unknown | Not assigned | Art. 38 (1), (3) GDPR, Art. 39 (1) a), b) GDPR | Insufficient involvement of data protection officer | The DPA of Luxembourg (CNPD) has imposed a fine of EUR 15,000 on a company. During an investigation, the DPA found that the controller had not sufficiently involved the data protection officer in all matters relating to the protection of personal data. In addition, the controller had not guaranteed sufficient autonomy for the data protection officer. Lastly, the data protection officer had not received sufficient training to be able to properly and independently advise and inform the controller. | link |
754 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-08 | 50,000 | Caixabank S.A. | Finance, Insurance and Consulting | Art. 6 (1) f) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 50,000 on Caixabank S.A. A data subject had filed a complaint with the DPA because he had received commercial advertising from the controller, although he had objected to the processing of his data for advertising purposes and the controller had replied that it would comply with this request. | link |
755 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-08 | 4,000 | Malagatrom S.L.U. | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Malagatrom S.L.U. The data subject had purchased a product from the controller via the ‘Amazon’ platform, which was delivered in a defective condition. The data subject then left a negative review on the controller’s store page because of the defective delivery. Thereupon, the controller published personal data of the data subject, including his first and last name, address and mobile phone number, as well as the name and mobile phone number of his wife, on the controller’s store page on the Amazon portal. | link |
756 | CROATIA | Croatian Data Protection Authority (azop) | 2021-07-05 | Unknown | Insurance company | Finance, Insurance and Consulting | Art. 13 GDPR, Art. 14 GDPR, Art 27 (1) of the National Implementation Law | Insufficient fulfilment of information obligations | The DPA has ex officio, without prior notice, conducted a direct supervision over an insurance company based in Zagreb. Upon inspection of its business facility for carrying out technical inspections and vehicle registration and contracting insurance services, the DPA established that both the business facility and its external surface are under video surveillance. However, the DPA established that the insurance company has failed to provide notice of such surveillance, which is contrary to Art 27 (1) of the Law on the Implementation of GDPR. Namely, data controllers and processors are obliged to indicate that the object and its outer surface are under video surveillance, and such notice must be visible at the latest when entering the perimeter of the recording and must contain all the prescribed information. Due to the breach, the DPA imposed an administrative fine on the insurance company. | link |
757 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-07-09 | 80,700 | Medicals Nordic I/S | Health Care | Unknown | Non-compliance with general data processing principles | The Danish DPA (Datatilsynet) has fined Medicals Nordic I/S EUR 80,700. In January 2021, the DPA became aware that Medicals Nordic was using WhatsApp to transmit confidential information and health data about citizens being tested in the company’s test centres. All employees working in a test centre were invited to a WhatsApp group associated with that test centre, and the members of these groups received all messages transmitted by the other employees in the group. Employees used these WhatsApp groups to share confidential information about citizens with the company’s central administration. As a result, employees who had no work-related need to process the information, which other employees were required to transmit to the central administration, nevertheless received it, including, inter alia, citizens’ personal identity numbers and health data. | link |
758 | GERMANY | Data Protection Authority of Bavaria | 2020 | 7,000 | Unknown | Not assigned | Art. 58 (1) f) GDPR | Insufficient cooperation with supervisory authority | The Bavarian DPA has imposed a fine on a company. The controller had refused access to the business premises and data processing equipment during an on-site inspection carried out by the DPA pursuant to Article 58 (1) f) GDPR. The DPA then imposed a fine of EUR 20,000, which was, however, reduced to EUR 7,000 by a district court. | link |
759 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-07-16 | 67,900 | Region of Syddanmark | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA (Datatilsynet) has fined the Region of Syddanmark EUR 67,900 for failing to comply with its obligation as a data controller to implement adequate security measures. The matter came to the attention of the DPA when a citizen complained to the authority in 2020 about the lack of security in the region’s processing of personal data of the citizen’s child; shortly thereafter the region reported the matter to the authority as a personal data breach. The Region of Syddanmark had operated a database for research and clinical purposes for more than 1.5 years without adequately securing it against unauthorized access. By manipulating URLs, it was possible to gain access to PDF documents stored in the database. In other words, any citizen who was registered in the database and had a login to it could, by changing the identifier in a document URL, access the personal data of other people registered in the database: the system verified that the requester was logged in but not that the requester was authorized to see the particular document requested. The database contained questionnaires with health information on more than 30,000 children receiving psychiatric care. | link |
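The Syddanmark finding is a textbook object-level authorization failure (often called IDOR): authentication was treated as sufficient, and the document id in the URL was trusted. The following Python is an added example, not code from the region’s system (the decision does not describe its implementation); all identifiers, sessions and sample PDFs are constructed for illustration. It puts the vulnerable handler beside a hardened one that checks ownership of the specific document on every request, returns the same error for “does not exist” and “not yours” so ids cannot be enumerated, and records denied attempts, then simulates the URL-manipulation walk against both.

```python
"""Object-level authorization for per-user documents (added illustration).

Hypothetical data model: each questionnaire PDF belongs to one registered
user. Sample data and session table are constructed, not taken from any
real system.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str   # the registered person (or guardian) the questionnaire belongs to
    content: bytes


# Constructed sample data: two registered users, one questionnaire PDF each.
DOCUMENTS = {
    "1001": Document("1001", "user-a", b"%PDF-1.4 questionnaire for child of user-a"),
    "1002": Document("1002", "user-b", b"%PDF-1.4 questionnaire for child of user-b"),
}
# Constructed session table: session id -> authenticated user id.
SESSIONS = {"sess-a": "user-a", "sess-b": "user-b"}

# Denied requests are appended here so that enumeration attempts are visible.
AUDIT_LOG: List[str] = []


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def fetch_pdf_vulnerable(session_id: str, doc_id: str) -> bytes:
    """The flawed pattern: checks only that *someone* is logged in, then
    serves whatever document id the URL names."""
    if session_id not in SESSIONS:
        raise Unauthenticated()
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)          # leaks existence: 404 vs 200 tells ids apart
    return doc.content


def fetch_pdf_hardened(session_id: str, doc_id: str) -> bytes:
    """Object-level check: the requester must own this particular document."""
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        raise Unauthenticated()
    doc = DOCUMENTS.get(doc_id)
    # Same outcome for "missing" and "belongs to someone else": the caller
    # learns nothing about which ids exist, and the attempt is logged.
    if doc is None or doc.owner_id != user_id:
        AUDIT_LOG.append(f"denied user={user_id} doc={doc_id}")
        raise Forbidden()
    return doc.content


def enumerate_urls(fetch: Callable[[str, str], bytes],
                   session_id: str, candidate_ids: Iterable[int]) -> List[str]:
    """Simulate URL manipulation: walk a range of numeric ids with one valid
    session and return the ids whose PDF was served."""
    readable = []
    for n in candidate_ids:
        try:
            fetch(session_id, str(n))
            readable.append(str(n))
        except (Unauthenticated, Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    # user-a walks ids 1000..1009 against both handlers.
    print("vulnerable:", enumerate_urls(fetch_pdf_vulnerable, "sess-a", range(1000, 1010)))
    print("hardened:  ", enumerate_urls(fetch_pdf_hardened, "sess-a", range(1000, 1010)))
    print("denied attempts logged:", len(AUDIT_LOG))
```

With the vulnerable handler, user-a’s walk returns both documents; with the hardened one it returns only “1001”, and every foreign or non-existent id shows up in the audit log. Random, non-sequential document ids would make the walk slower but are no substitute for the ownership check, since an id can still leak through a shared link or a browser history.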
760 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-06-29 | 12,500 | Unknown | Not assigned | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA from Luxembourg (CNPD) has imposed a fine of EUR 12,500 on a company. The company had installed a video surveillance system for the purpose of protecting company property, securing access to private and high-risk locations, and ensuring the safety of users and preventing accidents. However, the cameras also excessively captured parts of the public space and workplaces of employees. The DPA finds that the controller thus violated the principle of data minimization under Art. 5 (1) c) of the GDPR. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
761 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-09 | 1,500 | Aparcamiento Arcusa S.L.U. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on Aparcamiento Arcusa S.L.U. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine is made up of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR. | link |
762 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-06 | 4,200 | Marbella Resorts S.L. | Accomodation and Hospitalty | Art. 28 (3) GDPR | Insufficient data processing agreement | The Spanish DPA (AEPD) has imposed a fine of EUR 7,000 on Marbella Resorts S.L. In the case at hand, the data subject had booked a room in the controller’s hotel complex. On the day of the data subject’s arrival, a concierge made copies of the data subject’s data, although he was not authorized to do so: he was solely authorized to verify the reservation and hand the guests the keys to their room. After providing the controller with his personal data, the data subject discovered that his personal data had been published on a website with online content for adults. In this regard, the DPA found a lack of diligence on the part of the controller in managing the personal data of its customers and thus a violation of Art. 28 (3) GDPR. The fine is composed of EUR 2,000 for a breach of Art. 22 (2) LSSI and EUR 5,000 for a breach of Art. 28 (3) GDPR. However, the original fine of EUR 7,000 was reduced to EUR 4,200 due to immediate payment and admission of guilt. | link |
763 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-02 | 1,500 | Private Individual | Individuals and Private Associations | Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. That private individual had published personal data of the data subject on a website without her permission. The data included photos, personal notes and information about the sexual relationship between the controller and the data subject. The DPA finds that the controller processed these data without a valid legal basis and thus violated Art. 6 (1) a) GDPR. | link |
764 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-07 | 2,000 | Homeowners Association | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Use of a CCTV camera which also captured the public space, in violation of the principle of data minimisation. | link |
765 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-01 | 1,000 | Unknown | Not assigned | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a company. The controller had used the personal data of a third party in order to obtain a microcredit. The DPA states that the controller lacked a legal basis for the processing and thus violated Art. 6 (1) GDPR. | link |
766 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-01 | 6,000 | Private Individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on a private individual. On July 8, 2020, the DPA became aware of the dissemination on social networks of a video showing a man assaulting a woman, as well as a young male minor intervening in the scene and trying to stop the assault. The faces of the woman and the minor had not been pixelated. The original fine of EUR 10,000 was reduced to EUR 6,000 due to timely payment and admission of guilt. | link |
767 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-07-08 | 5,000 | Pediatrician | Health Care | Art. 12 (1) GDPR, Art. 15 (1) GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has fined a pediatrician EUR 5,000. A father had asked the controller to view the medical records contained in his child’s patient file via e-mail. However, the controller did not comply with this request. | link |
768 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-12 | 45,000 | Telefónica Móviles España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined Telefónica Móviles España, S.A.U. EUR 45,000. A data subject filed a complaint against the controller with the DPA, based on the fact that his telephone number and customer profile had been used by the controller’s employees to conduct tests in call centers and branches without his consent. As a result, the data subject received 247 unsolicited calls from the controller. The original fine of EUR 75,000 was reduced to EUR 45,000 due to immediate payment and acknowledgement of responsibility. | link |
769 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-06-30 | 3,000 | Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra | Public Sector and Education | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) has imposed a fine of EUR 3,000 on Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra (the Lex Nostra Foundation for the Promotion of Mediation and Legal Education). The controller had not promptly informed the DPA and the data subjects about a personal data breach. Several folders containing personal data had been stolen from the controller in early 2020. These contained the names, addresses and telephone numbers, and in 3 to 4 cases also the PESEL numbers (Polish national identification number), of 96 data subjects. | link |
770 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2021-04-09 | 750,000 | TikTok | Media, Telecoms and Broadcasting | Art. 12 GDPR | Insufficient fulfilment of information obligations | The Dutch DPA (AP) has fined the video portal TikTok EUR 750,000 for violating the privacy of young children. The information that Dutch users – mostly young children – received from TikTok when installing and using the app was in English and therefore not easy to understand. By not providing the privacy policy in Dutch, TikTok did not adequately explain how the app collects, processes, and reuses personal data. The DPA considered this to be a violation of the company’s duty to provide information. | link |
771 | FRANCE | French Data Protection Authority (CNIL) | 2021-07-20 | 1,750,000 | SGAM AG2R LA MONDIALE | Finance, Insurance and Consulting | Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | The French DPA (CNIL) has fined the private insurer SGAM AG2R LA MONDIALE EUR 1,750,000. The CNIL had carried out an inspection of the AG2R LA MONDIALE group in 2019. On this occasion, the CNIL found that the controller kept the data of millions of individuals for an excessive period of time and did not comply with its information obligations in the context of telephone canvassing campaigns. With regard to the data of prospects, the controller did not comply with the maximum retention period of three years defined in the applicable reference framework and in the group’s own record of processing activities: it retained the data of nearly 2,000 prospects who had not been in contact with the controller for more than three years, and in some cases for more than five years. With regard to customer data, the controller did not comply with the maximum statutory retention periods stipulated in the Insurance Code and the Commercial Code: it retained the data of more than 2 million customers, some of it sensitive (health data) or specific (banking data), beyond the legally permitted retention periods after the end of the contract. | link |
772 | ITALY | Italian Data Protection Authority (Garante) | 2021-05-27 | 120,000 | Azienda Usl della Romagna | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined Azienda Usl della Romagna EUR 120,000. The local health authority of Romagna had accidentally transmitted a patient’s report regarding an abortion to a general practitioner. However, the patient had asked not to inform her general practitioner about it. The transmission of the report was made through the regional network ‘Sole’. The investigation by Garante revealed that the data had been accidentally transmitted due to an error in the software that manages patient admissions, discharges and transfers. | link |
773 | ITALY | Italian Data Protection Authority (Garante) | 2021-05-27 | 150,000 | Azienda Provinciale per i Servizi Sanitari di Trento | Health Care | Art. 5 (1) a), f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined Azienda Provinciale per i Servizi Sanitari di Trento EUR 150,000. The controller had accidentally forwarded 293 medical reports of 175 patients to their general practitioners, even though the patients had asked not to forward the reports to their general practitioners. Among the patients in question had been two minors and several women who had undergone abortions. The investigation by Garante found that the data had been accidentally transmitted due to an error in the software that manages patient reports. | link |
774 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-26 | 2,000 | Intersumi S.C. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Intersumi S.C. The controller had failed to provide an adequate privacy statement on its website. | link |
775 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-26 | 2000 | Fincas Miguel García S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined Fincas Miguel García S.L. in the amount of EUR 2,000. A data subject had filed a complaint against the controller, alleging a breach of Art. 13 GDPR. The DPA found that the information provided to the data subject by the controller did not comply with the provisions of Art. 13 GDPR, as essential aspects were missing, such as information on the purposes of the processing for which the personal data collected are intended and its legal basis, as well as information on the legitimate interests of the controller that justify the processing, the period for which the personal data will be stored and the right to withdraw consent at any time. | link |
776 | FRANCE | French Data Protection Authority (CNIL) | 2021-07-26 | 400,000 | Monsanto Company | Industry and Commerce | Art. 14 GDPR, Art. 28 GDPR | Insufficient fulfilment of information obligations | The French DPA (CNIL) has fined MONSANTO EUR 400,000. In May 2019, several media outlets revealed that MONSANTO was in possession of a file containing the personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe. At the same time, the CNIL received seven complaints from data subjects affected by this file. For each of these individuals, the file contained information such as the organization they belonged to, the position they held, their business address, their business phone number, their mobile phone number, their business email address and, in some cases, their Twitter account. In addition, the CNIL noted that each person had been assigned a score from 1 to 5 evaluating their influence, credibility and support for Monsanto on various issues. The CNIL found that the company had violated the GDPR by not informing the data subjects that their data was stored in this file. The creation of contact files by stakeholders for lobbying purposes is not illegal in itself; however, the CNIL stressed that data subjects nevertheless have the right to be informed of the existence of the file so that they can exercise their further rights, in particular the right to object. In addition, the CNIL found that the data collection had been carried out by a provider contracted by Monsanto, and that Monsanto had violated Art. 28 GDPR by not including in its contracts with this processor the provisions required by the GDPR, in particular regarding data security. | link |
777 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-26 | 2,520,000 | Mercadona S.A. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 (1) GDPR, Art. 35 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined Mercadona S.A. EUR 2,520,000. The controller had installed facial recognition systems in Mercadona stores for the purpose of detecting individuals with criminal convictions or restraining orders. The system captured everyone who entered the stores, including minors and Mercadona employees. During its investigation, the DPA found numerous violations. For instance, the system violated the principle of data minimization and the requirements of necessity and proportionality, since the controller was able to process biometric data of many more people than the purpose of the system required. In addition, the DPA concluded that Mercadona’s data protection impact assessment was deficient, as it did not take into account the specific risks to Mercadona’s employees posed by processing through facial recognition systems. Furthermore, Mercadona had violated its duty to inform by not properly providing data subjects with information about the processing of their personal data. The original fine of EUR 3,150,000 consisted of EUR 500,000 for a violation of Art. 5 (1) c) GDPR, EUR 2,000,000 for a violation of Art. 6 and Art. 9 GDPR, EUR 100,000 for a violation of Art. 12 and Art. 13 GDPR, EUR 500,000 for a violation of Art. 25 (1) GDPR, and EUR 50,000 for a violation of Art. 35 GDPR. The original fine was reduced to EUR 2,520,000 due to voluntary payment. | link |
778 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-07-16 | 746,000,000 | Amazon Europe Core S.à.r.l. | Industry and Commerce | Unknown | Non-compliance with general data processing principles | In its quarterly report, Amazon.com Inc. announced that the DPA from Luxembourg (CNPD) had fined Amazon Europe Core S.à r.l. EUR 746,000,000 for failing to process personal data in compliance with the GDPR. Amazon plans to take legal action against the decision. | link |
779 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-29 | 3,000 | UNIVERSIDAD A DISTANCIA DE MADRID, S.A. | Public Sector and Education | Art. 17 (1) GDPR, Art. 21 LSSI | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine on UNIVERSIDAD A DISTANCIA DE MADRID, S.A.. A data subject had filed a complaint against the distance learning university. He stated that he had requested the controller to delete all his data and prohibit its processing for any purpose. He received a confirmation, that his data had been completely deleted. Nevertheless, the data subject later received advertising from the controller by e-mail. The AEPD then imposed a fine of EUR 5,000, which was reduced to EUR 3,000 due to acknowledgement of guilt and immediate payment. | link |
780 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 500 | Website operator | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) fined a website operator EUR 500 due to the fact that its privacy policy did not comply with the requirements of Art. 13 GDPR. | link |
781 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 1,000 | NEXTSTEPAGENCY, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined NEXTSTEPAGENCY, S.L. EUR 1,000. A website of the controller lacked reliable data about the owner of the website such as tax number and postal address. | link |
782 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 10,000 | PERSONAL MARK, S.L. | Industry and Commerce | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on PERSONAL MARK, S.L. A data subject complained that she was still receiving promotional text messages from the controller, despite having requested the deletion of her personal data from the controller’s databases on several occasions. | link |
783 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 2,400 | PODEMOS PARTIDO POLÍTICO | Public Sector and Education | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on the political party PODEMOS PARTIDO POLÍTICO. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. Due to voluntary payment and acknowledgement of guilt, the original fine in the amount of EUR 4,000 was reduced to EUR 2,400. | link |
784 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 900 | Owners Association | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on an owners’ association. A data subject claimed to the DPA that the controller had installed a camera on one of his houses, which recorded both the public pool area and parts of the data subject’s house. The original fine of EUR 1,500 was reduced to EUR 900 due to voluntary payment and acknowledgement of guilt. | link |
785 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 2,000 | Owners Association | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on an owners’ association. A data subject claimed to the DPA that the controller had installed a camera that recorded both the pool area and other parts of the interior of the data subject’s home. | link |
786 | FINLAND | Deputy Data Protection Ombudsman | 2021-07-05 | 25,000 | Higher Education Institution | Employment | Art. 5 (1) c) GDPR, Art. 6 GDPR, § 3 Law 759/2004 | Non-compliance with general data processing principles | The Finnish DPA imposed a fine of EUR 25,000 on a higher education institution for data protection violations in the processing of employee location data. The controller had introduced a mobile application that allowed teleworkers to clock in and out. The use of the application on a mobile device also required authorization for location data collection. The collection of location data at the time of clocking in was a feature of the app, without which it was not possible to clock in working hours using the app. According to the information received from the controller, the controller did not actively use or exploit the location data in any situation, but only processed the location data at the time of clocking in for technical reasons. However, the mere fact that time clocking is not possible in the application without processing the location data does not make it necessary to process them. | link link |
787 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-07-30 | 200 | Private Individual | Individuals and Private Associations | Art. 5 (1) a), b), (2) GDPR, Art. 6 (1) GDPR, Art. 14 (1), (4) GDPR | Insufficient legal basis for data processing | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 200 on a private individual due to the unlawful disclosure of personal data. The controller had disclosed personal data of several individuals by distributing some materials in households of the municipality and through posts on his personal Facebook account. This involved, on the one hand, a photo of a salary statement of the data subject, whereby, among other things, the surname, first name, place of work and salary could be extracted. The other was a photo of a file from the register of children enrolled in the kindergarten of the municipality, whereby personal data of a minor child were disclosed. The DPA found that the controller had processed the data without a legal basis and had not informed the data subjects about the processing of their data. | link |
788 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 60,000 | PRA Iberia S.L. | Finance, Insurance and Consulting | Art. 6 (1) GDPR, Art. 15 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined PRA Iberia S.L. EUR 60,000. A data subject had filed a complaint against the controller with the AEPD. The complaint was based on the fact that the controller asserted a claim arising from a contract that the data subject had never concluded and of which he had no knowledge. The AEPD points out that the data subject had attempted to exercise his right to information, but received no response from the controller, that instead continued to add interest to the data subject’s alleged debt. | link |
789 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-02 | 3,000 | Club Náutico el Estacio | Individuals and Private Associations | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Club Náutico el Estacio. A data subject filed a complaint against the controller with the AEPD. The complaint is based on the fact that the controller has published the announcement and the record of the club’s ordinary meeting on its website, disclosing personal data without access restrictions. | link |
790 | ITALY | Italian Data Protection Authority (Garante) | 2021-07-22 | 2,500,000 | Deliveroo Italy s.r.l. | Industry and Commerce | Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 30 (1) c), f), g) GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 37 (7) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined food delivery service Deliveroo Italy s.r.l. EUR 2,500,000 for unlawfully processing the personal data of approximately 8000 drivers. Garante’s investigation revealed numerous and serious data protection violations. The violations included a lack of transparency in the algorithms used to manage drivers, both when assigning jobs and when booking work shifts. Deliveroo had used a centralized system for driver management through which it then processed and managed the assignment of orders as well as the booking of work shifts. However, Garante notes that the controller did not adequately inform the drivers about the functioning of the system they had installed on their smartphones, and did not ensure the accuracy and correctness of the results of the algorithmic systems used to evaluate the drivers. In addition, Garante found that Deliveroo carried out a meticulous control of the drivers’ work performance – through the continuous geolocation of their device, which went far beyond what was necessary to assign the order (e.g., recording the position every 12 seconds) – and through the storage of a large amount of personal data collected during the execution of the orders, including communication with customer service. In this context, the storage period of the various data had not been defined in a manner appropriate to the purpose. Instead, the controller had defined a flat storage period of six years. Furthermore, the Garante found that the controller had not implemented adequate technical and organizational measures to ensure adequate security of the processing. Deliveroo Italy had also not conducted a data protection impact assessment, although this would have been necessary due to the risk posed to the drivers. | link |
791 | GERMANY | Data Protection Authority of Niedersachsen | 2020 | 65,000 | Company | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Lower Saxony has imposed a fine of EUR 65,000 on a company. The reason for the proceedings was a report by the company to the authority regarding a data breach pursuant to Art. 33 GDPR. As a result, the DPA conducted an audit of the company’s web presence. In the process, the DPA discovered that an outdated web store application was used on the site, which was no longer provided with security updates. The developer had explicitly warned against further use of this version, as it contained significant security vulnerabilities. The investigations of the DPA further revealed that the passwords stored in the database were not sufficiently secured. The DPA concluded that the technical measures taken by the responsible party were not adequate for the protection requirements of the GDPR, resulting in a violation of Art. 32 GDPR. | link link |
792 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2021-08-02 | 2,000,000 | Unser Ö-Bonus Club GmbH | Industry and Commerce | Art. 6 GDPR, Art. 7 GDPR, Art. 12 GDPR | Insufficient legal basis for data processing | The Austrian DPA has imposed a fine of EUR 2,000,000 on Rewe affiliate Ö-Bonus Club GmbH. When signing up for the customer loyalty program jö Bonus Club, the controller is said to have failed to properly explain that customers’ data and shopping behavior are used to create individual profiles, and that the information is also passed on to partner companies. According to the GDPR, the clarification must be easily accessible and in simple language. However, the controller had designed the registration for the jö Bonus Club in such a way that the clarification about profiling could only be found after scrolling down, while the consent was placed higher up, so in all cases the consents were obtained before the clarification. In turn, on the physical flyers, the signature box placed at the bottom of the form appeared as if it were a confirmation of enrollment in the club, even though it constituted consent to profiling as well. The DPA concluded that the controller breached its duty to present the request for consent in an understandable and easily accessible form in clear and simple language. Accordingly, it deemed the consents to be invalid and the profiling carried out on their basis to be unlawful. | link link |
793 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 2,000 | Body Tonic Shop S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Body Tonic Shop S.L. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the company Vasco Andaluza de Inversiones S.L., the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis. | link |
794 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 2,000 | Gerco Fit S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Gerco Fit S.L. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the company Vasco Andaluza de Inversiones S.L., the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis. | link |
795 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 2,000 | Vasco Andaluza de Inversiones S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Vasco Andaluza de Inversiones S.L. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the controller, the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis. | link |
796 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 1,000 | APARTAMENTOS PLAYA DE COVACHOS, S.L. | Accommodation and Hospitality | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on APARTAMENTOS PLAYA DE COVACHOS, S.L. The controller had installed a video surveillance system at its resort and informed about it on information posters, which, however, did not contain any information about the identity and contact details of the responsible person. | link |
797 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-05 | 3,000 | Private Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. Two neighbors had complained about the individual to the DPA due to the fact that he had installed two video surveillance cameras with motion detectors on a public street. Among other things, these recorded images of the neighbors reaching their properties via the street. The authority considered this to be a violation of the principle of data minimization. | link |
798 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 3,000 | UST GLOBAL ESPAÑA, S.A. | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on UST GLOBAL ESPAÑA, S.A. An employee filed a complaint against the controller with the DPA. UST GLOBAL ESPAÑA, S.A. was acting as a service provider for OpenBank as part of a project. On 08.01.2020, the controller informed OpenBank by email that two new employees (one of them the complainant) would join the project, for which it requested access to the VPN and other applications. This email, which was sent with a copy to both employees, included their first and last names, professional email addresses, and ID card numbers. In this way, each gained unauthorized access to the other’s data. The DPA considered this to be a violation of the principle of integrity and confidentiality. | link |
799 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 3,000 | INSTAPACK, S.L. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on INSTAPACK, S.L. A data subject had filed a complaint with the DPA. The reason for the complaint is that he had been receiving thousands of SMS messages on his cell phone every month informing him of the receipt of orders and deliveries and in this context asking him to rate the company. He also stated that he had sent a request for deletion of his data to the contact address indicated on the controller’s website, but without having received a reply. Even after he submitted the deletion request, the sending of the messages continued. | link |
800 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-27 | 4,000 | Private Individual | Individuals and Private Associations | Art. 5 (1) c), e) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined a private individual EUR 4,000 for unauthorized video surveillance. The controller had installed two cameras on a public road and another in a tree which covered parts of a private property. In addition, the DPA found that the controller stored the recordings for longer than necessary. The DPA considered this to be a violation of the principle of data minimization. | link |
801 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-30 | 600 | Private Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined a private individual EUR 600 for unauthorized video surveillance. The controller had installed a video surveillance camera which covered, among other things, neighboring houses and a public street. The DPA considered this to be a violation of the principle of data minimization. Due to voluntary payment the original fine in the amount of EUR 750 has been reduced to EUR 600. | link |
802 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-30 | 2,000 | Private Individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 2,000 on a private individual. The controller had published the phone number of the data subject alongside a picture of another person on a dating website in order to create a fake profile with the name ‘Katy’. This was only possible because no proof of identity was required to create a profile on the portal. | link |
803 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-07-30 | 4,000 | Gas inspector | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined a gas inspector. The controller had carried out butane gas checks in the private homes of the data subjects on the basis of a list containing their surnames, first names, addresses and telephone numbers. However, the data subjects had never consented to be included in the list. The original fine of EUR 5,000 was reduced to EUR 4,000 due to acknowledgement of guilt. | link |
804 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-09 | 1,000 | BAZTANDIS, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Use of surveillance cameras without proper contact information on the data controller, in violation of Art. 13 GDPR. | link |
805 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-09 | 5,000 | CLUB GIMNASIA RÍTMICA SAN ANTONIO | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on CLUB GIMNASIA RÍTMICA SAN ANTONIO. A person had filed a complaint against the controller with the AEPD based on the controller’s posting of pictures and videos of her two underage daughters on Instagram. The complainant had previously told the controller that she did not want pictures of her daughters to be posted on social media as she refused to give permission for her daughters to be photographed and recorded. | link |
806 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-05 | 6,000 | Future Vinline S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish Data Protection Agency (AEPD) has fined Future Vinline S.L. The privacy policy on the website operated by the controller did not comply with the provisions of the GDPR. The original fine of EUR 10,000 was reduced to EUR 6,000 due to a voluntary payment and an admission of guilt. | link |
807 | ITALY | Italian Data Protection Authority (Garante) | 2021-06-10 | 40,000 | Aeroporto Guglielmo Marconi di Bologna S.p.a. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian DPA (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software supplier EUR 20,000 for violations of the GDPR. In the course of the DPA’s investigation, it was found that the application for collecting and managing criminal reports was accessed without the use of a secure network protocol (e.g., the link protocol) and that the application itself did not provide for encryption of the reporting party’s identification data, the information about the report and the attached documents. The DPA considered this to be a violation of the obligation to take technical and organizational measures that ensure a level of security appropriate to the risk to the data subjects. In addition, the DPA found that the controller should have conducted an impact assessment, given the sensitivity of the information processed and the risks and vulnerability of the data subjects. | link |
808 | ITALY | Italian Data Protection Authority (Garante) | 2021-06-10 | 40,000 | aiComply S.r.l. | Industry and Commerce | Art. 28 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian Data Protection Authority (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software supplier aiComply S.r.l. EUR 20,000 for violations of the GDPR. In the course of the DPA’s investigation, it was found that the application for collecting and managing criminal reports was accessed without the use of a secure network protocol (e.g., the link protocol) and that the application itself did not provide for encryption of the reporting party’s identification data, the information about the report and the attached documents. The DPA considered this to be a violation of the obligation to take technical and organizational measures that ensure a level of security appropriate to the risk to the data subjects. In addition, the DPA found that aiComply failed to contractually regulate the relationships with two other companies that processed data on its behalf. | link |
809 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-08-12 | 9,600 | Waxing Palace AS | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 9,600 on the waxing salon operator Waxing Palace AS. The controller had installed camera surveillance in its reception area. The DPA found that the controller had no legal basis for the camera surveillance and had not provided sufficient information about it. The camera surveillance concerned both employees and customers. | link |
810 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-10 | 2,000 | DESPACHO TEJEDOR INFANTES CONSULTORES ASESORES | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on DESPACHO TEJEDOR INFANTES CONSULTORES ASESORES, S.L. The controller had forwarded two emails containing personal data (payroll and extension of working hours) of the data subject to an employee. | link |
811 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-03 | 96,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on Vodafone España, S.A.U. A data subject had filed a complaint with the DPA against the controller for failing to comply with her deletion request. The data subject states that she had received calls from the company ISGF on behalf of the controller claiming a debt received from a third party for an ADSL connection for the residence of the data subject. However, the data subject had never entered into a contract for an ADSL connection. Instead, the contract had been concluded by a third party who had fraudulently used the name and ID number of the data subject to conclude the contract in her name. The data subject then requested ISGF to cancel the contract and asked the controller to delete her personal data. However, the controller had not responded to her request. The DPA then imposed a fine of EUR 120,000 which consisted of EUR 70,000 due to a violation of Art. 6 (1) GDPR and EUR 50,000 due to a violation of Art. 17 (1) GDPR. The original fine was reduced to EUR 96,000 due to voluntary payment. | link |
812 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2021-04-20 | 2,800 | Website operator | Not assigned | Art. 5 (2) GDPR, Art. 24 GDPR | Non-compliance with general data processing principles | The Hungarian DPA (NAIH) has imposed a fine of EUR 2,800 on a website operator. The controller had failed to prove the lawfulness of its processing of personal data upon request by the DPA. The DPA considered this to be a breach of the controller’s duty of accountability. | link |
813 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2021-06-18 | 28,400 | Magyar Telekom Nyrt. | Media, Telecoms and Broadcasting | Art. 5 (1) d) GDPR, Art. 6 (1) GDPR, Art. 12 (2), (3), (4) GDPR, Art. 17 (1) GDPR, Art. 25 GDPR | Insufficient fulfilment of data subjects rights | The Hungarian DPA (NAIH) has imposed a fine of EUR 28,400 on Magyar Telekom Nyrt. The controller had mistakenly sent an e-mail newsletter to the data subject. This occurred due to the fact that a third party had mistakenly entered the wrong e-mail address, namely that of the data subject. The data subject then requested the controller to delete his data several times. He continued to receive the newsletter and instead of deleting the data, the controller sent him a link to unsubscribe from the newsletter. | link |
814 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-13 | 1,000 | Employer | Employment | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on an employer. The controller had installed a video surveillance system without properly informing employees. | link |
815 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-23 | 2,000 | Company owner | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on a company owner. A person had applied for a job at the controller’s company and sent the controller his CV via WhatsApp. Thereby, he was neither informed about the processing of his personal data nor about his data subject rights. The AEPD considered this to be a violation of Art. 13 of the GDPR. | link |
816 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-08-24 | 3,000 | Actamedica SRL | Health Care | Art. 28 (1) GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) has fined Actamedica SRL EUR 3,000. The controller had informed a private individual about the loss of her biological samples and a sum of money sent via a courier service. When asked what personal data had been disclosed on this occasion and whether the ANSPDCP had been informed of this incident, the controller only provided the contact details of his lawyer and an e-mail address of the courier service to which the private individual could address her complaint. The ANSPDCP found a breach of the controller’s obligation to implement technical and organizational measures to ensure a level of protection appropriate to the risk to data subjects, as well as a breach of the controller’s obligation to notify the ANSPDCP of the data breach. | link |
817 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-08-13 | 2,200 | President of the Zgierz District Court | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA (UODO) has imposed a fine of EUR 2,200 on the president of the Zgierz District Court. The president had reported a data breach involving the loss of an unencrypted USB stick by a probation officer. The data medium stored the data of 400 persons under probation supervision. The lost and at the same time unsecured data carrier has not yet been found, so that unauthorized persons could still have access to the personal data it contained. The president had assumed that the duty to secure the data did not lie with himself, but with the respective probation officers who had these data in use. However, the DPA found that the president himself should have secured the USB sticks. | link |
818 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-26 | 1,000 | Owners Association | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on an owners’ association. The controller had unlawfully installed a video surveillance system in a residential complex which recorded, among other things, common areas such as the swimming pool, as well as parts of the public space. In addition, video cameras were installed in the rooms where the guards of the residential complex dressed, without any notice being given. The DPA considered this to be a violation of the principle of data minimization. | link |
819 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-25 | 120,000 | Banco Bilbao Vizcaya Argentaria, S.A. | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A. The reason for this had been a complaint from a person relating to a lack of authentication. Accordingly, only the ID number had to be given as identification when providing information by telephone. This could allow any person to call, provide an ID number, and thus receive the information associated with the ID number without any verification that the caller is actually the ID holder. The DPA considered this to be a failure to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subjects. The original fine of EUR 200,000 was reduced to EUR 120,000 due to voluntary payment and acknowledgement of guilt. | link |
820 | IRELAND | Data Protection Authority of Ireland | 2021-09-02 | 225,000,000 | WhatsApp Ireland Ltd. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service’s compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp had committed serious violations of Art. 12 GDPR, Art. 13 GDPR and Art. 14 GDPR with respect to the information provided to users. Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other affected European supervisory authorities in December 2020. The DPC subsequently received objections from eight supervisory authorities. Due to lack of agreement, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR on June 3, 2021. The European Data Protection Board (EDPB), by its decision of July 28, 2021, then required the DPC to reassess and increase its proposed fine based on a number of factors. The EDPB found a violation of the principle of transparency set forth in Art. 5 (1) a) GDPR in addition to the violations found by the DPC, and requested this to be reflected in the final amount of the fine. Based on this, the DPC imposed the fine in the amount of EUR 225,000,000. The fine is composed as follows: EUR 90,000,000 for the violation of Art. 5 (1) a) GDPR; With respect to Art. 12 GDPR and Art. 13 GDPR, the DPC found that WhatsApp had failed to provide information about the nature of the data collection ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language.’ This includes making the information easy for children to understand when it is addressed to them. For example, WhatsApp had distributed information about the relationship between WhatsApp and other Facebook companies and the sharing of data under that relationship across a variety of texts. Much of the information provided was, moreover, of such a general nature that the DPC deemed it meaningless. Users often had to follow multiple links to FAQs to get to the information they were looking for on WhatsApp’s website. In this regard, the DPC stated that it would be unreasonable to expect users to search the WhatsApp website after failing to find sufficient information in the privacy statement itself. With regard to Art. 14 GDPR, one of the issues was the impact of a user’s consent allowing the messaging platform to have access to his or her contacts. On this basis, the company searched its users’ contact information on their phones for phone numbers and other data, not only of other WhatsApp users, but also of contacts who do not even have a WhatsApp account. The DPC found that this data had been processed unlawfully, as these contacts (especially those who do not have a WhatsApp account) had not received any information about this processing and therefore could not possibly have given their consent. Given the seriousness and the far-reaching nature and impact of the breaches, the DPA concluded that there had also been a violation of the transparency principle of Art. 5 (1) a) GDPR. | link link |
821 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-30 | 6,000 | Furnishyourspace S.L. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 (4) GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) imposed a fine of EUR 6,000 on FurnishYourSpace S.L.. The AEPD had received a complaint from the Berlin DPA via the EU Internal Market Information System about the inadequate design of the controller’s privacy notice. Namely, the identity and contact details of the controller were provided in the privacy notice, but under a misleading heading that gave the impression that they were provided for a business purpose. In addition, the purposes of the processing were not clearly stated. No information was provided regarding the legal basis, the retention period of the personal data and the data subjects’ right to object. Also, the privacy notice was confusing and the wording contained grammatical errors and used terms that are not part of common usage. In addition, the privacy notice required a tax identification number in order to issue a simplified invoice, i.e., an invoice not exceeding the amount of EUR 3,000. The AEPD found this to be a violation of the principle of legality. The fine is composed as follows: EUR 3,000 for a breach of Art. 12 GDPR and Art. 13 GDPR; | link |
822 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-08-23 | 1,800 | Agency | Not assigned | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine on an agency. The controller had disposed of documents containing personal data of its clients in the garbage. The AEPD considered this to be a lack of security and data protection measures in the sense of Art. 32 GDPR, which states that ‘the controller and processor shall implement appropriate technical and organizational measures to ensure an adequate level of security.’ The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and acknowledgement of responsibility. | link |
823 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-02 | 4,000 | Automecanica Jerez, S.L. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 21 LSSI | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has fined Automecanica Jerez, S.L. EUR 4,000. The controller had sent commercial e-mails to a large number of people without their consent. In doing so, the controller failed to hide the personal data of the recipients, such as surname, first name and email address, which allowed the other recipients to view the data. The AEPD considered this to be a violation of Art. 5 (1) f) GDPR and Art. 32 GDPR, as the controller had failed to implement technical and organizational measures to ensure an adequate level of security in the processing of personal data. Furthermore, the AEPD found a breach of Art. 21 LSSI. | link |
824 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-09-08 | 53,800 | Midtjylland Region | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 53,800 on Midtjylland Region. On June 12, 2020, the DPA received a notification from the region regarding a personal data security breach pursuant to Art. 33 GDPR. According to the notification, all patients and staff at a lifestyle center were able to access a building where up to 100,000 physical patient records were stored, including health information and personal identity number details. The reason for this was that both staff and patients had been given key cards that allowed them to access all three buildings of the lifestyle center, regardless of whether the user needed access to them. In addition, the region had not established sufficient guidelines for access restrictions when creating key cards, and had not conducted adequate periodic testing, assessment and evaluation of the security measures taken. In evaluating the question of whether a fine should be imposed, the Danish DPA took into account, as an aggravating factor, that the region processed large amounts of sensitive data, such as health data. | link |
825 | IRELAND | Data Protection Authority of Ireland | 2021-09-07 | 1,400 | Vodafone Ireland Limited | Media, Telecoms and Broadcasting | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Irish DPA has fined Vodafone Ireland Limited EUR 1,400. Vodafone had in several cases sent marketing SMS and emails and made telephone calls without the consent of the data subjects. Despite several revocations by the data subjects, they continued to receive unsolicited advertising. In one case, a former customer had contacted Vodafone seven times and asked not to receive any more advertising calls on his cell phone. Despite his request, he continued to receive advertising calls. In another case, a customer received an advertising call on his cell phone number and informed Vodafone during the conversation that he did not want to receive any more advertising calls. Despite his request, Vodafone made twelve more marketing calls to his cell phone. In another case, the data subject filled out a form clearly stating his wish not to receive marketing calls from Vodafone. However, the employee who processed the request failed to register the customer’s marketing preferences. As a result, the customer subsequently received fourteen more unsolicited commercial messages – seven emails and seven text messages. | link |
826 | ITALY | Italian Data Protection Authority (Garante) | 2021-07-22 | 200,000 | Regione Lombardia | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 200,000 on the Region of Lombardy. The region had published on its website the personal data of more than 100,000 students who had applied for state scholarships or financial grants for the purchase of textbooks, technical equipment and teaching materials. As the Garante’s preliminary audit revealed, it was possible to view and download the list of approved and funded applications, the list of approved and to-be-funded applications, the list of state scholarship recipients and the list of ineligible applications from the region’s website. These lists included personally identifiable information such as the application ID, the applicant’s name, the student’s grade, the code and name of the school, as well as the application number. In this context, the DPA stated that the data of persons applying for economic benefits must be protected in a special way to prevent the economic and social hardship of the data subjects from becoming evident. | link link |
827 | ITALY | Italian Data Protection Authority (Garante) | 2021-07-22 | 800,000 | Roma Capitale | Public Sector and Education | Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 800,000 on Roma Capitale. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city in 2018. In fact, the company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and introduce new payment methods that also take into account the vehicle’s license plate number. Part of the equipment was supplied by another company, Flowbird Italia s.r.l. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. Irregularities were then identified during the investigation. Namely, the city of Rome, as data controller, had not provided information on the processing of the drivers’ data, had not designated the company Atac as data processor, and had not provided it with the necessary instructions to process the data collected. Also, the subcontractor had neither been formally designated nor instructed on how to proceed with the data processing. It was also found that the companies had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by Atac were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person’s habits and parking location. In calculating the fine for the unlawful data processing, the DPA took into account as aggravating factors the large amount of personal data processed (from June 2018 to November 2019, the system established by Atac had already collected the data of 8,600,000 stops and potentially affected all users of the paid parking service in the city area) and the sanctions already received for data protection violations, but also the positive cooperation offered by the city and the companies to remedy some violations detected during the inspection. | link link |
828 | ITALY | Italian Data Protection Authority (Garante) | 2021-07-22 | 30,000 | Flowbird Italia s.r.l. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 30 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 30,000 on Flowbird Italia s.r.l.. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters that were installed in the city of Rome in 2018. In fact, the company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and introduce new payment methods that also take into account the vehicle’s license plate number. Part of the equipment was supplied by Flowbird Italia s.r.l. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. During the investigation the DPA found that Flowbird Italia had not established a data processing register. | link link |
829 | ITALY | Italian Data Protection Authority (Garante) | 2021-07-22 | 400,000 | Atac s.p.a. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 30 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 400,000 against Atac s.p.a.. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city of Rome. In fact, the company Atac s.p.a., which was contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and introduce new payment methods that also take into account the vehicle’s license plate number. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. Irregularities were then identified during the investigation. It was found that Atac had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by Atac were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person’s habits and parking location. | link link |
830 | CYPRUS | Cypriot Data Protection Commissioner | 2021-09-06 | 40,000 | APOEL FC | Individuals and Private Associations | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 40,000 on the soccer club APOEL FC. Due to a lack of security measures in the club’s ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the club’s website. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the club failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined AC Omonia and Hellenic Technical Enterprises Ltd. for the same violations. | link link |
831 | CYPRUS | Cypriot Data Protection Commissioner | 2021-09-06 | 40,000 | AC Omonia | Individuals and Private Associations | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 40,000 on the soccer club AC Omonia. Due to a lack of security measures in the club’s ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the club’s website. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the club failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined APOEL FC and Hellenic Technical Enterprises Ltd. for the same violations. | link link |
832 | CYPRUS | Cypriot Data Protection Commissioner | 2021-09-06 | 25,000 | Hellenic Technical Enterprises Ltd. | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 25,000 on Hellenic Technical Enterprises Ltd.. The controller had designed the ticket sales system of the soccer clubs AC Omonia and APOEL FC. Due to a lack of security measures in the ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the clubs’ websites. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the controller failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined APOEL FC and AC Omonia for the same violations. | link link |
833 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-13 | 1,000 | GESTIONES AUTO LOW COST S. L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on GESTIONES AUTO LOW COST S. L. due to the fact that the company’s website did not contain a privacy policy. | link |
834 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-13 | 1,000 | Hairdressing salon | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a hairdressing salon. The controller had installed video surveillance cameras and had not properly informed the data subjects about the processing of the data by the cameras. | link |
835 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-13 | 9,000 | Website operator | Not assigned | Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 9,000 on the controller of a website. A person had filed a complaint with the DPA due to the fact that the controller had published his first and last name as well as a screenshot of his Linkedin profile on his website. The controller had neither obtained the data subject’s consent for this, nor had he informed him about the processing of his personal data. The DPA considered this to be a violation of Art. 6 GDPR and Art. 13 GDPR. | link |
836 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-09-16 | 10,000 | Favrskov municipality | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 10,000 on Favrskov municipality. On August 19, 2020, the DPA received a notification from Favrskov Municipality of a personal data breach under Art. 33 GDPR. The notification stated that during a break-in at the municipality’s premises, a laptop was stolen which contained a program that provided an overview of the municipality’s care facilities and thus information on the names and personal identity numbers of approximately 100 individuals with physical or mental disabilities. The hard drive of the computer in question was not encrypted, and the program in question, which contained confidential and sensitive personal data, was not equipped with security measures. In reviewing the case, the DPA found that Favrskov Municipality had not ensured the encryption of the hard drives of the municipality’s laptops for a long period of time prior to August 12, 2020, resulting in an inadequate level of security. The DPA considered this to be a violation of Art. 32 GDPR, as the municipality had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk. | link |
837 | FRANCE | French Data Protection Authority (CNIL) | 2021-09-15 | 3,000 | Société nouvelle de l’annuaire français | Individuals and Private Associations | Art. 16 GDPR, Art. 17 GDPR, Art. 30 GDPR, Art. 31 GDPR | Insufficient fulfilment of data subjects rights | The French DPA (CNIL) has fined Société nouvelle de l’annuaire français (SNAF) EUR 3,000. SNAF operates the website annuairefrancais.fr, which lists French companies based on data published by the French Statistical Office. Between 2018 and 2019, the CNIL received sixteen complaints indicating problems in requesting the erasure and rectification of personal data. In response, the CNIL requested SNAF to comply with the requests within two months, which SNAF failed to do. As a result, the CNIL imposed the fine on SNAF, mainly for non-compliance with the data subjects’ rights of rectification and erasure and for lack of cooperation with the CNIL. | link link |
838 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-16 | 4,000 | Frigorifica Botana S.L. | Employment | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Frigorifica Botana S.L.. The main activity of Frigorífica Botana is freezing, storing and processing seafood. Based on a complaint against the controller, the AEPD had initiated investigations against it. The controller had installed a video surveillance system (audio and video) that captured, among other things, parts of a conference room. In this context, the DPA found that the controller had violated the principle of data minimization by processing data without a valid reason and without informing the data subjects about the video surveillance in advance. | link |
839 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-09-17 | 67,200 | Syddanmark Region | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA imposed a fine of EUR 67,200 on Syddanmark Region. On March 9, 2020, the DPA received a notification from Syddanmark Region regarding a personal data breach according to Art. 33 GDPR. Syddanmark Region stated that since May 2011, a PowerPoint presentation had been available on its website that had been created at Odense University Hospital for training purposes and contained charts with personal data – including health information and ID card number details – of 3,915 patients. The region used a screening tool to periodically check for inadvertent postings of personal identity numbers on its website. However, the screening tool was unable to scan the underlying data in PowerPoint presentations. In this context, the DPA found that the region had not implemented appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. In assessing whether a fine should be imposed, the DPA took into account as an aggravating factor that Syddanmark Region processes large amounts of personal data, including health data, which is of a sensitive nature. | link |
840 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-08-26 | 20,000 | Dixons South East Europe ΑΕΒΕ-ΚΩΤΣΟΒΟΛΟΣ | Industry and Commerce | Art. 12 (1), (2), (3) GDPR, Art. 15 (1) GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 20,000 on Dixons South East Europe ΑΕΒΕ-ΚΩΤΣΟΒΟΛΟΣ. A data subject had filed a complaint against the controller after it failed to comply with his right to information. After returning a product, the data subject had asked the controller via Facebook Messenger to inform him about the request to cancel his credit card statements sent electronically to the bank. However, the controller refused to comply, whereupon the data subject asserted the same right with the bank, which, however, did not provide him with a response. | link |
841 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-08-26 | 20,000 | National Bank of Greece | Finance, Insurance and Consulting | Art. 12 (1), (2), (3) GDPR, Art. 15 (1) GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 20,000 on the National Bank of Greece. A data subject had filed a complaint against a company and the bank after they failed to comply with his right to information. After returning a product he had purchased from a company, the data subject had asked the company via Facebook Messenger to inform him about the request to cancel his credit card statements sent electronically to the bank. However, the controller refused to comply, whereupon the data subject asserted the same right with the bank, which, however, did not provide him with a response. | link |
842 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-09-03 | 8,000 | Rhodes Municipal Transport Company | Employment | Art. 5 (1) c) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 8,000 on the Rhodes Municipal Transport Company. A former employee had filed a complaint against the controller with the DPA. The former employee was in a legal dispute with the controller after the latter had reported him for alleged embezzlement. Against this background, he had asked the controller to send him, for his defense in the criminal proceedings, a copy of the video recordings made by the bus’s video surveillance system on the day on which the incident in question allegedly occurred. However, the controller had never responded to his request. The DPA considered this to be a violation of the data subject’s right to information pursuant to Art. 12 (3) GDPR and Art. 15 GDPR. Furthermore, the controller had provided the data subject with a certificate about his previous employment, which, in addition to the type and duration of employment, also contained the information that he had been dismissed due to a criminal offense. The DPA considered this to be a violation of the principle of proportionality pursuant to Art. 5 (1) c) GDPR. The fine is composed of EUR 3,000 for the violation of Art. 5 (1) c) GDPR and EUR 5,000 for the violation of Art. 12 (3) GDPR and Art. 15 GDPR. | link |
843 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-08-26 | 5,000 | NOW DOCTOR – Εταιρία Παροχής Ηλεκτρονικών Υπηρεσιών Αναζήτησης και Προβολής Ιατρών Ε.Π.Ε. | Health Care | Art. 5 (1) a), e) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 (2), (3) GDPR, Art. 17 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has imposed a fine of EUR 5,000 on the operator of the medical platform nowdoctor.gr, which enables online booking of medical appointments. A doctor had filed a complaint with the DPA. According to the complaint, she had repeatedly stated that she no longer wished to work with the controller and had requested the deletion of her data on the platform. The controller did not comply with her request. The deletion did not take place until 18 months later, after the DPA requested the controller to do so. The DPA considered this to be a breach of the controller’s accountability obligations and found that the controller had stored the data subject’s data longer than necessary for the intended purpose. The purpose, namely the provision of online display services, ceased to exist when the data subject declared that she no longer wished to work with the controller. In addition, the DPA found that the controller had failed to take measures with regard to the requirement of Art. 12 GDPR to facilitate the exercise of data subjects’ rights. The controller had publicly provided an e-mail address on its website as a means of communication. However, the controller did not have sufficient staff available to actually process the correspondence. | link |
844 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-20 | 18,000 | CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L. | Health Care | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L.. The data subject filed a complaint with the AEPD. He had requested an MRI scan of his knee due to an accident at work. In addition, he had contacted his insurance company in order to obtain sick leave. The insurance company then contacted the controller, who transmitted the data subject’s medical records. In doing so, the controller also provided the insurer with the report of a previous MRI scan of the knee that the data subject had undergone due to an event outside of work. In its evaluation, the insurer thus also referred to the MRI report from that non-work-related event and attributed the data subject’s incapacity to work to this event. In consequence, no sick leave was granted to the data subject. The DPA considered the disclosure of the earlier MRI report to the insurance company to be a violation of the principle of integrity and confidentiality. The original fine of EUR 30,000 was reduced to EUR 18,000 due to the voluntary payment and admission of guilt. | link |
845 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-14 | 40,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that two telephone lines were registered in his name, for each of which charges were made. However, the data subject had never concluded contracts with the company for either of these lines. Rather, the contracts in question were concluded by fraudsters using the data subject’s personal data. Nevertheless, the personal data was entered into the company’s information systems without any verification as to whether the contracts had been lawfully and actually concluded by the data subject. The contracts were concluded even though they were not signed and the information provided by the fraudster, such as the address or date of birth, did not match those on the data subject’s ID card. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
846 | GERMANY | Data Protection Authority of Hamburg | 2021-09-24 | 900,000 | Vattenfall Europe Sales GmbH | Transportation and Energy | Art. 12 GDPR, Art. 13 GDPR | Insufficient data processing agreement | The DPA from Hamburg has imposed a fine of EUR 900,000 on Vattenfall Europe Sales GmbH. The fine is related to data matching, which the controller had carried out in the period from August 2018 to December 2019 in the course of contract inquiries for special contracts. The special contracts served to attract new customers and were accompanied by bonus payments for the customers. The controller compared personal data of prospective customers who had submitted an inquiry for a special contract with contracts concluded by existing customers. If this revealed that an applicant had already signed a contract with the controller, then switched to another supplier and now wanted to sign a contract again, the controller could reject the application for the special contract if necessary. This was intended to prevent ‘bonus shopping’, which is not lucrative for the companies. However, the controller had not properly informed the customers that such comparisons would be made. The DPA considered this to be a violation of the company’s transparency and information obligations. Around 500,000 people were affected. | link |
847 | ISLE OF MAN | Information Commissioner of Isle of Man | 2020-12-11 | 3,250 | Cosmetic Medical Limited | Industry and Commerce | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The DPA of Isle of Man has imposed a fine of EUR 3,250 on Cosmetic Medical Limited. A data subject had filed a complaint with the DPA regarding the controller’s failure to comply with her request to exercise her right of access to personal data. As part of its investigation, the DPA sent the controller a request for information in order to clarify the facts of the case. However, the controller had not responded to this request in due time. The DPA concluded that as the controller did not properly cooperate with the authorities, it violated Article 31 of the GDPR. | link |
848 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-24 | 3,000 | Unknown | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a company. The company had requested various personal data from customers for appointment bookings. The DPA found that the controller failed to properly inform the data subjects about the processing of the data in accordance with Art. 13 GDPR. | link |
849 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-14 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that several telephone lines were registered in his name. However, the data subject had never signed contracts with the company for any of these lines. Rather, the contracts in question were concluded by fraudsters using the data subject’s personal data. Nevertheless, the personal data was entered into the company’s information systems without any verification as to whether the contracts had been lawfully and actually concluded by the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to the voluntary payment. | link |
850 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-14 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. The data subject stated that unauthorized third parties had gained access to her Vodafone account and had booked the Vodafone Unlimited package in her name, as well as purchased an iPhone 11 Pro Max in installments. The DPA noted that the controller had not adequately verified whether the contracts had been lawfully and actually concluded by the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to the voluntary payment. | link |
851 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-09-27 | 496,000 | Ferde AS | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 28 (3) GDPR, Art. 32 (2) GDPR, Art. 44 GDPR | Non-compliance with general data processing principles | The Norwegian DPA has fined Ferde AS, a Norwegian toll company, EUR 496,000. Through a report on the state-owned broadcasting company NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages in toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde had implemented routines and measures to ensure adequate information security for the information transferred to China. As part of its operations, Ferde is responsible for registering passages at toll booths. The registration is usually done by a chip in the car. If the chip in the car is not properly registered or the car does not have a chip, a photo of the car’s license plate is taken. These images are then sent to an automatic optical character recognition system to digitally read the license plate. In cases where the image quality is not good enough for automatic interpretation, the image is transmitted for manual processing. Ferde contracted Unitel Bratseth Services (UBS), which also has employees in China, for this task. After its investigations, the DPA concluded that Ferde AS had violated a number of basic obligations of the GDPR for a period of 1-2 years. For one thing, Ferde had not conducted a risk assessment before processing personal data and before using manual image processing by the processor. However, this would have been necessary to assess the risks associated with the transfer and to determine whether further security measures may be required. In addition, the DPA found that Ferde had not entered into a proper processor contract regarding the processing by UBS. As a result, the transfer of the personal data in question to China took place without a valid legal basis. | link |
852 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-14 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. The data subject stated that unauthorized third parties gained access to his Vodafone account and signed three mobile phone contracts in his name. The DPA found that Vodafone had failed to verify whether the contracts were lawful and actually concluded by the data subject. The contracts were concluded even though they were not signed and the information provided by the fraudster, such as address or date of birth, did not match those of the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to the voluntary payment. | link |
853 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-14 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that he received a call from Vodafone in which the latter requested him to pay for three telephone lines. In the call, he explained to Vodafone that the said lines had neither been ordered nor authorized by him, so he asked Vodafone to send him the invoices. On the invoices, the data subject recognized that the telephone and account numbers did not match his own. During its investigation, the DPA found that an unauthorized third party had concluded the contracts for the lines in the name of the data subject. In addition, the DPA found that Vodafone had failed to verify the identity of the person who concluded the contract and to take the necessary precautions to ensure that such incidents do not occur. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
854 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-28 | 3,000 | Bar owner | Accomodation and Hospitalty | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined a bar owner EUR 3,000. A data subject had filed a complaint with the DPA. He had suffered an accident in the bar which was recorded by the surveillance cameras. The controller states that he had installed the surveillance cameras for security purposes. At a later date, the video was distributed via WhatsApp and published in a digital newspaper. The data subject claims to be personally affected in his reputation by the publication of the video. The DPA concludes that the publication of the images was not related to the purpose of the video surveillance and that the controller therefore violated Art. 5 (1) b) GDPR. | link |
855 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-29 | 5,000 | CYNGASA, S.L. | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on CYNGASA, S.L.. The data subject, when requesting a work report, discovered that the controller had disclosed his personal data to a third party company without his consent. The data involved included among others first and last name as well as his social security number. | link |
856 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-29 | 10,000 | ACONCAGUA JUEGOS S.A. | Industry and Commerce | Art. 37 GDPR | Insufficient involvement of data protection officer | The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on ACONCAGUA JUEGOS S.A.. The controller had failed to appoint a data protection officer and thus violated Art. 37 GDPR. | link |
857 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-09-29 | 107,000 | Danish Cancer Society | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has fined the Danish Cancer Society EUR 107,000 for failing to comply with the requirements of the GDPR regarding appropriate security measures. The Danish Cancer Society had reported four data breaches according to Art. 33 GDPR to the DPA. Two of these involved computer thefts, two phishing attacks – and all four were due to the Danish Cancer Society’s failure to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects. A similar personal data breach had already occurred in August 2018, when the Society fell victim to phishing and spoofing attacks. In this context, the Danish Cancer Society stated that it would increase protection through multifactor authentication; however, this was not implemented. The data of at least 1,448 individuals was compromised, and in several cases it involved sensitive personal health data, including medical history. | link |
858 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-09-20 | 40,200 | Høylandet Municipality | Public Sector and Education | Art. 32 (1) b), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA has imposed a fine of EUR 40,200 on the municipality of Høylandet. The latter had reported a data breach to the DPA in accordance with Art. 33 GDPR. An employee gained access to several image files (bitmap) when she had to create new letter templates and insert an image logo from the file. The image files that the employee had access to contained sensitive information about individuals who had no connection with the municipality of Høylandet. The information included health data among others. The DPA found that the municipality had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. Instead, the municipality stated that it had simply asked employees using the relevant computer program to avoid opening bitmap files that were not created by the municipality. The error has meanwhile been corrected and the municipality has introduced a new internal control system. | link |
859 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-09-20 | 75,600 | ST. OLAVS HOSPITAL HF | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA has fined St. Olav’s Hospital in the amount of EUR 75,600. The hospital had reported three data breaches in accordance with Art. 33 GDPR. The first incident had occurred between January 13, 2011, and January 27, 2020, at the hospital’s cardiology department following an upgrade for a new treatment-oriented health registry for the cardiology laboratory. In connection with the upgrade, a test server was used on which treatment reports were temporarily cached and then copied to the new system. However, the reports on the test server were not deleted. Moreover, another error occurred, which allowed all authenticated employees to access the reports. About 21,000 reports were affected. The second breach occurred in the period from May 17, 2015 to January 28, 2020, when reports from medical devices (pulse oximeters for long-term measurement of oxygen saturation and pulse) were stored in a file area accessible to any employee with an authenticated and active account. The third breach occurred in the period from January 01, 2018 to December 09, 2019. Passwords for various databases were stored in plain text in a file on the hospital’s server. Employees with an active hospital system account were able to first connect to the server via Remote Desktop and then search for a file containing a database password. The DPA found that the hospital had failed to establish effective access controls. | link |
860 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-09-04 | 1,500 | AMPUDIA DIAZ, S.L. | Accomodation and Hospitalty | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on AMPUDIA DIAZ, S.L.. The controller had installed a video surveillance system in its premises, which recorded a public sidewalk among other things. This made it possible to record passers-by. The controller had not installed any signs informing about the video surveillance. The DPA found that the controller had violated the principle of data minimization and its duty to inform. The fine consists of EUR 1,000 for a violation of Art. 5 (1) (c) GDPR and EUR 500 for a violation of Art. 13 GDPR. | link |
861 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-04 | 2,000 | Store owner | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on the owner of a store. The controller had installed a video surveillance system that covered, among other things, a public street. Thereby, the DPA found that the controller had violated the principle of data minimization. | link |
862 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-04 | 1,000 | Store owner | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on the owner of a store. The controller had installed a video surveillance system, however, without having placed signs informing about the use of video surveillance. | link |
863 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-09-21 | 12,500 | Ultra-Technology AS | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Norwegian Data Protection Authority has imposed a fine of EUR 12,500 on Ultra-Technology AS. Background of the fine is a complaint from a data subject who was credit-checked without any customer relationship or other affiliation to Ultra-Technology AS. | link |
864 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-04 | 5,000 | CALDERERIA Y SOLDADURA DE ESTRUCTURAS METALICAS, S.L. | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined CALDERERIA Y SOLDADURA DE ESTRUCTURAS METALICAS, S.L. EUR 5,000 for unlawfully processing an individual’s data. Previously, CYNGASA, S.L. had disclosed the data to the controller without the consent of the data subject. The data concerned included, among others, his first and last name and social security number. CYNGASA, S.L. received a fine in a separate proceeding as well. | link |
865 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-05 | 4,000 | CLUB DEPORTIVO SANSUEÑA, S.L. | Industry and Commerce | Art. 5 (1) e) GDPR, Art. 6 GDPR, Art. 32 (1) b), d) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined CLUB DEPORTIVO SANSUEÑA, S.L. EUR 4,000 for adding the cell phone number of a data subject to a WhatsApp group without the data subject’s consent. | link |
866 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-08-05 | 135,000 | Insurance company | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1) a), b) GDPR, Art. 33 (1), (5) GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Luxembourg has imposed a fine of EUR 135,000 on an insurance company. On October 19, 2018, an employee of the controller had sent an e-mail to an uninvolved third party instead of the data subject. This occurred due to an error by the employee, who had incorrectly entered the e-mail address of the data subject. In addition to the name and gender of the data subject, the e-mail also contained detailed information about the data subject’s illnesses. In addition, the attachment contained three forms relating to illnesses that the data subject had reported in connection with the conclusion of a life insurance policy. On November 29, the same incident occurred. The second misdirected e-mail contained, in addition to the data subject’s name, very specific questions about a particular pathology, the last name of the life insurance doctor, the address of said doctor, and two blank forms related to said pathology to be filled out by the data subject or his doctor. The DPA noted that it had not been informed of the data breach in a timely manner in accordance with Art. 33 GDPR. The company had also not complied with its documentation obligation under Art. 33 (5) GDPR. | link |
867 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-08 | 30,000 | ORANGE ESPAGNE, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on ORANGE ESPAGNE, S.A.U.. A data subject had filed a complaint with the DPA as she had received a total of 30 calls from Jazztel employees (subsidiary of Orange Espagne, S.A.U.) and text messages between 03/01/2021 and 03/03/2021 without ever having been a customer of the company. She then requested that her phone number be deleted from the company database. Although the controller confirmed the deletion of the data, she continued to receive calls and text messages from the controller. The original fine of EUR 50,000 was reduced to EUR 30,000 due to the admission of guilt and the voluntary payment. | link |
868 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-11 | 10,000 | MAF.COM ESQUI CLUB | Industry and Commerce | Art. 7 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on MAF.COM ESQUI CLUB. The mother of an underage girl who had attended ski lessons with the controller filed a complaint with the DPA against the latter. The controller had published videos of the mother’s daughter on its website and social media channels without her consent. The images were only disseminated with the consent of the father, who enrolled the girl in the ski course. The girl’s parents were divorced at the time of the incident. The DPA found that the controller had failed to obtain consent from both parents and thus processed the images without a valid legal basis. | link |
869 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-16 | 5,000 | La Prima S.r.l. | Real Estate | Art. 5 GDPR, Art. 6 GDPR, Art. 24 GDPR, Art. 25 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the real estate portal La Prima S.r.l.. A data subject had filed a complaint against the controller with the DPA. She complained about receiving a contact request on Linkedin by an employee of La Prima, which aimed to offer real estate services related to a specific property owned by the data subject. The controller had obtained the information regarding the data subject’s ownership of the property from an openly accessible public register. At no time had the data subject consented to such a contact request. The controller had argued during the DPA’s investigation that consent for others to contact her could be inferred from the fact that she had a public profile. However, the DPA noted that the exchange of information via a social network should only allow for what is specified in the relevant terms of use. The DPA clarified that the platform is intended to enable the exchange of contact information in order to make job offers. In contrast, it is not intended that users use the platform to send messages to other users in order to sell services. Moreover, it is irrelevant whether a user profile is public or not. Consequently, the DPA concluded that the controller had processed the data unlawfully. | link |
870 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-13 | 40,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A woman filed a complaint against the controller based on the fact that the controller had sent telephone bills belonging to a third party to her e-mail address. After bringing this to the attention of the controller, she received no response. Thereupon, she contacted the controller by telephone in this regard. However, none of the employees were able to help her with this concern. The DPA concluded that the controller had violated the principle of integrity and confidentiality set out in Art. 5 (1) f) GDPR, and that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
871 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2021-09-28 | 9,500,000 | Austrian Post | Transportation and Energy | Art. 12 (2) GDPR | Insufficient fulfilment of data subjects rights | The Austrian DPA imposed a fine of EUR 9.5 million on the Austrian Post on September 28, 2021. The main accusation is that, in addition to the contact options used by Austrian Post via mail, web contact form and customer service, data protection-related inquiries should also be allowed via e-mail. According to the newspaper ‘Der Standard’, the Austrian Post had only introduced a contact form for data protection inquiries, in order to automate the process of inquiries and to obtain all information necessary for processing the inquiries. | link link |
872 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2021 | 4,000,000 | Bank | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Original fine summary: The Austrian DPA has imposed a fine of EUR 4,000,000 on a credit institution. The controller had stored an Excel file containing personal data, such as customers’ account information, on an internal drive for the purpose of internal administration of bank customers. The file could be accessed and viewed by all branch employees as needed. The Excel file was neither encrypted nor protected by other adequate measures against unauthorized access or unintentional disclosure to third parties. An employee inadvertently sent the Excel list to 234 customers, disclosing the personal data of approximately 5,971 customers. The DPA therefore found that the controller had failed to implement adequate technical and organizational measures to protect personal data. Update: The fine was reduced from EUR 4,000,000 to EUR 50,000 following a court ruling in 2024. | link |
873 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2021 | 1,200,000 | Customer loyalty program | Industry and Commerce | Unknown | Unknown | According to the newspaper ‘Der Standard’, the Austrian DPA has imposed a fine of EUR 1.2 million on a customer loyalty program in 2021. Further information has not yet been disclosed. | link |
874 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-16 | 5,000 | Ciechi Ardizzone Gioeni di Catania | Individuals and Private Associations | Art. 5 (1) a), c) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the Ciechi Ardizzone Gioeni di Catania residential home for blind people. A visitor to the residence filed a complaint with the DPA. He based this on an installed video surveillance system in the accommodation. The video surveillance system recorded, among other things, the corridor connecting the accommodation with the communal showers. Moreover, the footage was not only recorded but also displayed in real time on the monitors of the concierge staff, creating the risk that the images could also be inadvertently seen by visitors or suppliers. During the course of the investigation, the institution’s administration justified the installation of the video surveillance system by citing the need to prevent theft and ensure the health of residents by preventing unauthorized access during the pandemic period. The DPA found that the institute thereby violated the principles of lawfulness, transparency and data minimization. The fact that, as claimed by the institute, the passage of the guests to the shower rooms was filmed only occasionally and for a short duration, and that the quality of the recordings was not ‘perfectly clear,’ does not resolve the unlawfulness of the recordings. Also, the DPA noted that some procedural precautions – such as scheduling time windows to turn off the cameras to allow guests to visit the shower rooms without being filmed, or temporarily ensuring the security of the locations through alternative measures, such as the use of security personnel – may allow the institute to pursue the purpose of the video surveillance in an equally effective manner and avoid unjustifiably restricting the freedoms of the data subjects. Furthermore, the DPA found that the institute had not properly fulfilled its duty to inform. The institute had only provided the data subjects with detailed information about the video surveillance system on the bulletin board after the investigation had begun. However, this type of information is not suitable for visually impaired people. The institute should have provided the residents with a pre-recorded audio message that could be played back if necessary. | link |
875 | IRELAND | Data Protection Authority of Ireland | 2021-10-06 | Only intention to issue fine | Facebook Ireland Limited | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 12 (1) GDPR, Art. 13 (1) c) GDPR | Insufficient fulfilment of information obligations | The organization ‘None of your business’ (NOYB) published a draft decision of the Irish DPA (DPC) on October 13, 2021, which indicates that it proposes a fine between EUR 28 million and EUR 36 million against Facebook. The draft primarily addresses the fact that Facebook has included details on data processing in its terms of service, thus relying on Art. 6 (1) b) GDPR rather than on consent pursuant to Art. 6 (1) a) GDPR. However, the DPC emphasizes that the GDPR does not establish a hierarchy of legal bases that can be used to process personal data. Yet, the DPC noted that Facebook failed to provide clear information about its legal basis for data processing and highlights that the information provided by Facebook is discontinuous and that users are referred to different documents and texts of the data policy and terms of service. The DPC concludes in its draft that Facebook has thus violated Art. 5 (1) a) GDPR, Art. 12 (1) GDPR and Art. 13 (1) c) GDPR. The draft decision will now be forwarded to other European data protection authorities allowing them to comment on it. | link |
876 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-16 | 200,000 | Bocconi University | Public Sector and Education | Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 35 GDPR, Art. 44 GDPR, Art. 46 GDPR, Art. 2-sexies Codice della Privacy | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible to take the exams live and in person as usual. The software was able to monitor the behavior of the students through video recordings and snapshots taken at random intervals. In addition, the exam was audio-visually recorded and a photograph was taken of each examinee at the beginning of the exam. At the end of the exam, the system processed the video, inserted warning signals regarding possible indications of incorrect behavior, and, among other things, assigned a so-called ‘review priority’ so that the examiner could subsequently assess whether an unauthorized act had been committed during the exam. In its investigation the DPA found that students were not properly informed of the processing of their personal data involved in the use of Respondus. For instance, they were not informed that they would be audiovisually recorded and that the images would subsequently be processed. In addition, students were not provided with information regarding specific retention periods for personal data. Nor had they received sufficient information about the fact that their personal data would be transferred to the United States; instead, they were only informed in general terms that personal data would be processed both within and outside the territory of the European Union. Furthermore, the DPA found that the little information the students had received was presented in a fragmented and disorganized manner in various documents. The DPA considered this to be a violation of the principles of lawfulness, fairness and transparency. The DPA also found that the university had processed the personal data without a valid legal basis: consent to the processing of personal data was a prerequisite to participate in the exams in the first place. As an alternative to online exams, the option of an in-person exam was proposed. However, in the light of the pandemic, this also meant an increased health risk. Students were also concerned that refusing to take the online exams would negatively impact their grades. Consequently, the DPA concluded that the students’ consent could not be considered voluntary. Further, the DPA found that the university retained the data for 12 months, although this would not have been necessary for the purpose of ensuring that the exams were properly carried out. Finally, the DPA found violations related to the transfer of data to Respondus. The processing agreement between the University and Respondus was based on the data protection agreement between the EU and the USA, known as the Privacy Shield, although it had been declared invalid by the Schrems II ruling of the Court of Justice of the European Union (CJEU). For this reason, the DPA found that the university transferred personal data to a third country, even though this transfer was not in compliance with the conditions set forth in Chapter V of the GDPR. | link |
877 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-16 | 3,296,326 | Sky Italia S.r.l. | Media, Telecoms and Broadcasting | Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR, Art. 12 (2) GDPR, Art. 14 GDPR, Art. 21 GDPR, Art. 28 GDPR, Art. 29 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has fined Sky Italia S.r.l. EUR 3,296,326 for illegal telemarketing. The DPA’s decision followed a complex investigation launched after dozens of reports and complaints from people who claimed that they received unsolicited promotional calls and promotional SMS both from Sky Italia directly and through call centers of other companies. In this regard, the DPA found that the promotional calls were made without adequately informing the users (such as about the origin of the personal data transmitted to Sky Italia). Otherwise, data subjects would have had the opportunity to contact the company that collected the data and object to the processing. Only after obtaining consent would Sky have been allowed to proceed with the commercial offers. Sky used lists of data it had acquired from other companies for these promotional purposes. Contrary to Sky Italia’s view, the consent to the disclosure of data to third parties given by the data subjects to the companies from which Sky Italia had acquired the lists did not authorize Sky Italia to use the data for its own promotional purposes. In addition, Sky failed to verify the list of individuals who had objected to being contacted for advertising purposes before making the advertising calls. As a result, several data subjects had received advertising calls despite their explicit objection. Further, the DPA found that Sky had failed to properly appoint the suppliers of the lists as data processors. In determining the amount of the fine, the DPA took into aggravating consideration that the violations involved ‘systemic’ conduct that was rooted in the company’s operations as well as the fact that Sky should have acquired sufficient experience and competence to make fundamental decisions in compliance with data protection regulations due to its ongoing contacts with the authority and its long-standing presence in the market. | link link |
878 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-10-18 | 412,000 | Østre Toten municipality | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA has fined Østre Toten municipality EUR 412,000. The municipality suffered a cyberattack in January 2021, as a result of which the municipality’s data was encrypted and its backups were deleted. A large amount of data was later published on the dark web. Approximately 30,000 documents were affected by the attack. The documents contained, among other things, information on ethnic origin, political opinion, religious beliefs, union memberships, sexual orientation, health status, as well as banking data of the municipality’s residents and employees. The DPA’s investigation revealed that the municipality had fundamental deficiencies in the security of personal data and related internal controls. Among other things, the municipality had not used two-factor authentication when logging into systems, and lacked appropriate backup systems. | link |
879 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-19 | 70,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 21 GDPR, Art. 21 LSSI | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine of EUR 70,000 on VODAFONE ESPAÑA, S.A.U.. A data subject had filed a complaint with the DPA for having received promotional emails from Vodafone without having expressly consented to this and without having had a prior contractual relationship. The data subject then objected to receiving future e-mails. Vodafone confirmed the objection. Nonetheless, the data subject received four advertising e-mails a few months later. The fine consists of EUR 50,000 for a violation of Art. 21 GDPR and EUR 20,000 for a violation of Art. 21 LSSI. | link |
880 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-10-21 | 5,000 | Glove Technology SRL | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 5,000 on Glove Technology SRL. The controller had installed a video surveillance system that audiovisually monitored employees at their workplace and recorded conversations between them to be used against them. The DPA found that the controller had violated Art. 5 (1) a) GDPR and Art. 6 (1) GDPR. | link |
881 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-19 | 40,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined Vodafone España, S.A.U. EUR 40,000. An individual had filed a complaint with the DPA against Vodafone for debiting his bank account in May 2020 for a Vodafone telephone line that was registered not to him but to his ex-partner. As it turned out, the complainant’s ex-partner had concluded a contract with Vodafone in his name. She stated that she was authorized to do so, but did not provide any proof of this. The DPA found that Vodafone had unlawfully processed the complainant’s data. Indeed, compliance with the principle of lawfulness in the processing of third party data requires that the controller is able to prove lawfulness. | link |
882 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-19 | 2,000 | BEEPING FULFILMENT S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined BEEPING FULFILMENT S.L. in the amount of EUR 2,000. The controller had not provided the required information about the purposes and characteristics of the data processing in the privacy policy of a website it operates. The data protection authority considered this to be a violation of Art. 13 GDPR. | link |
883 | UNITED KINGDOM | Information Commissioner (ICO) | 2021-10-18 | 11,800 | HIV Scotland | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The British DPA (ICO) has imposed a fine of EUR 11,800 on the non-profit organization HIV Scotland. The controller had sent an e-mail to 105 people, with the e-mail addresses on the mailing list visible to all recipients. In the case of 65 of the e-mail addresses, persons could be identified by name. It was possible to draw conclusions about the individuals’ HIV status or risk based on the personal data provided. The DPA found that the organization had failed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. For example, the organization had conducted inadequate employee training and used improper methods for sending bulk e-mails via blind copy (bcc). | link link |
884 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-21 | 3,000,000 | CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000,000 on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.. An individual had filed a complaint against the controller. The reason was that Caixabank had requested information about him from a company although he had not been a customer of Caixabank since 2014, and that he had been included in an advertising campaign offering him a pre-granted credit. Caixabank had used individuals’ data to assess their creditworthiness without their consent. This was used to create financial profiles of the data subjects and to advertise certain financial services (e.g. credit cards or loans) to them on this basis. In doing so, the DPA found that the controller had not obtained effective consent from the data subjects. It is true that the data subjects had at one point given consent for their data to be processed by the entire CaixaBank Group. However, the controller had not adequately informed the data subjects about the data processing, including profiling. For example, the controller had only provided data subjects with general information about the various profiling processing operations, so data subjects could not know exactly what the processing they had consented to consisted of. | link |
885 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-25 | 3,000 | MERCEDES GERENCIA, S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on MERCEDES GERENCIA, S.L.. The controller failed to respond to a request for information from the DPA in a timely manner. | link |
886 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-26 | 64,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. The data subject had filed a complaint against the data controller. The data subject stated that telephone lines were registered in his name for which there were also outstanding payments. However, the data subject had never concluded contracts with the company for any of these lines. Rather, the contracts in question were concluded by fraudsters using the personal data of the data subject. Still, the personal data was entered into the company’s information systems without any verification as to whether the contracts were lawful and actually concluded by the data subject. The original fine of EUR 80,000 was reduced to EUR 64,000 due to voluntary payment. | link |
887 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-26 | 16,000 | SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L. | Industry and Commerce | Art. 35 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.. The company had installed five terminals with a fingerprint control system to record its employees’ working hours. In doing so, the company had failed to conduct a data protection impact assessment. The AEPD found a violation of Art. 35 GDPR for this reason. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment. | link |
888 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-26 | 40,000 | VODAFONE SERVICIOS, S.L.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on VODAFONE SERVICIOS, S.L.U.. A data subject filed a complaint with the DPA against the controller. The data subject is a client of the controller. When he checked his bills on the official website ‘MY VODAFONE’ last December, he found that he had four outstanding bills, but he could not access them. He had also received a number of requests to pay them. He was informed that there was a parallel account at Vodafone with details that partly corresponded to his own. As it turned out, fraudsters had concluded a mobile phone contract using the personal data of the data subject. However, the personal data had been entered into the company’s information systems without any verification that the contract was lawful and had actually been concluded by the data subject. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
889 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-10-26 | 40,000 | VODAFONE SERVICIOS, S.L.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on VODAFONE SERVICIOS, S.L.U.. A data subject has filed a complaint with the AEPD against the data controller. The data subject states that she received invoices and debits on her bank account for the payment of Vodafone services that she had not booked herself. The data subject also stated that she was receiving calls from the collection company Bureau Veritas asking her to pay for these services. As it turned out, fraudsters had used the data subject’s personal data to conclude a service contract. However, the personal data had been entered into the company’s information systems without any verification that the contract was lawful and had actually been concluded by the data subject. The original fine of EUR 50,000 was reduced to EUR 40,000 due to the voluntary payment. | link |
890 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-11-01 | 1,000 | IKEA ROMÂNIA SA | Industry and Commerce | Art. 32 (1) b), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,000 on IKEA ROMÂNIA SA. The controller had sent a notification to the DPA about a personal data breach under Art. 33 GDPR. According to the notification, the controller had organized a drawing contest in which children of IKEA Family members could participate. Participants uploaded their own drawings to an online platform along with entry forms containing their personal data and that of their parents, including their consent. In order to vote for the best drawing, the children’s drawings were posted on the online platform, and by accident the personal data included in the participation forms was posted along with them. At the time of the investigation, it was determined that the security incident had resulted in the unauthorized disclosure of personal data of IKEA Family members (surname, first name and age of minors, as well as surname, first name, city, country, email, IKEA Family membership number and the signature of the parents) on the online platform accessible only to IKEA Family members in Romania. The incident affected 114 people, half of whom were minors. The DPA found that the controller had thus breached its obligation under Art. 32 (1) b), (2) GDPR to implement technical and organizational measures that ensure a level of security appropriate to the risk for the data subjects. | link |
891 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-11-01 | 5,000 | S.P.E.E.H. Hidroelectrica S.A. | Transportation and Energy | Art. 32 (1) b), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 5,000 on S.P.E.E.H. Hidroelectrica S.A.. The controller had notified the DPA of several breaches of personal data protection under Art. 33 GDPR. The data breaches led to the data of 325 individuals being accessed unlawfully or passed on to the wrong recipients. The DPA considered this to be a breach by the controller of its obligation under Art. 32 (1) b), (2) GDPR to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk represented by the processing. In addition, the DPA found that the controller had processed personal data of three customers after they had exercised their right to erasure and revoked their consent to the processing. The processing was therefore carried out without a valid legal basis. The DPA imposed a fine of EUR 5,000 for a breach of Art. 32 (1) b), (2) GDPR. For a violation of Art. 5 (1) a) GDPR and Art. 6 (1) a) GDPR, the DPA further issued a warning. | link |
892 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-16 | 5,000 | Comune di Montalbano Jonico | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 9 (1), (2), (4) GDPR, Art. 2-ter (1), (3) Codice della privacy, Art. 2-septies (8) Codice della privacy | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the municipality of Montalbano Jonico. An individual had filed a complaint against the municipality with the DPA. He complained that a document was publicly available on the municipality’s website, which contained personal data about himself and his father. Under the ‘Documents and Data’ section of the website, the files of the municipality could be viewed. In this context, it was possible to access a decision on a settlement for the overcoming and removal of architectural barriers in their home by filling out the corresponding search form. The decision clearly contained personal data and information in the text and subject line, such as the name of the complainant and his dependent father, with a reference to his situation as a disabled person. The text of the decision also contained the complainant’s date of birth and place of residence, as well as information about the settlement sum. The DPA considered the publication with indication of the data to be a violation of the principle of data minimization. | link |
893 | IRELAND | Data Protection Authority of Ireland | 2021-08-20 | 1,500 | MOVE Ireland | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA (DPC) has fined the organization MOVE (Men Overcoming Violence) EUR 1,500. MOVE is a charity working in the field of domestic violence. The organization aims to support the safety and well-being of women and their children who have experienced violence in relationships. For this purpose, participants (men) come to weekly sessions in order to change their behavior. On February 3, 2021, the organization reported a data breach in accordance with Art. 33 GDPR. The organization stated that eighteen SD cards had been lost, which may have contained recordings of group sessions of the MOVE program, in which participants discuss their behavior and attitudes regarding domestic violence with a group leader. Some of the participants could be seen and heard on the recordings. In addition, the recordings included footage of participants discussing their behaviors and feelings regarding current or former partners, other family members, and friends who may have been named. Approximately 80-120 participants could have been affected by the data breach, as well as at least one group leader per recorded session. The DPC found that MOVE had breached its obligation under Art. 32 (1) GDPR by failing to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing of personal data through the recording of group sessions. | link link |
894 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-10-06 | 5,300 | Unknown | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA from Luxembourg has imposed a fine of EUR 5,300 on a company. The company had installed 75 surveillance cameras on its premises as well as tracking devices in some of its vehicles used by employees to travel to customers. A few of these cameras covered, among other things, parts of a public street and a private neighboring property. During its investigation, the DPA also found that the cameras covered the employee cafeteria, allowing employees to be monitored outside of their working hours. The DPA found this to be a violation of the principle of data minimization. It also found that the controller had not sufficiently complied with its information obligations under Art. 13 GDPR. | link |
895 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-10-13 | 13,200 | Unknown | Not assigned | Art. 38 (1) GDPR, Art. 39 (1) b) GDPR | Insufficient involvement of data protection officer | The DPA from Luxembourg has imposed a fine of EUR 13,200 on a company. According to the DPA, the controller firstly failed to involve the data protection officer in all matters relating to the protection of personal data. Second, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was adequately performing its tasks. | link |
896 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-10-13 | 18,000 | Unknown | Not assigned | Art. 37 (7) GDPR, Art. 38 (1), (2) GDPR, Art. 39 (1) b) GDPR | Insufficient involvement of data protection officer | The DPA from Luxembourg has imposed a fine of EUR 13,200 on a company. According to the DPA, the controller failed to involve the data protection officer in all matters relating to the protection of personal data. Also, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was adequately performing its tasks. Furthermore, the controller failed to provide the data protection officer with the necessary resources to perform his duties. The DPA also noted that the controller’s website did not contain a section dedicated to data protection and that the information notice on data protection was only available in English rather than in one of the official languages of Luxembourg. | link |
897 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-10-04 | 5,000 | PREMIUMMEDIA ΠΑΡΑΓΩΓΗ ΟΠΤΙΚΟ-ΑΚΟΥΣΤΙΚΩΝ ΕΡΓΩΝ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΙΑ | Industry and Commerce | Art. 21 (3) GDPR, Art. 25 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 5,000 on the company PREMIUMMEDIA ΠΑΡΑΓΩΓΗ ΟΠΤΙΚΟ-ΑΚΟΥΣΤΙΚΩΝ ΕΡΓΩΝ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΙΑ. An individual had attempted to unsubscribe from the company’s newsletter mailing list, but failed to do so. The failure to unsubscribe from the lists resulted from an internal technical error of the company. | link |
898 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-11-14 | 2,900 | Vodafone România SA | Media, Telecoms and Broadcasting | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR, Art. 3 (1) Law No. 506/2004, Art. 3 (3) a), b) Law No. 506/2004 | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,900 on VODAFONE România S.A.. The company had reported a data breach to the DPA in accordance with Art. 33 GDPR. In the period from November 2020 to June 2021, there had been unauthorized access to personal data of seventy data subjects (mailing of service contracts to wrong email addresses, unauthorized access by employees of the controller to personal data of Vodafone customers without their request). The DPA found that the controller did not take appropriate technical and organizational measures to ensure the security of the processing of personal data. | link |
899 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-12 | 1,500 | Company | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Usage of CCTV camera without proper information. | link |
900 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-12 | 3,000 | AD735 DATA MEDIA ADVERTISING S.L. | Media, Telecoms and Broadcasting | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | Failure to provide requested information to the Spanish DPA (AEPD) within the required timeframe in violation of Art. 58 GDPR. | link |
901 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-10-14 | 78,000 | Bank Millennium S.A | Finance, Insurance and Consulting | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA (UODO) has imposed a fine of EUR 78,000 on Bank Millennium S.A.. The UODO had become aware of a data protection breach following a complaint against the bank. It turned out that correspondence sent by the bank through a courier service containing personal data such as first name, last name, PESEL number, home address, account numbers and identification numbers of customers had been lost. In this regard, the UODO found that the bank had failed to report the incident to the DPA and to provide adequate notice to the data subjects. | link |
902 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2021-11-12 | 400,000 | Transavia | Transportation and Energy | Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Dutch DPA has fined airline Transavia EUR 400,000. In 2019, the airline suffered a data breach, in which a hacker gained access to Transavia’s systems through two accounts held by the company’s IT department. This could have potentially allowed the hacker to access data such as names, dates of birth, gender, email addresses, phone numbers, flight information and booking numbers of 25 million passengers. It was found that the hacker actually downloaded the personal data of 83,000 people. In 367 cases, the data included medical information of people who had requested, for example, wheelchair transportation or additional services because they were blind or deaf. The DPA noted that a lack of security measures allowed the hacker to access the systems. Thus, it was possible to access the airline’s systems simply by entering the password. The systems did not incorporate multi-factor authentication. Furthermore, the access rights of the accounts were not limited to necessary systems, allowing the hacker to use them to gain access to multiple Transavia systems. The DPA found that Transavia had breached its duty to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects. | link link |
903 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-15 | 1,000 | Supermarket | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Usage of CCTV camera without proper information. | link |
904 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-15 | 1,000 | Private Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on a private individual for the unauthorized installation of a video surveillance camera on their car. The car had been parked on a public street, and therefore the camera was also recording public space. The AEPD found that video surveillance of public space represented a violation of the principle of data minimization. | link |
905 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-15 | 30,000 | Vodafone España, SAU | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on Vodafone España SAU. A data subject had filed a complaint with the AEPD against the data controller. The data subject states that he had received invoices and debits on his bank account for the payment of Vodafone services that he had not booked himself. The data subject also stated that he had been asked to pay for these services by the debt collection company I.S.G.F. Informes Comerciales, S.L.. As it turned out, fraudsters had used the data subject’s personal data to conclude a service contract. Vodafone had subsequently canceled the contract for the booked services. Due to a system error, however, the outstanding invoices had not been canceled, which is why they had been forwarded to the collection agency. The AEPD determined that this transmission was unlawful due to the non-existence of a valid contract. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt. | link |
906 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2021-10-26 | 380 | Bank | Finance, Insurance and Consulting | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The Bulgarian DPA has fined a bank EUR 380 for the unlawful transfer of personal data to third parties. | link |
907 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-22 | 1,000 | Neighborhood community | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 1,000 on a neighborhood community. The reason for this was that the information sign about a video surveillance system did not contain sufficient information as required by Art. 13 GDPR. The sign contained neither a reference to the data controller nor an address to contact for exercising data subject rights. | link |
908 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-15 | 40,000 | Vodafone España, SAU | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on Vodafone España SAU. An individual had filed a complaint with the DPA. The data subject claims to have received text messages from Vodafone in September 2020 informing him that he had debts from services he had ordered from Vodafone. The billing address listed in the text messages corresponded to that of an old house where the data subject had lived with his ex-partner in the past. Vodafone stated that a system error had led to this incident. This resulted in the data subject appearing as the holder of his former partner’s customer account. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
909 | CYPRUS | Cypriot Data Protection Commissioner | 2021-11-12 | 925,000 | WS WiSpear Systems Ltd | Industry and Commerce | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The Cypriot DPA has imposed a fine of EUR 925,000 on WS WiSpear Systems Ltd. The company had collected various data from individuals (Media Access Control addresses and International Mobile Subscriber Identity data) without their knowledge as part of tests and presentations of technologies. In this context, the DPA found a violation of the principle of lawfulness, fairness and transparency. | link |
910 | FRANCE | French Data Protection Authority (CNIL) | 2021-11-04 | 400,000 | Régie autonome des transports parisiens | Transportation and Energy | Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The French DPA (CNIL) imposed a fine of EUR 400,000 on RATP (the operator of the public transport system in Paris). In May 2020, a trade union filed a complaint with the CNIL alleging that the number of strike days taken by staff was included in files used to prepare promotion decisions. The CNIL then conducted investigations in several RATP bus centers. These led to confirmation of this practice in three RATP bus centers. The CNIL indicated that files for evaluating performance and promotion prospects should only contain data necessary for evaluating employees. In particular, it was sufficient to indicate the total number of days of absence without the need to go into detail and distinguish the days associated with the exercise of the right to strike. It found that the use of data on the number of days staff members were on strike was not necessary for these purposes, and that the RATP thus violated the principle of data minimization set forth in Article 5 (1) (c) GDPR. In addition, the DPA found that the RATP had excessively retained many of its employees’ data. Indeed, the RATP kept files on the evaluation of staff members for more than three years after the promotion commission, although their retention was only required for 18 months after the holding of these commissions. Further, CNIL found that RATP did not adequately differentiate between staff authorization levels, allowing more staff than necessary to access certain data. For this reason, CNIL concluded that RATP failed in its duty to implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. | link link |
911 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-22 | 3,000 | Unknown | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a company. The company had requested various personal data from customers for appointment bookings. The DPA found that the controller failed to properly inform the data subjects about the processing of the data in accordance with Art. 13 GDPR. | link |
912 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-22 | 2,000 | ANIVERSALIA NETWORKS, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) fined ANIVERSALIA NETWORKS, S.L. EUR 2,000 due to the fact that the privacy policy on its website did not comply with the requirements of Art. 13 GDPR. | link |
913 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-23 | 3,000 | FUENSANTA S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The controller failed to provide information requested by the Spanish DPA (AEPD) for investigative purposes. | link |
914 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-23 | 40,000 | Vodafone España, SAU | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined Vodafone España S.A.U. EUR 40,000. An individual had filed a complaint against Vodafone with the DPA because her cell phone line was transferred to a third party without her consent and she was charged amounts from a third party phone line. The reason for this was a technical error in Vodafone’s systems. | link |
915 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-11-26 | 2,000 | Valoris Center S.R.L. | Industry and Commerce | Art. 29 GDPR, Art. 32 (1) b) GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Valoris Center S.R.L.. The controller notified the DPA of a data breach pursuant to Art. 33 GDPR. A call center employee of the controller had accidentally sent a customer an Excel file containing data from other customers of the controller. In the course of the investigation, it was determined that this breach resulted in the unauthorized disclosure of or access to personal data such as email address, username, user ID, phone number, customer name, customer code and customer PIN, with a total of 11,169 natural persons affected by the incident. The DPA found that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects. | link |
916 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2021-11-23 | 51,000 | Icelandic Ministry of Industry and Innovation | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf. | link |
917 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2021-11-23 | 27,200 | YAY ehf. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf. | link |
918 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-24 | 9,000 | UNIÓN FINANCIERA ASTURIANA S.A. E.F.C. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) fined UNIÓN FINANCIERA ASTURIANA S.A. E.F.C.. The controller had carried out a credit check on the data subject without any contractual basis for doing so. The original fine of EUR 15,000 was reduced to EUR 9,000 due to voluntary payment and admission of guilt. | link |
919 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-10-14 | 20,000 | ΚΑΠΑ ΛΑΜΔΑ ΩΜΕΓΑ ΔΙΑΦΗΜΙΣΤΙΚΗ ΕΜΠΟΡΙΚΗ ΜΟΝΟΠΡΟΣΩΠΗ ΕΤΑΙΡΕΙΑ ΠΕΡΙΟΡΙΣΜΕΝΗΣ ΕΥΘΥΝΗΣ | Industry and Commerce | Art. 6 GDPR, Art. 12 (2) GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The Hellenic DPA has fined ΚΑΠΑ ΛΑΜΔΑ ΩΜΕΓΑ ΔΙΑΦΗΜΙΣΤΙΚΗ ΕΜΠΟΡΙΚΗ ΜΟΝΟΠΡΟΣΩΠΗ ΕΤΑΙΡΕΙΑ ΠΕΡΙΟΡΙΣΜΕΝΗΣ ΕΥΘΥΝΗΣ EUR 20,000. The company had in several cases carried out marketing calls without the consent of the data subjects. Despite several revocations by the data subjects, they continued to receive unsolicited advertising. | link |
920 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-10-27 | 15,400 | Unknown | Not assigned | Art. 38 (1), (3) GDPR, Art. 39 (1) a), b) GDPR | Insufficient involvement of data protection officer | The Luxembourg DPA has imposed a fine of EUR 15,400 on a company. According to the DPA, the controller failed to involve the data protection officer in all matters related to the protection of personal data. In addition, contrary to the requirements of the GDPR, the data protection officer did not report directly to the highest management level; instead, there were two levels of hierarchy in between. Also, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was performing their duties appropriately. | link |
921 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-29 | 4,000 | TIGERS MARKET, S.L. | Industry and Commerce | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 LOPDGDD | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 4,000 on TIGERS MARKET, S.L.. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list. | link |
922 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-29 | 1,000 | Restaurant owner | Accomodation and Hospitalty | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a restaurant owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment. | link |
923 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-30 | 1,500 | Neighborhood community | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a neighborhood community. The controller had installed video cameras on their private property in such a way that they could capture images of the public space and the neighbor’s private property. The AEPD considered this to be a violation of the principle of data minimization. | link |
924 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-30 | 5,000 | ASOCIACIÓN ESPAÑOLA PARA LA ENSEÑANZA ONLINE | Public Sector and Education | Art. 17 (1) GDPR, Art. 21 LSSI | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has fined ASOCIACIÓN ESPAÑOLA PARA LA ENSEÑANZA ONLINE in the amount of EUR 5,000. A data subject had indicated that he had objected to further newsletter subscription and had requested the controller to delete all of his data. However, he continued to receive advertisements from the data controller. | link |
925 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-30 | 20,000 | DAVISER SERVICIOS, S.L. | Transportation and Energy | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 20,000 on DAVISER SERVICIOS, S.L.. The company had been processing biometric data (fingerprints) of employees for access to certain rooms, although less intrusive means (such as key cards) could have been used to protect the privacy of the data subjects. The AEPD found that the controller had violated the principle of data minimization. | link |
926 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-30 | 5,000 | ASOCIACIÓN ESPAÑOLA PARA LA ENSEÑANZA ONLINE | Public Sector and Education | Art. 17 (1) GDPR, Art. 21 LSSI | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has fined ASOCIACIÓN ESPAÑOLA PARA LA ENSEÑANZA ONLINE in the amount of EUR 5,000. A data subject had indicated that he had objected to further newsletter subscription and had requested the controller to delete all of his data. However, he continued to receive advertisements from the data controller. | link |
927 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2021-11-29 | 110,000 | UAB Prime Leasing | Industry and Commerce | Art. 32 (1) b), d) GDPR | Insufficient technical and organisational measures to ensure information security | The Lithuanian DPA has fined UAB Prime Leasing, the operator of the short-term car rental platform CityBee, EUR 110,000. The DPA conducted the investigation on its own initiative after information about a possible personal data breach (Art. 33 GDPR) affecting the company’s customers became public in February 2021. According to the company, it learned about the security breach from a cybersecurity service provider, which informed it that the customer data of 110,302 CityBee users had been published on the hacking forum RaidForums.com. This included data such as names, addresses, phone numbers, email addresses, personal identification numbers, driver’s license numbers, payment card type and the last four digits of the card number of the data subjects. The DPA’s investigation revealed that the published data originated from an unsecured backup copy of a database. The DPA found that the data breach occurred because the company had failed to implement technical and organizational measures ensuring a level of security appropriate to the risk to data subjects. The company had, for example, failed to appoint a person with appropriate competence to be responsible for security and risk management. It had also failed to ensure that accesses to database files were logged and reviewed. | link |
928 | ITALY | Italian Data Protection Authority (Garante) | 2021-10-28 | 2000 | OTTO s.r.l. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA (Garante) has imposed a fine of EUR 2,000 on OTTO s.r.l.. During an administrative inspection of a store managed by OTTO, the police found that a video surveillance system with three cameras was installed in the store. However, it found that the controller had not provided sufficient information on the presence of the CCTV. The DPA considered this to be a violation of Art. 13 GDPR. | link |
929 | ITALY | Italian Data Protection Authority (Garante) | 2021-10-28 | 2000 | Anfiteatro Flavio s.r.l. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Anfiteatro Flavio s.r.l. During an administrative inspection of a hotel managed by Anfiteatro Flavio, the police found that a video surveillance system with three cameras was installed in the hotel. However, it found that the controller had not provided sufficient information on the presence of the CCTV. The DPA considered this to be a violation of Art. 13 GDPR. | link |
930 | UNITED KINGDOM | Information Commissioner (ICO) | 2021-11-25 | 585,000 | Cabinet Office | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The UK DPA (ICO) has fined the Cabinet Office EUR 585,000. On December 27, 2019, the Cabinet Office published a file on GOV.UK containing the names and unredacted addresses of more than 1,000 recipients of New Year Honours. Individuals from a wide range of professions across the United Kingdom were affected, including individuals with a high public profile. After learning of the data breach, the Cabinet Office removed the web link to the file. However, the file itself remained cached and accessible online to anyone who had its exact web address. The personal data was available online for two hours and 21 minutes and was accessed 3,872 times. The breach was caused by an error in the setup of the Cabinet Office’s new IT system. The ICO found that the Cabinet Office had failed to take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk to data subjects. | link link |
931 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-29 | 2000 | Physician | Health Care | Art. 5 (1) a) GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has fined a physician EUR 2,000. A patient had complained to the DPA that the doctor had disclosed his personal data to third parties without authorization. The doctor had recommended medical products to the data subject as part of his treatment. A few days later, the data subject received a call from the marketing consultant behind the recommended products. The data subject pointed out that he had never given his consent to the disclosure of his data. The Garante states that no specific consent is required for the processing of personal data necessary for medical treatment. Here, however, the data was processed for the purpose of product promotion, and therefore explicit consent would have been required under Art. 9 GDPR. The physician thus processed the data unlawfully. | link |
932 | ITALY | Italian Data Protection Authority (Garante) | 2021-10-14 | 8,000 | Health Protection Agency of Sardinia (ATS) | Health Care | Art. 5 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 8,000 on the Health Protection Agency of Sardinia (ATS). A patient had mistakenly received medical records and clinical documentation from another patient in his own file. | link |
933 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-01 | 5,000 | INTRODUCTION BUSINESS CAPITAL MEDIA, S.L. | Industry and Commerce | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 LOPDGDD | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on INTRODUCTION BUSINESS CAPITAL MEDIA, S.L.. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list. | link |
934 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-02 | 2000 | IMAGINA FRAN SPORT, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) fined IMAGINA FRAN SPORT, S.L. EUR 2,000 due to the fact that its privacy policy did not comply with the requirements of Art. 13 GDPR. For instance, the website contained outdated information. | link |
935 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-23 | 40,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. A data subject had filed a complaint against the data controller due to the fact that telephone lines were registered in his name, although he had never concluded contracts with the company for any of these lines. Vodafone had accidentally assigned the data of the data subject to the contracts of another Vodafone customer, which is why the contracts went under his name. Against this background, the DPA considered the processing of the data subject’s data by Vodafone to be unlawful. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
936 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-23 | 40,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on Vodafone España, S.A.U.. A data subject had filed a complaint with the DPA as the controller had transferred her cell phone line to another person without her consent due to a technical error. In addition, the data subject’s account was debited with amounts that belonged to a third party’s phone line. The DPA found that Vodafone had unlawfully processed the data subject’s data. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
937 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-11-02 | 2000 | COOPERA RC SERVICES, S.L. | Media, Telecoms and Broadcasting | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on COOPERA RC SERVICES. The controller had not provided sufficient contact details through which data subjects could exercise their rights. | link |
938 | GERMANY | Data Protection Authority of Rhineland-Palatinate | Unknown | 50 | Unknown | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful use of a dashcam | link |
939 | GERMANY | Data Protection Authority of Rhineland-Palatinate | Unknown | 300 | Unknown | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful use of a dashcam | link |
940 | GERMANY | Data Protection Authority of Rhineland-Palatinate | Unknown | 600 | Unknown | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful use of a dashcam | link |
941 | GERMANY | Data Protection Authority of Saxony | 2019 | 500 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A data controller failed to comply with a data subject’s request to access their personal data. | link |
942 | GERMANY | Data Protection Authority of Saxony | 2019 | Fine amount between EUR 50 and EUR 800 | Unknown | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | Eight fines between EUR 50 and EUR 800 for unlawful use of a dashcam. | link |
943 | GERMANY | Data Protection Authority of Niedersachsen | 2019 | Fine amount between EUR 350 and EUR 1000 | Unknown | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | Nine fines between EUR 350 and EUR 1,000 for unlawful use of a dashcam. | link |
944 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-03 | 1,000 | Store owner | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a store owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment. | link |
945 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-07 | 24,000 | NBQ Technology, S.A.U. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined NBQ Technology, S.A.U. A data subject filed a complaint with the DPA against the company after it had denied him a financial transaction due to alleged outstanding payments on a loan. As it turned out, an identity thief had obtained the data subject’s data without authorization and applied for a loan from the data controller under the pretense of the data subject’s identity. The controller then approved the loan. Since the data processed in the course of granting the loan did not belong to the borrower but to the data subject, the AEPD found that the controller had no legal basis for processing the data. The processing was therefore unlawful and a breach of Art. 6 (1) GDPR was affirmed. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and admission of guilt. | link |
946 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2021-11-25 | 2,750,000 | Dutch Minister of Finance | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) e) GDPR, Art. 8 Wbp | Insufficient legal basis for data processing | The Dutch DPA (AP) has fined the Minister of Finance EUR 2.75 million. In the context of childcare benefit applications, tax offices had processed data on the dual nationality of applicants for several years. The DPA found, however, that data on the dual nationality of Dutch citizens was not necessary for assessing an application for childcare benefits. The data had also been processed for the purpose of combating organized fraud and for automatic classification in the authority’s risk system; even for these purposes, the processing was not necessary. For this reason, the tax and customs administration should have deleted the data on dual nationality as early as January 2014. Nevertheless, as of May 2018, the dual nationality data of a total of 1.4 million people was still registered in the systems of the tax and customs administration. The DPA therefore found that the data had been unlawfully processed for lack of a valid legal basis. Furthermore, the DPA stated that the data subjects had been discriminated against on the basis of their nationality. | link link |
947 | BELGIUM | Belgian Data Protection Authority (APD) | 2021-12-08 | 10,000 | Unknown | Not assigned | Art. 12 (3) GDPR, Art. 14 (1), (2), (3) GDPR, Art. 15 GDPR, Art. 17 (1) c) GDPR, Art. 21 (2) GDPR | Insufficient fulfilment of data subjects rights | The Belgian DPA has imposed a fine of EUR 10,000 against a company. The data subject had repeatedly received mail with advertising content from a company, although he had objected to the processing of his personal data and requested the deletion of his data. However, the company did not respond to inquiries from the data protection authority in this regard. In addition, the company had not sufficiently informed the data subject about the processing of his personal data. | link |
948 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-11-24 | 98,000 | Norwegian State Pension Fund (SPK) | Public Sector and Education | Art. 5 (1) c), e) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR | Insufficient legal basis for data processing | The Norwegian DPA has imposed a fine of EUR 98,000 on the Norwegian State Pension Fund (SPK). The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The DPA found that the controller had unlawfully collected certain income information since 2016. For example, the controller had collected health-related information on disability pensions, although this was not required. Approximately 24,000 individuals were affected by these incidents. In addition, the DPA found that SPK did not implement routines to review and delete excessive information collected until 2019. | link |
949 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-12-13 | 2000 | SC Nobiotic Pharma SRL | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | Failure to provide requested information to the Romanian DPA within the required timeframe in violation of Art. 58 GDPR. | link |
950 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-12-13 | 6,300,000 | Grindr LLC | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 9 (1) GDPR | Insufficient legal basis for data processing | The Norwegian DPA has fined Grindr LLC EUR 6.3 million. Grindr is a location-based social networking app designed for gay, bi, trans and queer people. In 2020, the Norwegian Consumer Protection Authority filed a complaint against Grindr with the Norwegian DPA, alleging that the platform had shared information about users’ GPS location, IP address, mobile advertising ID, age and gender with several third parties for marketing purposes. Under the GDPR, consent is required for the sharing of this personal data. However, during its investigation, the DPA found that the consent collected by Grindr was not valid. Users had to accept the privacy policy in order to use the app, but were not explicitly asked whether they consented to their data being shared with third parties for marketing purposes. In addition, the information about the disclosure of personal data was not clear or accessible enough for users. The DPA points out that this type of data may identify a Grindr user as a member of a sexual minority. Grindr users would sometimes want to use the app anonymously without, for example, giving their full name or uploading a photo of themselves. The users’ sexual orientation, a special category of personal data subject to a particularly high level of protection, was therefore also affected. The DPA therefore considers the infringement to be a particularly serious case that justifies a deterrent, high fine. Business models based on behavioural marketing are widespread in the digital economy, making it important that fines for GDPR violations have a deterrent effect. | link |
951 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2021-02-12 | 3,000 | Unknown | Not assigned | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Austrian DPA has fined a company EUR 3,000 for failing to provide information requested by the DPA during an investigation. | link |
952 | FINLAND | Deputy Data Protection Ombudsman | 2021-12-07 | 608,000 | Psykoterapiakeskus Vastaamo | Health Care | Art. 5 (1) f) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR | Non-compliance with general data processing principles | The Finnish DPA has fined the Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo’s medical database on at least two occasions, in December 2018 and March 2019. The attacker had also exfiltrated data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker could be identified. The most likely cause of the medical database leak was an unprotected port on the database server, where the database’s root account had no password. The patient database server was open to the Internet without firewall protection between November 26, 2017, and March 13, 2019. For this reason, the DPA determined that the personal data had not been adequately protected against unauthorized and unlawful processing or accidental loss, destruction, or damage, and that the controller had not implemented basic measures for the secure processing of personal data. As part of its investigation, the DPA also determined that the controller must have known as early as March 2019 that data in the patient information system had been lost and could have been compromised by an external attacker. Vastaamo should have immediately reported the security breach to both the DPA and its patients. However, Vastaamo was significantly late in meeting this obligation. The fine is composed of EUR 145,600 for the breach of Art. 33 (1) GDPR, EUR 145,600 for the breach of Art. 34 (1) GDPR and EUR 316,800 for the breach of Art. 5 (1) f) GDPR. | link |
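The two technical failures behind the Vastaamo fine (a database port reachable from the Internet and a database root account with no password) are cheap to detect before an attacker does. As an added example, not part of the tracker and not code from Vastaamo or its systems, the following Python audit flags both conditions. Its inputs are constructed sample data: an `ss -ltnp`-style listener table and rows from a MySQL/MariaDB `mysql.user` table. The port-to-service map and the column name `authentication_string` (MySQL 5.7+ / MariaDB 10.4+) are assumptions.

```python
"""Database exposure audit modelled on the Vastaamo findings.

Added example (not code from the tracker or from Vastaamo). Both inputs are
constructed; see SS_SAMPLE and USER_SAMPLE below.
"""
from dataclasses import dataclass

# Assumed default ports of common database servers.
DB_PORTS = {3306: "mysql", 5432: "postgres", 27017: "mongodb", 6379: "redis", 1433: "mssql"}

# Wildcard bind addresses that expose a socket on every interface.
ANY_ADDR = {"0.0.0.0", "*", "::", "[::]"}


@dataclass(frozen=True)
class Finding:
    severity: str
    detail: str


def parse_listeners(ss_output: str):
    """Yield (bind_addr, port, process) for each LISTEN row of `ss -ltn[p]` output."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or unrelated socket state
        bind_addr, _, port = parts[3].rpartition(":")  # "[::]:80" -> ("[::]", "80")
        process = parts[5] if len(parts) > 5 else ""
        yield bind_addr, int(port), process


def audit_listeners(ss_output: str) -> list[Finding]:
    """Flag database services bound to all interfaces, i.e. reachable without a firewall."""
    return [
        Finding("high", f"{DB_PORTS[port]} ({process}) listens on {addr}:{port}, reachable on every interface")
        for addr, port, process in parse_listeners(ss_output)
        if port in DB_PORTS and addr in ANY_ADDR
    ]


def audit_users(user_rows: list[dict]) -> list[Finding]:
    """Flag accounts with an empty password and root accounts that accept non-local logins."""
    findings = []
    for row in user_rows:
        account = f"{row['user']}@{row['host']}"
        if row["authentication_string"] == "":  # assumed column name (MySQL 5.7+ / MariaDB 10.4+)
            findings.append(Finding("critical", f"{account} has an empty password"))
        if row["user"] == "root" and row["host"] not in ("localhost", "127.0.0.1", "::1"):
            findings.append(Finding("high", f"{account} allows root login from non-local hosts"))
    return findings


def run_audit(ss_output: str, user_rows: list[dict]) -> list[Finding]:
    """Combine both checks; an exposed port plus a passwordless account is the Vastaamo pattern."""
    return audit_listeners(ss_output) + audit_users(user_rows)


# Constructed sample data (not real hosts, PIDs or hashes).
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1203,fd=21))
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       128     [::]:80              [::]:*             users:(("nginx",pid=700,fd=6))
"""

USER_SAMPLE = [
    {"user": "root", "host": "%", "authentication_string": ""},
    {"user": "app", "host": "10.0.0.%", "authentication_string": "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"},
    {"user": "backup", "host": "localhost", "authentication_string": ""},
]


if __name__ == "__main__":
    for finding in run_audit(SS_SAMPLE, USER_SAMPLE):
        print(f"[{finding.severity}] {finding.detail}")
```

On the sample data the audit reports the MySQL listener on 0.0.0.0:3306, the passwordless root@% account (twice: empty password and remote root), and the passwordless backup@localhost account. The corresponding fixes are the ones the DPA's reasoning implies: bind the database to loopback or a private interface (for MySQL, `bind-address` in the server configuration), put a host firewall in front of it, and set a password (or socket authentication) on every account, starting with root.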
953 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-16 | 1,200 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a private individual EUR 1,200 for failing to provide sufficient information about a video surveillance system installed at their property. | link |
954 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-12-16 | 13,450 | Municipality of Frederiksberg | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has fined the municipality of Frederiksberg EUR 13,450. On March 1, 2021, the municipality reported a data breach under Art. 33 GDPR. The municipality’s dental care service had operated a system through which parents could access their children’s dental care letters online. The municipality then extended this access to parents with joint custody. As a result, in several cases, parents gained access to information about the other parent and the child’s address, even though the affected parent and child were registered with name and address protection. | link |
955 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2021-10-27 | 13,500 | Car importer | Industry and Commerce | Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Hungarian DPA imposed a fine of EUR 13,500 on a car importer. A customer of one of the company’s authorized repair shops filed a complaint with the DPA due to receiving unsolicited emails related to customer surveys from the company after a car inspection. The Hungarian DPA found that the controller did not have a valid legal basis to contact the data subject. It also found that the controller had not complied with its duty to inform under Art. 12 GDPR and Art. 13 GDPR. The emails did not contain any contact information of the controller, for example. | link |
956 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-14 | 50,000 | IZA OBRAS Y PROMOCIONES, S.A. | Employment | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined IZA OBRAS Y PROMOCIONES, S.A. EUR 50,000. An employee had filed a complaint with the DPA against the company, alleging that the controller had unauthorizedly disclosed his personal data to another company from which it had received a construction order. The data subject was working as a construction manager on the project, but was absent from work for a period of time due to illness. The controller therefore informed its client and additionally disclosed the data subject’s email address and certain health information. The DPA determined that the disclosure of this data would not have been necessary and that the controller had therefore violated the principle of data minimization. | link |
957 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-12-08 | 30,000 | One Way Private Company | Media, Telecoms and Broadcasting | Art. 28 (3) c) GDPR, Art. 32 (2), (4) GDPR, Art. 11 (1) Νόμος 3471/2006 | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 30,000 on One Way Private Company. The DPA received 17 complaints regarding illegal telephone calls for the purpose of advertising. The DPA found that due to an error in the controller’s application, telephone calls were made to subscribers included in the list for protection against unsolicited telephone advertising ‘Register 11’. The DPA concluded that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. | link |
958 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-17 | 2000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 2,000. The data controller had installed video cameras in such a way that they could record images of the public space and the entrance to a residential building. The AEPD considered this a violation of the principle of data minimization. | link |
959 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-17 | 2000 | Online retailer | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on an online retailer. The data subject bought a product from the controller’s online store via eBay and paid with Paypal. However, he received the order via Amazon. Since the data subject had not consented to the transfer of his data to Amazon, the DPA concluded that the controller had processed the data unlawfully. | link |
960 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-12-17 | 3,900 | T. Stene Transport AS | Transportation and Energy | Unknown | Unknown | The Norwegian DPA has fined T. Stene Transport AS EUR 3,900 due to an unfair credit check on a data subject. | link |
961 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2021-08-05 | 600 | Private individual | Individuals and Private Associations | Art. 9 GDPR | Insufficient legal basis for data processing | The Austrian DPA has imposed a fine of EUR 600 on a private individual. A private individual had sent a document obtained in a court case between the data subject and himself to the data subject’s employer. This document contained information regarding health-related data of the data subject. At no time had the data subject consented to the forwarding of the document to her employer. | link |
962 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-21 | 2000 | FUNDACION ESPANOLA DE MEDICINA ESTETICA Y LONGEVIDAD | Individuals and Private Associations | Art. 7 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 2,000 on FUNDACION ESPANOLA DE MEDICINA ESTETICA Y LONGEVIDAD. The DPA criticized that the data protection notice of the controller did not comply with the requirements of the GDPR. Thus, the information required under Art. 13 GDPR was not sufficiently provided. In addition, the data protection notice did not provide an adequate opportunity to give consent to data processing. | link |
963 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-17 | 4,000 | CLUB DEPORTIVO RITMO DE ANDALUCÍA | Individuals and Private Associations | Art. 7 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on CLUB DEPORTIVO RITMO DE ANDALUCÍA. The DPA criticized that the data protection notice of the controller did not comply with the requirements of the GDPR. Thus, the information required under Art. 13 GDPR was not sufficiently provided. In addition, the data protection notice did not provide an adequate opportunity to give consent to data processing. | link |
964 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-23 | 1,500 | LA OFICINA BAR | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined LA OFICINA BAR. The bar operated a video surveillance system in which the observation angle of the cameras extended into the public traffic area. The DPA considered this to be a violation of the principle of data minimization. | link |
965 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-21 | 6,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 6,000 on a private individual. The person had shared a video on Twitter showing images of a sexual assault by a man on a woman. The purpose of sharing the video was to draw attention to domestic violence against women. The DPA considers the sharing to be unlawful. Even though the person may have had a legitimate interest in sharing the video, the victim’s right to privacy prevails. | link |
966 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-22 | 5,000 | Sfam España General s.l. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Sfam España General s.l. A data subject had filed a complaint with the DPA against the controller for charging her for several services that she had not ordered. | link |
967 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-22 | 5,000 | HUBSIDE IBÉRICA S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on HUBSIDE IBÉRICA S.L. A data subject had filed a complaint with the DPA against the controller for charging her for several services that she had not ordered. | link |
968 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-16 | 60,000 | Banco Bilbao Vizcaya Argentaria S.A. | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on Banco Bilbao Vizcaya Argentaria S.A. A data subject filed a complaint with the DPA because the controller repeatedly sent him SMS messages about non-payments, although he had no contractual relationship with the controller. The controller stated that the unsolicited SMS messages were sent due to human error on the part of its employees. The original fine of EUR 100,000 was reduced to EUR 60,000 due to voluntary payment and admission of guilt. | link |
969 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-28 | 2,000 | VENTANAS MAKE YOURSELF, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The corporate website did not present a privacy policy on its main page. | link |
970 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-28 | 6,000 | REAL CLUB NÁUTICO DE RIBADEO | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on REAL CLUB NÁUTICO DE RIBADEO. The controller had uploaded links to court decisions containing personal data of the data subject on its website and Facebook page. | link |
971 | FRANCE | French Data Protection Authority (CNIL) | 2021-12-28 | 180,000 | SLIMPAY | Finance, Insurance and Consulting | Art. 28 GDPR, Art. 32 GDPR, Art. 34 GDPR | Insufficient technical and organisational measures to ensure information security | The French DPA (CNIL) has imposed a fine of EUR 180,000 on the payment institution SLIMPAY. In 2015, SLIMPAY conducted an internal research project in which it processed personal data from its databases. When the research project ended in July 2016, the data remained stored on a server, without any security measures and freely accessible on the Internet. The data breach affected about 12 million people. During its investigation, the CNIL found that the company had failed to implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk to data subjects. Thus, access to the server was not subject to any security measures, so that it was possible to reach it via the Internet between November 2015 and February 2020. In addition, the DPA found that the company had failed to inform the data subjects about the data breach. The CNIL also found that in several cases, contracts the company had concluded with processors were inadequately drafted, as they did not include certain required clauses obliging the processors to process personal data in accordance with the requirements of the GDPR. | link link |
972 | FRANCE | French Data Protection Authority (CNIL) | 2021-12-28 | 300,000 | FREE MOBILE | Media, Telecoms and Broadcasting | Art. 12 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient fulfilment of data subjects rights | The French DPA (CNIL) has imposed a fine of EUR 300,000 on FREE MOBILE. The CNIL had received numerous complaints regarding the company’s failure to comply with data subjects’ rights. During its investigation, the CNIL found that the company had failed to respond to data subjects’ requests in a timely manner. In addition, the company failed to comply with the data subjects’ right to object, as it continued to send advertisements to the data subjects despite them having exercised their right to object. | link link |
973 | SPAIN | Spanish Data Protection Authority (aepd) | 2021-12-28 | 2,000 | Call shop manager | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 2,000 on the manager of a call shop. In the context of a job vacancy, the manager had set up a stand where applicants could submit their application documents for a fee of one euro. In this context, the manager did not properly inform the data subjects about the processing of their personal data as required by Art. 13 GDPR. | link |
974 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2021-12-13 | 20,000 | Elektro & Automasjon Systemer AS | Industry and Commerce | Art. 6 (1) f) GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined Elektro & Automasjon Systemer AS EUR 20,000. The controller had carried out a credit check on an individual, although there was no legal basis for doing so. | link |
975 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-02 | 30,000 | Ica s.r.l. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has fined ICA s.r.l. EUR 30,000. The municipality of Collegno had implemented a system developed by ICA through which citizens could pay fines for traffic violations. However, due to a lack of security precautions, it was theoretically possible for unauthorized persons to access personal data stored via the program. For this reason, the DPA found that ICA had failed to implement appropriate technical and organizational measures providing a level of security commensurate with the risk posed to the data subject. | link |
976 | ITALY | Italian Data Protection Authority (Garante) | 2021-11-11 | 150,000 | TIM S.p.A. | Media, Telecoms and Broadcasting | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA (Garante) has fined mobile operator TIM S.p.A. EUR 150,000 for denying a data subject access to his phone data needed to defend himself in a criminal case. Since the data subject received no response to his repeated requests to the company, he turned to the DPA to obtain the data in time for the hearing in the criminal proceedings. | link |
977 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2021-12-06 | 6,000 | Telekom Romania Communications SA | Media, Telecoms and Broadcasting | Art. 5 (1) d), f) GDPR, Art. 5 (2) GDPR, Art. 17 GDPR | Non-compliance with general data processing principles | The Romanian DPA (ANSPDCP) imposed a fine of EUR 6,000 on Telekom Romania Communications SA. A data subject had complained that the controller had sent invoices and messages to his email address informing him of another person’s payment arrears. During the investigation, the DPA found that the controller had collected and processed certain personal data in error, resulting in the unlawful disclosure of the personal data. At the same time, the DPA found that the controller had not taken the necessary measures to comply with the data subject’s request for deletion of his personal data. The fine is composed of EUR 5,000 for a breach of Art. 5 (1) d), f) GDPR and Art. 5 (2) GDPR, and EUR 1,000 for a breach of Art. 17 GDPR. | link |
978 | FRANCE | French Data Protection Authority (CNIL) | 2021-12-31 | 90,000,000 | Google LLC | Media, Telecoms and Broadcasting | Art. 82 loi Informatique et Libertés | Insufficient legal basis for data processing | On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 90,000,000 on GOOGLE LLC. The CNIL received several complaints regarding the manner in which cookies could be refused on the websites google.fr and youtube.com. The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them. From this, the CNIL concluded that users would more frequently accept the deposit of cookies out of convenience. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms. In determining the fine, the fact that a large number of people were affected was taken into account as an aggravating factor. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies. The CNIL also pointed to the fact that the authority had already alerted the GOOGLE companies to this breach in February 2021. In addition to the fine, the CNIL issued an order requiring the company to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, the companies would face a penalty of EUR 100,000 per day of delay. | link link |
979 | FRANCE | French Data Protection Authority (CNIL) | 2021-12-31 | 60,000,000 | Google Ireland Ltd. | Media, Telecoms and Broadcasting | Art. 82 loi Informatique et Libertés | Insufficient legal basis for data processing | On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 60,000,000 on Google Ireland Ltd. The CNIL received several complaints regarding the manner in which cookies could be refused on the websites google.fr and youtube.com. The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them. From this, the CNIL concluded that users would more frequently accept the deposit of cookies out of convenience. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms. In determining the fine, the fact that a large number of people were affected was taken into account as an aggravating factor. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies. The CNIL also pointed to the fact that the authority had already alerted the GOOGLE companies to this breach in February 2021. In addition to the fine, the CNIL issued an order requiring the company to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, the companies would face a penalty of EUR 100,000 per day of delay. | link link |
980 | FRANCE | French Data Protection Authority (CNIL) | 2021-12-31 | 60,000,000 | Facebook Ireland Ltd. | Media, Telecoms and Broadcasting | Art. 82 loi Informatique et Libertés | Insufficient legal basis for data processing | On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 60,000,000 on Facebook Ireland Ltd. The CNIL received several complaints regarding the manner in which cookies could be refused on the website facebook.com. The CNIL subsequently conducted an online review of the website and found that, although the website offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them. From this, the CNIL concluded that users would more frequently accept the deposit of cookies out of convenience. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms. In determining the fine, the fact that a large number of people were affected was taken into account as an aggravating factor. In addition, the CNIL took into account the significant profits that the company was able to make from the advertising revenue generated indirectly from the data collected through cookies. The CNIL also pointed to the fact that the authority had already alerted the company to this breach in February 2021. In addition to the fine, the CNIL issued an order requiring the company to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, the company would face a penalty of EUR 100,000 per day of delay. | link link |
981 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-01-05 | 1,000 | Εγνατία Οδός Α.Ε. | Industry and Commerce | Art. 12 (3) GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 1,000 on Εγνατία Οδός Α.Ε. The company operated a video surveillance system to monitor the payment of tolls. A car owner, who had received a fine for non-payment of the toll, exercised his right to information granted by the GDPR. He requested the photographic material which had been captured in the context of the fine. He also requested to receive a copy of the documentation of the incident. However, the company refused to provide the information to the data subject. Only after the DPA intervened did the company provide the information, but without enclosing the photographic material. For this reason, the DPA found a violation of Art. 12 (3) GDPR. | link |
982 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-11 | 3,000 | Property Owner Community | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Use of a CCTV camera which also captured the public roads outside, in violation of the so-called principle of data minimisation. | link |
983 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-11 | 9,000 | EDUCANDO JUNTOS SL | Employment | Art. 6 (1) GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 9,000 on EDUCANDO JUNTOS SL. The controller had published photos of an employee on some of its channels on social networks and its website. However, the controller had published the photos without having obtained the consent of the data subject. For this reason, the data subject repeatedly requested the removal of the photos from the social networks and the website. However, the controller did not comply with this request. The fine is made up of EUR 6,000 for a violation of Art. 6 (1) GDPR and EUR 3,000 for a violation of Art. 17 GDPR. | link |
984 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-12-09 | 10,000 | Warsaw University of Technology | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA (UODO) has fined Warsaw University of Technology EUR 10,000. The university had reported a data breach to the authority pursuant to Art. 33 GDPR. One of the university’s organizational units used an application created by university staff to register for courses and access teaching history, assessment of exam results and billing of fees. In early January 2020, an unauthorized person had downloaded a database from the application that contained personal data of students and faculty (over 5,000 individuals). In its investigation, the DPA found that the university had failed to implement appropriate technical and organizational measures to ensure the security of personal data. The DPA also found that the university had not conducted a formal risk assessment. | link link |
985 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-12-31 | 25,000 | PLUS REAL ADVERTISEMENT | Industry and Commerce | Art. 13 GDPR, Art. 14 GDPR, Art. 11 Law 3471/2006 | Insufficient fulfilment of information obligations | The Hellenic DPA has imposed a fine of EUR 25,000 on PLUS REAL ADVERTISEMENT. The controller had conducted advertising calls without the consent of the data subjects. In addition, it did not properly inform the data subjects about the processing of their personal data, thereby violating its information obligations. | link |
986 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-12-31 | 30,000 | INFO COMMUNICATION SERVICES | Industry and Commerce | Art. 13 GDPR, Art. 14 GDPR, Art. 11 Law 3471/2006 | Insufficient fulfilment of information obligations | The Hellenic DPA has imposed a fine of EUR 30,000 on INFO COMMUNICATION SERVICES. The controller had conducted advertising calls without the consent of the data subjects. In addition, it did not properly inform the data subjects about the processing of their personal data, thereby violating its information obligations. | link |
987 | IRELAND | Data Protection Authority of Ireland | 2021-12-02 | 60,000 | Irish Teacher Council | Public Sector and Education | Art. 5 (1) GDPR, Art. 32 (1) GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA has imposed a fine of EUR 60,000 on the Irish Teaching Council. The Council notified the DPA of a data breach under Art. 33 of the GDPR. Accordingly, two employees of the Council accessed a phishing email that allowed them to set up an automatic forwarding system from their email accounts to a malicious email account. As a result, 323 emails were forwarded to the unauthorized external email address between February 17, 2020 and March 6, 2020. The emails contained the personal data of 9,735 data subjects and the sensitive personal data of one data subject. The DPA therefore found that the Council had failed to implement appropriate technical and organizational measures to ensure a level of protection for data subjects’ personal data commensurate with the risk. In addition, the DPA found that the Council failed to report the data breach in a timely manner. | link |
988 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2022-01-14 | 8,000,000 | REWE International AG | Industry and Commerce | Unknown | Unknown | The Austrian DPA has imposed a fine of EUR 8 million on REWE International AG. Only in the summer of 2021, the subsidiary ‘Unser Ö-Bonus Club GmbH’ had received a fine of EUR 2 million. According to the ‘Salzburger Nachrichten’ newspaper, the fine is based on various violations of the GDPR. Further details about the incident are not known at the moment. | link |
989 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-13 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine is made up of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR. | link |
990 | GREECE | Hellenic Data Protection Authority (HDPA) | 2021-12-29 | 75,000 | Greek Ministry of Tourism | Public Sector and Education | Art. 13 GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 37 GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 75,000 on the Greek Ministry of Tourism. A data breach had occurred at the authority. According to the DPA, an attempt by a citizen to enter his or her credentials on the authority’s online platform resulted in the display of someone else’s credentials, including full name, tax number, social security number, postal address, phone number, email address, and fields indicating a disability. The DPA found that the ministry failed to implement adequate technical and organizational measures to secure personal data. The ministry failed to report the incident to the DPA. The DPA considered this to be a violation of Article 33 of the GDPR. The DPA’s investigation also found that the Ministry of Tourism had not appointed a data protection officer, even though an email address of the authority’s data protection officer was provided on the above-mentioned platform for communication with users of the platform. This email address, as it turned out, was not active. | link |
991 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-02 | 7,000 | Società Med Store Saronno s.r.l. | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has fined Società Med Store Saronno s.r.l. EUR 7,000. The nursing home notified the DPA of a data breach pursuant to Art. 33 GDPR. The facility had suffered a cyber attack by a hacker who gained access to personal data and published it. This included publishing radiological images of patients on his Twitter account. The DPA’s investigation revealed that the home had only secured the data with simple passwords. For this reason, the DPA found that the home had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk. | link |
992 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-02 | 30,000 | Casa di cura Fondazione Gaetano e Piera Borghi s.r.l. | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has fined Casa di cura Fondazione Gaetano e Piera Borghi s.r.l. EUR 30,000. The nursing home notified the DPA of a data breach pursuant to Art. 33 GDPR. The facility had suffered a cyber attack by a hacker who gained access to personal data and published it. This included publishing radiological images of patients on his Twitter account. The DPA’s investigation revealed that the home had only secured the data with simple passwords. For this reason, the DPA found that the home had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk. | link |
993 | ITALY | Italian Data Protection Authority (Garante) | 2021-11-25 | 6,000 | Società H San Raffaele Resnati s.r.l. | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 6,000 on Società H San Raffaele Resnati s.r.l. The DPA initiated an investigation against the health care provider after it reported a data breach to the DPA. A patient had mistakenly received medical records and clinical documentation from two other patients due to an error of an employee. | link |
994 | BELGIUM | Belgian Data Protection Authority (APD) | 2021-12-16 | 75,000 | Bank | Finance, Insurance and Consulting | Art. 38 (6) GDPR | Insufficient involvement of data protection officer | The Belgian DPA has imposed a fine of EUR 75,000 on a bank. The DPA identified a conflict of interest regarding the data protection officer. In addition to his work as data protection officer, he was also head of a department to which he had to report in his capacity as data protection officer. The DPA considered this to be a violation of Art. 38 (6) GDPR. | link |
995 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2021-12-21 | 1,250,000 | Lisbon City Council | Public Sector and Education | Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 (1) a) GDPR, Art. 13 (1), (2) GDPR, Art. 35 (3) GDPR | Insufficient legal basis for data processing | The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines for various violations committed by the municipality since 2018. The municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of the demonstrations. The data revealed, among other things, the political opinion, religious or philosophical beliefs or sexual orientation of the data subjects. The DPA found that the transfer of the data would not have been necessary for the entities to properly perform their public tasks. Thus, the processing took place without a sufficient legal basis. In addition, the DPA found that the municipality had carried out the processing without informing the data subjects, without establishing a policy for the retention of their personal data, and without conducting a data protection impact assessment. | link |
996 | MALTA | Data Protection Commissioner of Malta | 2022-01-17 | 65,000 | C-Planet (IT Solutions) Limited | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 6 (1) GDPR, Art. 9 (1), (2) GDPR, Art. 14 GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 34 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Malta has imposed a fine of EUR 65,000 on C-Planet (IT Solutions) Limited. The DPA had initiated an investigation against C-Planet in April 2020 after being informed of a data breach. The DPA noted as a result that C-Planet had violated Art. 6 (1) GDPR, Art. 9 (1), (2) GDPR, Art. 14 GDPR and Art. 5 (1) f) GDPR in the context of data processing. The DPA also found that C-Planet failed to implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk and that this led to the data breach. This constitutes a violation of Art. 32 GDPR. | link |
997 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-18 | 56,000 | VODAFONE ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on VODAFONE ESPAÑA, S.A.U. due to insufficient legal basis for data processing. The data subject states that two telephone connections were registered in his/her name. However, the data subject had never signed contracts with the company for any of these connections. In fact, the contracts in question were concluded by fraudsters using the personal data of the data subject. Nevertheless, the personal data were entered into the company’s information systems without verifying whether the contracts had been lawfully and actually concluded by the data subject, or whether he/she had given his/her consent to the collection and subsequent processing of his/her personal data. The original fine of EUR 70,000 was reduced to EUR 56,000 due to immediate payment. | link |
998 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-14 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Use of a CCTV camera that also captured a neighbour’s private property. | link |
999 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-17 | 2,000 | MEETING PUERTO C.B. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on MEETING PUERTO C.B. The data controller had unlawfully published a picture of the complainant with his partner on Facebook and Instagram, accompanied by insulting comments. | link |
1000 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-17 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,500 on a private individual. The person had installed video cameras in the apartment building where he lives, which recorded, among other things, common areas of all residents. The DPA considered this a violation of the principle of data minimization. | link |
1001 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-12-01 | 6,800 | Unknown | Employment | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA from Luxembourg (CNPD) has imposed a fine of EUR 6,800 on a company. The company had installed a video surveillance system to protect the company’s assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee’s work area, the smoking area that employees frequently used and parts of the public space. The DPA states that the controller thus violated the principle of data minimization under Art. 5 (1) c) of the GDPR. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR, by not properly informing its employees and third parties about the video surveillance. | link |
1002 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-18 | 15,000 | GARLEX SOLUTIONS, S.L. | Transportation and Energy | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on GARLEX SOLUTIONS, S.L. The data subject had received a call from the company to renew their electricity supply contract. Subsequently, the data subject received an SMS with a link to an electricity supply contract in which their personal data had already been entered. The data subject could not explain how the company had come into possession of the data, since they had never provided it and had certainly not consented to its processing. | link |
1003 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-11-09 | 1,500 | Unknown | Employment | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA from Luxembourg (CNPD) has imposed a fine of EUR 1,500 on a company. The company had installed a video surveillance system to ensure that its customers would not have to wait when the front desk staff were not present. However, the cameras also constantly captured parts of two employees’ work areas. The DPA states that the controller thus violated the principle of data minimization under Art. 5 (1) c) of the GDPR. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR, as the company had not properly informed its employees and third parties about the video surveillance. | link |
1004 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-14 | 2,400 | PHARMA TALENTS, S.L.U. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine against PHARMA TALENTS, S.L.U. A data subject had filed a complaint against the company after he found a database on one of the company’s websites containing personal data about himself and other hundreds of health sector professionals, including email address and telephone number. Both the website and the database were freely accessible. The DPA found that the company had failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk to data subjects, since not even a username and password were required to access the database. The original fine of EUR 4,000 was reduced to EUR 2,400 due to voluntary payment and admission of guilt. | link |
1005 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-16 | 0 | Enel Energia S.p.A | Transportation and Energy | Art. 5 (1) a), d) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR, Art. 130 (1), (2), (4) Codice della privacy | Insufficient legal basis for data processing | Original fine summary: The Italian DPA has fined Enel Energia S.p.A EUR 26.5 million for numerous breaches of the GDPR. Following a complex preliminary investigation launched after hundreds of reports and complaints from users, the DPA found that the controller illegally processed the personal data of millions of users for telemarketing purposes. The DPA found, among other things, that data subjects received unsolicited promotional calls in the name of and on behalf of Enel Energia, in some cases even recorded calls. Some of the data subjects still received advertising calls, even though they had already requested Enel Energia to delete their personal data several times or had objected to their processing for advertising purposes. In particular, the DPA found that Enel Energia had not provided data subjects with the required and timely feedback on their requests to exercise their rights of access and objection. In addition, the DPA found that the company had not sufficiently cooperated with the DPA during the investigation. For example, Enel Energia failed to respond to various inquiries from the DPA. In assessing the fine, the DPA considered the following factors aggravating: the seriousness of the violations, the duration and repetition of the violations, as well as the large number of persons affected and the negligence of the conduct. Update: The Court of Rome overturned the fine of EUR 26.5 million. | link |
1006 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-01-20 | 3,000 | Kaufland România SCS | Industry and Commerce | Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA (ANSPDCP) has imposed a fine of EUR 3,000 on Kaufland Romania SCS. The DPA initiated an investigation based on a complaint from an individual stating that the controller had not provided them with a complete copy of the video recordings for a certain period of time when they had been in the store premises. The DPA stated that the controller is obliged to disclose the video images of the data subject after they exercise their right of access, and that the controller may disclose the images by taking measures to blur, if necessary, those images that may violate the rights and freedoms of other natural persons. | link |
1007 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-21 | 2,000 | Website operator | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) imposed a fine of EUR 2,000 on a website operator for the lack of a privacy policy on its website, in violation of Art. 13 GDPR. | link |
1008 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-21 | 1,200 | Property Owner Community | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined a property owners’ community EUR 1,200. A property manager had sent a copy of the general meeting minutes to the director of the security company ‘CMM Seguridad’. The said document contains the names and addresses of residents, a list of defaulters and the accounts with all income and expenses of the community. According to the controller, the purpose of sending the minutes in question to the security company was to inform them about the members of the Board of Directors appointed at the respective ordinary general meeting. Therefore, the controller should have limited itself to providing only this information, or to transmitting the minutes document after it had been duly anonymized. For this reason, the DPA notes that the transmission of the full minutes was not necessary. | link |
1009 | IRELAND | Data Protection Authority of Ireland | 2021-12-09 | 110,000 | Limerick City and County Council | Public Sector and Education | Art. 13 GDPR, Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Irish DPA has fined Limerick City and County Council EUR 110,000. As part of an investigation, the DPA conducted an audit of the processing of personal data by the council or on its behalf using video surveillance systems, automatic license plate recognition, body-worn cameras and other technologies that can be used to monitor individuals. In doing so, it found that the Council had violated a number of data protection laws in its use of the technologies. However, the fine was issued due to GDPR violations. The DPA found that the Council violated Art. 13 GDPR in relation to the processing of data by traffic cameras. The Council had failed to provide information on the identity of the data controller, the contact details of the data protection officer, the purposes of the processing and the bodies from which further information required under Art. 13 GDPR may be obtained. In addition, the Council failed to provide this information in an easily accessible manner, such as on signs near the cameras. Further, the DPA concluded that the Council failed to post a video surveillance policy in clear and plain language as well as in an easily accessible area of the Council’s website. The DPA thus found an infringement of Art. 12 GDPR. Lastly, the Council had denied requests for access to personal data processed by surveillance cameras used in traffic management. For this reason, the DPA found that the Council violated Art. 15 GDPR. | link link |
1010 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-02 | 5,000 | Azienda USL di Parma | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) fined Azienda USL di Parma EUR 5,000. A patient filed a complaint with the DPA because she had mistakenly received two reports of diagnostic tests on two other patients in her medical record. | link |
1011 | FINLAND | Deputy Data Protection Ombudsman | 2021-12-16 | 6,500 | Travel agency | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 17 GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Finnish DPA has imposed a fine of EUR 6,500 on a travel agency. A customer of the travel agency informed the DPA that they suspected the company might not process the data of its customers in a data protection compliant manner. During its investigation, the DPA found that the travel agency had not ensured secure processing of personal data. For example, visa application forms filled out by customers were publicly accessible on the travel agency’s web server. In addition, the travel agency had not complied with a customer’s request to delete their data from its systems. | link link |
1012 | FINLAND | Deputy Data Protection Ombudsman | 2021-12-16 | 52,000 | Motor insurance center | Finance, Insurance and Consulting | Art. 5 (1) a), c) GDPR, Art. 25 (2) GDPR | Non-compliance with general data processing principles | The Finnish DPA has fined a motor insurance center EUR 52,000. The controller had excessively requested patient data from within the healthcare system for the purpose of processing claims. However, much of the data was not necessary to process the claims. For example, the DPA found that the motor vehicle insurance center had also collected patient visit notes to determine whether the health care provider had billed for visits that were not related to the examination or treatment of injuries caused by the accident. The DPA notes that the Finnish Motor Insurance Act does not justify direct access to all patient data, but that the information requested must be necessary for the processing of the claim. For this reason, the authority recognized a violation of the principles of legality and transparency as well as data minimization in practice. | link link |
1013 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2022-01-26 | 28,500 | Uppsala regional board | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 28,500 on the Uppsala regional board. The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden. The regional board had transmitted sensitive personal data and personal identity numbers via email. The actual transmission of the emails was encrypted, but the information in the emails was not. The emails in question contained patient data that was automatically sent to the appropriate health administrators in the region, as well as patient data that was manually sent to researchers and physicians in the region. For this reason, the DPA found that the regional board had not taken adequate technical and organizational measures to protect the data, for example from unauthorized access. | link link |
1014 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2022-01-26 | 152,000 | Uppsala hospital board | Health Care | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 152,000 on the Uppsala hospital board. The fine is the result of an investigation of the Uppsala Region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that was transferred unencrypted to recipients inside and outside Sweden. Accordingly, Uppsala University Hospital had sent emails containing patient data to patients and senders in third countries without encryption. In addition, the hospital administration had stored sensitive personal data in the Outlook email hosting service. For this reason, the DPA found that the hospital board had not taken sufficient technical and organizational measures to protect the data from unauthorized access. | link link |
1015 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-16 | 10,000 | Centro di Medicina preventiva s.r.l. | Health Care | Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 37 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has fined Centro di Medicina preventiva s.r.l. EUR 10,000. The controller reported a data breach under Art. 33 GDPR in connection with a cyberattack by a hacker group. During the cyberattack, the hacker managed to gain access to a list of patient data. The hacker then published this list, which contained personal data, including sensitive data, of patients and radio-diagnostic tests, on Twitter. The DPA found that the controller had not implemented appropriate technical and organizational measures to ensure the security of the personal data. For example, the medical center’s server disclosed the requested personal data during a query without verifying the identity and credentials of the requester, allowing unauthenticated connections from outside the medical center. | link |
1016 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-16 | 20,000 | Corradi s.r.l. | Employment | Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 157 Codice della privacy | Non-compliance with general data processing principles | The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. | link |
1017 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2021-12-03 | 843 | Lawyer | Finance, Insurance and Consulting | Art. 5 (1) a), b) GDPR, Art. 6 (1) GDPR, Art. 9 (1) GDPR | Insufficient legal basis for data processing | The Hungarian DPA imposed a fine of EUR 843 on a lawyer for having disclosed, without authorization, documents containing personal data of his client in the course of criminal proceedings. | link |
1018 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-02-01 | 1,000 | SC Grupex 2000 SRL | Health Care | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Romanian DPA (ANSPDCP) has fined SC Grupex 2000 SRL EUR 1,000. The controller unlawfully uploaded videos of patients on its website. | link |
1019 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-31 | 1,500 | Property Owner Community | Real Estate | Art. 6 GDPR | Insufficient legal basis for data processing | Use of CCTV cameras in building complex without obtaining the consent of all the property owners. | link |
1020 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-31 | 5,000 | Cyrana España General S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined Cyrana España General S.L. EUR 5,000. The controller had sent an invoice to the data subject although no contractual relationship existed. | link |
1021 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-01-31 | 5,000 | INCOPROSOL, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined INCOPROSOL, S.L. EUR 5,000. The controller had recorded a telephone conversation with a customer without obtaining the customer’s consent. | link |
1022 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-01-27 | 1,200 | Researcher | Individuals and Private Associations | Art. 5 (1) a), c), f) GDPR, Art. 6 (1) GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 14 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Belgian DPA has fined a researcher EUR 1,200. The fine was issued in connection with another fine against the NGO EU DisinfoLab. The researcher was employed at the NGO. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the ‘Benalla affair.’ For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw data obtained from this was then published without taking minimal security precautions, such as pseudonymizing the data. The DPA noted that publication of the data could potentially expose data subjects to the risk of discrimination or discredit because of the non-anonymized political profiling. In addition, the files also contained information about the religious beliefs, ethnic origin, or sexual orientation of the individuals whose accounts were analyzed. For this reason, the DPA concluded that several obligations of the GDPR, such as lawfulness of processing, transparency to data subjects, and data security, were violated. | link link |
1023 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-01-27 | 2,800 | EU DisinfoLab | Individuals and Private Associations | Art. 5 (1) a), c), f) GDPR, Art. 6 (1) GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 14 GDPR, Art. 30 GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Belgian DPA has fined the NGO EU DisinfoLab EUR 2,700. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the ‘Benalla affair.’ For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw data obtained from this was then published without taking minimal security precautions, such as pseudonymizing the data. The DPA noted that publication of the data could potentially expose data subjects to the risk of discrimination or discredit because of the non-anonymized political profiling. In addition, the files also contained information about the religious beliefs, ethnic origin, or sexual orientation of the individuals whose accounts were analyzed. For this reason, the DPA concluded that several obligations of the GDPR, such as lawfulness of processing, transparency to data subjects, and data security, were violated. | link link |
1024 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-01-27 | 6,000,000 | Cosmote Mobile Telecommunications S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 25 (1) GDPR, Art. 26 GDPR, Art. 28 GDPR, Art. 35 (7) GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 6 million on Cosmote Mobile Telecommunications S.A. Cosmote had reported a data breach to the DPA pursuant to Art. 33 GDPR. A hacker had penetrated the controller’s systems and obtained and subsequently leaked data from Cosmote customers. The stolen data included sensitive information from Cosmote subscribers, such as age, gender and contract information. Nearly 10 million people were affected by the incident. For this reason, the DPA found that Cosmote had failed to implement adequate technical and organizational measures to ensure the proper execution of the data anonymization process. In addition, Cosmote did not conduct a sufficient data protection impact assessment and did not properly inform data subjects about the processing of their data. Finally, the DPA found that Cosmote did not clearly regulate the allocation of roles in data processing with its subsidiary, OTE Group. In calculating the fine, the DPA took into account as aggravating factors the very long duration of the breaches (6 years), the large number of data subjects, as well as the fact that no pseudonymization measures for the data were implemented over a long period of time. | link |
1025 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-01-27 | 3,200,000 | OTE Group | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 3.2 million on Cosmote subsidiary OTE Group. Among other things, OTE Group had contributed to Cosmote’s security infrastructure. Cosmote had reported a data breach to the DPA under Article 33 of the GDPR. A hacker had been able to penetrate Cosmote’s systems due to a lack of security measures and obtained and subsequently leaked data from customers. The stolen data included sensitive information from Cosmote subscribers, such as age, gender and contract information. Nearly 10 million people were affected by the incident. For this reason, the DPA found that OTE Group had failed to implement adequate technical and organizational measures to ensure a level of security commensurate with the risk to data subjects. | link |
1026 | ITALY | Italian Data Protection Authority (Garante) | 2021-11-25 | 400,000 | B&T S.p.A. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 400,000 on B&T S.p.A. Two data subjects had complained to the DPA about unsolicited SMS advertising. In addition, they stated that it was not possible for them to make use of their right to information and right to object. During the course of the investigation, Garante discovered that B&T had contracted a marketing company to send promotional SMS messages to potential customers. The marketing company had then engaged other providers, which in turn had acquired their databases from third parties. As it turned out, the other providers had obtained the data of the contacted persons from unchecked and illegal lists of foreign companies, some of whose information came from registrations on information portals or online sweepstakes. In this context, the DPA pointed out that companies commissioning advertising campaigns must always make sure that the companies commissioned to do so are working correctly and that consumer data is being used lawfully. | link link |
1027 | ITALY | Italian Data Protection Authority (Garante) | 2021-11-25 | 200,000 | Aimon Srl | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR, Art. 12 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 200,000 on Aimon Srl. Two data subjects had complained about unsolicited SMS advertising from B&T S.p.A. to the DPA. In the course of the investigation, Garante discovered that B&T had contracted Aimon to send promotional SMS messages to potential customers. Aimon then contracted other providers, which in turn had purchased their databases from third parties. As it turned out, the other providers had obtained the data of the contacted individuals from unverified and illegal lists of foreign companies, some of whose information came from registrations on information portals or online gambling. The DPA found that Aimon had thus processed the data unlawfully. | link link |
1028 | GERMANY | Data Protection Authority of Saarland | 2020 | Unknown | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Several cases in which police officers have accessed data in a police database for private research purposes. | link |
1029 | GERMANY | Data Protection Authority of Saarland | 2020 | 10,000 | Restaurant | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Excessive use of video surveillance in violation of the principle of data minimization. | link |
1030 | GERMANY | Data Protection Authority of Hessen | 2020 | 300 | Employee at a Covid 19 testing center | Individuals and Private Associations | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | An employee at a Covid 19 testing center used the data of a tested person to contact them via WhatsApp for private purposes. | link |
1031 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019-11 | 5,000 | Restaurant | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Excessive use of video surveillance in violation of the principle of data minimization. | link |
1032 | GERMANY | Data Protection Authority of Brandenburg | 2020 | Fine in four-digit amount | Operator of a ballet school | Individuals and Private Associations | Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 7 (1) GDPR | Insufficient legal basis for data processing | The operator of a ballet school had published photos of underage students on their website and Facebook page without the consent of the legal guardians. | link |
1033 | GERMANY | Data Protection Authority of Brandenburg | 2020 | Fine in three-digit amount | Medical assistant | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | A medical assistant at a doctor’s office stored a patient’s telephone number in her mobile phone and then contacted him for private purposes. | link |
1034 | GERMANY | Data Protection Authority of Hessen | 2020 | Fine in five-digit amount | Corporation | Industry and Commerce | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to respond to the data subject’s request for access to their data in a timely manner. | link |
1035 | GERMANY | Data Protection Authority of Hamburg | 2020 | 10,000 | Clearview AI Inc. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The DPA from Hamburg has fined Clearview AI Inc. EUR 10,000 for failing to provide information requested by the DPA during an investigation. | link |
1036 | GERMANY | Data Protection Authority of Hamburg | 2020 | 300 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer has accessed data in a police database for private research purposes. | link |
1037 | GERMANY | Data Protection Authority of Hamburg | 2020 | 400 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer has accessed data in a police database for private research purposes. | link |
1038 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 400 and EUR 600 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer has accessed data in a police database for private research purposes. | link |
1039 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 400 and EUR 600 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer has accessed data in a police database for private research purposes. | link |
1040 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 400 and EUR 600 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer has accessed data in a police database for private research purposes. | link |
1041 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 300 and EUR 400 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group. | link |
1042 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 300 and EUR 400 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group. | link |
1043 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 300 and EUR 400 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group. | link |
1044 | GERMANY | Data Protection Authority of Hamburg | 2020 | 3,000 | Restaurant | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Excessive use of video surveillance in violation of the principle of data minimization. | link |
1045 | GERMANY | Data Protection Authority of Hamburg | 2020 | Unknown | Company | Industry and Commerce | Art. 6 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA from Hamburg has issued a fine against a company that operates an online marketplace, especially for worn underwear. The company advertises that it guarantees one hundred percent anonymity. On the platform, users can upload photos of underwear. In most cases, smartphones or other mobile devices were used to take the photos. The camera apps of smartphones or the GPS modules of cameras often store additional information in the image file alongside the actual image as a standard setting. Based on this data, a fairly precise localization is possible. A review by the DPA revealed that the company had not removed the residual information or metadata in the uploaded photos. Consequently, the data could be entered into any map service and the exact location where the photo was taken could be determined. The number of data subjects involved was approximately 760 women between the ages of 18 and 50. For this reason, the DPA found that the company had failed to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subjects. In addition, the DPA concluded that the company had unlawfully processed the associated data by publishing the photos without cleaning them. | link |
1046 | GERMANY | Data Protection Authority of Hamburg | 2020 | 13,000 | Company | Industry and Commerce | Art. 26 (2) GDPR | Insufficient data processing agreement | The DPA from Hamburg has imposed a fine of EUR 13,000 on a company. An individual had booked and attended a course with a company, but had not paid the course fees incurred. Some time later, he registered for a course at another company of the same parent company and was rejected there. As a reason, he was told that he still had arrears with the company whose courses he had already attended. Following a complaint filed by the individual against the company, the DPA launched an investigation. It found that those companies shared a common database. It pointed out that the maintenance of a common customer database by several legally independent companies leads to joint responsibility according to Art. 26 GDPR. According to Art. 26 (2) GDPR, this requires an agreement that reflects the respective actual functions and relationships of the jointly responsible parties towards data subjects. However, no such agreement existed. | link |
1047 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-02 | 2,000 | ASESORES DE SEGURIDAD PRIVADA, S.L. | Finance, Insurance and Consulting | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 2,000 on ASESORES DE SEGURIDAD PRIVADA, S.L. The DPA criticized that the controller did not sufficiently inform the data subject about data processing, as required by Art. 13 GDPR. | link |
1048 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 50 and EUR 100 | Restaurant | Accomodation and Hospitalty | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. Because the list was openly displayed, unauthorized third parties (any later visitor) could read the data of everyone who had signed before them. | link |
1049 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 50 and EUR 100 | Restaurant | Accomodation and Hospitalty | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. Because the list was openly displayed, unauthorized third parties (any later visitor) could read the data of everyone who had signed before them. | link |
1050 | GERMANY | Data Protection Authority of Hamburg | 2020 | Fine amount between EUR 50 and EUR 100 | Restaurant | Accomodation and Hospitalty | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. Because the list was openly displayed, unauthorized third parties (any later visitor) could read the data of everyone who had signed before them. | link |
1051 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-02-02 | 0 | IAB Europe | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 9 (1), (2) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 24 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR, Art. 32 (1), (2) GDPR, Art. 37 GDPR | Insufficient legal basis for data processing | The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. The complaints mainly questioned whether the ‘Transparency & Consent Framework (TCF)’ complies with the GDPR. The TCF was developed by IAB to promote GDPR compliance among organizations using the OpenRTB protocol. OpenRTB is a protocol for ‘real-time bidding’, the automated online auction of user profiles for the sale and purchase of advertising space on the Internet. When a user visits a website containing an ad slot, technology companies bid in real time, through an automated auction system, for that slot in order to display personalized advertising. On the first visit to a website, a consent management interface provided under the TCF lets the user consent to, or object to, various types of processing and the sharing of their personal data. The TCF records the user’s choices by generating a TC string, which is sent to all partners participating in the OpenRTB system. On the basis of this TC string, user profiles are compiled and passed on to advertisers, who can then see which kinds of processing the user has agreed to. In its investigation, the DPA identified a number of GDPR violations. It found that the TC strings themselves already constitute personal data, so that IAB needed a legal basis for processing them; IAB was unable to demonstrate any such legal basis. In addition, IAB did not properly inform users about how the TCF works: the information provided was too generic and vague for users to understand the scope of the processing. Furthermore, IAB had not maintained a register of its processing activities, had not appointed a data protection officer and had not conducted a data protection impact assessment. Addendum: The Belgian Market Court annulled the fine of EUR 250,000 but upheld the violations found and the other sanctions imposed. | link |
1052 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-04 | 900 | Private person | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Unlawful usage of video surveillance cameras which also monitored parts of the public space (violation of principle of data minimization). | link |
1053 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-04 | 300,000 | SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 17 GDPR, Art. 28 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) fined SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS EUR 300,000. The data subject had received marketing emails from the controller despite being registered on the Robinson advertising exclusion list. The emails continued even after the data subject had asked for their data to be deleted. | link |
1054 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-17 | 10,000 | ASL Latina | Health Care | Art. 5 (1) f) GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) fined ASL Latina EUR 10,000. The controller had mistakenly sent documents containing health data of the data subject to an uninvolved third party. | link |
1055 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-01 | 3,940,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined Vodafone España, S.A.U. EUR 3.94 million. Nine Vodafone customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had impersonated the data subjects when contacting Vodafone and had requested duplicate SIM cards (a SIM-swap attack). With the duplicates they were able to conclude contracts at the data subjects’ expense and carry out various bank transfers. According to the DPA, Vodafone lacked sufficient security measures: it had neither properly verified the identity of the requesters before issuing the SIM cards nor ensured that they were really the SIM card holders. | link |
1056 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-01 | 70,000 | ORANGE ESPAÑA VIRTUAL, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined ORANGE ESPAÑA VIRTUAL, S.L. EUR 70,000. Two Orange España Virtual customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had impersonated the data subjects when contacting Orange España Virtual and had requested duplicate SIM cards. With the duplicates they were able to conclude contracts at the data subjects’ expense and carry out various bank transfers. According to the DPA, Orange España Virtual had neither properly verified the identity of the requesters before issuing the SIM cards nor ensured that they were really the SIM card holders. | link |
1057 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-01 | 700,000 | Orange Espagne S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined Orange Espagne S.A.U. EUR 700,000. Two Orange Espagne customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had impersonated the data subjects when contacting Orange Espagne and had requested duplicate SIM cards. With the duplicates they were able to conclude contracts at the data subjects’ expense and carry out various bank transfers. According to the DPA, Orange Espagne had neither properly verified the identity of the requesters before issuing the SIM cards nor ensured that they were really the SIM card holders. | link |
1058 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-01 | 200,000 | XFERA MÓVILES, S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined XFERA MÓVILES, S.A. EUR 200,000. Two Xfera customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had impersonated the data subjects when contacting Xfera and had requested duplicate SIM cards. With the duplicates they were able to conclude contracts at the data subjects’ expense and carry out various bank transfers. According to the DPA, Xfera had neither properly verified the identity of the requesters before issuing the SIM cards nor ensured that they were really the SIM card holders. | link |
1059 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-01 | 900,000 | TELEFÓNICA MÓVILES ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined TELEFÓNICA MÓVILES ESPAÑA, S.A.U. EUR 900,000. Four Telefónica customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had impersonated the data subjects when contacting Telefónica and had requested duplicate SIM cards. With the duplicates they were able to conclude contracts at the data subjects’ expense and carry out various bank transfers. According to the DPA, Telefónica had neither properly verified the identity of the requesters before issuing the SIM cards nor ensured that they were really the SIM card holders. | link |
1060 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-07 | 1,000 | Cafe operator | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The cafe used CCTV cameras which also captured the public space outside resulting in a violation of the so called principle of data minimisation. | link |
1061 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-04 | 2,000 | Private individual | Individuals and Private Associations | Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The individual had published audiovisual material of a court trial on Twitter without obtaining the consent of the witnesses and parties to the trial who could be seen in it. | link |
1062 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-07 | 10,000 | PINTODIS, S.L. | Employment | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined PINTODIS, S.L. EUR 10,000. The controller had installed several video cameras which also covered the food areas and changing rooms of their employees. The Spanish DPA stated that the controller violated the principle of data minimization, as such extensive surveillance was not necessary. | link |
1063 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-16 | 100,000 | Ubi Banca spa | Finance, Insurance and Consulting | Art. 5 (1) a), c) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 100,000 on Ubi Banca spa (now Intesa Sanpaolo spa). A data subject had filed a complaint with the DPA for receiving a letter from the controller, with the envelope stating ‘anomalous credit Chieti’. However, the letter did not contain payment reminders but only information about the transparency of banking and financial services. For this reason, the DPA found that the controller had violated the principles of lawfulness and transparency as well as the principle of data minimization. After all, the term on the envelope could enable third parties to obtain information about the recipient’s financial situation, regardless of the contents in the envelope. | link |
1064 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-16 | 20,000 | FCA Italy s.p.a. | Industry and Commerce | Art. 12 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has fined FCA Italy s.p.a. EUR 20,000. A former customer of the controller had asked the controller to provide him with the transcripts of telephone conversations between him and the customer service he had previously contacted regarding a malfunction of the instruments of one of his vehicles, as well as the documents relating to this case. However, the controller did not comply with this request. | link |
1065 | ITALY | Italian Data Protection Authority (Garante) | 2022-01-13 | 7,500 | Azienda Sanitaria Locale Frosinone | Health Care | Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined Azienda Sanitaria Locale Frosinone EUR 7,500. In the course of its investigation against the medical facility, the Garante found that their privacy policy showed significant deficiencies. For example, the facility had indicated several purposes for processing the data, but the relevant legal bases for doing so were not always indicated. Those legal bases that were stated were often incorrect or contradictory. In addition, the facility did not provide sufficient information on the storage periods of the collected data. | link |
1066 | ITALY | Italian Data Protection Authority (Garante) | 2021-12-16 | 1,000 | Università Telematica Internazionale Uninettuno | Public Sector and Education | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 1,000 on Università Telematica Internazionale Uninettuno. A professor had filed a complaint with the DPA against the educational institution. The professor had applied for a position at the university and submitted his CV for this purpose. The university then published it without blacking out certain personal data that concerned his personal sphere. The DPA considered this to be a violation of the principle of data minimization. | link |
1067 | ITALY | Italian Data Protection Authority (Garante) | 2022-01-13 | 4,000 | Medicina & Lavoro s.r.l. | Health Care | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to respond to the data subject’s request for access to their data in a timely manner. | link |
1068 | ITALY | Italian Data Protection Authority (Garante) | 2022-01-13 | 14,000 | Azienda sanitaria unica regionale Marche | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 14,000 on Azienda sanitaria unica regionale Marche. The DPA launched an investigation against the regional health authority following media reports of deficiencies in the system used to collect and manage Covid-19 screening data. The health authority used an app that generated QR codes for people tested for Covid-19. The code was generated from a sequential (progressive) counter rather than at random, so each person was simply assigned the next number. Because the codes were predictable, anyone holding one could change a single digit to obtain another person’s code and thereby access that person’s profile and personal data (an insecure direct object reference). The DPA found that the health authority had failed to implement technical and organizational measures ensuring a level of security appropriate to the risk for the data subjects. | link |
1069 | POLAND | Polish National Personal Data Protection Office (UODO) | 2021-12-01 | 4,000 | Pactum Poland Sp. z o.o. | Industry and Commerce | Art. 31 GDPR, Art. 58 (1) e) GDPR | Insufficient cooperation with supervisory authority | Fine for not answering requests for further information of the supervisory authority in due time following a data breach. | link |
1070 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2022-02-01 | 5,000 | Etterforsker1 Gruppen AS | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) fined Etterforsker1 Gruppen AS EUR 5,000. The controller had carried out a credit check on an individual, although there was no legal basis for doing so. | link |
1071 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-14 | 1,600 | RECLAMADOR, S.L. | Finance, Insurance and Consulting | Art. 17 GDPR, Art. 21 LSSI | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine on RECLAMADOR, S.L. A data subject had filed a complaint with the AEPD against the controller because the controller continued to send him SMS advertisements even though he had requested the deletion of his data and the controller had confirmed the deletion. The fine is composed of EUR 1,000 for a breach of Art. 17 GDPR and EUR 1,000 for a breach of Art. 21 LSSI. The original fine of EUR 2,000 was reduced to EUR 1,600 due to immediate and voluntary payment. | link |
1072 | ITALY | Italian Data Protection Authority (Garante) | 2022-01-13 | 1,000 | Villa Masi Residenza per anziani | Health Care | Art. 13 GDPR | Insufficient fulfilment of information obligations | Inexistence of signalization regarding the use of CCTV systems in a nursing care facility. | link |
1073 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-11 | 2,000,000 | Amazon Road Transport Spain S.L. | Transportation and Energy | Art. 6 (1) GDPR, Art. 10 GDPR, Art. 10 LOPDGDD | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined Amazon Road Transport Spain S.L. EUR 2,000,000. The AEPD had received a complaint from a trade union against the company. Amazon Road required certificates confirming the absence of criminal records when hiring drivers. Amazon Road believed that these certifications were not subject to Art. 10 GDPR. However, contrary to Amazon Road’s interpretation, the AEPD determined that these data do fall under Art. 10 GDPR. During its investigation, the AEPD concluded that the processing of these data consequently did not comply with the requirements of Art. 10 GDPR. For this reason, the DPA came to the conclusion that Amazon Road had processed the data on the absence of criminal records without a valid legal basis. | link |
1074 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-16 | 6,000 | Private individual | Individuals and Private Associations | Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on a private individual. The data subject had filed a complaint against the data controller for publishing images of herself in a bikini on a website without prior authorization. The data subject had originally uploaded the images of herself in a bikini to the second-hand platform Vinted, where she offered the bikini for sale. | link |
1075 | ITALY | Italian Data Protection Authority (Garante) | 2022-01-13 | 1,000 | A.S.L. Napoli 1 Centro | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 1,000 on A.S.L. Napoli 1 Centro. An employee of the health authority had filed a complaint with the DPA against the authority. The health authority had published a press release on its website containing personal data of the data subject and information about a disciplinary procedure. The health authority believed the publication was lawful because the data subject had already given this information to the press, which in turn had published a report on the matter. However, the DPA concluded that the authority still needed a valid legal basis for the publication, regardless of whether the information had already been published by other media. | link |
1076 | ITALY | Italian Data Protection Authority (Garante) | 2022-01-27 | 2,000 | Private club ‘Ruian’ | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 2,000 on the private club ‘Ruian’. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this a violation of the principle of data minimization. In addition, the controller had not properly informed about the processing of data by the video surveillance and had thus violated its duty to inform. | link |
1077 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-02-15 | 30,000 | ΛΙΜΕΝΟΣ ΗΡΑΚΛΕΙΟΥ Α.Ε. | Individuals and Private Associations | Art. 12 (1), (2) GDPR, Art. 15 (1) GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 30,000 on the ΛΙΜΕΝΟΣ ΗΡΑΚΛΕΙΟΥ Α.Ε. organization. A data subject who had suffered a car accident on the organization’s premises filed a complaint against the organization with the DPA. The organization operated a video surveillance system which, among other things, also recorded the car accident. In connection with the accident, the data subject requested the organization to grant them access to the recordings. However, the organization did not comply with this request. | link |
1078 | ITALY | Italian Data Protection Authority (Garante) | 2022-01-27 | 40,000 | T.S.M. s.r.l. | Industry and Commerce | Art. 13 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 157 Codice della privacy, Art. 166 (2) Codice della privacy | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 40,000 on T.S.M. s.r.l. A data subject had filed a complaint with the DPA against the company for failing to comply with their requests to delete their data and to object to future processing of their personal data. | link |
1079 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-18 | 2,500 | Private person | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 2,500 on a private individual. The controller had installed video surveillance cameras at his house which, among other things, also covered the public space and neighbor properties. The DPA considered this to be a violation of the principle of data minimization. In addition, the information signs regarding the video surveillance were blurred and thus not well readable. The DPA considered this to be a breach of the duty to inform pursuant to Art. 13 GDPR. | link |
1080 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-21 | 1,500 | RESTATURANTE FUENTEBRO, S.C. | Accomodation and Hospitalty | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined RESTATURANTE FUENTEBRO, S.C. EUR 1,500 for failing to provide information signs about CCTV surveillance in the establishment. | link |
1081 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-21 | 1,000 | Store owner | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a store owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment. | link |
1082 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-02-22 | 1,000 | Civil law firm ‘Sabou, Burz & Cuc’ | Finance, Insurance and Consulting | Art. 5 (1) a), b), c), f) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has fined the civil law firm ‘Sabou, Burz & Cuc’ EUR 1,000. The DPA launched an investigation after a client complained that the controller had published their personal data in a WhatsApp group used by several lawyers of a bar association without their prior consent. The DPA found that the controller had processed the data without a valid legal basis, as they had published the data for a purpose other than that originally agreed with the data subject. | link |
1083 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-02-22 | 3,000 | IAMSAT Muntenia SA | Employment | Art. 12 GDPR, Art. 13 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 3,000 on IAMSAT Muntenia SA. The DPA launched an investigation following a complaint from a former employee who claimed that the controller continued to process their personal data even after the termination of their employment contract in 2020. The data subject had previously stated that they did not agree to the continued use of their email address and that they objected to the processing of their personal data by the controller and/or third parties after the termination of their employment contract. In the course of its investigation, the DPA also found that the controller had not informed its employees, including the data subject, in advance and comprehensively about the processing of their personal data by a video surveillance system at the workplace. | link |
1084 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-22 | 1,000 | MALAGATROM, S.L.U. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on MALAGATROM, S.L.U. for failing to comply with an order issued by the DPA. | link |
1085 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-01-19 | 117,000 | Santander Bank Polska S. A. | Finance, Insurance and Consulting | Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined Santander Bank Polska S.A. EUR 117,000 for failing to notify data subjects of a data breach. A former employee of the bank had gained unauthorized access to a database for electronic services, which among other things exposed the data of numerous Santander customers. Given the high risk to the data subjects, the bank was obliged to inform them of the breach. However, the bank deliberately refrained from doing so and continued to state that it would not comply with this obligation in the future. The DPA noted that this seriously harmed the data subjects, as they had no opportunity to take appropriate steps to protect their rights. | link |
1086 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-22 | 3,000 | Hotel operator | Accomodation and Hospitalty | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a hotel operator. The controller had installed video surveillance cameras which, among other things, also covered the public space and parts of the hotels pool area. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller did not comply with its duty to properly inform about the CCTV. | link |
1087 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-23 | 1,200 | FRUTAS Y VERDURAS LOS CAMPEONES, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 1,200 on FRUTAS Y VERDURAS LOS CAMPEONES, S.L. The controller had installed a video surveillance system without placing signs informing about the use of video surveillance. | link |
1088 | FINLAND | Deputy Data Protection Ombudsman | 2021-12-26 | 5,000 | Medical clinic | Health Care | Art. 5 (1) a) GDPR, Art. 12 (1), (2), (3), (4) GDPR, Art. 13 (1), (2) GDPR, Art. 15 (1), (3) GDPR, Art. 25 GDPR | Insufficient fulfilment of information obligations | The Finnish DPA has fined a medical clinic EUR 5,000. A customer of the clinic had complained to the DPA that he had not received access to his medical records from the clinic following an access request. In addition, the clinic had failed to adequately inform its clients about the processing of their personal data. Specifically, the DPA pointed out that the clinic did not inform its clients to what extent it acted as data controller for the patient data generated by its activities. | link |
1089 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2022-01-14 | 525,000 | DPG Media Magazines B.V. | Media, Telecoms and Broadcasting | Art. 12 (2) GDPR | Insufficient fulfilment of data subjects rights | The Dutch DPA has imposed a fine of EUR 525,000 on DPG Media Magazines B.V. The DPA had received several complaints about the way the controller handled requests from customers. Customers who wanted to know what personal data the controller held about them, or who wanted their data deleted, first had to upload or mail in a copy of their proof of identity. The DPA determined that a copy of the identity document was not necessary for handling the request, and that the mailing process presented an excessive hurdle for data subjects exercising their rights. | link |
1090 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-02-23 | 1,500 | WORLDWIDE CLASSIC CARS NETWORK S.L. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on WORLDWIDE CLASSIC CARS NETWORK S.L.. The controller had installed video surveillance cameras which, among other things, also covered parts of the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller did not comply with its duty to properly inform about the CCTV. | link |
1091 | GERMANY | Data Protection Authority of Sachsen-Anhalt | 2020-10-24 | 200 | Private Individual | Individuals and Private Associations | Art. 5 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | Original summary: The DPA of Saxony-Anhalt imposed a fine of EUR 200 on a private individual. The controller had taken photos of vehicles and, in some cases, their drivers and emailed them unencrypted to the city of Magdeburg as part of reports of violations of the Road Traffic Regulations. | link |
1092 | CROATIA | Croatian Data Protection Authority (azop) | 2022-03-08 | 124,245 | Energy company (name not available at the moment) | Transportation and Energy | Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The fined energy company owns petrol stations and sells fuel to customers. The data subject is a customer who filed a consumer complaint about inaccurate measuring, and consequently overcharging, of fuel dispensed at one of the petrol stations. The data subject requested a copy of their personal data, i.e. a copy of the video surveillance footage for a specific time and area. The energy company justified rejecting the request by (i) the lack of a written request from the competent authorities to deliver the footage, (ii) the lack of a justified purpose for the request, and (iii) the claim that providing a copy of the footage would adversely affect the rights and freedoms of the station’s personnel and other customers. After the DPA had issued a general opinion to the customer on controllers’ obligation to provide surveillance footage to the data subjects filmed on it, the energy company informed the customer that it was unable to provide the footage because the video surveillance archives are erased after seven days. Due to the violation of the data subject’s fundamental rights, the DPA imposed a fine of HRK 940,000.00. In explaining the amount, the DPA noted that it had taken into account not only the indirect damage to the customer, but also the potential financial gain of the company, which had indirectly avoided damages that could have arisen in a consumer dispute, and the fact that by deleting the footage the company had eliminated potentially important evidence. | link |
1093 | CROATIA | Croatian Data Protection Authority (azop) | 2022-03-08 | 89,250 | Retail company (name not available at the moment) | Industry and Commerce | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | A retail company, the data controller, reported a personal data breach to the DPA: its employees had recorded video surveillance footage with a mobile phone, without authorisation and contrary to the company’s internal rules and instructions. The recording was leaked to social media and subsequently picked up by other media outlets. The DPA determined that the controller had not taken adequate action to prevent its employees from creating the footage. Although the company had taken certain measures, such as adopting internal rules on access to video surveillance footage, training employees and implementing confidentiality statements, the DPA found that the company had not ensured, either before or after the disclosure of the unauthorised footage, appropriate organisational and technical security measures to minimise the risk of this or similar data breaches. In addition, the controller did not regularly test or evaluate the effectiveness of the technical and organisational measures implemented to maintain the confidentiality, integrity and availability of personal data. The DPA therefore imposed a fine of HRK 675,000.00 for the failure to take appropriate technical measures and stated that the fine should also have a general preventive effect and raise awareness among controllers and processors of their obligations concerning data processing. | link |
1094 | IRELAND | Data Protection Authority of Ireland | 2022-03-15 | 17,000,000 | Meta Platforms Ireland Limited | Media, Telecoms and Broadcasting | Art. 5 (2) GDPR, Art. 24 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA (DPC) has imposed a fine of EUR 17 million on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). The decision is based on twelve notifications of data breaches that occurred between June 7, 2018 and December 4, 2018. The outcome of the DPC’s investigation revealed that Meta had violated Article 5 (2) GDPR and Article 24 (1) GDPR. In the course of its investigation, the DPC found that Meta failed to demonstrate that it had taken appropriate technical and organizational measures to protect the data of EU users. The fine proceedings involved cross-border data processing, which is why the decision was subject to the co-decision procedure under Art. 60 GDPR involving all other European supervisory authorities as co-decision-makers. Although two European DPAs objected to the DPC’s draft decision, a consensus was ultimately reached. Accordingly, the DPC’s decision reflects the collective views of the DPC and the other European DPAs. | link |
1095 | ITALY | Italian Data Protection Authority (Garante) | 2022-02-10 | 10,000 | Costampress S.p.A. | Employment | Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The company had left the e-mail account of the data subject active even after the termination of his employment and did not provide sufficient information about this. | link |
1096 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-03-10 | 2,000 | Operatorul Briza Land S.R.L. | Industry and Commerce | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA (ANSPDCP) has fined Operatorul Briza Land S.R.L. EUR 2,000. The controller failed to properly respond to a request for information. | link |
1097 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2022-03-08 | 7,000 | Hörpu tónlistar- og ráðstefnuhúss ohf. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Icelandic DPA has fined Hörpu tónlistar- og ráðstefnuhúss ohf. EUR 7,000. The DPA had received a complaint regarding the concert hall’s collection of ID number and date of birth information as part of an electronic ticket purchase. The incident occurred prior to the start of the Covid-19 pandemic, when the registration of personal data for contact tracing in the context of event visits was not yet required. | link |
1098 | ITALY | Italian Data Protection Authority (Garante) | 2022-02-10 | 20,000,000 | Clearview AI Inc. | Industry and Commerce | Art. 5 (1) a), b), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 27 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined U.S.-based Clearview AI EUR 20 million after it was revealed that the company had been applying biometric surveillance techniques on Italian territory. The company owns a database of over 10 billion facial images from around the world. The company offers a search service that allows profiles to be created based on the biometric data extracted from the images. The profiles can be enriched with information associated with these images, such as image tags and geolocation. The DPA launched an investigation into the company after it became known that Clearview – contrary to initial claims – also enabled searches of Italian nationals and residents. The DPA found that the personal data contained in the company’s database had been processed unlawfully and without a valid legal basis. For example, the company had violated the principle of transparency by failing to adequately inform users about the processing of their data. Clearview had also violated the principle of purpose limitation by processing users’ data for purposes other than those for which they had been made available online. Finally, it violated the principle of storage limitation by not specifying a time period for data storage. | link link |
1099 | ITALY | Italian Data Protection Authority (Garante) | 2022-02-10 | 3,500 | Azienda socio sanitaria territoriale Melegnano e della Martesana | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 3,500 on Azienda socio sanitaria territoriale Melegnano e della Martesana. The DPA initiated an investigation against the controller after it reported a data breach to the DPA. A patient had mistakenly received medical records and clinical documentation from another patient in his digital medical record. | link |
1100 | ITALY | Italian Data Protection Authority (Garante) | 2022-02-10 | 10,000 | Region of Tuscany | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 10,000 on the Region of Tuscany. The region had notified the DPA of a data breach pursuant to Art. 33 GDPR. The region stated that it had inadvertently published personal data of 3,548 applicants for administrative assistant positions. The data concerned information that the applicants had shared as part of a pre-selection test for the application. The region had mistakenly published a URL through which personal data and the results of the test could be viewed. | link |
1101 | ITALY | Italian Data Protection Authority (Garante) | 2022-02-10 | 10,000 | Scanshare S.r.l. | Public Sector and Education | Art. 28 (2) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 10,000 on Scanshare S.r.l. That fine is related to a fine imposed on the Region of Tuscany. The region stated that it had inadvertently published personal data of 3,548 applicants for administrative assistant positions. The data concerned information that applicants had provided as part of a pre-selection test for application. Scanshare had been entrusted with organizing the pre-selection test. Due to an error on the part of Scanshare, a URL was erroneously published through which the personal data and the results of the test could be viewed. | link |
1102 | ITALY | Italian Data Protection Authority (Garante) | 2022-02-10 | 2,000 | Comune di Guidizzolo | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The municipality published information about a court case on its website, including personal data such as the name and professional information of a data subject. | link |
1103 | GERMANY | Data Protection Authority of Bremen | 2022-03-03 | 1,900,000 | BREBAU GmbH | Real Estate | Art. 5 (1) GDPR, Art. 6 (1) GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The DPA of Bremen has imposed a fine of EUR 1.9 million on the housing association BREBAU GmbH. BREBAU GmbH had processed upwards of 9,500 datasets about potential tenants without a valid legal basis. In particular, the DPA found that the controller had processed particularly sensitive data as defined by Art. 9 GDPR. For example, the controller unlawfully processed information about the skin color, ethnic origin, religious affiliation, sexual orientation and health status of the data subjects. BREBAU GmbH also deliberately ignored requests from data subjects for transparency about the processing of their data. In imposing the fine, the DPA took into account, as an aggravating factor, the extraordinary depth of the violation of the fundamental right to data protection. However, because BREBAU GmbH cooperated fully during the investigation, made efforts to mitigate the damage, clarified the facts on its own and ensured that such violations would not be repeated, the amount of the fine could be reduced. | link |
1104 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-01-19 | 1,000,000 | Fortum Marketing and Sales Polska S.A. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 28 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 1 million on Fortum Marketing and Sales Polska S.A. The company had reported a data breach to the DPA in accordance with Art. 33 GDPR. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data. The data breach occurred at the time of the introduction of a change in the company’s IT environment. The change was made by a processing agent. As part of the change, an additional Fortum customer database was created. However, the server on which the database was stored did not have sufficient security measures, which is why the unauthorized persons succeeded in accessing the data. The DPA also found that the processor failed to pseudonymize and encrypt the data. In addition, the processing agent had been using real customer data, rather than test data, to test the changes to the system. For this reason, the DPA concluded that the controller failed to take appropriate technical and organizational measures to ensure the protection of personal data. In addition, the DPA found that the controller would have been required to monitor the work of the processor to ensure that the protection of personal data is continuously guaranteed. | link link |
1105 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-01-19 | 53,000 | PIKA Sp. z o.o. | Industry and Commerce | Art. 28 (3) c), f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has fined PIKA Sp. z o.o. in the amount of EUR 53,000. The fine is related to a fine imposed on Fortum Marketing and Sales Polska S.A. PIKA was acting as a processor for Fortum. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data. The data breach occurred at the time of the introduction of a change in the company’s IT environment by PIKA. As part of this change, an additional Fortum customer database was created. However, the server on which the database was stored did not have sufficient security measures, which is why the unauthorized persons were able to access the data. For this reason, the DPA concluded that PIKA had failed to take appropriate technical and organizational measures to ensure the protection of personal data. | link |
1106 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2022-03-25 | 6,700 | Danish National Genome Center | Health Care | Art. 36 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 6,700 on the Danish National Genome Center. The center had conducted a data protection impact assessment that revealed circumstances that could pose a high risk to the rights of data subjects. The DPA imposed the fine because the center had processed personal data without first consulting the DPA, even though the impact assessment had revealed a high risk to data subjects. The center has complied with all the DPA’s requests and has shown good cooperation with the authority. | link link |
1107 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-03-09 | 2,000 | Employer | Employment | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 2,000 on an employer. An employee had filed a complaint due to the employer’s failure to comply with the employee’s right to object. The employee had objected to continuous monitoring of his online courses offered via Zoom. However, the employer had continued the monitoring. In addition, the DPA found that the employer could not provide a sufficient legal basis for processing the data. | link |
1108 | CYPRUS | Cypriot Data Protection Commissioner | 2022-03-22 | 4,000 | English School Cyprus | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 4,000 on the English School in Cyprus. The school had reported a data breach to the DPA under Art. 33 GDPR. A teacher had used the email address of the students’ parents for a purpose other than that for which the email addresses were originally collected. The DPA found that the school had failed to take adequate technical and organizational measures to ensure the protection of personal data and to prevent such incidents. | link |
1109 | CYPRUS | Cypriot Data Protection Commissioner | 2022-03-21 | 5,000 | English School staff union (ESSA) | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 5,000 on the English School staff union (ESSA). The school had notified the DPA of a data breach under Art. 33 GDPR. A teacher, also a member of the staff union, had used the email addresses of the parents of the students for a purpose other than the one for which the email addresses had originally been collected. The DPA found that the staff union had failed to take appropriate technical and organizational measures to ensure the protection of personal data and to prevent such incidents. | link |
1110 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-03-25 | 2,000 | Kaufland Romania SCS | Industry and Commerce | Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 2,000 on Kaufland Romania SCS. A data subject had filed a complaint with the DPA concerning the controller’s failure to comply with their request to provide copies of recordings of the video surveillance system in which the data subject could be seen. In the course of its investigation, the DPA determined that the controller had violated its duty to provide information, especially since the recordings were available. | link |
1111 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-03-28 | 2,000 | Condor SA | Industry and Commerce | Art. 32 (1), (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on Condor SA. The controller had suffered a data breach in which unauthorized persons gained access to several documents containing personal data of employees and former employees, such as place of work, surname, first name, position, salary and bank details. During its investigation, the DPA found that the controller had not taken appropriate technical and organizational measures that would ensure the protection of personal data. | link |
1112 | SWEDEN | Data Protection Authority of Sweden | 2022-03-28 | 720,000 | Klarna Bank AB | Finance, Insurance and Consulting | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 12 (1) GDPR, Art. 13 (2) f) GDPR, Art. 14 (2) g) GDPR | Insufficient fulfilment of information obligations | The Swedish DPA has imposed a fine of EUR 720,000 on Klarna Bank AB. Klarna is a financial company that processes a large amount of personal data in various ways. As part of its investigation, the DPA found that Klarna had not properly complied with its information obligations. For example, Klarna did not provide sufficient information on its website about the purpose and legal basis for the processing of personal data. In addition, with regard to the transfer of data to Swedish and foreign credit agencies, Klarna provided incomplete information about the recipients of the personal data. Klarna also failed to provide information about the third countries to which personal data is transferred. Finally, the DPA found that Klarna insufficiently informed data subjects about their rights under the GDPR. | link link |
1113 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-03-09 | 2,000 | Foreign language school | Employment | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA imposed a fine of EUR 2,000 on an employer (owner of a private foreign language school). An employee, who works as a language teacher in the school, had filed a complaint with the DPA against their employer. The reason for this was that the controller continued to constantly monitor the employee during their online courses via the platform ‘Zoom’, despite their objection. Therefore, the DPA found that the controller had violated its duty to comply with the data subject’s right to object. In addition, the DPA found that the controller had not properly informed the data subject about the processing of their personal data pursuant to Art. 13 GDPR. | link link |
1114 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2022-04-05 | 1,300,000 | Danske Bank | Finance, Insurance and Consulting | Art. 5 (2) GDPR | Non-compliance with general data processing principles | The Danish DPA has imposed a fine of EUR 1.3 million on Danske Bank. The DPA had opened an investigation against the bank after it informed the DPA that it had a problem with the deletion of personal data. During the investigation, the DPA found that the bank had failed to document the rules for deletion and storage of personal data in more than 400 systems. Consequently, the bank was unable to prove that such rules, which are required under the GDPR, existed. The DPA considered this to be a breach of the bank’s accountability obligation under Art. 5 (2) GDPR. | link |
1115 | IRELAND | Data Protection Authority of Ireland | 2022-04-05 | 463,000 | Bank of Ireland | Finance, Insurance and Consulting | Art. 32 GDPR, Art. 33 GDPR, Art. 34 GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA has fined the Bank of Ireland EUR 463,000. The bank had reported 22 data breaches to the DPA under Article 33 GDPR. As part of its investigation, the DPA found that the bank had provided false information to the Central Credit Register due to a mix-up of bank customers’ account data. This error had the potential to have a negative impact on the creditworthiness of the data subjects. The DPA found that the personal data breach had occurred due to inadequate technical and organizational measures on the part of the bank. In addition, the bank did not immediately inform the data subjects and the DPA about the data breach. | link link |
1116 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-04-04 | 200,000 | Brussels Airport Zaventem | Transportation and Energy | Art. 5 (1) c) GDPR, Art. 6 (1) e) GDPR, Art. 9 (2) g) GDPR, Art. 12 GDPR, Art. 13 (1) c) GDPR, Art. 13 (2) e) GDPR, Art. 35 (1), (3), (7) b) GDPR | Insufficient legal basis for data processing | The Belgian DPA has fined Brussels Airport Zaventem EUR 200,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic, the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid legal basis for processing this health data. Health data constitute sensitive data according to Art. 9 GDPR. These may only be processed in exceptional cases pursuant to Art. 9 (2) GDPR. One such exceptional case is processing on the grounds of public interest in the area of public health. For this, however, the processing must be based on a clear legal norm. In the present case, the processing was based on a protocol which did not meet these requirements. In addition, the DPA found deficiencies in the data protection impact assessment. Moreover, the airport failed to properly inform the data subjects about the processing of the data. | link |
1117 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-04-04 | 100,000 | Brussels Airport Charleroi | Transportation and Energy | Art. 5 (1) a), b) GDPR, Art. 6 (1) c) GDPR, Art. 6 (3) GDPR, Art. 9 (2) i) GDPR, Art. 12 (1) GDPR, Art. 13 (1) c) GDPR, Art. 13 (2) e) GDPR, Art. 35 (1), (7) GDPR | Insufficient legal basis for data processing | The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic, the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid legal basis for processing this health data. Health data constitute sensitive data according to Art. 9 GDPR. These may only be processed in exceptional cases pursuant to Art. 9 (2) GDPR. One such exceptional case is processing on the grounds of public interest in the area of public health. For this, however, the processing must be based on a clear legal norm. In the present case, the processing was based on a protocol which did not meet these requirements. In addition, the DPA found deficiencies in the data protection impact assessment. Moreover, the airport failed to properly inform the data subjects about the processing of the data. | link |
1118 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-04-04 | 20,000 | Ambuce Rescue Team | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Belgian DPA has fined Ambuce Rescue Team EUR 20,000. The fine is related to the fines against Brussels Airport Charleroi and Brussels Airport Zaventem. Due to the Covid-19 pandemic, the airports used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then asked to answer questions about possible coronavirus symptoms. In this process, Ambuce Rescue Team provided the questionnaires. Specifically, the DPA found that there was no valid legal basis for processing this health data. Health data are sensitive data in the sense of Art. 9 GDPR. These may only be processed in exceptional cases pursuant to Art. 9 (2) GDPR. One such exceptional case is processing on the grounds of public interest in the area of public health. For this, however, the processing must be based on a clear legal norm. In the cases at hand, the processing was based on a protocol that did not meet these requirements. | link |
1119 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2022-02-24 | 565,000 | Dutch Foreign Ministry | Public Sector and Education | Art. 13 (1) e) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Dutch DPA has imposed a fine of EUR 565,000 on the Dutch Foreign Ministry. As part of its investigation, the DPA found that the National Visa Information System (NVIS) suffered from significant security deficiencies. This is particularly serious as the Foreign Ministry has processed an average of 530,000 visa applications per year over the last three years, and the personal data processed in the course of the applications was therefore inadequately secured. The data included sensitive information such as fingerprints, name, address, place of residence, country of birth, purpose of travel and nationality. Due to the inadequate security measures, it would have been possible for unauthorized persons to access the data. According to the DPA, the Foreign Ministry had been aware of the security flaws in the visa system for some time. Despite this knowledge, the Ministry did not adjust the security measures in time. For this reason, the DPA found that the Ministry acted with gross negligence. The DPA also found that the Foreign Ministry did not adequately inform individuals who applied for visas that their personal information would be shared with other parties. | link link |
1120 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-04-07 | 500 | Property owners’ association | Real Estate | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA (ANSPDCP) has fined a property owners’ association EUR 500 for failing to provide information requested by the DPA during an investigation. | link |
1121 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-04-01 | 7,500 | Company | Employment | Art. 5 (1) a) GDPR, Art. 6 (1) f) GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 18 GDPR, Art. 21 GDPR, Art. 28 GDPR | Insufficient fulfilment of data subjects rights | The Belgian DPA has imposed a fine of EUR 7,500 on a company. A former managing director had filed a complaint against the company with the DPA. In the context of being dismissed, the former managing director deleted all data on the work laptop before handing over the technical equipment. For this reason, the former managing director requested to exercise their rights to deletion, to restriction of the processing of their personal data and to object. However, the company refused the request. In the course of its investigation, the DPA found that the company had breached its obligation under the GDPR to grant the former managing director the exercise of these rights. In addition, the DPA found that, due to the lack of a valid legal basis at the time of the restoration, the company had unlawfully processed the data. | link |
1122 | ITALY | Italian Data Protection Authority (Garante) | 2022-02-10 | 5,000 | Arte del vivere S.r.l. | Individuals and Private Associations | Art. 12 GDPR, Art. 17 GDPR, Art. 157 Codice della privacy | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 5,000 on Arte del vivere S.r.l.. A data subject filed a complaint with the DPA as his personal data had been published on the website www.mondoshiatsu.com operated by the controller. The data subject had been automatically included in the Shiatsu Portal after having participated in a one-year Shiatsu training. However, as he had never worked in this field, he repeatedly requested the deletion of his data. However the controller had not fulfilled the request despite the fact that they had promised to delete the data. | link |
1123 | ITALY | Italian Data Protection Authority (Garante) | 2022-02-10 | 1,500 | Studio Colli Aniene Verderocca S.r.l. | Industry and Commerce | Art. 12 (3) GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 1,500 on Studio Colli Aniene Verderocca S.r.l.. A data subject had filed a complaint with the DPA for unsolicited telephone advertising. In addition, the data subject stated that he had not received a response to his request for information and deletion regarding the processing of his personal data. | link |
1124 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2022-04-07 | 3,700,000 | Dutch Tax and Customs Administration | Public Sector and Education | Art. 5 (1) a), b), d), e) GDPR, Art. 6 (1) GDPR, Art. 32 (1) GDPR, Art. 35 (2) GDPR | Non-compliance with general data processing principles | The Dutch DPA has imposed a fine of EUR 3.7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA. As part of its investigation, the DPA found a number of violations of the GDPR. The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. The administration had processed personal data such as health, citizenship, and criminal personal data as part of the list maintenance. The DPA initially found that the administration did not have a valid legal basis for processing the data contained in the list. For this reason, the data were processed unlawfully. Further, the DPA found that the information in the list was often incorrect, so that a large number of individuals were falsely registered as possible fraudsters. In addition, the investigation revealed that the maintenance of the list led to discrimination against some individuals, as the risk of fraud was determined on the basis of the nationality and appearance of the data subjects, among other factors. For example, donations to mosques were considered a risk factor for fraud. Furthermore, the DPA found that the administration violated its obligation under the GDPR to implement appropriate technical and organizational measures that ensure adequate protection of the personal data it collects. Indeed, the administration had inadequately secured the personal data. The DPA also found that the administration had violated the principle of storage limitation by storing the data for longer than the retention period established for the personal data in the list. Furthermore, the DPA found that the processing of the data in the list had not been necessary for the administration to properly perform its tasks. The processing was therefore disproportionate. Also, the administration had not sufficiently defined the purposes underlying the processing and thus violated the principle of purpose limitation. The fine is composed as follows: EUR 1 million for a breach of Art. 5 (1) a) GDPR and Art. 6 (1) GDPR; | link link |
1125 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-12 | 500 | Homeowners Association | Real Estate | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 500 on a homeowners’ association. The executive board of the owners’ association had publicly posted a list of defaulting owners. The DPA considered this to be a violation of the principle of confidentiality and integrity set out in Art. 5 (1) f) GDPR. | link |
1126 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-04-18 | 1,000 | IKEA România S.R.L. | Industry and Commerce | Art. 12 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 1,000 on IKEA România S.R.L.. A data subject had complained to the DPA that IKEA had failed to comply with their requests to delete the data subject’s personal data from their IKEA user account in a timely manner. The DPA found that IKEA Romania had violated Art. 12 (3) GDPR. | link |
1127 | ITALY | Italian Data Protection Authority (Garante) | 2022-03-10 | 10,000 | Azienda USL Toscana Centro | Health Care | Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has imposed a fine of EUR 10,000 on Azienda USL Toscana Centro. The DPA initiated an investigation against the controller after it reported a data breach under Art. 33 GDPR. The controller had mistakenly sent patient medical records to the wrong patients. The DPA therefore found that the health care facility had not taken sufficient technical and organisational measures to protect personal data. | link |
1128 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-18 | 1,800 | FLORAQUEEN FLOWERING THE WORLD S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined FLORAQUEEN FLOWERING THE WORLD S.L. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 3,000 was reduced to EUR 1,800 due to immediate payment and acknowledgement of guilt. | link |
1129 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-11 | 150,000 | BASER COMERCIALIZADORA DE REFERENCIA, S.A. | Transportation and Energy | Art. 6 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined BASER COMERCIALIZADORA DE REFERENCIA, S.A., EUR 150,000. A customer of the company had filed a complaint with the DPA since their electricity supply contract was modified without their consent. This resulted in an increase in the electricity supply. In the course of its investigations, the DPA found that a fraudster had pretended to be the data subject by providing the name and ID number of the data subject. In this way, they were able to modify the data subject’s contract. According to the DPA, the controller had not properly verified the identity of the fraudster before modifying the contract and, due to a lack of sufficient security measures, had not made sure that the inquirer was actually the data subject. | link |
1130 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-13 | 8,000 | RAMONA FILMS, S.L. | Industry and Commerce | Art. 13 GDPR, Art. 22 (2) LSSI | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) fined RAMONA FILMS, S.L. for failing to ensure that the company’s privacy policy complied with the requirements of Art. 13 GDPR. Specifically, the website contained outdated information and referred to laws that were not in effect. In addition, the DPA found deficiencies in cookie use. The original fine of EUR 10,000 was reduced to EUR 8,000 due to immediate payment and acknowledgement of guilt. | link |
1131 | ITALY | Italian Data Protection Authority (Garante) | 2022-03-10 | 6,000 | Azienda sanitaria provinciale di Caltanissetta | Health Care | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 37 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has fined Azienda sanitaria provinciale di Caltanissetta EUR 6,000. The data subject had asked the controller, in the context of legal proceedings, to send any communication regarding this matter only to their personal email inbox. Nevertheless, the controller had sent communications to the data subject’s business email address. In addition, the data subject had requested access to their data. However, the controller did not properly comply with this request. In the course of its investigation, the DPA also found that the health care facility had failed to notify the DPA of the name and contact details of a new data protection officer and to update them on its website. | link |
1132 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-04-04 | 10,000 | Piraeus Bank | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 33 GDPR, Art. 34 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has imposed a fine of EUR 10,000 on Piraeus Bank. The bank had mistakenly sent a document containing data of the data subject to a third party. This error was based on a wrongly provided e-mail address by a co-owner of the account. Although the bank became aware of this error, they did not stop sending the communications to the third party, but instead instructed the data subject to exercise their right to correct the inaccurate data. As a result of its investigation, the DPA found that the bank had violated the principle of confidentiality for failing to stop sending the communications. The DPA also found that the bank had failed to report the data breach to the DPA and the data subject in a timely manner. | link |
1133 | ITALY | Italian Data Protection Authority (Garante) | 2022-03-10 | 8,000 | Agenzia Regionale per la Tutela dell’Ambiente dell’Abruzzo | Employment | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 10 GDPR, Art. 2-ter Codice della privacy, Art. 2-octies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA (Garante) has fined the Agenzia Regionale per la Tutela dell’Ambiente dell’Abruzzo EUR 8,000. A former employee of the environmental agency had filed a complaint with the DPA due to the fact that the agency had freely published documents containing his personal data on its website. The documents contained, among other things, information about the individual’s previous employment and criminal information. | link |
1134 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-18 | 9,000 | JIMBO NETWORKS, S.L. | Industry and Commerce | Art. 6 (1) GDPR, Art. 13 GDPR, Art. 22 (2) LSSI | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine on JIMBO NETWORKS, S.L.. During its investigation, the DPA found numerous deficiencies on a website operated by the controller. For example, the controller processed data from visitors to the website without their explicit consent. In addition, the privacy policy on the website did not comply with the requirements set out in Art. 13 GDPR. The privacy policy contained outdated information and referred to laws that were not in effect. Furthermore, the DPA found deficiencies in cookie use. The original fine of EUR 15,000 was reduced to EUR 9,000 due to immediate payment and acknowledgement of guilt. | link |
1135 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-18 | 1,800 | Website operator | Industry and Commerce | Art. 6 (1) GDPR, Art. 13 GDPR, Art. 22 (2) LSSI | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine on the operator of the website link. During its investigation, the DPA found numerous deficiencies on a website operated by the controller. For example, the controller processed data from visitors to the website without their explicit consent. In addition, the website did not contain any type of privacy policy. The DPA therefore found that the controller violated its duties set out in Art. 13 GDPR. The original fine of EUR 3,000 was reduced to EUR 1,800 due to immediate payment and acknowledgement of guilt. | link |
1136 | FRANCE | French Data Protection Authority (CNIL) | 2022-04-15 | 1,500,000 | DEDALUS BIOLOGIE | Health Care | Art. 28 GDPR, Art. 29 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The French DPA (CNIL) has imposed a fine of EUR 1.5 million on DEDALUS BIOLOGIE. DEDALUS distributes software solutions for medical analysis laboratories. In February, the press revealed a data leak at DEDALUS that resulted in the leak of nearly 500,000 individuals’ data. The leaked data included information on the surnames, first names, social security number, name of the treating physician, data on medical examinations and illnesses of the data subjects. During its investigation, the CNIL found several violations of the GDPR. Namely, DEDALUS had violated Art. 29 GDPR by extracting more data than required in the course of processing on behalf of two laboratories. In addition, the DPA found that DEDALUS had failed to implement appropriate technical and organizational measures to ensure the security of personal data. This constitutes a violation of Art. 32 GDPR. For example, no specific procedure for data migration operations had been implemented. Also, the leaked data had not been stored in encrypted form on the server. In addition, the DPA found that DEDALUS lacked authentication for access to the public area of the server. The absence of such security measures was one of the main causes of the data leak. Further, the DPA found that the contractual documents between DEDALUS and its customers did not comply with the requirements set forth in Art. 28 GDPR. The DPA took into aggravating consideration the seriousness of the violations committed, in particular the security breaches, as well as the large number of individuals affected, when imposing the fine. | link link |
1137 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-04-04 | 5,000 | Mayor | Employment | Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | The Hellenic DPA has fined a mayor EUR 5,000. The mayor had sent documents of an employee of the municipality to third parties without the employee’s consent. The DPA considered this to be a violation of Art. 5 (1) a) GDPR. | link |
1138 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-03-02 | 13,500 | Company | Industry and Commerce | Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 (2) GDPR, Art. 17 (1) b) GDPR | Insufficient legal basis for data processing | The Hungarian DPA imposed a fine of EUR 13,500 on a company. An individual had filed a complaint with the DPA, stating that the company had published personal data such as their name, address, telephone number without their consent. Furthermore, the company had not responded to a deletion request from the individual. | link |
1139 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-19 | 600 | DOOR2DOOR SPAIN, S.L. | Transportation and Energy | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine on DOOR2DOOR SPAIN, S.L.. The controller had failed to implement measures repeatedly ordered by the DPA in due time. Also, the controller had failed to provide the DPA with information that was requested. The original fine of EUR 1,000 was reduced to EUR 600 due to immediate payment and admission of responsibility by the controller. | link |
1140 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-23 | 1,200 | MOVALIA TRASLADOS, S.L.U. | Industry and Commerce | Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on MOVALIA TRASLADOS, S.L.U.. During its investigation, the DPA found numerous deficiencies on a website operated by the controller. For example, the controller processed data from visitors to the website without their explicit consent. Furthermore, contrary to the controller’s obligation under Art. 13 GDPR, the website did not have a privacy policy. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and acknowledgement of guilt. | link |
1141 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-27 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine is made up of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR. | link |
1142 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-22 | 5,600 | Physician | Health Care | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has fined a physician. The physician had used recordings of a patient’s treatment for advertising purposes. However, the patient had not consented to this. For this reason, the DPA found that the doctor had processed the data without a valid legal basis. The original fine of EUR 7,000 was reduced to EUR 5,600 due to immediate payment. | link |
1143 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-29 | 4,200 | CLÍNICA DENTAL SAN FRANCISCO, S.L. | Health Care | Art. 17 GDPR, Art. 21 LSSI | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine on CLÍNICA DENTAL SAN FRANCISCO, S.L.. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him advertisements via WhatsApp, despite the fact that he had requested the deletion of his data. The original fine of EUR 7,000 was reduced to EUR 4,200 due to immediate payment and admission of responsibility by the controller. | link |
1144 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-29 | 16,000 | LABORATORIOS GONZÁLEZ, S.L. | Health Care | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined LABORATORIOS GONZÁLEZ, S.L.. The laboratory had sent the results of a Covid-19 test that the data subject had taken not only to them but also to their boss without their consent. The original fine of EUR 20,000 was reduced to EUR 16,000 due to immediate payment. | link |
1145 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-05-03 | 4,000 | Megareduceri TV S.R.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | Failure to provide requested information to the Romanian DPA within the required timeframe in violation of Art. 58 GDPR. | link |
1146 | CYPRUS | Cypriot Data Protection Commissioner | 2021-09-17 | 10,000 | Mediterranean Hospital of Cyprus | Health Care | Art. 31 GDPR, Art. 58 (1) a) GDPR | Insufficient cooperation with supervisory authority | The Cypriot DPA has fined Mediterranean Hospital of Cyprus EUR 10,000 for failing to provide information requested by the DPA during an investigation. | link |
1147 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-28 | 1,500 | CAFFE VECCHIO, S.L. | Employment | Art. 5 (1) f) GDPR, Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined CAFFE VECCHIO, S.L. EUR 1,500. A former employee of the café had filed a complaint with the DPA. The operator of the café had responded to negative online reviews regarding the café, disclosing personal data of the former employee. In addition, the operator published information on the reasons for the termination of the employment relationship. | link |
1148 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-05-04 | 4,000 | Concordia Capital IFN S.A. | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has fined Concordia Capital IFN S.A. EUR 4,000. The controller had unlawfully installed audio and video cameras in the offices of its employees. The video surveillance was intended to protect the company’s employees and goods. The DPA however stated that the controller violated Art. 5 GDPR and Art. 6 GDPR, as such extensive surveillance was not necessary. | link |
1149 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2022-02-02 | 30,000 | Lillestrøm Municipality | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA has imposed a fine of EUR 30,000 on Lillestrøm Municipality. The municipality had accidentally published a document in which 10 out of 21 attachments contained personal data of students. The data included information on student names, date of birth, test results, assessments of student behavior and student challenges. This error was not detected by the responsible administrator and went through two more manual quality checks at the documentation center without the error being detected there either. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to protect personal data. | link |
1150 | ITALY | Italian Data Protection Authority (Garante) | 2022-03-24 | 10,000 | Brav s.r.l. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 10,000 on Brav s.r.l.. The operator of the online platform had reported a data breach to the DPA pursuant to Art. 33 GDPR. Unauthorized persons had managed to access the platform used by the Genoa Police for the management of traffic violations, as well as the personal data contained therein. According to the City of Genoa, it was possible to gain unauthorized access to the platform because certain employees had disclosed the password for accessing the platform without authorization, in violation of official regulations. For this reason, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. The controller should have ensured that passwords were changed regularly to prevent unauthorized persons from gaining access to personal data. | link |
1151 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-05-04 | 10,000 | Nationale Maatschappij der Belgische Spoorwegen | Transportation and Energy | Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 12 (2) GDPR, Art. 21 (2), (3), (4) GDPR | Insufficient legal basis for data processing | The Belgian DPA has imposed a fine of EUR 10,000 on the Belgian national railroad company (Nationale Maatschappij der Belgische Spoorwegen). A Twitter user who had received an e-mail newsletter from the railroad company had filed a complaint with the DPA. According to the Twitter user, the newsletter did not include an option to unsubscribe. During its investigation, the DPA found, first, that there was no valid legal basis for the processing of personal data through the newsletter. Contrary to the railroad company’s view, the DPA concluded that the newsletter was not necessary for the performance of the contracts between passengers and the company and that this performance interest therefore did not constitute a legal basis for the processing. Furthermore, the DPA found that the data subjects’ right to object was not sufficiently taken into account, as it was not possible to unsubscribe from the newsletter directly via the e-mails. | link |
1152 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-03 | 5,000 | MISTORE CANARIAS, S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on MISTORE CANARIAS, S.L.. A person who had made a purchase from the company had filed a complaint against the company with the DPA. According to the person, her personal data such as surname, first name and bank account details were collected during the purchase. In the course of the purchase, she was offered products from three other companies, which she rejected. Nevertheless, the controller transmitted her data to the three companies without her consenting to such transmission. | link |
1153 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-28 | 15,000 | MEDEROS MOVITEN, S.L. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on MEDEROS MOVITEN, S.L.. The data subject had signed a mobile service contract with the company. However, the company also invoiced the data subject for services to which the data subject had not consented. The contracts for these services contained the personal data of the data subject but no signature. Due to the lack of a valid contract, the DPA determined that the company illegally processed the personal data of the data subject for the contracts in question and thus violated Art. 6 (1) GDPR. | link |
1154 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2022-05-03 | 36,000 | City of Reykjavík | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system ‘Seesaw’ at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students’ private affairs. During its investigation, the DPA found that the purpose of the processing of the children’s data had not been sufficiently clearly defined. In this context, the DPA also found a breach of the principle of proportionality and data minimization. In addition, the DPA concluded that the city had not implemented adequate technical and organizational measures regarding the protection of personal data. This would have been necessary given the high risk that the data might be transferred to and processed in the United States. In determining the fine, mitigating consideration was given to the fact that no damage was caused by the data breaches. | link |
1155 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-09 | 1,200 | CONTIMAG INVEST, S.L. | Accomodation and Hospitalty | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined CONTIMAG INVEST, S.L. EUR 1,200 for failing to provide sufficient information on video surveillance in one of the restaurants it operates. | link |
1156 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-10 | 300 | Store owner | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a store owner. The controller had requested various personal data from customers for appointment bookings. The DPA found that the controller failed to properly inform the data subjects about the processing of the data in accordance with Art. 13 GDPR. | link |
1157 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-04-28 | 40,000 | Working Capital Management España, S.L. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 40,000 on the credit information agency Working Capital Management España, S.L.. A data subject had filed a complaint with the AEPD against the company. Fraudulent third parties had taken out a loan with NBQ Technology, S.A.U. in the name of the data subject without the data subject actually entering into a contract. After the data subject subsequently did not make payments, NBQ disclosed the data subject’s information to Working Capital Management. The AEPD determined that Working Capital Management had processed the data subject’s data illegally, since the personal data was entered into the company’s information systems without checking whether the data subject had given their consent to the processing of their personal data. | link |
1158 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-26 | 1,000 | ASST di Lodi | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has imposed a fine of EUR 1,000 on ASST di Lodi. The healthcare facility had reported a data breach to the DPA pursuant to Art. 33 GDPR. A patient had provided two contacts for their medical affairs. The facility had been explicitly authorized to obtain medical information of the patient from these two persons in case of emergency. During its investigation, the DPA found that the healthcare facility processed the data subject’s information without the data subject’s consent and, therefore, without a valid legal basis. In addition, the DPA concluded that the healthcare facility had not taken appropriate technical and organizational measures to protect personal data in order to prevent such incidents. | link |
1159 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-07 | 40,000 | Azienda ospedaliera di Perugia | Health Care | Art. 5 (1) a), f) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 25 GDPR, Art. 30 GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has fined Azienda ospedaliera di Perugia EUR 40,000. During an investigation at the healthcare facility, the DPA found multiple GDPR violations. The DPA’s investigation took place as part of a series of inspections dealing with the processing of data in the context of whistleblower systems at employers. The healthcare facility used an open source-based whistleblowing web application. However, the application was accessed through systems that were not properly configured. This made it possible to record and store users’ browsing data, thus identifying those users and, as such, potential whistleblowers. With respect to the processing of personal data, the health facility had failed to inform the employees in advance. In addition, the DPA found that the healthcare facility had not conducted a data protection impact assessment and had not registered the processing in the register of processing activities. Thus, no sufficient assessment of the risks to the rights and freedoms of the data subjects had been carried out. | link link |
1160 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-07 | 40,000 | ISWEB S.p.A. | Industry and Commerce | Art. 28 GDPR | Insufficient data processing agreement | The Italian DPA imposed a fine of EUR 40,000 on ISWEB S.p.A.. The fine is related to a fine against the healthcare facility Azienda ospedaliera di Perugia. ISWEB had provided the healthcare facility with the web application for its whistleblower system. During an investigation at the healthcare facility, the DPA identified multiple GDPR violations related to the whistleblower system. The DPA’s investigation took place as part of a series of inspections addressing whistleblower system data processing at employers. In relation to ISWEB, the DPA found that they had used an external provider to host the whistleblower systems. However, ISWEB failed to provide the external provider with specific instructions for the processing of data subjects’ data, as well as to inform the health care facility of the same. | link link |
1161 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2022-05-12 | 13,400 | Civilstyrelsen | Public Sector and Education | Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 13,400 on the Danish agency Civilstyrelsen. A Civilstyrelsen USB stick containing more than 800 pages of sensitive and confidential information had been lost. During its investigation, the DPA found that the USB stick was not encrypted. In addition, the agency did not have any policies for its employees on the use of removable and portable media. Moreover, the DPA found that despite being aware of this data breach, the agency had not reported the breach, contrary to its obligation under Art. 33 GDPR. The DPA concluded that the agency had not taken appropriate technical and organizational measures to protect personal data. Encryption of removable media, for example, is a necessary and required security measure, especially if the removable media contain sensitive information such as personal data. | link |
1162 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-11 | 600 | Bar owner | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a bar owner EUR 600. The bar operated a video surveillance system in which the observation angle of the cameras extended into the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1163 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-05-12 | 1,000 | LORIS FUEL SHOP SRL | Industry and Commerce | Art. 29 GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on the gas station operator LORIS FUEL SHOP SRL. A person had filed a complaint with the DPA because pictures of him were published on Facebook. The images originated from a video surveillance system installed in one of the controller’s gas stations. During its investigation, the DPA found that the controller had not taken sufficient technical and organizational measures to ensure the confidentiality of the personal data generated through the CCTV system installed in the gas stations. This resulted in unauthorized third parties filming the images from the video cameras and subsequently publishing them on social networks. | link |
1164 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-12 | 500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 500 on a private individual. The controller had installed a surveillance camera on his property, which recorded, among other things, neighboring properties. The AEPD considered this to be a violation of the principle of data minimization. | link |
1165 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-12 | 2,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The individual had shared a video on WhatsApp showing images of a violent attack on the data subject without having obtained the data subject’s consent. | link |
1166 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-11 | 6,000 | Homeowners Association | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on a homeowners’ association. An apartment owner who had been a resident for 15 years had filed a complaint with the DPA due to the fact of having to show ID before using the communal pool. This request for personal data was based on measures to combat the Covid-19 pandemic. During its investigation, the DPA found that the collection of the personal data through the ID check was unnecessary given the fact that the data subject had been a resident for 15 years, and thus violated the principle of data minimization set forth in Art. 5 (1) c) GDPR. Furthermore, the DPA found that the data subject had not been sufficiently informed about the processing of their personal data. | link |
1167 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-02-02 | 1,000 | Café owner | Accomodation and Hospitalty | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA from Luxembourg has imposed a fine of EUR 1,000 on a café owner. The owner had installed two video surveillance cameras in the café for the purpose of protecting company assets and the safety of customers and employees. Those cameras, however, constantly captured parts of the employee’s work areas. The DPA found this to be a violation of the principle of data minimization. It also found that the owner had not sufficiently complied with its information obligations under Art. 13 GDPR. | link |
1168 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-13 | 170,000 | Mercadona S.A. | Industry and Commerce | Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 170,000 on the supermarket chain Mercadona S.A.. An individual had filed a complaint with the DPA. The individual had suffered an accident in one of the supermarkets and had asked Mercadona to provide the recordings of the accident from the video surveillance system in order to claim damages. However, Mercadona did not comply with this request. After the lawyer of the data subject asked Mercadona again to provide the recordings, Mercadona replied that the images had already been deleted. | link |
1169 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-03-29 | 1,300 | Workshop | Industry and Commerce | Art. 5 (1) b), c) GDPR, Art. 6 (1) f) GDPR, Art. 13 (1), (2) GDPR | Non-compliance with general data processing principles | The Hungarian DPA has imposed a fine of EUR 1,300 on a workshop. The workshop had installed a video surveillance system to protect the company’s assets. However, the cameras also captured parts of the employee’s work area. The DPA found that the recording of the employees was not necessary to ensure the purposes associated with the video surveillance and was therefore disproportionate. The DPA also found that the workshop had not sufficiently complied with its information obligations under Art. 13 GDPR. The workshop referred to the consent given by the employees as the legal basis for the video surveillance. However, the DPA concluded that the workshop could not base the video surveillance on consent, as voluntary consent in the employee-employer relationship is questionable. Instead, the workshop should have based the video surveillance on a legitimate interest. | link |
1170 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-05-18 | 5,000 | Kredyt Inkaso Investments RO S.A | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 33 GDPR | Insufficient legal basis for data processing | The Romanian DPA has fined Kredyt Inkaso Investments RO S.A. EUR 5,000. A data subject had filed a complaint with the DPA against the controller for having disclosed their personal data and that of their minor child to medical institutions without authorization and without the data subject having any relationship with those institutions. During its investigation, the DPA found that the controller had disclosed data such as home address, professional status, as well as data from the employment contract. In addition, the DPA found that the controller had not notified the DPA of the data breach within the time limit required by Art. 33 GDPR. | link |
1171 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-05-17 | 1,500 | MAYR MELNHOF PACKAGING ROMANIA S.R.L. | Industry and Commerce | Art. 5 (1) b), c) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 1,500 on MAYR MELNHOF PACKAGING ROMANIA S.R.L. The controller had installed video surveillance cameras on its premises for the purpose of protecting company assets and the safety of employees. During its investigation, the DPA found that the cameras also covered the employee cafeteria and smoking area, allowing employees to be monitored outside of their working hours. The DPA stated that the recording of the employees in these areas was not necessary to achieve the purposes of the video surveillance and was therefore disproportionate. The DPA found this to be a violation of the principle of data minimization. | link |
1172 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-17 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras on his property which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1173 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-17 | 8,000 | TIGERS MARKET, S.L. | Industry and Commerce | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4) LOPDGDD | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 8,000 on TIGERS MARKET, S.L.. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list. | link |
1174 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-17 | 18,000 | RAMONA FILMS, S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA (AEPD) has fined RAMONA FILMS, S.L. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 30,000 was reduced to EUR 18,000 due to immediate payment and acknowledgement of guilt. | link |
1175 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-17 | 4,000 | INSEKT FOOD S.L. | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on INSEKT FOOD S.L. A data subject had filed a complaint with the DPA against the controller because the controller had published personal data of the data subject in three WhatsApp groups. As a result, all 541 members of these WhatsApp groups were given unauthorized access to certain personal data of the data subject (surname, first name, address). | link |
1176 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-18 | 10,000,000 | Google LLC | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 10 million on GOOGLE LLC. Two data subjects had complained to the DPA that Google had disclosed their personal data to third parties without authorization. In the course of the lengthy investigation, the DPA found that Google had passed on personal data of data subjects to the so-called Lumen project. Lumen is a project run by the Berkman Klein Center for Internet & Society at Harvard University. The project began in 2002 for the purpose of collecting requests relating to the removal of content from websites within and outside of the United States. This data may then be accessed by researchers and other interested parties. Users of Google-operated platforms such as YouTube or Google Drive have the option of requesting that content about themselves on the platforms be removed. For this purpose, Google has provided various contact and complaint forms. However, the data of the data subjects who used these forms was automatically transmitted to the Lumen project. In this context, the DPA also found that Google did not sufficiently enable data subjects to exercise their right to erasure of their data. When assessing the fine, the DPA took into account as aggravating factors that the data was not only disclosed, but also transferred to a third country without giving the data subjects the possibility to object to it. This deprived the data subjects of control over the handling of their personal data. In addition, the DPA found that the transfer had taken place over a very long period of time. | link |
1177 | ITALY | Italian Data Protection Authority (Garante) | 2022-03-10 | 10,000 | Alfa Shipyard s.r.l. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Italian DPA has imposed a fine of EUR 10,000 on Alfa Shipyard s.r.l. The controller had failed to implement measures ordered by the DPA in due time. | link |
1178 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-18 | 600 | SCF ZHU, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has fined SCF ZHU, S.L. due to a lack of sufficient data processing information in relation to video surveillance on business premises. The original fine of EUR 1,000 was reduced to EUR 600 due to immediate payment and admission of responsibility. | link |
1179 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-17 | 42,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on Vodafone España S.A.U. A data subject had filed a complaint with the AEPD against the controller. The data subject complained about receiving invoices even though there was no longer a contractual relationship between them and the controller. Although the data subject had objected to the continued receipt of messages, as there were no more invoices outstanding and the controller had confirmed this, the sending continued. The DPA therefore found that the controller had processed the data subject’s data without a valid legal basis. The original fine of EUR 70,000 was reduced to EUR 42,000 due to immediate payment and admission of guilt. | link |
1180 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-05-24 | 5,000 | MED LIFE S.A. | Health Care | Art. 32 (1) b), (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 5,000 on MED LIFE S.A. The company had disposed of documents containing sensitive patient data in a publicly accessible garbage can. An individual had found these documents and filed a complaint with the DPA. During its investigation, the DPA found that MED LIFE had not taken adequate technical and organizational measures to protect personal data and avoid such incidents. | link |
1181 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2022-03-15 | 9,700 | Company | Employment | Art. 6 (1) GDPR, Art. 13 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The Norwegian DPA has imposed a fine of EUR 9,700 on a company. The DPA had received a complaint from a former employee of the company. The complaint concerned the fact that, after the employee’s termination, both professional and private e-mails from the employee’s mailbox were automatically forwarded to an e-mail address administered by the managing director. During its investigation, the DPA found that the controller had automatically forwarded the e-mails without a valid legal basis. Also, the controller had not informed the former employee about the processing of the data by forwarding the e-mails, contrary to its obligation under Art. 13 GDPR. Finally, the DPA found that the controller had not properly complied with an objection to the processing submitted by the former employee. | link link |
1182 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-20 | 2,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The individual had taken photos of a group of minors as well as police officers without their consent and later uploaded them to Facebook. | link |
1183 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-20 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras in his car which, among other things, also covered parts of a community garage. The DPA considered this to be a violation of the principle of data minimization. | link |
1184 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-20 | 2,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a private individual operating three websites EUR 2,000. During its investigation, the DPA found that all three websites lacked a field for giving consent to the processing of personal data. In addition, the DPA found that the privacy policies on the websites did not contain any reference to the identity of the data controller or to the right of data subjects to withdraw their consent to data processing. | link |
1185 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-07 | 50,000 | Palumbo Superyacht Ancona s.r.l. | Employment | Art. 5 (1) a), e) GDPR, Art. 12 (3) GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 157 Codice della privacy, Art. 166 (2) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has fined Palumbo Superyacht Ancona s.r.l. EUR 50,000. The company had blocked an employee’s company e-mail account without permission. The employee had reported the incident to the company and asked for the restoration of the e-mail inbox, which contained both private and business e-mails. However, the company did not comply with this request. In the course of its investigation, the DPA found further violations. For example, the company did not respond to a request for information from the DPA and violated the principle of storage limitation. | link link |
1186 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-07 | 20,000 | Made in Italy s.r.l.s. | Industry and Commerce | Art. 6 GDPR, Art. 7 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 130 (3) Codice della privacy, Art. 157 Codice della privacy, Art. 166 (2) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA (Garante) has imposed a fine of EUR 20,000 on Made in Italy s.r.l.s. A data subject had filed a complaint with the DPA after receiving promotional calls from the data controller, even though they had not consented to them. Even after the data subject had objected to the calls, the controller did not stop them. The data subject then requested information about the origin of the data and the deletion of this data. However, the controller did not respond to this request. Also, the controller had not sufficiently cooperated with the DPA in the course of the investigation. | link link |
1187 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-07 | 10,000 | Findomestic Banca spa | Finance, Insurance and Consulting | Art. 5 (1) a), c) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 10,000 on Findomestic Banca spa. A customer had filed a complaint with the DPA regarding a breach of confidentiality by the financial institution. The controller had, without authorization, sent several payment reminders to the data subject’s wife regarding a loan taken out by the data subject. The wife had indeed guaranteed a loan taken out by the data subject, but not the loan in question. | link link |
1188 | UNITED KINGDOM | Information Commissioner (ICO) | 2022-03-10 | 115,000 | Tuckers Solicitors LLP | Finance, Insurance and Consulting | Art. 5 (1) a), f) GDPR | Non-compliance with general data processing principles | The UK DPA (ICO) has fined the law firm Tuckers Solicitors LLP EUR 115,000. Tuckers suffered a ransomware attack on its systems, which resulted in a personal data breach. As part of its investigation, the DPA determined that Tuckers had failed to take appropriate technical and organizational measures to protect personal data. This failure left its systems vulnerable to malicious attacks. The attackers managed to encrypt 972,191 individual files, of which 24,712 related to court proceedings, and to exfiltrate 60 files and publish them on underground data marketplaces. The files contained both personal and special category data, such as medical records, witness statements, names and addresses of witnesses and victims, and the alleged crimes of data subjects. | link |
1189 | FINLAND | Deputy Data Protection Ombudsman | 2022-04-29 | 8,300 | Telemarketing company | Media, Telecoms and Broadcasting | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Finnish DPA has imposed a fine of EUR 8,300 on a telemarketing company for non-compliance with a DPA order. A customer of the company had requested access to the recording of a sales call. However, the company did not comply with the request and therefore the DPA ordered the company to grant the customer access to the recordings. Later, the customer reported that despite the DPA’s order, they still had not received the recording of the call. | link |
1190 | UNITED KINGDOM | Information Commissioner (ICO) | 2022-05-18 | 9,000,000 | Clearview AI Inc. | Industry and Commerce | Art. 5 (1) a), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 22 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals’ profiles can be enriched with information associated with those images, such as image tags and geolocation. Clearview AI no longer offers its services in the UK, but it does in other countries, which means that the company continues to use personal data of UK residents. In the course of its investigation the DPA found that the personal data contained in the company’s database had been processed unlawfully and without a valid legal basis. Furthermore, in order to exercise their rights under the GDPR, such as the right of access under Art. 15 GDPR, data subjects had to provide Clearview with additional personal data by submitting a photograph of themselves that could be matched against the Clearview database. According to the DPA, this constitutes a significant impediment and deterrent to the exercise of such rights. In addition, the DPA found that the company had violated several principles of the GDPR. For example, the company had violated the principle of transparency by failing to adequately inform data subjects about the processing of their data. Clearview had also violated the principle of storage limitation by not having a data retention policy and thus not being able to ensure that personal data is not held for longer than necessary. Further, Clearview had failed to conduct a data protection impact assessment (Art. 35 GDPR) despite the high risk to data subjects. | link link |
1191 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-05-25 | 50,000 | Roularta Media Group | Media, Telecoms and Broadcasting | Art. 5 (1) e) GDPR, Art. 5 (2) GDPR, Art. 6 (1) a) GDPR, Art. 7 (1), (3) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 24 GDPR | Insufficient legal basis for data processing | The Belgian DPA has imposed a fine of EUR 50,000 on Roularta Media Group. As part of its investigation, the DPA found that the cookie management on two websites operated by Roularta did not comply with the GDPR. In order to use cookies, controllers must obtain prior consent from the user, except where the cookies are strictly necessary for the operation of the website. The DPA found that consent to the processing of personal data through cookies on the websites operated by Roularta was not valid, as not all necessary conditions were met. For example, about 60 cookies that were not strictly necessary had been placed by the websites on visitors’ devices before they had given their consent. Roularta had also failed to sufficiently inform users about cookies. In addition, the boxes for consent to the placement of third-party cookies were pre-checked, although users must always actively consent. Finally, the DPA found that users could not withdraw their consent to the placement of cookies as easily as they had given it. | link link |
1192 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-07 | 10,000 | E-Mac Professional s.r.l. | Industry and Commerce | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to respond to the data subject’s request for access to their data in a timely manner. | link |
1193 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 1,000 | Educationest s.r.l. | Employment | Art. 5 (1) a), e) GDPR, Art. 6 (1) b), c) GDPR | Insufficient legal basis for data processing | The Italian DPA has fined Educationest s.r.l. EUR 1,000. The daycare center had sent an e-mail to the families of the children in its care, informing them of the pregnancy and the maternity leave of one of the educators. The daycare center had written the e-mail to prevent rumors about the educator’s absence (e.g. a Covid illness) and to protect her. However, the educator had not consented to the disclosure of her pregnancy. The DPA therefore found that Educationest had unlawfully processed the educator’s data and violated Art. 5 GDPR and Art. 6 GDPR. | link |
1194 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-31 | 1,600 | CORON ISLAND SLU | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,600 on CORON ISLAND SLU. A customer had filed a complaint with the DPA against the restaurant. The customer had asked for a bill in her name after a meal. However, the manager explained that an invoice could only be issued if the customer provided her telephone number. The DPA considered this to be a violation of the principle of data minimization. | link |
1195 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-01 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Use of a CCTV camera that also captured a neighbour’s private property and the public space. | link |
1196 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 10,000 | Italian Ministry of Defense | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 10 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy, Art. 2-octies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 10,000 on the Italian Ministry of Defense. An employee of the ministry had filed a complaint with the DPA. During its investigation, the DPA found that two e-mails had been forwarded without authorization. These e-mails contained, among other things, sensitive information on the health status of the data subject as well as information on legal proceedings. | link |
1197 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 50,000 | Istituto Nazionale Assicurazione Infortuni sul Lavoro | Public Sector and Education | Art. 5 (1) a), f) GDPR, Art. 6 (1) e) GDPR, Art. 9 (2) g) GDPR, Art. 32 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy | Insufficient technical and organisational measures to ensure information security | The Italian DPA has fined Istituto Nazionale Assicurazione Infortuni sul Lavoro (the public accident insurance institution for workers) EUR 50,000. As part of its investigation, the DPA found that on three occasions accident and occupational illness data of other employees had been viewable by unauthorized users on an online system of the insurance carrier. The incident occurred due to an outdated version of the system. The DPA concluded that the insurance carrier had not sufficiently fulfilled its duty to take appropriate technical and organizational measures to prevent personal data breaches. The insurance carrier should have ensured that updated and secure online systems were used. | link |
1198 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-06-03 | 2,000 | Kaufland Romania SCS | Industry and Commerce | Art. 29 GDPR, Art. 32 (1) b) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on Kaufland România SCS. The controller had reported two data breaches to the DPA pursuant to Art. 33 GDPR. An employee who processed a complaint had not followed the internal procedure for handling complaints, allowing a security guard to view and misuse the complainant’s data. In addition, the controller had mistakenly forwarded the data in a customer order form to an unauthorized third party. This led to the disclosure of personal data (first name, last name, e-mail address, telephone number) of the affected Kaufland customer. For this reason, the DPA found that the controller had not taken appropriate technical and organizational measures to ensure the protection and security of personal data. | link |
1199 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-03 | 1,000 | Store owner | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a store owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment. | link |
1200 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-03 | 360 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 360 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1201 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-06-08 | 1,500 | Wens Experience SRL | Industry and Commerce | Art. 28 (2) GDPR | Insufficient data processing agreement | The Romanian DPA has imposed a fine of EUR 1,500 on Wens Experience SRL. In the course of its investigation, the DPA found that Wens Experience, while acting as a processor on behalf of the controller, had engaged another processor to process employee data without having obtained prior authorization from the controller. This constitutes a violation of Art. 28 (2) GDPR. | link |
1202 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-03 | 3,000 | LODEJU, S.L. | Accomodation and Hospitalty | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on the restaurant operator LODEJU, S.L. The controller had installed video surveillance cameras on its premises which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of their data by the video surveillance and had thus violated its duty to inform. | link |
1203 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-06-06 | 3,500 | Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. | Industry and Commerce | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. EUR 3,500. The controller had suffered a data breach during which a certificate of employment containing personal data of an employee got lost. The controller failed to report this data breach to the DPA and thus violated Art. 33 GDPR. | link link |
1204 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 2,500 | ‘Isabella Gonzaga’ high school | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 2,500 on the ‘Isabella Gonzaga’ high school. The school had published a document, which also contained personal health data of some teachers, on an online platform for the teaching staff. The document contained information on benefits linked to the health status of teachers who were entitled to such benefits. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and had therefore acted unlawfully. | link |
1205 | GERMANY | Data Protection Authority of Hessen | 2021 | 1,800 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer had repeatedly accessed data in a police database for private research purposes. | link |
1206 | GERMANY | Data Protection Authority of Hessen | 2021 | 500 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer had accessed data in police databases for private research purposes in order to obtain information about a colleague. | link |
1207 | GERMANY | Data Protection Authority of Hessen | 2021 | 600 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer had accessed data in police databases for private research purposes in order to obtain his ex-wife’s new address. He discovered where his ex-wife had moved to in the meantime. The officer then actually went to his ex-wife’s new apartment and met her in front of the entrance to the new house. This frightened his ex-wife so much that she reported the incident to the police. | link |
1208 | GERMANY | Data Protection Authority of Hessen | 2021 | 400 | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer had accessed data in police databases for private research purposes. The officer had purchased a notebook for private use on an Internet platform. Since the seller did not agree to negotiate the method of payment, the officer used a police information system to obtain information about the seller. The police officer then sent several messages to the seller in which he cited certain personal data that he had obtained through his research in the police database. The goal was to reinforce his demand for an alternative payment method by mentioning the information obtained. | link |
1209 | GERMANY | Data Protection Authority of Hessen | 2021 | 170 | Restaurant | Accomodation and Hospitalty | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | In order to identify a guest who had not paid, several visitors were contacted by employees of a restaurant. For this purpose, the telephone numbers provided by the guests as part of Covid contact tracing were used. Since the guests had provided their data solely for infection control purposes, the DPA considered contacting them for the purpose of identifying the guest to be a violation of the principle of purpose limitation (Art. 5 (1) b) GDPR). | link |
1210 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Unknown | Accomodation and Hospitalty | Unknown | Unknown | In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. A restaurant employee obtained first names, last names, and phone numbers of women from the contact lists in order to contact the women privately and ask them about their relationship status, among other things. The DPA determined that the use of personal data from contact lists kept for infection control documentation for any purpose other than contact tracing was unlawful and therefore imposed a fine. | link |
1211 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Unknown | Public Sector and Education | Unknown | Unknown | In order to combat the Covid-19 pandemic, a cemetery had put out an open list in which visitors had to enter their contact data. A cemetery employee obtained first names, last names, and phone numbers of women from the contact lists in order to contact the women privately and ask them about their relationship status, among other things. The DPA determined that the use of personal data from contact lists kept for infection control documentation for any purpose other than contact tracing was unlawful and therefore imposed a fine. | link |
1212 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer had repeatedly accessed data in a police database for private research purposes. | link |
1213 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer used a witness’s personal data to contact her personally. | link |
1214 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer had accessed data in a police database for private purposes. The officer queried the investigation file concerning his stepson in order to prepare him for his testimony and to convince the officer in charge of the case of a different sequence of events. | link |
1215 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer had accessed data in a police database for private purposes. The officer queried the new partner of a friend’s ex-wife because he feared that the well-being of the couple’s child might be endangered by the new partner. | link |
1216 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Police officer | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A police officer had accessed data in a police database for private purposes. The officer, who was himself accused in a criminal case, intended to use the information from the police database to prepare for his testimony in court. | link |
1217 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Job center employee | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A job center employee had accessed data in social database systems and in the civil register for private research purposes. The employee wanted to prove that two of her colleagues had a relationship with each other and checked the registration addresses of both of them. | link |
1218 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Job center employee | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A job center employee had accessed data in social database systems and in the civil register for private research purposes. | link |
1219 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Medical clinic | Health Care | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The DPA from Berlin has imposed a fine on a medical clinic. The clinic had installed 21 cameras in its premises for the purpose of protection against crime and property damage. This made it possible to monitor employees and patients around the clock. The clinic relied on consent given by employees and information signs as the legal basis for the video surveillance. However, the DPA concluded that the clinic could not base the video surveillance on consent, as voluntary consent in the employee-employer relationship is questionable. Also, clearly visible notices of the video surveillance do not allow the conclusion that the patients, by entering the monitored premises, legally express their consent to the observation. The DPA could not find any other evidence that would justify such extensive video surveillance of the clinic. | link |
1220 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Beverage retailer | Industry and Commerce | Unknown | Unknown | The DPA from Berlin imposed a fine against a beverage retailer. The retailer operated a video surveillance system in which the observation angle of the cameras extended into the public space. | link |
1221 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Attorney | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The DPA from Berlin has imposed a fine on an attorney. The attorney had been in dispute with a client for several years over a monetary claim. For two years, he published the first and last names and residential addresses of the client and his family members, as well as various unredacted parts of case files, on his blog, invoking the press privilege. However, this was not a purely journalistic publication. Rather, the attorney’s aim was to speed up payment of the amount to which he believed he was entitled. Since the attorney could therefore not rely on the press privilege as the legal basis for the data processing, the DPA found that he had unlawfully processed the data of the data subjects. | link |
1222 | GERMANY | Data Protection Authority of Berlin | 2021 | Unknown | Clinic | Health Care | Unknown | Insufficient involvement of data protection officer | The DPA from Berlin has imposed a fine on a clinic. The clinic had appointed the clinic manager, who was also a shareholder of the clinic, as the data protection officer. A data protection officer may perform other tasks and duties, but the company must ensure that other tasks and duties do not lead to a conflict of interest. In the present case, however, there was such a conflict of interest. On the one hand, the clinic manager had to make economic decisions in his executive position, and on the other hand, he had to monitor the clinic’s compliance with data protection law. The DPA also noted that such a dual role carries the risk that patients and employees would be hesitant to seek the assistance of the data protection officer, also the hospital director, with critical questions about the processing of personal data. | link |
1223 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 2,000 | Comune di Partanna | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The municipality published information about a court case on its website, including personal data such as the name and professional details of a data subject. | link |
1224 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Fine in three-digit amount | Physician | Health Care | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The DPA of Brandenburg imposed a fine on a physician. The father of a minor patient had filed a complaint with the DPA because the physician had transmitted numerous data on his child to a central billing office. The data included information on the child’s name, address, date of birth, health insurance number, medical services provided and diagnoses made. The physician had passed on the data without the parents’ consent and thus without a valid legal basis. | link |
1225 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Fine in four-digit amount | Company | Industry and Commerce | Unknown | Unknown | The DPA of Brandenburg has imposed a fine on a company. An individual had filed a complaint with the DPA because the company had produced a video recording in which the complainant could be seen. The complainant had contacted the company and asked it to delete the video and to refrain from publishing it on the Internet. Nevertheless, the company published the video on its website as well as on several social networks. Moreover, even when the DPA asked the company to delete the video, the company only deleted it from its website, but not from the social networks. Only after the DPA demanded deletion a second time did the company actually comply and delete the video from the social networks as well. | link |
1226 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-09 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Use of a CCTV camera that also captured a neighbour’s private property and the public space. | link |
1227 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 2,000 | Ekss s.r.l. | Accommodation and Hospitality | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined the restaurant operator Ekss s.r.l. EUR 2,000. The controller had installed video surveillance cameras on its premises without properly informing the data subjects about the processing of their data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR. | link |
1228 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 40,000 | Il Sole 24 Ore S.p.a. | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 9 GDPR, Art. 12 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has fined the newspaper Il Sole 24 Ore S.p.a. EUR 40,000. The newspaper had published an article on the recognition by the Italian authorities of a U.S. judge’s decision on the adoption of a child by a same-sex couple. By mistake, the newspaper also published personal data on the couple and the adopted child. The couple then demanded the deletion of the personal data and access to information about the processing of the personal data. The newspaper deleted the personal data, but failed to comply with the data subjects’ right of access. | link |
1229 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Fine in four-digit amount | Real estate agent | Real Estate | Art. 6 GDPR, Art. 12 GDPR | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a fine on a real estate agent. The agent had contacted an individual and offered to sell a property he owned. Since the individual had not passed on his data to the agent himself, he asked where the data had come from and requested that it be deleted. The agent informed the data subject that she had deleted the data, but did not comply with his right of access. Half a year later, despite the confirmed deletion, the data subject again received a message from the agent. For this reason, the DPA determined that the real estate agent had processed the data subject’s data without a valid legal basis and thus unlawfully. | link |
1230 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-06-15 | 3,000 | S.C. Wine Point S.R.L. | Industry and Commerce | Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on S.C. Wine Point S.R.L. A data subject had filed a complaint with the DPA after receiving an advertising e-mail from the controller that had been sent with an open distribution list, so that the e-mail addresses of 810 other recipients, as well as the complainant’s own, were visible to all recipients. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to ensure the confidentiality of the personal data processed. | link |
1231 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-09 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a private individual EUR 10,000. The individual had created a humiliating and discriminatory video of three siblings based on their skin color, and shared it on her Instagram profile as well as on WhatsApp. | link |
1232 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 20,000 | Nos s.r.l.s. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | The Italian DPA fined Nos s.r.l.s. EUR 20,000. Nos acted as a processor for Vodafone and carried out advertising for the telecommunications company. For this purpose, Nos had acquired and processed personal data from the companies Kdata ltd. and Dynamic Web Solution ltd. In the course of its investigation, the DPA found that the data subjects had neither consented to such use nor been informed about it by Nos. | link |
1233 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-06-16 | 0 | SA Rossel & Cie | Media, Telecoms and Broadcasting | Art. 6 (1) a) GDPR, Art. 7 (1) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | Original fine summary: The Belgian DPA has imposed a fine of EUR 50,000 on the media company SA Rossel & Cie. During its investigation, the DPA found GDPR violations on three websites operated by the company. For instance, the company had placed cookies that were not strictly necessary without the consent of the website visitors. Also, the company treated visits to other websites as consent for further cookie placement on those pages. In addition, the boxes for consent to third-party cookies were pre-ticked. Furthermore, the cookie policy was incomplete and difficult for visitors to access. Finally, the DPA found that the company was placing new cookies even after users had revoked their cookie consent. Update: On February 22, 2023, the fine was overturned by the Market Court. | link |
1234 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2022-05-16 | 14,500 | Arbeidstilsynet | Public Sector and Education | Art. 6 (1) e) GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has fined the Norwegian Labor Inspectorate ‘Arbeidstilsynet’ EUR 14,500. The controller had carried out a credit check on the data subject without any valid legal basis for doing so. | link |
1235 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 70,000 | Ospedale San Raffaele s.r.l. | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 70,000 on the healthcare facility Ospedale San Raffaele s.r.l. The hospital had reported two data breaches to the DPA under Art. 33 GDPR. In the first case, the hospital’s neurology department had sent a newsletter with an open distribution list, so that the e-mail addresses of the recipients were visible to all recipients. Of the 499 e-mail addresses affected, 321 belonged to patients and 46 to family members/caregivers of patients, which allowed these individuals to be identified by name. In the second case, a surgical department had sent a newsletter with an open distribution list, so again the recipients’ e-mail addresses were visible to all recipients. Of the 90 e-mail addresses affected, 75 belonged to patients and/or family members/caregivers of patients, which again meant that these individuals could be identified by name. The DPA considered this a violation of the principle of ‘integrity and confidentiality’, which requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures. In calculating the fine, the DPA treated as an aggravating factor the fact that the breaches also affected data relating to the health of the persons concerned. | link |
1236 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-16 | 1,000 | SCOTCH CORNER BAR | Accommodation and Hospitality | Art. 5 (1) c) GDPR, Art. 58 (2) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined the bar operator SCOTCH CORNER BAR EUR 1,000. The controller had installed a CCTV system which also covered parts of the public space. Furthermore, the controller failed to provide the DPA with information that it had requested. | link |
1237 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-17 | 1,000 | Company | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a company EUR 1,000 for failing to provide information signs about CCTV surveillance in its premises. | link |
1238 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-06-20 | 1,000 | SC Interactions Marketing SRL | Industry and Commerce | Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on SC Interactions Marketing SRL. The controller had sent advertising messages by e-mail to several people on behalf of another company. One of the recipients had filed a complaint with the DPA due to the fact that the controller had sent the advertising messages in an open distribution list, making the email addresses of all recipients visible to the other recipients. | link |
1239 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-06-20 | 7,000 | Asociația de Proprietari Aviației Park | Real Estate | Art. 5 (1) a), c), e) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has fined Asociația de Proprietari Aviației Park, the operator of a residential complex, EUR 7,000. The controller had processed personal data (surname, first name, ID card series and number, destination, arrival time, departure time, remarks) of delivery persons and/or couriers without a valid legal basis. In addition, the DPA found that the controller did not sufficiently inform the data subjects about the processing of their personal data. Furthermore, the DPA found that the controller had not established a retention period for the personal data processed by its video surveillance system and had kept the data longer than necessary. | link |
1240 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-24 | 180 | Store owner | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a store owner EUR 180 for failing to provide information signs about CCTV surveillance in the establishment. | link |
1241 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2022-06-22 | 134,000 | Gyldendal A/S | Media, Telecoms and Broadcasting | Art. 5 (1) e) GDPR | Non-compliance with general data processing principles | The Danish DPA has fined the publisher Gyldendal A/S EUR 134,000. During its investigation, the DPA found that the company had kept the data of approximately 685,000 former members of Gyldendal’s book clubs longer than necessary. Instead of deleting the data of members who had unsubscribed, Gyldendal kept it in a database. The data of approximately 395,000 of the former members affected had been kept for more than 10 years. In addition, the DPA found that Gyldendal had no procedure or guidelines for data deletion. | link |
1242 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-22 | 3,000 | Zito Auto di Gianfranco Zito | Industry and Commerce | Art. 5 (1) a), c) GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 3,000 on the company Zito Auto di Gianfranco Zito. The company had installed video surveillance cameras which monitored, among other things, public spaces and employees. The DPA considered this to be a violation of the principle of data minimization (Art. 5 (1) c) GDPR). | link |
1243 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-05-31 | 2,100 | Stołeczny Ośrodek dla Osób Nietrzeźwych | Health Care | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Polish DPA has imposed a fine of EUR 2,100 on ‘Stołeczny Ośrodek dla Osób Nietrzeźwych’, a center for people suffering from alcoholism. During its investigation, the DPA found that video surveillance cameras were installed at the facility. The surveillance system recorded both images and sound of the residents. The facility justified the video surveillance system on the basis of purposes related to the safety and health of alcohol-impaired individuals. However, the DPA concluded that these purposes did not constitute a sufficient legal basis and that the center unlawfully processed the residents’ personal data. | link |
1244 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-02-08 | 634,000 | Budapest Bank Zrt. | Finance, Insurance and Consulting | Art. 5 (1) a), b) GDPR, Art. 6 (1), (4) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 (1), (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1), (2) GDPR | Insufficient legal basis for data processing | The Hungarian DPA (NAIH) has fined Budapest Bank Zrt. EUR 634,000. NAIH reports that the bank used an artificial-intelligence-driven software solution to automatically evaluate the emotional state of customers on recorded calls. The speech analysis system determined, based on the customer’s mood, which customers should be called back. The bank operated the application to prevent complaints and to retain customers. The bank did not inform the data subjects that the processing of their data served, among other things, customer retention purposes, so customers were not in a position to object to the processing. As a result, the data subjects’ rights to adequate information and to object were not guaranteed. The DPA also found that the bank’s reliance on legitimate interest as the legal basis was not sufficiently substantiated, as the bank had not adequately weighed the interests of the data subjects. The bank thus processed the data without a valid legal basis. | link |
1245 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-28 | 1,000 | Company | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a company. The company had requested various personal data from customers for appointment bookings. The DPA found that the controller failed to properly inform the data subjects about the processing of the data in accordance with Art. 13 GDPR. | link |
1246 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-23 | 30,000 | CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A. Several media outlets, including the controller, had published an audio recording of a multiple-rape victim’s testimony in court on their websites and on Twitter to report on the case, which had attracted a lot of media attention. During its investigation, the DPA determined that the victim’s right to privacy outweighed the controller’s freedom of information: the audio recording added no significant value to the reporting but severely compromised the victim’s privacy. For this reason, the DPA found that the controller had violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt. | link |
1247 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-23 | 30,000 | RADIO TELEVISION MADRID, S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on RADIO TELEVISION MADRID, S.A. Several media outlets, including the controller, had published an audio recording of a multiple-rape victim’s testimony in court on their websites and on Twitter to report on the case, which had attracted a lot of media attention. During its investigation, the DPA determined that the victim’s right to privacy outweighed the controller’s freedom of information: the audio recording added no significant value to the reporting but severely compromised the victim’s privacy. For this reason, the DPA found that the controller had violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt. | link |
1248 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-06-30 | 2,000 | Continental Automotive Romania SRL | Industry and Commerce | Art. 24 GDPR, Art. 32 (1) d) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on Continental Automotive Romania SRL. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR: it had discovered 135 unauthorized and improperly configured surveillance cameras on its premises, which, among other things, captured images of employees in the production area. These cameras were connected to unofficial and unprotected camera systems. For this reason, the DPA found that the controller had not taken appropriate technical and organizational measures to ensure the security of employees’ personal data. | link |
1249 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-28 | 3,000 | FLY FUT, S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine against FLY FUT, S.L., a company specialized in drone footage at soccer matches in the amount of EUR 3,000. A father had filed a complaint with the DPA because the company had filmed his underage daughter playing soccer during a match at a local club without his consent. For this reason, the DPA found that the controller had processed the daughter’s data without a valid legal basis. | link |
1250 | UNITED KINGDOM | Information Commissioner (ICO) | 2022-06-09 | 91,000 | Tavistock & Portman NHS Foundation Trust | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The UK DPA (ICO) has fined the Tavistock and Portman NHS Foundation Trust EUR 91,000. The trust is a mental health specialist trust located in London. In early September 2019, the trust wanted to run a contest asking patients of its adult gender identity clinic to provide artwork to decorate a renovated clinic building. For this, two e-mails were inadvertently sent with an open distribution list (one to 912 recipients and the second to 869 recipients). It was clear from the content of the e-mails that all recipients were patients of the clinic. The trust immediately recognized the error and unsuccessfully attempted to recall the e-mails. As part of its investigation, the ICO determined that the trust had no technical or organizational measures in place to prevent or mitigate this highly predictable human error. The ICO rated the harm to the affected individuals as high, since information about a person’s relationship with a gender identity clinic is very sensitive personal information. Due to the immediate implementation of security measures and extensive cooperation with the ICO, the fine was reduced from EUR 910,000 to EUR 91,000. | link link |
1251 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-06-29 | 3,000 | Pediatric psychologist | Health Care | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Hellenic DPA has fined a pediatric psychologist EUR 3,000. The psychologist had not properly cooperated with the DPA during an investigation. | link |
1252 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-01 | 500 | Private Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 500 for the unauthorized installation of a video surveillance camera on their property. The camera recorded public space and a neighbouring property. The AEPD therefore found that the video surveillance violated the principle of data minimization. | link |
1253 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-05-24 | 42,000 | Alquiler Seguro SA | Real Estate | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 42,000 on Alquiler Seguro SA. The company had advertised a job for which the data subject had applied. As part of the application process, the company had requested information about the data subject’s creditworthiness from a credit agency. However, the data subject had never consented to such a credit check by Alquiler Seguro, nor had they been informed about it. For this reason, the DPA found that Alquiler Seguro had processed the data subject’s data without a valid legal basis and thus violated Art. 6 (1) GDPR. | link |
1254 | FINLAND | Deputy Data Protection Ombudsman | 2022-05-09 | 85,000 | Otavamedia Oy | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR, Art. 12 (1), (2), (3), (4), (6) GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 25 GDPR | Insufficient fulfilment of data subjects rights | The Finnish DPA has imposed a fine of EUR 85,000 on Otavamedia Oy. The DPA had received eleven complaints regarding Otavamedia between 2018 and 2021, primarily concerning the lack of response to requests from data subjects. Otavamedia explained that some of the privacy requests had not been fulfilled due to a technical problem with its e-mail management: during the incident, messages received in the privacy request mailbox were not forwarded to customer service representatives, and the situation was only discovered after seven months. The DPA noted that Otavamedia should have tested the new e-mail system before putting it into use, so as to be able to guarantee responses to requests and the rights of the data subjects. Requests on paper were also possible, but the request form had to be signed by the data subject for identification purposes. However, Otavamedia did not process signature data in any other context, so the signature could not even be cross-checked. | link link |
1255 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-06-24 | 2,000 | Parliamentary election candidate | Public Sector and Education | Art. 12 GDPR, Art. 11 Law 3471/2006 | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 2,000 on a parliamentary election candidate. A data subject had filed a complaint with the DPA after receiving unsolicited election advertising via SMS from the politician. The data subject had given the politician, who was a minister before the election, their contact details, but not for the purpose of election advertising. The politician had therefore processed the data for a purpose other than the one agreed, without the data subject having consented to this or having been informed about it. The data subject then requested the deletion of their data and that the SMS messages stop. However, the politician did not comply with this request and the SMS messages continued to be sent. | link |
1256 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-06-20 | 2,000 | WIND Ελλάς Τηλεπικοινωνίες ΑΕΒΕ | Media, Telecoms and Broadcasting | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has fined WIND Ελλάς Τηλεπικοινωνίες ΑΕΒΕ EUR 2,000. A customer of the company had sent an e-mail requesting access to the footage recorded by a store’s cameras on which they appeared. The data subject never received a response to this request. Only when the authority asked for a response did the controller reply that the request could not be fulfilled because the recorded material had been deleted. The DPA considered this a violation of Art. 15 GDPR. | link |
1257 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 46,000 | Azienda Sanitaria Locale Roma | Health Care | Art. 5 (1) c) GDPR, Art. 6 (1) c), d) GDPR, Art. 6 (2), (3) GDPR, Art. 9 (1), (2), (4) GDPR, Art. 2-ter (1), (2) Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has fined Azienda Sanitaria Locale Roma EUR 46,000. The healthcare facility had published the names and health information of 1,337 patients on its website. In most cases, this involved the data subjects’ health records, including medical documents, disability assessments, test results and technical reports. The DPA found that the healthcare institution had processed the data unlawfully and had violated the principle of data minimization. | link |
1258 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 100,000 | Intesa Sanpaolo S.p.A | Finance, Insurance and Consulting | Art. 5 (1) a), f) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 100,000 on Intesa Sanpaolo S.p.A. The bank had unlawfully disclosed the data subject’s data to an unauthorized third party, namely her father. The father, a former employee of the bank, had been authorized to access his daughter’s bank data until she reached the age of majority. He later demanded access to her data after she had already come of age. A bank employee assumed that the father was still authorized and, for this reason, passed on the daughter’s data. | link |
1259 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2022-03-04 | 195,000 | Norwegian Parliament | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 (1) b), d) GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA has fined the Norwegian Parliament EUR 195,000. The parliament had suffered a data breach in which unauthorized persons gained access to the email accounts of members of parliament and parliamentary administrative staff. The attackers succeeded in exfiltrating data, including personal data on bank accounts, dates of birth and health-related data. The DPA therefore found that the parliamentary administration had not taken appropriate technical and organizational measures to achieve a sufficient level of security. | link link |
1260 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-06 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that unauthorized third parties had gained access to her Vodafone account, concluded a new contract in her name and purchased an iPhone 12. The DPA noted that the controller had not adequately verified whether the contracts had actually and lawfully been concluded by the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1261 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-05 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the video surveillance and thus violated Art. 13 GDPR. The fine is made up of EUR 300 for a violation of Art. 5 (1) c) GDPR and EUR 300 for a violation of Art. 13 GDPR. | link |
1262 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-06 | 3,000 | ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) imposed a fine of EUR 3,000 on ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA for the lack of a privacy policy on its website, in violation of Art. 13 GDPR. | link |
1263 | FRANCE | French Data Protection Authority (CNIL) | 2022-06-23 | 1,000,000 | TotalEnergies Electricité et Gaz France | Transportation and Energy | Art. 14 GDPR, Art. 15 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine of EUR 1,000,000 on TotalEnergies Electricité et Gaz France. As part of its investigation, the DPA found that the controller had violated its information obligations under Art. 14 GDPR by failing to provide data subjects with sufficient information during telephone contact about the processing of their personal data for advertising purposes. In addition, the company did not comply with the data subjects’ requests to object to the processing of their personal data for advertising purposes. Furthermore, the controller did not respond to requests from data subjects in a timely manner, contrary to its obligation under Art. 12 GDPR. | link link |
1264 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-12 | 20,000 | Bazar di Hu Xiaoyan | Industry and Commerce | Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Insufficient fulfilment of information obligations | The Italian DPA has imposed a fine of EUR 20,000 on the company ‘Bazar di Hu Xiaoyan’. The controller had operated video surveillance cameras in its premises without a required permit. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing. | link |
1265 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 2,000 | Oroklini Municipal Council | Public Sector and Education | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Cypriot DPA has fined the Oroklini Municipal Council EUR 2,000 for not properly cooperating with the DPA during an investigation. | link link |
1266 | CYPRUS | Cypriot Data Protection Commissioner | 2022-02-04 | 10,000 | Εκδοτικού Οίκου Δίας | Media, Telecoms and Broadcasting | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Cypriot DPA has imposed a fine of EUR 10,000 on the publisher Εκδοτικού Οίκου Δίας. A public figure had filed a complaint with the DPA. The publisher had published incorrect information about the data subject’s financial situation on a website. In the course of its investigation, the DPA, weighing the publisher’s right to freedom of expression against the data subject’s right to privacy and protection of personal data, found that the publisher had unlawfully processed the data of the data subject. | link |
1267 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 1,500 | Physician | Health Care | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Cypriot DPA has imposed a fine of EUR 1,500 on a physician. The DPA had conducted an investigation against the physician for the unlawful operation of a video surveillance system. For investigative purposes the DPA had requested information from the physician, which the physician did not provide to the DPA. For this reason, the DPA found that the physician had violated Art. 31 GDPR due to lack of cooperation with the DPA. | link link |
1268 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-07-13 | 20,000,000 | Clearview AI Inc. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 27 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has imposed a fine of EUR 20,000,000 on Clearview AI Inc. The non-profit organization ‘Homo Digitalis’ had filed a complaint with the DPA on behalf of the data subject. The company holds a database of more than 20 billion facial images (including those of Greek residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals’ profiles can be enriched with information associated with those images, such as image tags and geolocation. In the course of its investigation the DPA found that the personal data in the company’s database had been processed unlawfully and without a valid legal basis. The DPA also found that the company had not provided the data subject with access to their personal data, thereby violating Art. 15 GDPR. Furthermore, Clearview had violated the principle of transparency by failing to adequately inform data subjects about the processing of their data. | link |
1269 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-07-06 | 12,450 | Głównego Geodetę Kraju | Public Sector and Education | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has imposed a fine of EUR 12,450 on the public cartography institute Głównego Geodetę Kraju. The institute had suffered a data breach in which numerous land register numbers were visible on the institute’s website for more than 48 hours. A land register number allows a range of owner data to be determined, including the owners’ first and last names, the names of their parents and the address of the property. The institute had failed to report the breach to the DPA, which learned of the incident only through media reports. The institute also failed to inform the data subjects of the incident. For this reason, the DPA found that the controller had violated Art. 33 (1) GDPR and Art. 34 (1) GDPR. | link |
1270 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2022-07-14 | 67,200 | SIRIUS (law firm) | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 67,200 on the law firm SIRIUS. The law firm had suffered a cyber attack in which the attackers gained access to the firm’s servers and encrypted them. This gave them access to information about the firm’s clients and business partners. During its investigation, the DPA found that the law firm lacked basic security measures, which increased the risk of unauthorized access to client data. For example, the firm’s systems did not enforce sufficient authentication measures such as multi-factor authentication for logins. | link |
1271 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 2,000 | Turkish City | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined the owner of the store ‘Turkish City’ EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of their data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR. | link |
1272 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-01 | 300 | Private Individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 300 for the unauthorized installation of a video surveillance camera on their property. The camera recorded public space and a neighboring property. The AEPD therefore found that such video surveillance constituted a violation of the principle of data minimization. | link |
1273 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 5,000 | Cyprus Judo Federation | Individuals and Private Associations | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Cypriot DPA has imposed a fine on the Cyprus Judo Federation. The father of a member had filed a complaint with the DPA because the judo coach of his minor son had published photographic and audiovisual material on a social media platform without his prior consent. During the course of the investigation, the trainer did not sufficiently cooperate with the DPA, which therefore imposed a fine of EUR 5,000 for a violation of Art. 31 GDPR. | link link |
1274 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-22 | 7,000 | Azienda Socio Sanitaria Territoriale Dei Sette Laghi | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA (Garante) has imposed a fine of EUR 7,000 on the healthcare facility Azienda Socio Sanitaria Territoriale Dei Sette Laghi. A patient had mistakenly received medical records and clinical documentation from another patient in his own file. | link |
1275 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Fine in three-digit amount | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA from Brandenburg imposed a three-digit fine on a company employee. The individual had sent an Excel spreadsheet with employee data of 56 employees to her private e-mail address from her official computer, although this was not necessary for her official activities. For this reason, the DPA determined that the employee had unlawfully transferred the other employees’ data. The spreadsheet included, in addition to the full names of the employees, an overview of vacation days already taken and remaining, sick days accrued, wage data, overtime worked and social security contributions. | link |
1276 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Fine in three-digit amount | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a three-digit fine on a company employee. The employee had forwarded application documents received by his employer from his work e-mail address to his private e-mail address without authorization in order to get suggestions for the design of his own applications. He had not previously anonymized the resumes, so they continued to include all of the applicants’ personal and professional data. Since sending the application documents to his private e-mail address was not part of his work duties, the DPA determined that the forwarding was unlawful. | link |
1277 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Fine in four-digit amount | Physician | Health Care | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a four-digit fine on a doctor of child and adolescent psychotherapy. The doctor had set up a WhatsApp group with 230 participants to communicate their new office address. The mother of a former patient, a minor, had filed a complaint with the DPA because the doctor had not obtained consent for the group. The phone numbers of all group members were disclosed to the other members. In some cases, group members were able to infer that children from families known to them were or had been in treatment with the physician. For this reason, the DPA determined that the doctor had unlawfully processed the data of the WhatsApp group members due to a failure to obtain consent. | link |
1278 | ITALY | Italian Data Protection Authority (Garante) | 2021-01-27 | 10,000 | City of Rome (Roma capitale) | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 2-ter (1), (3) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 10,000 on the city of Rome (Roma capitale). The city had published a document on the municipal website stating that a mother had not paid canteen fees. The document contained personal data of the mother and her minor child. The city stated that, in the absence of a permanent address for the mother to which the notice could have been sent, it had published the document to notify the homeless mother of the debt. However, the DPA found that this could not be considered a sufficient legal basis for processing the personal data, and that the city had thus processed the data unlawfully. | link |
1279 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Unknown | Police department | Public Sector and Education | § 32 (1) BbgDSG | Insufficient legal basis for data processing | A police officer had accessed data in a police database for private research purposes. The officer looked up investigation proceedings concerning a friend in connection with a court hearing and shared the information obtained through these unauthorized retrievals via WhatsApp. For this reason, the DPA of Brandenburg imposed a fine for a violation of § 32 (1) BbgDSG. The Brandenburg Data Protection Act (BbgDSG) sets out the supplementary regulations necessary to adapt the GDPR. | link |
1280 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Unknown | Police department | Public Sector and Education | § 32 (1) BbgDSG | Insufficient legal basis for data processing | A police officer had unlawfully disclosed personal data about a drunk-driving incident to the offender’s mother during a chance encounter. He thought that the mother, as the offender’s employer, could prevent a repeat offense by withdrawing the offender’s car. However, the mother was an unauthorized third party, so the police officer was not allowed to disclose the information. For this reason, the DPA of Brandenburg imposed a fine for a violation of § 32 (1) BbgDSG. The Brandenburg Data Protection Act (BbgDSG) sets out the supplementary regulations necessary to adapt the GDPR. | link |
1281 | GERMANY | Data Protection Authority of Brandenburg | 2021 | Unknown | Police department | Public Sector and Education | § 32 (1) BbgDSG | Insufficient legal basis for data processing | A police officer had unlawfully accessed data in a police database. For this reason, the DPA of Brandenburg imposed a fine for a violation of § 32 (1) BbgDSG. The Brandenburg Data Protection Act (BbgDSG) sets out the supplementary regulations necessary to adapt the GDPR. | link |
1282 | GERMANY | Data Protection Authority of Hamburg | 2021 | Fine in six-digit amount | Company | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Hamburg has imposed a fine in the six-digit range on a Hamburg-based company operating in the healthcare sector. The company had failed to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk when sending doctors’ letters. As a result, doctors’ letters were sent to a person who, although practicing a medical profession, was not the doctor providing further treatment for the affected patients. The letters were intended for a general practitioner with the same name as the recipient. The company had been informed of the misdirected mailings several times in the past by the unauthorized recipient, but had failed to take organizational and technical measures to ensure that these incidents would not recur. In assessing the fine, the DPA considered it an aggravating factor that the data involved was health data, which is particularly sensitive. | link |
1283 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-13 | 132,000 | DKV Seguros y Reaseguros, S.A.E. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on DKV Seguros y Reaseguros, S.A.E. An individual had filed a complaint with the DPA after receiving multiple e-mails from the controller containing information about unknown persons. The controller had sent 51 e-mails with medical certificates, containing the names, surnames and medical test data of the data subjects, to the wrong recipient. The complainant had alerted the controller to the misdirected mailings several times, but the controller did not respond until it learned of the complaint to the DPA. The controller had also not reported the data breach to the DPA. In the course of its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The original fine of EUR 220,000 was reduced to EUR 132,000 due to voluntary payment and admission of responsibility. | link |
1284 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-19 | 600 | Private individual | Individuals and Private Associations | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 600 on a private individual. The individual had failed to implement measures repeatedly ordered by the DPA in due time. | link |
1285 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-19 | 5,000 | Bar owner | Accomodation and Hospitalty | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined a bar owner EUR 5,000. The owner had unlawfully shared recordings from the CCTV in the bar via WhatsApp and other social media platforms. | link |
1286 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-19 | 2,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The individual had installed video cameras in the apartment building where they live that recorded, among other things, the common areas used by all residents. The DPA considered this to be a violation of the principle of data minimization. | link |
1287 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-19 | 4,000 | Bookstore employee | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish Data Protection Agency has imposed a fine of EUR 4,000 on an employee of a bookstore. An individual had filed a complaint with the DPA because he had received an invoice from another person containing that person’s personal data. The employee had inadvertently sent the invoice to the wrong recipient. | link |
1288 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-18 | 56,000 | BANKINTER, S.A. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 56,000 on BANKINTER, S.A. The controller had inadvertently sent a report on the data subject’s investment portfolio to a third party. The controller stated that the misdirected mailing was caused by a computer error. The DPA nevertheless determined that the controller had violated the principle of integrity and confidentiality set out in Art. 5 (1) f) GDPR. | link |
1289 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 10,000 | Afragola municipality | Employment | Art. 5 (1) a), c) GDPR, Art. 12 (3), (4) GDPR, Art. 2-ter Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 10,000 on Afragola municipality. A former employee of the municipality had filed a complaint with the DPA because the municipality had published his resume with personal data on the municipality’s website, even though the employment relationship had ended. In addition, the former employee had filed a request to object to the disclosure of his personal data. However, the municipality had not responded to the request. | link |
1290 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-12 | 6,000 | Villabate municipality | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 37 (1) a) GDPR, Art. 37 (7) GDPR, Art. 38 (6) GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Villabate municipality EUR 6,000. The municipality had disclosed personal data of a former employee to unauthorized third parties without a valid legal basis. The DPA also found that the municipality had not appointed a data protection officer. | link |
1291 | ITALY | Italian Data Protection Authority (Garante) | 2021-03-25 | 6,000 | Convitto Nazionale Statale ‘Giordano Bruno’ di Maddaloni (boarding school) | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 2-ter (1), (3) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 1,000 on the Convitto Nazionale Statale ‘Giordano Bruno’ di Maddaloni (CE) boarding school. The boarding school had published a document on its website containing personal data of the data subject without legal basis. | link |
1292 | CROATIA | Croatian Data Protection Authority (azop) | 2022-07-21 | 4,000 | Car dealership | Industry and Commerce | Art. 27 (1) Zakona o provedbi Opće uredbe o zaštiti podataka | Insufficient fulfilment of information obligations | The Croatian DPA has fined a car dealership EUR 4,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. | link |
1293 | CROATIA | Croatian Data Protection Authority (azop) | 2022-07-21 | 285,000 | Telecommunications company | Media, Telecoms and Broadcasting | Art. 25 (1) GDPR, Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Croatian DPA has fined a telecommunications company EUR 285,000. The company had suffered a data breach in which attackers gained access to the data of about 100,000 data subjects. During its investigation, the DPA found that the breach was facilitated by the company’s failure to implement adequate technical and organizational security measures for the processing of personal data; for example, the processing systems lacked access restrictions. In assessing the fine, the DPA considered it an aggravating factor that the company is one of the leading telecommunications companies in Croatia and that, given the high volume of data it processes, an attack on its systems was foreseeable. For this very reason, the company should have paid more attention to ensuring that sufficient security measures were in place. | link |
1294 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 16,000 | Region of Tuscany | Public Sector and Education | Art. 5 (1) c) GDPR, Art. 6 (1) c) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 2-ter (1), (3) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 16,000 on the Region of Tuscany. The region had published documents on its website containing information on professionals from the tourism sector who had applied for emergency aid in the context of the COVID-19 pandemic. The documents showed, among other things, the names and addresses of the data subjects as well as the amount of aid granted. | link |
1295 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 4,000 | Università Agraria di Nettuno | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 4,000 on the Università Agraria di Nettuno. A former employee of the university had filed a complaint with the DPA due to the fact that the university published a document that contained his personal data. The document revealed information relating to a legal dispute between the data subject and the university. During its investigation, the DPA found that in the absence of a valid legal basis, the publication was unlawful. | link |
1296 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-12 | 2,000 | Singh Market | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined the owner of the store ‘Singh Market’ EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of their data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR. | link |
1297 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 70,000 | Azienda sanitaria universitaria Friuli Centrale | Health Care | Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA imposed a fine of EUR 70,000 on the healthcare facility Azienda sanitaria universitaria Friuli Centrale. Employees of the facility had accessed patients’ health data even though they were not involved in treating those patients and the access was not required. During its investigation, the DPA found that the facility’s IT platform allowed any employee to access any patient’s personal data, regardless of whether the employee was actually treating that patient. In addition, the DPA found that the platform had no mechanism in place to detect improper use of the personal data. | link |
1298 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 50,000 | Azienda sanitaria universitaria Friuli Occidentale | Health Care | Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA imposed a fine of EUR 50,000 on the healthcare facility Azienda sanitaria universitaria Friuli Occidentale. Employees of the facility had accessed patients’ health data even though they were not involved in treating those patients and the access was not required. During its investigation, the DPA found that the facility’s IT platform allowed any employee to access any patient’s personal data, regardless of whether the employee was actually treating that patient. In addition, the DPA found that the platform had no mechanism in place to detect improper use of the personal data. | link |
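The two Friuli entries above (ETid 1297 and 1298) describe the same two control gaps: the record platform did not check for a treatment relationship before releasing a patient's data, and nothing reviewed the access trail for improper reads. The following is an added example, not code from either facility or from the Garante, of how both gaps are usually closed: a deny-by-default authorization gate placed in front of record retrieval, and a detection pass over an access log that flags reads with no treatment relationship at the time of access as well as high-volume reads across many patients (record snooping). The care-team table, the log format, the user and patient identifiers and the detection thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed data model: care-team membership keyed by (user, patient), each with a
# validity window, because a treatment relationship is time-bounded. Constructed.
CARE_TEAM = {
    ("dr_rossi", "P-1001"): (datetime(2022, 3, 1), datetime(2022, 3, 31)),
    ("nurse_bianchi", "P-1001"): (datetime(2022, 3, 1), datetime(2022, 3, 31)),
    ("dr_rossi", "P-1002"): (datetime(2022, 3, 10), datetime(2022, 4, 10)),
}


def has_treatment_relationship(user, patient, at):
    """True only if `user` was on the care team of `patient` at time `at`."""
    window = CARE_TEAM.get((user, patient))
    return window is not None and window[0] <= at <= window[1]


def authorize_record_access(user, patient, at, break_glass=False):
    """Deny-by-default gate to put in front of every record retrieval.

    Returns (allowed, reason). Break-glass access is permitted so that
    emergencies are never blocked, but it is tagged so every such read is
    reviewed afterwards. `at` may be a datetime or an ISO-8601 string.
    """
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    if has_treatment_relationship(user, patient, at):
        return True, "care-team"
    if break_glass:
        return True, "break-glass"
    return False, "no-treatment-relationship"


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str


# Constructed audit log in the assumed format "ISO-timestamp,user,patient".
# It mirrors the failure on the page: every read was recorded, but the platform
# never checked whether the reader was treating the patient.
SAMPLE_LOG = """\
2022-03-15T09:00:00,dr_rossi,P-1001
2022-03-15T09:02:00,nurse_bianchi,P-1001
2022-03-15T09:05:00,clerk_verdi,P-1001
2022-03-15T09:06:00,clerk_verdi,P-1002
2022-03-15T09:07:00,clerk_verdi,P-1003
2022-03-15T09:08:00,clerk_verdi,P-1004
2022-03-15T09:09:00,clerk_verdi,P-1005
2022-04-20T10:00:00,dr_rossi,P-1001
"""


def parse_log(text):
    """Parse the constructed log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient))
    return events


def find_improper_access(events, window=timedelta(hours=1), max_patients=3):
    """Two detections over an access trail, returned as
    (timestamp, user, patient-or-None, reason) tuples:

    1. any read for which no treatment relationship existed at access time
       (catches both outsiders and a clinician reading a former patient);
    2. a user reading more than `max_patients` distinct patients within
       `window`, which is the classic snooping pattern even when each single
       read might be individually authorized.
    """
    findings = []
    for e in events:
        if not has_treatment_relationship(e.user, e.patient, e.ts):
            findings.append((e.ts, e.user, e.patient, "no-treatment-relationship"))

    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        per_user[e.user].append(e)
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            seen = {x.patient for x in evs[i:] if x.ts - start.ts <= window}
            if len(seen) > max_patients:
                findings.append((start.ts, user, None, "volume:%d-patients" % len(seen)))
                break  # one volume finding per user is enough to open a review
    return findings


if __name__ == "__main__":
    for f in find_improper_access(parse_log(SAMPLE_LOG)):
        print(*f)
```

On the constructed log, the first rule flags every read by the clerk and the clinician's read of a patient whose care window had ended, and the second rule flags the clerk's burst across five patients in nine minutes. The gate and the detector share `has_treatment_relationship` deliberately: the audit pass re-evaluates the same policy the platform should have enforced, so a gap between "allowed" and "should have been allowed" is exactly what lands on the review queue.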
1299 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-22 | 12,000 | Comune di Napoli Corpo di Polizia Municipale | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 88 GDPR, Art. 113 Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has fined the police authority ‘Comune di Napoli Corpo di Polizia Municipale’ EUR 12,000. The police authority had sent a list of employees’ names, addresses, tax numbers, contact details and appointments for COVID-19 tests to various administrative units via e-mail. The authority relied on the employees’ consent as the legal basis for the processing. However, the DPA concluded that the authority could not rely on consent, since it is doubtful that consent is freely given in an employer-employee relationship. | link |
1300 | GERMANY | Data Protection Authority of Hamburg | 2021 | 5,000 | Private individual | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The DPA of Hamburg imposed a fine of EUR 5,000 on a private individual. The individual had filmed numerous young women in public; some of those recorded were apparently younger than 14. In several cases, the individual approached the filmed persons to within a few centimeters and followed them with the camera for up to 38 minutes. During a search of his backpack, police found a digital camera and eight memory cards; the seized cards contained a total of 156 video files. In the course of its investigation, the DPA found that the individual had processed the personal data of the young women he had filmed without any effective consent. | link |
1301 | GERMANY | Data Protection Authority of Hamburg | 2021 | 12,500 | Energy supplier | Transportation and Energy | Unknown | Unknown | The DPA of Hamburg has imposed a fine of EUR 12,500 on an energy supplier. The company had outsourced and sold its heating energy division. Customers affected by the transfer were informed about the transfer of their supply contracts and given the right to object. In the event of an objection, no personal data of the customer was to be transferred to the new company. However, despite customers having duly declared their objection, their data was transferred to the new company. | link |
1302 | GERMANY | Data Protection Authority of Hamburg | 2021 | 12,500 | Energy supplier | Transportation and Energy | Unknown | Unknown | The DPA of Hamburg has imposed a fine of EUR 12,500 on an energy supplier. The company had outsourced and sold its heating energy division. Customers affected by the transfer were informed about the transfer of their supply contracts and given the right to object. In the event of an objection, no personal data of the customer was to be transferred to the new company. However, despite customers having duly declared their objection, their data was transferred to the new company. | link |
1303 | GERMANY | Data Protection Authority of Hamburg | 2021 | 10,100 | Car trading group | Industry and Commerce | Unknown | Insufficient legal basis for data processing | The DPA of Hamburg has imposed a fine of EUR 10,110 on a car trading group. The company had informed its customer base that the reason for a restructuring was the absence of an employee due to illness. The company informed approximately 3,000 customers, among other things, of the exact date on which the employee's inability to work began and that the situation would continue for an indefinite period of time. The DPA found that the company had no valid legal basis for such a disclosure of personal health data and had therefore transferred the data unlawfully. | link |
1304 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-22 | 40,000 | ESVETEL, S.L. | Media, Telecoms and Broadcasting | Art. 28 GDPR, Art. 48 (1) b) LGT | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on ESVETEL, S.L. The data subject had received an advertising call from the controller, made on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. | link |
1305 | GERMANY | Data Protection Authority of Niedersachsen | 2022-07-26 | 1,100,000 | Volkswagen | Industry and Commerce | Art. 13 GDPR, Art. 28 GDPR, Art. 30 GDPR, Art. 35 GDPR | Insufficient fulfilment of information obligations | The DPA of Lower Saxony has imposed a fine of EUR 1.1 million on Volkswagen. The company had installed cameras on a test vehicle. The vehicle was being used to test and train the functionality of a driving assistance system intended to prevent traffic accidents. For this purpose, the traffic around the vehicle was recorded with the cameras. However, Volkswagen failed to provide information in accordance with Art. 13 GDPR about the data processing by the cameras attached to the vehicle. The DPA further found that, contrary to its obligation under Art. 28 GDPR, Volkswagen had not concluded a processing agreement with the company that carried out the journeys. Also, no data protection impact assessment pursuant to Art. 35 GDPR had been carried out, and the technical and organizational protection measures had not been documented in the record of processing activities (Art. 30 GDPR). Volkswagen cooperated extensively with the DPA. | link |
1306 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-06-22 | 3,000 | Company | Employment | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA of Luxembourg (CNPD) has imposed a fine of EUR 3,000 on a company. The company had installed a video surveillance system for the purpose of protecting company property and staff. However, the cameras also constantly captured parts of employees' work areas. The DPA stated that the controller thus violated the principle of data minimization under Art. 5 (1) c) GDPR. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR, as the company had not properly informed its employees about the video surveillance. | link |
1307 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-06-30 | 1,400 | Company | Not assigned | Art. 5 (1) e) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA of Luxembourg (CNPD) has imposed a fine of EUR 1,400 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was to protect the company’s assets, optimal fleet management and optimize the workflow, among other things. Some of the location data collected by the controller was stored for a year. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DPA considered this to be a violation of the principle of storage limitation. In addition, the DPA found that the controller had not sufficiently informed the data subjects about the processing of the location data and had thus violated its information obligations pursuant to Art. 13 GDPR. | link |
1308 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-22 | 500 | CINCON S.C. | Industry and Commerce | Art. 13 (2) GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 500 on CINCON S.C. The company had failed to provide the information required by Art. 13 GDPR on a form through which potential customers could access a free course. | link |
1309 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-06-30 | 1,000 | Company | Not assigned | Art. 5 (1) a) GDPR, Art. 12 (1), (7) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company. The company had installed a video surveillance system that recorded both employees and third parties. During its investigation, the DPA found that the company had breached its information obligations under Art. 12 GDPR and Art. 13 GDPR. | link |
1310 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-06-30 | 1,000 | Company | Not assigned | Art. 5 (1) a) GDPR, Art. 12 (1), (7) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company. The company had installed a video surveillance system that recorded both employees and third parties. During its investigation, the DPA found that the company had breached its information obligations under Art. 12 GDPR and Art. 13 GDPR. | link |
1311 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-27 | 300 | Private Person | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | A private person had used a CCTV camera that also captured a neighbour's private property and the public space. | link |
1312 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-26 | 15,000 | TELEFÓNICA MÓVILES ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | A former customer had continued to receive e-mails containing electronic bills after terminating their contract with the company, which meant that personal data was processed without a sufficient legal basis. | link |
1313 | GERMANY | Data Protection Authority of Niedersachsen | 2022-07-28 | 900,000 | Hannoversche Volksbank | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The DPA of Lower Saxony has imposed a fine of EUR 900,000 on Hannoversche Volksbank. The bank had analyzed data from active and former customers without their consent. For this purpose, the bank analyzed digital usage behavior and evaluated, among other things, purchases in app stores, the frequency of use of bank statement printers and the total number of transfers in online banking compared to the use of in-branch services. In addition, the results were cross-checked with a credit agency, where they were further supplemented. The aim was to identify customers with an increased willingness to use digital media and to address them more intensively via electronic communication channels for promotional purposes. Most customers were provided with information in advance. However, the DPA found that this did not replace the required consent. In determining the fine, it was taken into account that the bank did not make further use of the results of its evaluations. In addition, the bank cooperated with the DPA during the investigation. | link |
1314 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-26 | 2,500 | Homeowners Association | Real Estate | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined a homeowners association EUR 2,500 for publishing information (name, surname, apartments) regarding several owners on their website. | link |
1315 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-26 | 800 | EFS MANTENIMIENTO Y SERVICIOS TÉCNICOS, S.L. | Industry and Commerce | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined EFS MANTENIMIENTO Y SERVICIOS TÉCNICOS, S.L. EUR 800. A trade union had filed a complaint with the DPA because the company had shared information about one of its employees with the works council without authorization. The information shared placed the employee in a disadvantageous position. The DPA considered this to be a violation of the principles of integrity and confidentiality. | link |
1316 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-29 | 11,000 | Territorial Administration of the Government of Genoa | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 2-ter (1), (3) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 11,000 on the Territorial Administration of the Government of Genoa. The department had published a file on its website that contained a table listing information on the lawyers of two companies and their adult cohabiting family members (about a hundred people in total). In the course of its investigation, the DPA found that the department had published the information without a valid legal basis. | link |
1317 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-07-06 | 2,120 | University Hospital of the Medical University of Warsaw | Health Care | Art. 33 GDPR, Art. 34 GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has imposed a fine of EUR 2,120 on the University Hospital of the Medical University of Warsaw. The university hospital had suffered a data breach in which a patient had received a referral from a doctor that contained, among other things, personal data (name, address, etc.) of another patient. The DPA found that neither the doctor nor the hospital informed the patient or the DPA about the data breach. | link link |
1318 | FRANCE | French Data Protection Authority (CNIL) | 2022-07-07 | 175,000 | UBEEQO INTERNATIONAL | Transportation and Energy | Art. 5 (1) c), e) GDPR, Art. 12 GDPR | Non-compliance with general data processing principles | The French DPA (CNIL) has fined the company UBEEQO INTERNATIONAL EUR 175,000. The vehicle rental company had collected geolocation data on rented vehicles every 500 metres. The company stated that it had collected the data to monitor the condition of the fleet, to locate vehicles in case of theft and to assist customers in case of an accident, among other reasons. However, the DPA found that none of these purposes justified the collection of geolocation data in such detail. For this reason, the DPA found a violation of the principle of data minimization pursuant to Art. 5 (1) c) GDPR. The DPA also found that the company had stored the vehicle data for an excessively long period of time. The data was kept for the duration of the business relationship with a customer and then for another three years after the termination of the vehicle rental. In addition, personal data of users who had been inactive for more than eight years was still stored in the company's databases. The CNIL found that this long retention constituted a violation of Art. 5 (1) e) GDPR. Finally, the DPA found that users were not adequately informed during the registration process on the company portal, and that the company thus violated Art. 12 GDPR. | link link |
1319 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-01 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1320 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-02 | 42,000 | Banco Bilbao Vizcaya Argentaria, S.A. | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A. The company had repeatedly sent advertising messages to a data subject although the data subject had objected to the processing of their data. The original fine of EUR 70,000 was reduced to EUR 42,000 due to voluntary payment and admission of responsibility. | link |
1321 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2022-08-02 | 30,200 | Krokatjønnvegen 15 AS | Real Estate | Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has fined Krokatjønnvegen 15 AS EUR 30,200. The controller had carried out credit checks on two data subjects without any contractual basis for doing so. | link |
1322 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-08-04 | 2,000 | Sephora Cosmetics România SA | Industry and Commerce | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 2,000 on Sephora Cosmetics România SA. A data subject had received promotional SMS from Sephora despite having objected several times to the processing of her personal data for marketing purposes, and despite Sephora having confirmed that the SMS sending had been stopped. | link |
1323 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-04 | 2,000 | JAÉN SENTIDO Y COMÚN | Not assigned | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 2,000 on JAÉN SENTIDO Y COMÚN. The controller had sent an e-mail to 241 people in an open distribution list, making the e-mail addresses of all recipients visible to the other recipients. | link |
1324 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-29 | 3,000 | ESTUDIOS EUROPEOS DE POSTGRADO Y EMPRESA, S.L. | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 3,000 on ESTUDIOS EUROPEOS DE POSTGRADO Y EMPRESA, S.L. An employee had filed a complaint with the DPA. The employee stated that she had been given access to a company e-mail account when she was hired. However, upon accessing the account, she discovered that it was not actually her account but the e-mail account of another employee. She was thus able to read all e-mails sent and received by the other employee. During its investigation, the DPA determined that the controller had not properly configured the account and had therefore breached its duty to implement appropriate technical and organizational measures to protect personal data. | link |
1325 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-01 | 9,600 | LAST LAP, S.L. | Industry and Commerce | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on LAST LAP, S.L. Last Lap organizes the San Silvestre road running race. Race participants were required to show their vaccination certificate or provide a PCR or antigen test before the race. During its investigation, the DPA found that the company did not have a valid legal basis for processing the health data. The original fine of EUR 16,000 was reduced to EUR 9,600 due to voluntary payment and admission of responsibility. | link |
1326 | ITALY | Italian Data Protection Authority (Garante) | 2022-08-01 | 26,000 | Policoro municipality | Public Sector and Education | Art. 5 (1) a), e) GDPR, Art. 5 (2) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 38 (6) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 26,000 on Policoro municipality. The municipality had installed a video surveillance system without, however, providing sufficient information about the surveillance. In addition, the DPA found that the municipality had not established a retention period for the video surveillance recordings and kept them for an excessive period of time. In addition, the DPA found that the municipality had not fulfilled its obligations in appointing a data protection officer. The municipality had appointed its attorney as data protection officer, which the DPA found constituted a conflict of interest. | link |
1327 | ITALY | Italian Data Protection Authority (Garante) | 2021-05-13 | 20,000 | Synlab Med srl | Health Care | Art. 5 (1) a), c) GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has fined Synlab Med srl EUR 20,000. The company conducted Covid-19 tests for various regional health authorities. In this context, the company had inadvertently sent the test results of 31 people to the wrong health authority. | link |
1328 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-08-09 | 7,000 | CDI Transport Intern și Internațional SRL | Transportation and Energy | Art. 12 (1) GDPR, Art. 58 (1) a), e) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 7,000 on CDI Transport Intern și Internațional SRL. During its investigation, the DPA found that the company’s website did not provide information on what rights data subjects are entitled to under the GDPR and how they can exercise those rights. In addition, the company had failed to provide the DPA with requested information in a timely manner. | link |
1329 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-08 | 600 | Restaurant owner | Accomodation and Hospitalty | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a restaurant owner. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller did not comply with its duty to properly inform about the CCTV. | link |
1330 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2022-08-11 | 6,700 | Lolland municipality | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 6,700 on Lolland municipality. The municipality had reported a data breach to the DPA in accordance with Art. 33 GDPR. One of the municipality's employees had their work phone stolen. The employee used the phone to access their work e-mail account, which contained the names of several citizens, social security numbers and health data. During its investigation, the DPA found that the phone was not protected by a password, so the information stored on the phone could be accessed by whoever held the device. The DPA concluded that the incident had occurred due to the municipality's failure to take sufficient technical and organizational measures to protect personal data. The municipality should at least have ensured that every employee secured their mobile phone with a password. | link |
1331 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-08-09 | 1,000 | Wabag Water Services SRL | Employment | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 1,000 on SC Wabag Water Services SRL. An employee of the company had filed a complaint with the DPA due to the fact that their employer had processed their personal data without their consent for the purpose of registering and booking a Covid-19 vaccination appointment. | link |
1332 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-08 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1333 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-03 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbour property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1334 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-05 | 9,000 | Prodesspa Decoratius i Pintures, S.L. | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Prodesspa Decoratius i Pintures, S.L. A former employee had filed a complaint with the DPA due to the company's unlawful disclosure of their data to a credit reporting agency. The original fine of EUR 15,000 was reduced to EUR 9,000 due to voluntary payment and admission of responsibility. | link |
1335 | GERMANY | Data Protection Authority of Niedersachsen | 2021 | 16,000 | Electronics store | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 17 GDPR, Art. 35 (3) GDPR | Non-compliance with general data processing principles | The DPA from Lower Saxony has imposed a fine of EUR 16,000 on an electronics store. The company had installed a video surveillance system which permanently recorded employees, customers as well as the company’s premises and technical equipment. The CCTV was installed for the purpose of protecting customers, employees, safeguarding the company’s property rights and prosecuting criminal acts and vandalism. The DPA stated that the recording of employees was not necessary to ensure the purposes associated with the CCTV and was therefore disproportionate. The DPA therefore found that the controller violated the principle of data minimization under Art. 5 (1) c) GDPR. The DPA also found that the company stored the recordings excessively long and, in addition, had not conducted a data protection impact assessment. | link |
1336 | GERMANY | Data Protection Authority of Niedersachsen | 2021 | Unknown | Company | Not assigned | Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A company had stored telecommunications hardware, a server and backup technology in a guest bathroom. The server cabinet, which did not have an intact lock, also served as a changing table. | link |
1337 | GERMANY | Data Protection Authority of Niedersachsen | 2021 | Unknown | Unknown | Not assigned | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Live video surveillance which was accessible via the Internet and, due to a lack of sufficient pixelation or redaction, allowed persons to be recognized. | link |
1338 | GERMANY | Data Protection Authority of Niedersachsen | 2021 | Unknown | Unknown | Not assigned | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The camera images of a store were distributed without the knowledge and intention of the controller due to a faulty configuration. The distribution involved recordings of employees as well as customers. | link |
1339 | GERMANY | Data Protection Authority of Saxony | 2021 | Fine amount between EUR 100 and EUR 1,000 | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | Nineteen fines between EUR 100 and EUR 1,000 for unlawful use of a dashcam. | link |
1340 | GERMANY | Data Protection Authority of Saxony | 2021 | Unknown | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | A private individual had installed video surveillance cameras which, among other things, also covered the public space. | link |
1341 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-12 | 180 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 180 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1342 | GERMANY | Data Protection Authority of Saxony | 2021 | Unknown | Private individual | Individuals and Private Associations | Unknown | Unknown | A resident of a residential building had unlawfully made video recordings which, among other things, covered parts of the jointly used inner courtyard. | link |
1343 | GERMANY | Data Protection Authority of Saxony | 2021 | Unknown | Private individual | Individuals and Private Associations | Unknown | Unknown | A private individual had taken secret video recordings during a court hearing with their mobile phone. | link |
1344 | GERMANY | Data Protection Authority of Saxony | 2021 | Unknown | Gym owner | Employment | Unknown | Unknown | The owner of a gym had apologized for the late opening of the gym, but at the same time shifted the responsibility to an employee who was named. As a result, their personal data were unlawfully disclosed. | link |
1345 | GERMANY | Data Protection Authority of Schleswig-Holstein | 2021 | Unknown | Physician | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A physician’s office had disposed of patient records in a waste paper container used by several offices. | link |
1346 | GERMANY | Data Protection Authority of Schleswig-Holstein | 2021 | Unknown | Physician | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A physician had stored patient records in an open carport and not in a locked room. | link |
1347 | GERMANY | Data Protection Authority of Schleswig-Holstein | 2021 | Unknown | Unknown | Health Care | Unknown | Unknown | An employee at a Covid testing center had used a test subject’s phone number to contact them privately. | link |
1348 | GERMANY | Data Protection Authority of Schleswig-Holstein | 2021 | Unknown | Bank employee | Finance, Insurance and Consulting | Unknown | Insufficient legal basis for data processing | An employee of a bank had regularly accessed the bank account data of a bank customer for private purposes over a period of about a year. | link |
1349 | GERMANY | Data Protection Authority of Saarland | 2021 | Unknown | Restaurant | Accomodation and Hospitalty | Art. 24 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A restaurant had disposed of 120 completed guest registration forms for contact tracing purposes during the Covid-19 pandemic in a publicly-accessible dumpster. During its investigation, the DPA also found that already during the restaurant’s operation, the restaurant had not implemented adequate safeguards to protect the data processed during the guest registration process. For example, the completed guest registration forms were kept in an adjoining room accessible to all employees without special security measures, such as a locked cabinet. | link |
1350 | GERMANY | Data Protection Authority of Saarland | 2021 | Unknown | Political organization | Individuals and Private Associations | Unknown | Unknown | An employee of a political organization had sent an e-mail to 400 people in an open distribution list. This not only made the e-mail addresses of all recipients visible to the other recipients but also revealed the political orientation of the recipients. | link |
1351 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-16 | 5,000 | RODALI GESTIÓN INMOBILIARIA, S.L. | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 5,000 on RODALI GESTIÓN INMOBILIARIA, S.L. An individual had filed a complaint with the DPA because the controller had not informed them about the processing of their personal data in the context of an apartment purchase. The DPA therefore found that the controller had violated its information obligations under Art. 13 GDPR. | link |
1352 | ISLE OF MAN | Information Commissioner of Isle of Man | 2022-07-13 | 202,000 | Manx Care Ltd | Health Care | Art. 5 (1) c), f) GDPR, Art. 5 (2) GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 34 GDPR, Art. 58 GDPR | Non-compliance with general data processing principles | The Isle of Man Information Commissioner has imposed a fine of EUR 202,000 on Manx Care Ltd. Manx Care had e-mailed an unsecured attachment containing a patient's confidential health information to more than 1,870 recipients. The DPA had subsequently issued an enforcement notice against Manx Care. However, Manx Care had failed to comply with the DPA's orders, and the DPA therefore decided to impose a fine on the company. The DPA primarily found that the company had failed to implement appropriate technical and organizational measures to protect personal data. The DPA also found that the company had violated the principle of data minimization under Art. 5 (1) c) GDPR by sending the patient's data to persons not involved in the patient's care. Finally, the DPA found that the company had not informed the data subject of the data breach. | link link |
1353 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-16 | 1,000 | Farpa s.r.l. | Health Care | Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 88 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 1,000 on Farpa s.r.l.. The company had installed video surveillance systems in social facilities it operates, however, their specific use was not authorized. The DPA found that the video surveillance system had different features than those approved and was installed in a different position than approved. Also, the DPA found that the company had not sufficiently informed the data subjects (guests and relatives of the facility) about the video surveillance. | link |
1354 | ITALY | Italian Data Protection Authority (Garante) | 2021-04-29 | 2,000 | Santa Ninfa municipality | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 2-ter (1), (3) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 2,000 on the Santa Ninfa municipality. The municipality had published a resolution on its website that contained personal information such as the name of the data subject and references to the enforcement title against them. | link |
1355 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-15 | 3,600 | ECOZONO Y CULTURA, S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on ECOZONO Y CULTURA, S.L. ECOZONO, through a service provider, had collected data from data subjects who had agreed to disclose the data for survey purposes. However, the data was later used to contact the individuals for advertising purposes. The original fine of EUR 6,000 was reduced to EUR 3,600 due to voluntary payment and admission of guilt. | link |
1356 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-12 | 6,000 | FREE SUN ENERGY S.L. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on FREE SUN ENERGY S.L. A customer of the company had filed a complaint with the DPA because, instead of receiving their own invoice, they had received that of another customer containing that customer’s personal data. The original fine of EUR 10,000 was reduced to EUR 6,000 due to voluntary payment and admission of guilt. | link |
1357 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-12 | 1,600 | JOYPAZAR, S.A. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,600 on JOYPAZAR, S.A. The company had installed video surveillance cameras which, among other things, also covered a public playground. The DPA considered this to be a violation of the principle of data minimization. | link |
1358 | SLOVAKIA | Slovak Data Protection Office | 2021 | 500 | Unknown | Not assigned | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Slovak DPA has imposed a fine of EUR 500 on a controller for failing to cooperate with the DPA. | link |
1359 | SLOVAKIA | Slovak Data Protection Office | 2021 | 100 | Unknown | Not assigned | Unknown | Unknown | Unlawful video surveillance in a garden community. | link |
1360 | SLOVAKIA | Slovak Data Protection Office | 2021 | 40,000 | Unknown | Not assigned | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Slovak DPA has imposed a fine of EUR 40,000 on a controller. The controller had violated the principle of accountability (lack of proof that a data protection impact assessment had been carried out) and the principle of fairness and transparency. In addition, the controller had not concluded a contract with the processor. | link |
1361 | FRANCE | French Data Protection Authority (CNIL) | 2022-08-19 | 600,000 | ACCOR SA | Accommodation and Hospitality | Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 32 GDPR, L. 34-5 CPCE | Insufficient fulfilment of data subjects rights | The French DPA (CNIL) has imposed a fine of EUR 600,000 on ACCOR SA. Both CNIL and other European DPAs had received complaints against ACCOR from several individuals. In the course of its investigation, CNIL found that hotel guests who made a booking directly with the hotel or on one of the hotel group’s websites automatically became recipients of an advertising newsletter, as the box for consent to receive the newsletter was pre-ticked. In addition, the CNIL found that, due to technical problems, many individuals were unable to opt out of receiving the promotional emails. In this context, CNIL found that ACCOR had not sufficiently informed data subjects about the processing of their personal data in the context of promotional messages and had thus violated Art. 12 GDPR and Art. 13 GDPR. Further, ACCOR had failed to respond to data subjects’ requests for access to personal data in a timely manner, and thus the CNIL found a violation of Art. 12 GDPR and Art. 15 GDPR. The company had also failed to comply with the data subjects’ right to object because of the technical problems; the CNIL therefore found a violation of Art. 12 GDPR and Art. 21 GDPR. Finally, the CNIL found a violation of Art. 32 GDPR because ACCOR allowed the use of passwords that were not sufficiently secure. In imposing the fine, CNIL considered as aggravating factors that the violations affected several fundamental principles of personal data protection and constituted a fundamental infringement of the rights of the data subjects, as well as the number of data subjects involved. | link link |
1362 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-08-03 | 30,000 | Private Polyclinic and Diagnostic Centre of Pyle Axiou | Health Care | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Hellenic DPA has fined Private Polyclinic and Diagnostic Centre of Pyle Axiou EUR 30,000. A patient had requested access to data from an imaging examination. Due to lack of availability of the images, the clinic could not grant the request for access. The DPA found that the clinic had failed to provide adequate storage facilities for the images and thus violated Art. 5 (1) f) GDPR. | link |
1363 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-07-19 | 20,000 | DO VALUE GREECE LOANS & CREDITS CLAIM MANAGEMENT S.A. | Finance, Insurance and Consulting | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 12 (2) GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has fined DO VALUE GREECE LOANS & CREDITS CLAIM MANAGEMENT S.A. in the amount of EUR 20,000. An individual had filed a complaint with the DPA for receiving numerous calls from the company about debts that had already been settled. The data subject had objected to the processing of their data and demanded that the calls be stopped immediately and that their personal data be deleted from the company’s database. During its investigation, the DPA found that the company had unlawfully obstructed the exercise of the data subject’s rights. | link |
1364 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-22 | 900 | UNONO NET 3.0, S.L. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on UNONO NET 3.0, S.L. The company had forwarded an email to numerous recipients without using the blind copy (BCC) function, making it possible for all recipients to see the email addresses of the other recipients. The original fine of EUR 1,500 was reduced to EUR 900 due to voluntary payment and admission of responsibility. | link |
1365 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-22 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1366 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-12 | 800 | SMART ELECTRIC SOLUTIONS, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 800 on SMART ELECTRIC SOLUTIONS, S.L. The company had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1367 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-07 | 1,800 | FINCAS ARENYS SL | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on FINCAS ARENYS SL. An individual had filed a complaint with the DPA. The individual had contacted the real estate company in order to rent a property. In doing so, the company had requested certain documents for the rental without, however, informing the data subject about the processing of their personal data as part of the rental process. The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and admission of responsibility. | link |
1368 | ITALY | Italian Data Protection Authority (Garante) | 2022-06-09 | 10,000 | Cribis Credit Management s.r.l. | Finance, Insurance and Consulting | Art. 5 (1) a), c) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Italian DPA has fined Cribis Credit Management s.r.l. EUR 10,000. The company had inadvertently sent an e-mail about late payments on a subscription to the data subject’s superior. This allowed the superior to gain access to their employee’s personal data, such as name, surname and payment status information. | link |
1369 | ITALY | Italian Data Protection Authority (Garante) | 2022-06-16 | 70,000 | Unicredit S.p.A. | Employment | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has fined Unicredit S.p.A. EUR 70,000. An employee had filed a complaint with the DPA claiming that their right to access their personal data had not been sufficiently respected. The company required a specific form to be filled out in order to gain access to personal data. During its investigation, the DPA found that the requirement to fill out the form made it disproportionately difficult to exercise the right of access. | link |
1370 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-08-22 | 10,000 | Enel Energie Muntenia S.A. | Transportation and Energy | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has fined Enel Energie Muntenia S.A. EUR 10,000. A customer had mistakenly received an email addressed to another customer containing documents with personal data of the other customer. In the course of its investigation, the DPA found that the incident had occurred due to the company’s failure to take adequate technical and organizational measures to protect personal data. | link |
1371 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-07-07 | 4,000 | E Software Concept SRL | Industry and Commerce | Art. 32 (1) b), (2) GDPR, Art. 58 (1) a), e) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 4,000 on E Software Concept SRL. The company had uploaded certain documents on its website that were publicly accessible. Among other things, the documents included invoices and transport documents. These documents contained numerous personal data such as name, surname, sender and recipient address, telephone number, user names and passwords as well as e-mail addresses. During its investigation, the DPA found that the public disclosure had occurred as a result of the company’s failure to implement adequate technical and organizational measures to protect personal data. The DPA also found that the company had failed to comply with requests for information from the DPA during the investigation. | link |
1372 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-30 | 2,000 | Sindicato Intersectorial Trabajadores/as Provincia de Alicante | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 2,000 on the Sindicato Intersectorial Trabajadores/as Provincia de Alicante union. The union had published the minutes of a works council on its bulletin board and in a WhatsApp group. As a result, the handwritten signatures of all union representatives on the works council were published. | link |
1373 | IRELAND | Data Protection Authority of Ireland | 2022-09-05 | 405,000,000 | Meta Platforms, Inc. | Media, Telecoms and Broadcasting | Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 24 GDPR, Art. 25 (1), (2) GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Irish DPA (DPC) has imposed a fine of EUR 405,000,000 on Meta Platforms, Inc. (Instagram). Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to the other European supervisory authorities concerned. The initial draft proposed a fine of EUR 30-50 million. The DPC subsequently received objections from six supervisory authorities, which led to a dispute resolution procedure at the European Data Protection Board (EDPB) in Brussels. In its decision, the EDPB requested the DPC to increase the proposed fine. The DPC’s investigation revealed that on Instagram business accounts of minors, their cell phone numbers and email addresses were publicly displayed. In addition, the settings for the underage users’ accounts were set to ‘public’ by default, making their social media content publicly viewable unless they changed the account settings. The breach potentially affects millions of teenagers. | link link |
1374 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-25 | 480 | SERVICIOS PROFESIONALES LA PARADA S.L. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on SERVICIOS PROFESIONALES LA PARADA S.L. The company had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 800 was reduced to EUR 480 due to voluntary payment and admission of responsibility. | link |
1375 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-30 | 3,000 | COLEGIO VILLAEUROPA, S.C.L | Public Sector and Education | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on COLEGIO VILLAEUROPA, S.C.L. The school did not provide sufficient information on its video surveillance, as required by Art. 13 GDPR. The information sign contained neither a reference to the data controller nor a contact address for anyone wishing to exercise their data subject rights. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and admission of responsibility. | link |
1376 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-28 | 1,200 | DIGITECNIA SOLUTIONS, S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on DIGITECNIA SOLUTIONS, S.L. An individual had filed a complaint with the DPA because the company had published a picture of them without their permission. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility. | link |
1377 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-08-29 | 1,000 | Alpha Bank Romania SA | Finance, Insurance and Consulting | Art. 29 GDPR, Art. 32 (1) b) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on Alpha Bank Romania SA. The bank had accidentally sent a document to the wrong recipient via WhatsApp. The document contained personal data of four data subjects, such as first and last names and information on loans and contracts. During its investigation, the DPA found that the bank had failed to implement sufficient technical and organizational measures to protect personal data. | link |
1378 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-30 | 1,700 | Bazar Pekin | Industry and Commerce | Art. 13 GDPR, Art. 30 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 1,700 on Bazar Pekin. The controller had failed to provide a notice with information about video surveillance in its premises. In addition, the controller failed to keep a proper register of processing activities. | link |
1379 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-01 | 240 | MH VILASECA S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on MH VILASECA S.L. The controller had failed to provide a notice with information about video surveillance on its premises. The original fine of EUR 400 was reduced to EUR 240 due to voluntary payment and admission of responsibility. | link |
1380 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2022-08-25 | 20,000 | Recover AS | Industry and Commerce | Art. 6 (1) e) GDPR | Insufficient legal basis for data processing | The Norwegian DPA (Datatilsynet) has fined Recover AS EUR 20,000. The controller had carried out a credit check on the data subject without any valid legal basis for doing so. | link |
1381 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-13 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The private individual had installed three video surveillance cameras on his property which, among other things, also covered the access road of a neighbor. | link |
1382 | FRANCE | French Data Protection Authority (CNIL) | 2022-09-13 | 250,000 | GIE INFOGREFFE | Public Sector and Education | Art. 5 (1) e) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The French DPA has imposed a fine of EUR 250,000 on GIE INFOGREFFE. The portal operates a website where people can access legal information about companies and order documents certified by the commercial courts. As part of its investigation, the DPA found that the personal data of 25% of members and subscribers, such as bank details, surnames, first names, addresses and telephone numbers, were kept for longer than intended (36 months). The DPA considered this to be a violation of Art. 5 (1) e) GDPR. In addition, the DPA found that the portal did not require the use of a secure password when creating an account, resulting in 3.7 million accounts not having a sufficiently secure password. Furthermore, the portal transmitted passwords that allowed access to accounts unencrypted via email. The portal also stored, without encryption, the passwords and the secret questions and answers used by users during the password reset process in a database. For this reason, the DPA found that the portal had failed to implement adequate technical and organizational measures to protect personal data. | link link |
1383 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-13 | 2,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1384 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-09 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. | link |
1385 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-09-09 | 2,000 | SC Raiffeisen Bank SA | Finance, Insurance and Consulting | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 2,000 on SC Raiffeisen Bank SA. An individual had filed a complaint with the DPA for receiving text messages about money transfers to certain persons that they had not made. During its investigation, the DPA found that the bank had mistakenly used the telephone number of the data subject for transaction purposes in 44 cases. The data subject was not a customer of the bank and had not requested the transactions. | link |
1386 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-09 | 180 | EURO DONER KEBAB | Accommodation and Hospitality | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on EURO DONER KEBAB. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1387 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-06 | 20,000 | MUXERS CONCEPT, S.L. | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined MUXERS CONCEPT, S.L. EUR 20,000. The company had installed video surveillance cameras and microphones in the employee changing room in one of the restaurants it operates. The DPA found that there was no legal basis for such extensive processing of the employees’ personal data and that the processing was therefore unlawful. | link |
1388 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-04 | 360 | Store owner | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on a store owner. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 600 was reduced to EUR 360 due to voluntary payment and admission of responsibility. | link |
1389 | ITALY | Italian Data Protection Authority (Garante) | 2022-06-30 | 5,000 | Federazione Italiana Sommelier, Albergatori e Ristoratori | Individuals and Private Associations | Art. 5 (1) a), f) GDPR, Art. 6 (1) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 5,000 on Federazione Italiana Sommelier, Albergatori e Ristoratori. The federation had sent minutes containing personal data of a member to all other members. The minutes revealed information about a disciplinary measure against the member concerned, although the measure was not yet legally binding and was later revoked. In addition, the disciplinary measure continued to be published on a cloud platform even after it had been revoked. | link |
1390 | ITALY | Italian Data Protection Authority (Garante) | 2022-06-16 | 2,000 | Federazione Italiana Nuoto | Individuals and Private Associations | Art. 12 (3), (4) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA (Garante) fined Federazione Italiana Nuoto EUR 2,000 for failing to respond to the data subject’s request for access to their data in a timely manner. | link |
1391 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-16 | 480 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment. | link |
1392 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-16 | 10,000 | SOPHIE ET VOILA, S.L | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on SOPHIE ET VOILA, S.L. The wedding dress company had published a picture of a customer in a wedding dress on its Instagram account without the customer’s consent. For this reason, the DPA determined that the processing of the customer’s personal data was unlawful. | link |
1393 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-09-08 | 8,000 | Realmedia Network SA | Media, Telecoms and Broadcasting | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has fined Realmedia Network SA EUR 8,000. The company had suffered security breaches on a website it operates, which allowed unauthorized access to and leakage of personal data. The data involved included surnames, first names, telephone numbers, e-mail addresses, postal addresses, signatures, copies of ID cards, bank data and information from land register extracts of the data subjects. A total of 194,309 people were affected by the security incident. The DPA found that the company had failed to take adequate technical and organizational measures to ensure a level of data security appropriate to the processing risk. | link |
1394 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-28 | 48,000 | NATURGY ENERGY GROUP, S.A. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on NATURGY ENERGY GROUP, S.A. A person had contacted the energy company pretending to be a relative of a customer. The person requested that electricity bills be sent to a new email address. To verify their identity, the person had to provide the customer’s name, address, ID number, contract number and the last 4 digits of the bank account details. However, the DPA found that this verification did not comply with the requirements of the GDPR for identity verification and considered it to be a violation of Art. 5 (1) f) GDPR and Art. 32 GDPR. The original fine of EUR 80,000 was reduced to EUR 48,000 due to voluntary payment and admission of responsibility. | link |
1395 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-08-28 | 5,600 | SOLIVESA MASTER FRANCHISE S.L. | Media, Telecoms and Broadcasting | Art. 28 GDPR, Art. 48 (1) b) LGT | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 5,600 on SOLIVESA MASTER FRANCHISE S.L. The data subject had received an advertising call from the controller made on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. | link |
1396 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-04 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,500 on a private individual. The data subject had filed a complaint against his ex-wife with the DPA. The ex-wife had installed video surveillance cameras in the jointly occupied house, which also recorded his living areas and thus interfered with his privacy. The DPA considered this to be a violation of the principle of data minimization. | link |
1397 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-07-15 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the access road shared with the neighbours. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1398 | GERMANY | Data Protection Authority of Berlin | 2022-09-20 | 525,000 | Company | Industry and Commerce | Art. 38 (6) GDPR | Insufficient involvement of data protection officer | The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group. The company had appointed a data protection officer who, however, was also the managing director of two service companies that processed personal data on behalf of the very same company for which they acted as data protection officer. These service companies are also part of the group to which the e-commerce company belongs. The DPA considered this to be a conflict of interest and found a violation of Art. 38 (6) GDPR. The DPA had already issued a warning to the company in 2021 due to the conflict of interest. When a new inspection this year revealed that no new data protection officer had been appointed, the DPA imposed the fine. | link |
1399 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2022-09-21 | 50,000 | Property development company | Real Estate | Art. 6 (1) GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | The DPA of Baden-Württemberg has imposed a fine of EUR 50,000 on a property development company. The company had sent a letter to a property owner in which it made a purchase price offer for their property. The letter did not contain any information on the origin of the data. Even after the owner asked the company where the data had been obtained, the company did not reply. In the course of its investigation, the DPA discovered that a surveyor had made use of his authority to inspect the electronic land register and, in two cases, had identified several hundred property owners without their knowledge. Subsequently, the surveyor had passed the relevant information to the company, which contacted the property owners. The DPA considered this to be, on the one hand, a violation of Art. 6 (1) GDPR and, on the other hand, a violation of Art. 14 GDPR due to the lack of information on the origin of the data. | link |
1400 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-16 | 3,000 | MARIELI GABRIELA, S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 3,000 on MARIELI GABRIELA, S.L. A person had filed a complaint with the DPA because the company had debited their bank account even though there was no contractual relationship. | link |
1401 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-16 | 2,000 | Agent of the real estate agency BARCELONA DREAM HOUSE AGENCY | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 2,000 on an agent of the real estate agency BARCELONA DREAM HOUSE AGENCY. An individual had filed a complaint with the DPA because the real estate agent had not sufficiently informed them about the processing of their personal data in the context of the conclusion of a rental agreement. For example, information on the purpose of the processing as well as on the controller was missing. | link |
1402 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-20 | 1,800 | Union Sindical Obrera | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on the trade union Union Sindical Obrera. An individual had filed a complaint with the DPA for repeatedly receiving emails from the controller despite having requested that their data be deleted. The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and admission of guilt. | link |
1403 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-09-19 | 2,000 | Banca Comercială Română SA | Finance, Insurance and Consulting | Art. 25 (1) GDPR, Art. 32 (1) b), d), e) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on Banca Comercială Română SA. The bank had notified the DPA of a data breach pursuant to Art. 33 GDPR. Due to an error in the IT application of the controller, emails containing personal data of customers were sent to the wrong recipients. The DPA found that the bank had failed to take appropriate technical and organizational measures to ensure a level of security commensurate with the processing risk. | link |
1404 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-23 | 3,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1405 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-09-07 | 530 | Sułkowice Cultural Center | Individuals and Private Associations | Art. 28 (1), (3), (9) GDPR | Insufficient data processing agreement | The Polish DPA has imposed a fine of EUR 530 on the Sułkowice Cultural Center. During its investigation, the DPA found that the controller had transferred the processing of personal data to a processor without concluding a written data processing agreement. | link |
1406 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-08-08 | 735 | Company | Industry and Commerce | Art. 5 (1) b), c) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1), (2) GDPR | Non-compliance with general data processing principles | The Hungarian DPA has imposed a fine of EUR 735 on a company. An individual had filed a complaint against the company with the DPA. An employee of the company had made sound recordings with a mobile phone during repair work at the complainant’s home without informing the complainant. | link |
1407 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-09-25 | 1,200 | Health insurance provider | Health Care | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 12 (3), (4) GDPR, Art. 31 GDPR | Non-compliance with general data processing principles | The Hungarian DPA has imposed a fine of EUR 1,200 on a health insurance provider. The insurer had published the result of a Covid-19 test of the data subject on its website. This would have allowed unauthorized persons to access the personal data of the data subject. In addition, the insurer had not adequately cooperated with the agency during the DPA’s investigation. | link |
1408 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2022-09-21 | 5,000 | Surveyor | Real Estate | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The DPA of Baden-Württemberg has imposed a fine of EUR 5,000 on a surveyor. The surveyor had used his authority to inspect the electronic land register to identify several hundred property owners in two cases without their knowledge and had passed on the relevant information to a property developer. The latter in turn contacted the identified owners. The DPA determined that both the surveyor and the developer had unlawfully processed the data of the property owners. | link |
1409 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-09-22 | 2,000 | Bitfactor SRL | Finance, Insurance and Consulting | Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on Bitfactor SRL. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. Due to a malfunction of an application of the controller, marketing messages were sent to users of the website, resulting in a breach of confidentiality of the personal data concerning 1757 data subjects. During its investigation, the DPA found that the controller did not take adequate technical and organizational measures to protect the personal data of the data subjects. | link |
1410 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-28 | 180 | Y OTRO MAS C.B. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on Y OTRO MAS C.B.. The controller had installed a video surveillance system in a residential complex. During its investigation, the DPA found that the information sign about the video surveillance did not contain sufficient information about the processing of personal data, the controller and the exercise of data subject rights. The DPA considered this to be a violation of Art. 13 GDPR. The original fine of EUR 300 was reduced to EUR 180 due to admission of responsibility and voluntary payment. | link |
1411 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-28 | 720 | CLUB NATACIO LLEIDA | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CLUB NATACIO LLEIDA. The controller had installed a video surveillance system that recorded the cashier areas of the facility. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 1,200 was reduced to EUR 720 due to voluntary payment and admission of guilt. | link |
1412 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2022-09-12 | 6,700 | Hørsholm municipality | Public Sector and Education | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 6,700 on Hørsholm municipality. The municipality had reported a data breach to the DPA pursuant to Art. 33 GDPR. An employee’s work computer, which contained sensitive and confidential information about approximately 1,600 municipality employees, had been stolen. During its investigation, the DPA determined that the data on the computer was not adequately secured and that the municipality had failed to take appropriate technical measures to protect personal data. | link |
1413 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-28 | 2,000 | Auto Hi-Fi System S.n.c | Industry and Commerce | Art. 5 (1) a), c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Auto Hi-Fi System S.n.c in the amount of EUR 2,000. The controller had installed a video surveillance system that covered not only the public road but also a private property. The DPA considered this a violation of the principle of data minimization. Also, the controller had not posted a sign with information about the video surveillance. The DPA considered this to be a violation of Art. 13 GDPR. | link |
1414 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-21 | 2,000 | Global Service s.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined Global Service s.r.l. EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR. | link |
1415 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-21 | 10,000 | Stay over s.r.l. | Industry and Commerce | Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 114 Codice della privacy | Insufficient fulfilment of data subjects rights | The Italian DPA has fined Stay Over s.r.l. EUR 10,000. A former employee had filed a complaint with the DPA. The company had failed to respond to a request for access to personal data in a timely manner. In addition, the company had continued to process data from the employee’s e-mail inbox after termination of the employment relationship without the employee’s consent. | link |
1416 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-21 | 3,000 | Azienda Socio Sanitaria Territoriale Rhodense | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has fined Azienda Socio Sanitaria Territoriale Rhodense EUR 3,000. The healthcare facility had reported the loss of a patient’s medical record. The file contained personal data such as surname, first name, gender, date and place of birth, tax number, place of residence, telephone numbers of the data subject. The DPA determined that the incident was caused by a lack of technical and organizational measures to protect personal data at the healthcare facility. | link |
1417 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-28 | 31,200 | BAYARD REVISTAS, S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on Bayard Revistas S.A.. Unauthorized persons had accessed the Bayard database and thus unauthorizedly siphoned off location and contact data of users of the database. Approximately 470,000 users were affected by the incident. The DPA’s investigation determined that a vulnerability in the controller’s systems allowed the incident to occur. The original fine of EUR 52,000 was reduced to EUR 31,200 due to voluntary payment and admission of guilt. | link |
1418 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2021 | Unknown | Private individual | Individuals and Private Associations | Art. 5 (1) a), c) GDPR | Non-compliance with general data processing principles | The Austrian DPA has fined a private individual. The individual had installed a video surveillance system which, among other things, also recorded the public space and stored the images excessively long. | link |
1419 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2021 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 9 (1), (2) GDPR | Non-compliance with general data processing principles | The Austrian DPA imposed a fine of EUR 600 on a private individual. The individual had contacted a public institution to draw their attention to the fact that the statement of a kindergarten teacher that she was 50% disabled did not correspond to reality. For this purpose, the person submitted a court report that contained health-related data of the data subject. In the course of its investigation, the DPA found that the transmission of the court report constituted an unlawful processing of the kindergarten teacher’s personal data. | link |
1420 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2021-08-17 | 20,100 | Danish Immigration Agency | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 20,100 on the Danish Immigration Agency. Media reports brought the DPA’s attention to possible logging errors in one of the agency’s IT systems, which could have an impact on the rights and freedoms of residents. The DPA consequently started an investigation at the agency. In spring and summer 2020, several security incidents occurred in the agency’s systems, resulting in the loss of data records. The loss of data led to proceedings being initiated against a number of residents regarding the reduction of their cash benefits, and a number of residents being reported to the police for non-compliance with the provisions of the Foreigners Act. During its investigation, the DPA found that a lack of technical and organizational measures allowed the incident to occur. For instance, the agency had not made adequate backups of the data processed, although this would have been necessary in view of the legal consequences a loss of the data could mean for the immigrants. | link |
1421 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-04 | 6,000 | Club Náutico el Estacio | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on Club Náutico el Estacio. A data subject filed a complaint against the controller with the AEPD. The complaint is based on the fact that the controller has published the announcement and the record of the club’s ordinary meeting on its website, disclosing personal data without access restrictions. | link |
1422 | UNITED KINGDOM | Information Commissioner (ICO) | 2022-10-04 | 1,547,000 | Easylife Ltd. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 (1) c) GDPR, Regulation 21 PECR | Insufficient legal basis for data processing | The UK DPA has imposed a fine of EUR 1,547,000 on Easylife Ltd. Easylife is a retailer that sells household items as well as services and products under its health, motor, supercard and garden clubs. When purchasing certain products, the company made assumptions about the customer’s health condition, whereupon the customer was then offered further products for purchase by phone or SMS that were related to their health condition. Of the 122 products in Easylife’s Health Club catalog, 80 items were classified as ‘trigger products.’ Once customers purchased these products, Easylife created a profile of them in order to target them with a health-related item. During its investigation, the DPA found that the company collected and used the personal data (health data) of a total of 145,500 data subjects without their consent or even knowledge. The DPA found that this ‘invisible’ processing of the personal data constituted a serious violation of the data subjects’ rights, as they were not able to exercise their privacy and data protection rights at all due to lack of knowledge of the processing. In addition, the company had made 1,345,732 unsolicited marketing calls to individuals without their consent to the calls. The DPA considered this a violation of the PECR. | link link |
1423 | ITALY | Italian Data Protection Authority (Garante) | 2022-09-15 | 100,000 | Lazio Region | Health Care | Art. 5 (1) a), d) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 24 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 100,000 on Lazio Region. An individual had filed a complaint with the DPA because she had received an invitation from the regional health authority to participate in the cervical cancer screening program that was addressed to her daughter, who died in 1995. During its investigation, the DPA discovered that the daughter’s data was still in the region’s database even though she had already died. As the owner of the data, the Region should have ensured that the personal information was accurate and updated as necessary, and taken all reasonable steps to delete or correct the information it used in a timely manner. In addition to the above, the Garante also found that the Region had not properly provided data subjects with the required information about the processing of their personal data when sending out the invitation letters for a cervical cancer screening campaign. In imposing the fine, the DPA took into account, as an aggravating factor, that the Region had already received a fine. | link link |
1424 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-07 | 45,000 | Senseonics Inc. | Health Care | Art. 5 (1) a), b), f) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 27 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 45,000 on Senseonics Inc. The company had reported a data breach to the DPA pursuant to Art. 33 GDPR, involving an employee accidentally sending an information campaign by email to a large number of recipients in an open distribution list. This made it possible for all recipients to view the email addresses of the other recipients. The recipients of the e-mails were diabetic patients, making it possible to obtain information about the health status of the data subjects via the e-mails. In the course of its investigation, the DPA also identified other privacy violations involving the glucose monitoring system produced by the company. By downloading the monitoring app, users were required to accept both the contractual terms of use and the content of the privacy policy with a single ‘click.’ This did not allow them to separately give their consent to the individual processing operations, including the processing of health data. Further, the DPA found that the company had violated the principles of fairness and transparency by providing users with confusing and sometimes erroneous information regarding the processing of personal data. In addition, the company failed to designate its representative in the European Union as the contact person for all data protection issues. | link link |
1425 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-09 | 4,000 | PUNTO BADAL-BCN S.L. | Real Estate | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on the real estate agency PUNTO BADAL-BCN S.L.. The controller had sent marketing e-mails to several people in an open distribution list, making the email addresses of all recipients visible to the other recipients. The original fine of EUR 5,000 was reduced to EUR 4,000 due to voluntary payment. | link |
1426 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-09 | 24,000 | CAJA DE SEGUROS REUNIDOS, COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on CAJA DE SEGUROS REUNIDOS, COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.. A data subject filed a complaint with the DPA. The data subject had taken out an insurance policy with the controller, the beneficiary of which was his ex-life partner at the time. After the separation, the ex-life partner asked the controller to change the debit entry for the premium from the data subject’s account to her account. The controller carried out this change without the consent of the data subject. The DPA considered this to be an unlawful change to the personal data of the data subject. The original fine of EUR 40,000 was reduced to EUR 24,000 due to voluntary payment and admission of responsibility. | link |
1427 | ESTONIA | Estonian Data Protection Authority (AKI) | 2020-08-17 | 56 | Health care worker | Health Care | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Access to personal data in a health database for private research activities. | link |
1428 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2022-05-03 | 10,600 | HEI – Medical Travel | Health Care | Art. 15 (1), (3) GDPR, Art. 9 (1) Act 90/2018, Art. 17 (2) Act 90/2018 | Insufficient fulfilment of data subjects rights | The Icelandic DPA has imposed a fine of EUR 10,600 on HEI – Medical Travel. A data subject had filed a complaint with the DPA against the controller. The controller had gained access to the data subject’s email via the Icelandic Medical Association’s internal website and had then sent them unsolicited emails. The DPA found that such access was unlawful due to the lack of a valid legal basis. In addition, the data subject had asked the controller for information about the processing of their personal data, such as the origin of the e-mail address. The controller did not properly comply with this request. | link |
1429 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-09 | 900 | Private individual | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on a private individual. The individual unauthorizedly sent e-mails with personal data to several recipients in an open distribution list. This made it possible for the recipients to view the e-mail addresses of all other recipients. The original fine of EUR 1,200 was reduced to EUR 900 due to voluntary payment and admission of responsibility. | link |
1430 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-09 | 800 | Company | Not assigned | Art. 6 (1) e) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 800 on a company. The controller had installed video surveillance cameras without obtaining authorization for the installation. In addition, the controller failed to provide signs regarding the CCTV with the contact details of the data controller. | link |
1431 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-09 | 6,000 | UNION DE OFICIALES DE LA GUARDIA CIVIL PROFESIONAL | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 6,000 on the association UNION DE OFICIALES DE LA GUARDIA CIVIL PROFESIONAL. A person had filed a complaint with the DPA because the controller had contacted them without them being a member of the association or otherwise having given their permission to be contacted. | link |
1432 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-09 | 64,000 | EVERIS SPAIN S.L | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on EVERIS SPAIN S.L.. Everis had published information on sold data of users of an insurance company as well as records with personal data of Spanish customers of the insurance company. The DPA considered this a violation of the confidentiality of the data. The DPA also found that the unlawful publication of the data had been possible due to, among other things, a lack of technical and organizational measures to protect personal data at the time of the data breach. The original fine of EUR 80,000 was reduced to EUR 64,000 due to voluntary payment. | link |
1433 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-04 | 600 | Homeowners Association | Real Estate | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 600 on a homeowners’ association. The controller had installed a video surveillance system that recorded both images and sound. During its investigation, the DPA found that the video surveillance system recorded, among other things, parts of the common area. The DPA considered this to be a violation of the principle of data minimization. In addition, the DPA found that the controller did not sufficiently comply with its information obligations under Art. 13 GDPR regarding the video surveillance. | link |
1434 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-10-03 | 150 | Website operator | Individuals and Private Associations | Art. 5 (1) a), f) GDPR, Art. 6 (1) a) GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 150 on a website operator. The controller had published unauthorized personal data such as telephone number, ID number and series, e-mail address, bank details and marital status of 383 natural persons. | link |
1435 | ITALY | Italian Data Protection Authority (Garante) | 2022-09-01 | 4,000 | Liceo Statale ‘Edoardo Amaldi’ | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 4,000 on the school ‘Edoardo Amaldi’. The school had published a circular on the school website about the summer vacations which contained the exact vacation dates of the school staff. | link |
1436 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-09-21 | 5,000 | Curtea Veche Publishing SRL | Media, Telecoms and Broadcasting | Art. 32 (1) b), c) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 5,000 on Curtea Veche Publishing SRL. The controller had reported two data breaches to the DPA pursuant to Art. 33 GDPR. In the first data breach, the controller had inadvertently published a file containing the customer database in a public forum. The second data breach concerned a ransomware attack that resulted in unauthorized access and loss of integrity as well as availability of personal data of about 100 data subjects. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. This failure to implement protective measures permitted the data breaches to occur. | link |
1437 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-09-06 | 5,000 | EDYTE SA | Industry and Commerce | Art. 29 GDPR | Insufficient legal basis for data processing | The Hellenic DPA has imposed a fine of EUR 5,000 on EDYTE SA. EDYTE, as a processor, had unlawfully disclosed personal data to third parties without the authorization of the data controller. | link |
1438 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-08-19 | 20,000 | Medical laboratory | Health Care | Art. 5 (1) f) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 32 GDPR, Art. 35 (1), (3) GDPR | Insufficient technical and organisational measures to ensure information security | The Belgian DPA imposed a fine of EUR 20,000 on a medical laboratory. During its investigation, the DPA found that the laboratory had failed to conduct a data protection impact assessment and thus violated Art. 35 GDPR. In addition, the laboratory had violated Art. 5 (1) f) GDPR and Art. 32 GDPR, as it was possible for physicians to view patients’ personal data on the website without encryption. Finally, the DPA found that the laboratory had not published a privacy statement on its website, in violation of Art. 12 GDPR, Art. 13 GDPR and Art. 14 GDPR. | link |
1439 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-08-08 | 5,000 | IDIKA SA | Industry and Commerce | Art. 5 (1) e) GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has imposed a fine of EUR 10,000 on IDIKA SA. IDIKA was operating in the context of providing free COVID-19 tests. The DPA found that IDIKA, in the course of its processing activities, did not sufficiently inform data subjects about the processing of their personal data. In addition, IDIKA stored personal data longer than necessary and had failed to implement sufficient technical and organizational measures to protect personal data. | link |
1440 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-10-05 | 72,500 | Bank | Finance, Insurance and Consulting | Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR | Insufficient legal basis for data processing | The Hungarian DPA has imposed a fine of EUR 72,500 on a bank. An individual had filed a complaint with the DPA. The bank had conducted a credit check on the individual based on a credit application. However, the bank later conducted a second credit check, although the individual had not requested a new credit offer. The DPA therefore found that this second credit check was carried out unlawfully due to the lack of a legal basis. | link |
1441 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-14 | 12,000 | SEAN SERIOS S.L. | Public Sector and Education | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 12,000 on SEAN SERIOS S.L. The controller had published the results of a selection procedure on a website. This included, among other things, personal data of the participants, such as surname, first name and score in the selection process. In the course of its investigation, the DPA found that the controller did not have a sufficient legal basis for publishing the data. | link |
1442 | ITALY | Italian Data Protection Authority (Garante) | 2022-08-05 | 20,000 | Cosmopol Security S.p.A. | Industry and Commerce | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has fined Cosmopol Security S.p.A. EUR 20,000. An individual had filed a complaint with the DPA against the controller. The individual had received invoices without ever having had a contractual relationship with the company. Therefore, the data subject requested information on the origin of their personal data. However, the controller did not respond to the data subject’s request for information in a timely manner. | link |
1443 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-07-08 | 1,500 | Physician | Health Care | Art. 5 (1) GDPR, Art. 12 (2) GDPR, Art. 13 (1) GDPR | Insufficient fulfilment of data subjects rights | The Hungarian DPA has imposed a fine of EUR 1,500 on a physician. A patient had asked the doctor to send her complete medical records, such as imaging records as well as consent forms regarding her maternity care. However, the physician had not complied with this request. | link |
1444 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-17 | 180 | INMUR JOYEROS, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on INMUR JOYEROS, S.L.. The controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1445 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-07 | 20,000 | Intesa Sanpaolo Vita S.p.a. | Finance, Insurance and Consulting | Art. 5 (1) a), f) GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Intesa Sanpaolo Vita S.p.a. EUR 20,000. The data subject, who had taken out a life insurance policy with the controller, had filed a complaint with the DPA against the controller for the unauthorized disclosure of their personal data. In the course of its investigation, the DPA found that the controller had disclosed personal data, such as first name, last name and information about the policy, to third parties without authorization. The unauthorized disclosure had occurred due to an employee’s error. | link |
1446 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-19 | 5,000 | RESTEXPERIENCE, S.L. | Accomodation and Hospitalty | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined RESTEXPERIENCE, S.L. EUR 5,000. The controller had accidentally sent an email containing tax information of 36 individuals to 11 unauthorized individuals. The DPA considered this to be a breach of the principle of integrity and confidentiality. It also found that the company had failed to implement appropriate technical and organizational measures to protect personal data. | link |
1447 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-17 | 500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 500. The individual had installed video surveillance cameras on their property which covered, among other things, the public space and a neighboring property. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization. | link |
1448 | FRANCE | French Data Protection Authority (CNIL) | 2022-10-17 | 20,000,000 | Clearview AI Inc. | Industry and Commerce | Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 31 GDPR | Insufficient fulfilment of data subjects rights | The French DPA has fined Clearview AI Inc. EUR 20,000,000. The company holds a database of more than 20 billion facial images (including those of French residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals’ profiles can be enriched with information associated with those images, such as image tags and geolocation. In the course of its investigation the DPA found that the personal data contained in the company’s database had been processed unlawfully and without a valid legal basis. In addition, the DPA found that Clearview AI restricted the exercise of data subjects’ rights. Finally, the DPA criticized the lack of cooperation by Clearview AI: the company did not respond to investigation forms at all or only very incompletely. | link link |
1449 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-10-18 | 2,000 | SC Materiale Constructii Online SRL | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA (ANSPDCP) has fined SC Materiale Constructii Online SRL EUR 2,000 for failing to provide information requested by the DPA during an investigation. | link |
1450 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-10-18 | 150 | Private individual | Individuals and Private Associations | Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 150 on a private individual. The individual had made unauthorized use of another person’s personal data without their consent. | link |
1451 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-17 | 6,000 | Company | Not assigned | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 6,000 on a company. The data controller had installed video surveillance cameras which also recorded sound. However, the DPA found that the controller did not have a sufficient legal basis for the surveillance and the recordings therefore had been obtained unlawfully. | link |
1452 | ITALY | Italian Data Protection Authority (Garante) | 2022-09-15 | 2,000 | Immobiliare Riscostruzione Meloria s.r.l. | Real Estate | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has imposed a fine of EUR 2,000 on Immobiliare Riscostruzione Meloria s.r.l.. The controller had installed a video surveillance system at its office which covered parts of a common entrance to the building and thus also recorded residents of the building. During its investigation, the DPA found that the information sign regarding the video surveillance did not contain sufficient information on the purpose of the processing of personal data and the contact details of the data controller. | link |
1453 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-09-22 | 3,000 | Gas station | Industry and Commerce | Art. 12 GDPR, Art. 14 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 3,000 on a gas station operator. A person had filed a complaint with the DPA due to the controller’s failure to grant them access to images of their minor child recorded by the video surveillance system in the gas station. The DPA considered this to be a violation of Art. 12 GDPR. In addition, the operator had shared the images from the video surveillance system with the police in the course of a police investigation without informing the parent. The DPA found that failure to inform the parent constituted a violation of Art. 14 GDPR. | link |
1454 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-09-09 | 15,000 | School | Public Sector and Education | Art. 5 (1) a), b) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 30 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has fined a school EUR 15,000. The school had installed several video surveillance cameras on the building, which permanently recorded students, teachers and visitors. During its investigation, the DPA found that the school did not have a sufficient legal basis for the video surveillance. In view of the extensive video surveillance and the resulting restriction of the personal rights of the data subjects, the school could not rely on a legitimate interest (protection of property). In addition, the DPA found that the controller had violated its duty to inform by informing teachers and parents only verbally and incompletely about the video surveillance system. | link |
1455 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-10-03 | 20,000 | ALFA BANK S.A. | Finance, Insurance and Consulting | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Hellenic DPA has imposed a fine of EUR 20,000 on ALFA BANK S.A.. In the context of the use of certain debit/credit cards, information on the last 10 transactions was stored on the chip of the card without the customers’ explicit consent. This information could be read out later. The DPA found that the bank had failed to inform affected customers about this storage of transaction information and therefore violated Art. 13 GDPR. | link |
1456 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-10-03 | 20,000 | EUROBANK ERGASIAS S.A. | Finance, Insurance and Consulting | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Hellenic DPA has imposed a fine of EUR 20,000 on EUROBANK ERGASIAS S.A.. In the context of the use of certain debit/credit cards, information on the last 10 transactions was stored on the chip of the card without the customers’ explicit consent. This information could be read out later. The DPA found that the bank had failed to inform affected customers about this storage of transaction information and therefore violated Art. 13 GDPR. | link |
1457 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-10-03 | 20,000 | PIRAEUS BANK S.A. | Finance, Insurance and Consulting | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Hellenic DPA has imposed a fine of EUR 20,000 on PIRAEUS BANK S.A.. In the context of the use of certain debit/credit cards, information on the last 10 transactions was stored on the chip of the card without the customers’ explicit consent. This information could be read out later. The DPA found that the bank had failed to inform affected customers about this storage of transaction information and therefore violated Art. 13 GDPR. | link |
1458 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-10-03 | 20,000 | NATIONAL BANK OF GREECE S.A. | Finance, Insurance and Consulting | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Hellenic DPA has imposed a fine of EUR 20,000 on NATIONAL BANK OF GREECE S.A.. In the context of the use of certain debit/credit cards, information on the last 10 transactions was stored on the chip of the card without the customers’ explicit consent. This information could be read out later. The DPA found that the bank had failed to inform affected customers about this storage of transaction information and therefore violated Art. 13 GDPR. | link |
1459 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-20 | 1,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1460 | ITALY | Italian Data Protection Authority (Garante) | 2022-09-15 | 10,000 | Bper Banca S.p.A. | Finance, Insurance and Consulting | Art. 12 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 10,000 on Bper Banca S.p.A.. An individual had filed a complaint with the DPA regarding the failure to fulfill their right to erasure of personal data. The individual had requested the bank to delete their personal data processed by the bank. The bank then asked the data subject to send their identification documents in order to verify their identity for the purpose of fulfilling the request. The data subject submitted the documents, but did not receive a response to their request for deletion. For this reason, the DPA found that the bank had violated Art. 12 GDPR by failing to respond to the request in a timely manner. | link |
1461 | UNITED KINGDOM | Information Commissioner (ICO) | 2022-10-19 | 5,033,000 | Interserve Group Limited | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The British DPA has fined the construction group Interserve Group Limited EUR 5,033,000. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. Interserve had suffered a cyber attack in which the attackers sent a phishing mail to the mailbox of Interserve’s accounting team. The mail was opened by an employee who also downloaded and opened an attached zip file. This allowed the attackers to install malware and siphon off personal data of 113,000 employees. The siphoned data contained bank account information, social security numbers, ethnicity, sexual orientation and religion of the data subjects, among other things. The DPA’s investigation found that inadequate security measures allowed the attack to occur. Interserve employees, for example, had not been adequately trained on data privacy. In addition, Interserve processed personal data on unsupported operating systems that no longer received security updates to address vulnerabilities in the system. Also, Interserve had not conducted adequate vulnerability scans. Finally, Interserve’s information security team had not sufficiently investigated the attack, as the antivirus software had reported that the malware had been removed. | link link |
1462 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-06 | 15,000 | Servizio Idrico Integrato S.c.p.a. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has fined Servizio Idrico Integrato S.c.p.a. EUR 15,000. The controller had operated a website where personal data was being processed without using an SSL form. The DPA found that the use of an SSL form would have been necessary for the security of the data. It therefore concluded that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
1463 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-21 | 10,000 | Clio S.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 30 (2) GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 10,000 on Clio S.r.l.. Clio provides and manages a whistleblowing reporting application for various private and public entities. As part of its investigation, the DPA found that Clio had not adequately regulated its relationship with customers. In addition, Clio provided data on whistleblowing reports to customers without a valid legal basis. The DPA considered this to be a violation of Art. 5 (1) a) GDPR and Art. 6 GDPR. Further, the DPA found that Clio had failed to maintain a register of activity carried out in its role as a processor. The DPA considered this to be a violation of Art. 30 (2) GDPR. | link |
1464 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-21 | 5,000 | Ginosa municipality | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 5,000 on Ginosa municipality. The fine is related to the fine against Clio S.r.l.. Clio provides and manages a whistleblowing reporting application for various private and public entities, including Ginosa municipality. During its investigation, the DPA found that the municipality provided personal data to Clio in connection with whistleblowing reports, allowing Clio to collect and store them without a valid legal basis. Furthermore, the DPA found that the municipality had not adequately regulated its relationship with Clio. | link |
1465 | ITALY | Italian Data Protection Authority (Garante) | 2022-07-21 | 20,000 | Acqua Novara.VCO S.p.a. | Transportation and Energy | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 20,000 on Acqua Novara.VCO S.p.a.. The fine is related to the fine against Clio S.r.l.. Clio provides and manages a whistleblowing reporting application for various private and public entities, including Acqua Novara. During its investigation, the DPA found that Acqua Novara provided personal data to Clio in connection with whistleblowing reports, allowing Clio to collect and store them without a valid legal basis. Furthermore, the DPA found that Acqua Novara had not adequately regulated its relationship with Clio. | link |
1466 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-24 | 240 | Company | Not assigned | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on a company. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 240 due to voluntary payment. | link |
1467 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-24 | 400 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 400 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1468 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-24 | 8,000 | ADSL HOUSE, S.L. | Media, Telecoms and Broadcasting | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4) LOPDGDD | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) imposed a fine of EUR 8,000 on ADSL HOUSE, S.L.. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list. | link |
1469 | ITALY | Italian Data Protection Authority (Garante) | 2022-09-15 | 3,000 | Thiene municipality | Employment | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA (Garante) imposed a fine of EUR 3,000 on Thiene municipality. A former employee of the municipality filed a complaint with the DPA because a document containing their personal data was published on the municipality’s website. The document contained information on the termination of the employment relationship. | link |
1470 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-17 | 35,000 | OES GLOBAL ENERGY S.L. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA imposed a fine of EUR 35,000 on OES GLOBAL ENERGY S.L.. A customer of the controller had filed a complaint with the DPA after receiving an e-mail from the controller containing documents relating to the termination of electricity contracts of other customers. These documents contained personal data of the customers such as their names and ID numbers. The DPA considered this unlawful disclosure of personal data to be a violation of the principle of confidentiality and integrity, as well as a lack of sufficient technical and organizational measures to protect personal data. | link |
1471 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-26 | 10,000 | ACKERMANN & SCHWARTZ ATTORNEYS AT LAW SLP | Finance, Insurance and Consulting | Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on ACKERMANN & SCHWARTZ ATTORNEYS AT LAW SLP. The law firm had collected personal data from website users without obtaining their consent. In addition, the DPA found that the privacy policy on the website did not contain sufficient information. For example, information on the controller’s contact details and information on exercising data subjects’ rights were missing. | link |
1472 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-25 | 9,000 | EL RACO DEL PIS INVERSIONES S.L. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 9,000 on EL RACO DEL PIS INVERSIONES S.L.. The controller had sent an e-mail in an open distribution list, making the email addresses of all recipients visible to the other recipients. | link |
1473 | ITALY | Italian Data Protection Authority (Garante) | 2022-06-16 | 20,000 | Deutsche Bank S.p.A. | Finance, Insurance and Consulting | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to respond to the data subject’s request for access to their data in a timely manner. | link |
1474 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-23 | 1,200 | URBANO DIVERTIA, S.L. | Not assigned | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on URBANO DIVERTIA S.L.. A customer had filed a complaint with the DPA, for having received a document from the controller with data relating to the previous tenant of the apartment they were now renting from the controller. The DPA considered this to be a violation of the principle of integrity and confidentiality. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility. | link |
1475 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-09-01 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on a private individual. The individual had published personal data of another person on a blog without their consent and in a defamatory manner. | link |
1476 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-31 | 2,000 | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on a member of a staff council. The individual had sent minutes of staff council meetings to unauthorized third parties that were not members of the staff council. During its investigation, the DPA found that the individual did not have an effective legal basis for sending the emails. | link |
1477 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-31 | 70,000 | BANCO BILBAO VIZCAYA ARGENTARIA, S.A. | Finance, Insurance and Consulting | Art. 5 (1) b) GDPR, Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 70,000 on BANCO BILBAO VIZCAYA ARGENTARIA, S.A.. A customer of the bank had filed a complaint with the DPA. The customer had in the past, in their capacity as an attorney, filed a statement of claim against the bank on behalf of their client, who was also a customer of the bank. The bank had then sent a reply to the client in which, instead of the professional address of the data subject (the attorney), it had inadvertently noted the attorney’s private address. The DPA firstly found that the bank processed the attorney’s personal data in a way that was incompatible with the purposes for which the data were collected (management of their private account). In addition, the DPA found that the unauthorized disclosure of the attorney’s personal data occurred due to inadequate technical and organizational measures at the bank. | link |
1478 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-02 | 25,000 | CAIXABANK S.A. | Finance, Insurance and Consulting | Art. 16 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine of EUR 25,000 on CAIXABANK S.A.. The data subject had repeatedly and unsuccessfully requested that their address on file with the bank be updated. The DPA considered this to be a violation of Art. 16 GDPR. | link |
1479 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-11-07 | 2,000 | Romanian Post | Transportation and Energy | Art. 32 (1) b), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on the Romanian Post. The Post suffered a data breach where staff lost several mailings containing pension statements, employment certificates and death certificates. The incident affected 35 individuals (recipients). The DPA found that the Post had failed to implement adequate technical and organizational measures to protect personal data that might have prevented such an incident. | link |
1480 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-31 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA for having unsuccessfully requested a copy of their phone contract from Vodafone several times. Finally, the person received an e-mail, but with the phone contract of another customer. The DPA considered this to be a violation of the principle of integrity and confidentiality as set out in Art. 5 (1) f) GDPR. In addition, the DPA found that Vodafone failed to implement adequate technical and organizational measures to protect personal data, which could have prevented the incident. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1481 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-11-08 | 5,000 | SC Prestige Media PHG SRL | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 5,000 on SC Prestige Media PHG SRL. The controller had published 23 documents containing information on the termination of employment relationships and personal data of the data subjects on its website. Some of the data subjects had no legal relationship with the controller. | link |
1482 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-11-09 | 1,000 | SC Das Sense Society SRL | Accomodation and Hospitalty | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA (ANSPDCP) has fined SC Das Sense Society SRL EUR 1,000 for failing to provide information requested by the DPA during an investigation. | link |
1483 | ITALY | Italian Data Protection Authority (Garante) | 2022-08-05 | 1,000 | Colosseo S.r.l. | Industry and Commerce | Art. 5 (2) GDPR, Art. 6 (1) a) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 24 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 1,000 on Colosseo S.r.l.. An individual had filed a complaint with the DPA because the controller had sent them an unsolicited commercial email. Thereafter, the data subject requested the controller to provide access to their personal data, to delete their personal data and to stop sending promotional emails following their objection. However, the controller did not respond to the data subject’s requests. | link |
1484 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-02 | 5,000 | CÍTRICOS TANTA, S.L. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 5,000 on CÍTRICOS TANTA, S.L.. The controller had entered personal data of an employee in the Social Security General Employee Register without the employee ever having actually worked. For this reason, the controller would have been obliged to cancel the entry of the data subject in the register within 72 hours, which the controller failed to do. In the absence of the data subject’s work performance, the controller no longer had a legal basis to upload the data to the register. Therefore, the DPA found that the failure to delete the data constituted an unlawful processing of the data subject’s personal data. | link |
1485 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-02 | 2,000 | Rapido Finance, S.L. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on Rapido Finance, S.L.. The data subject had received a message from a company on behalf of Rapido Finance requesting payment of outstanding debts. However, the data subject had already paid the debts, which was also confirmed in a court ruling. For this reason, the DPA determined that the disclosure of the data subject’s personal data for the purpose of contacting them regarding the settlement of the debt was unlawful. | link |
1486 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-31 | 525,000 | TECHPUMP SOLUTIONS S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) a), b), e) GDPR, Art. 6 (1) GDPR, Art. 8 GDPR, Art. 12 (1), (2) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 30 (1) GDPR, Art. 22 (2) LSSI | Non-compliance with general data processing principles | The Spanish DPA has fined Techpump Solutions S.L. EUR 525,000. Techpump operates several websites with adult content. The DPA found several violations of data protection law during its investigation. Firstly, the DPA found that, contrary to the specified information in the privacy policy, Techpump shared users’ personal data with companies belonging to the same group. In addition, the DPA found that Techpump had not specified a retention period for users’ personal data and kept it indefinitely until users requested to withdraw their consent. Techpump also processed users’ personal data without first obtaining their consent. Further, the DPA found that Techpump did not have sufficient parental controls to prevent minors under the age of 14 from accessing its content. In addition, Techpump’s privacy policy was only available in English, rather than Spanish, and the information was not clearly understandable. Techpump also required that individuals who wished to exercise their data subject rights submit their ID card information in order to verify their identity. The DPA considered this to be an unacceptable impediment to the exercise of data subject rights. Finally, Techpump also collected various data such as IP addresses and WIFI data without having defined a processing purpose for it. | link |
1487 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-03 | 70,000 | UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 70,000 on UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC (UPS). A person had filed a complaint with the DPA because UPS had delivered a package from them to a neighbor without their consent. The DPA considered this to be an unauthorized disclosure of their data, which was a result of a lack of technical and organizational measures for personal data protection. The DPA also found that this unauthorized disclosure of personal data constituted a violation of the principle of integrity and confidentiality. | link |
1488 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-10 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1489 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-10 | 900 | Homeowners Association | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on a Homeowners Association. The association had installed several video surveillance cameras across the residential area which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 1,500 was reduced to EUR 900 due to voluntary payment and admission of responsibility. | link |
1490 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-11 | 48,000 | Banco Bilbao Vizcaya Argentaria S.L. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A.. An individual had filed a complaint with the DPA due to requesting information on one of their accounts and then receiving contract information from a third party. The DPA found that the unauthorized disclosure of third-party data was due to inadequate technical and organizational measures at the bank. The original fine of EUR 80,000 was reduced to EUR 48,000 due to voluntary payment and admission of responsibility. | link |
1491 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-11 | 3,600 | XASTRE DO PETO, S.L. | Accomodation and Hospitalty | Art. 6 (1) GDPR, Art. 13 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 3,600 on XASTRE DO PETO, S.L. (restaurant). An individual had filed a complaint with the DPA due to the fact that the controller required them to fill out a form with their personal information for contact tracing purposes in the context of the Covid-19 pandemic. However, during its investigation, the DPA found that the legal basis for collecting the contact information had expired in the meantime and that the controller had therefore processed the data unlawfully. The DPA also found that the controller did not provide data subjects with sufficient information on data processing. The DPA further determined that the controller did not provide data subjects with an easy way to object to the processing of personal data. | link |
1492 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-15 | 80,000 | BANKINTER, S.A. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on BANKINTER, S.A.. A person had filed a complaint with the DPA as personal data of a third person were also displayed to them when accessing their bank account. The DPA found that the unauthorized disclosure of the third-party data occurred due to a lack of adequate technical and organizational measures to protect personal data at the bank. The original fine of EUR 100,000 was reduced to EUR 80,000 due to voluntary payment. | link |
1493 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-08-11 | 197,000 | AMPLIFON Hungary Trade and Service Provider LLC | Industry and Commerce | Art. 5 (1) b) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | The Hungarian DPA has imposed a fine of EUR 197,000 on AMPLIFON Hungary Trade and Service Provider LLC. The DPA had received complaints from several data subjects for having received unsolicited invitations to a hearing screening. During its investigation, the DPA found that the company had contacted the data subjects without first obtaining their consent. The company had received the data from the Ministry of the Interior for market research purposes. The DPA found that the company had processed the data unlawfully and contrary to the original purpose for market research. In addition, the DPA found that the company had not provided the data subjects with sufficient information on the data processing. | link |
1494 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-11-02 | 1,700 | Mayor | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 1,700 on the mayor of Dobrzyniewo Duże municipality. The mayor had reported a data breach to the DPA pursuant to Art. 33 GDPR. An employee’s work computer, which contained personal data, had been stolen. During its investigation, the DPA determined that the data on the computer was not adequately secured and that the municipality had failed to take appropriate technical measures to protect personal data. | link |
1495 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-11-16 | 28,000 | Raiffeisen Bank SA | Finance, Insurance and Consulting | Art. 25 (1) GDPR, Art. 32 (1), (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 28,000 on Raiffeisen Bank SA. The bank had reported several data breaches pursuant to Art. 33 GDPR to the DPA. During its investigation, the DPA found that the bank conducted queries in a credit agency without the consent of the data subjects. In addition, the DPA found that the bank had granted credit to several customers without the affected customers having applied for it. Furthermore, the bank had inadvertently sent personal data of data subjects to wrong recipients, allowing them to access the data. The DPA found that the bank had failed to implement adequate technical and organizational measures to protect personal data. This resulted in unauthorized access and/or disclosure of personal data. | link |
1496 | FRANCE | French Data Protection Authority (CNIL) | 2022-11-10 | 800,000 | DISCORD INC. | Media, Telecoms and Broadcasting | Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 25 (2) GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The French DPA has imposed a fine of EUR 800,000 on DISCORD INC.. DISCORD offers an online communication service through which users can chat or make video calls. During its investigation, the DPA found that the company had failed to establish and also comply with a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts within the DISCORD database of French users who had not used their account for more than three years and approximately 50,000 accounts that had not been used for more than five years. Further, the DPA noted that the company did not have complete information regarding retention periods. Also, the DPA found that the company had failed to ensure data protection by default, contrary to the obligation under Art. 25 (2) GDPR. The DPA also found that the company had failed to sufficiently ensure the security of personal data by accepting insecure passwords from users. Finally, the DPA found that the company had failed to conduct a data protection impact assessment. | link link |
1497 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-11-18 | 300 | Homeowners Association Bld. Pipera 1-2E | Individuals and Private Associations | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA (ANSPDCP) has fined Homeowners Association ‘Bld. Pipera 1-2E’ EUR 300 for failing to provide information requested by the DPA during an investigation. | link |
1498 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2022-11-02 | 180,000 | Setúbal municipality | Public Sector and Education | Art. 5 (1) e), f) GDPR, Art. 13 (1), (2) GDPR, Art. 37 (1), (7) GDPR | Non-compliance with general data processing principles | The Portuguese DPA has imposed a fine of EUR 170,000 on Setúbal municipality. The DPA found data protection violations regarding the collection of personal data from Ukrainian refugees. The municipality had asked refugees to fill out a form at the time of their arrival and provide various personal data, such as name, date of birth, marital status, etc. The DPA noted that the municipality had not sufficiently informed the data subjects about the data processing. In addition, the DPA found that the municipality had failed to implement sufficient technical and organizational measures to protect personal data, as well as to define a retention period for the data. The municipality had also failed to appoint a data protection officer. | link link |
1499 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-21 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. | link |
1500 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-11-21 | 20,000 | ING Bank NV Amsterdam Sucursala București | Finance, Insurance and Consulting | Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 20,000 on ING Bank NV Amsterdam Sucursala București. The bank had reported a data breach to the DPA pursuant to Art. 33 GDPR. Several personal data of customers, such as ID card data, bank data, bank card data, etc., were accessed and disclosed without authorization. This resulted in payment transactions being carried out by unauthorized third parties. During its investigation, the DPA found that the bank had failed to implement adequate technical and organizational measures to protect personal data, which allowed the unauthorized access. | link |
1501 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-11-24 | 1,000 | Medicover S.R.L. | Health Care | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on Medicover S.R.L.. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. The controller had inadvertently sent documents containing personal data to the wrong recipient. As a result, personal data such as the data subject’s name, correspondence address, e-mail and health data were disclosed without authorization. The DPA determined that the incidents were due to the controller’s failure to implement appropriate technical and organizational measures to protect the processing of personal data. | link |
1502 | IRELAND | Data Protection Authority of Ireland | 2022-11-25 | 265,000,000 | Meta Platforms Ireland Limited | Media, Telecoms and Broadcasting | Art. 25 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA has fined Meta Platforms Ireland Limited EUR 265 million. The DPA had launched an investigation against Meta in 2021 after media reports indicated that a dataset containing personal data from Facebook had been made available on a hacking platform. The data leak affected up to 533 million users and their data such as phone numbers and email addresses. As part of the investigation, the DPA reviewed and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools. The DPA primarily reviewed the implementation of technical and organizational measures to protect personal data and found a breach of Art. 25 GDPR. | link link |
1503 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-11-25 | 3,000 | OTP LEASING ROMANIA IFN SA | Finance, Insurance and Consulting | Art. 25 (1) GDPR, Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on OTP LEASING ROMANIA IFN SA. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. An individual had informed the controller that they had gained unauthorized access to an IT platform operated by the controller by changing the URL address and creating an administrator account. This enabled the person to gain unauthorized access to personal data. The DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. This resulted in unauthorized access to the personal data. | link |
1504 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-29 | 500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and furthermore published the recorded images on Facebook. The DPA considered this to be a violation of the principle of data minimization. | link |
1505 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 500,000 | Vodafone Italia S.p.A. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 130 (1), (2), (3) Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 500,000 on Vodafone Italia S.p.A.. A customer had filed a complaint with the DPA against Vodafone. The 80-year-old customer had been contacted by an external call center commissioned by Vodafone. During the conversation, the call center concluded a new contract with the customer without their consent. During its investigation, the DPA also found that the customer had not received sufficient information about the processing of her personal data. In addition, the call center had read out the information too quickly, making the content incomprehensible. In calculating the fine, the DPA took into account, as an aggravating factor, that Vodafone had already committed similar violations in the past. However, the fact that Vodafone immediately terminated the contract in question was taken into account as a mitigating factor. | link link |
1506 | FRANCE | French Data Protection Authority (CNIL) | 2022-11-24 | 600,000 | ÉLECTRICITÉ DE FRANCE | Transportation and Energy | Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. L. 34-5 CPCE | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine of EUR 600,000 on ÉLECTRICITÉ DE FRANCE (EDF), France’s largest electricity supplier. The DPA had received several complaints that individuals were experiencing difficulties in exercising their rights with EDF. During its investigation, the DPA found that EDF’s privacy policy did not provide sufficient information on various aspects of data processing, such as the retention period of personal data. In addition, the DPA found that EDF had not responded to a number of data subject requests in a timely manner. Furthermore, the DPA noted that EDF failed to demonstrate that it had obtained valid consent from data subjects in the context of a commercial solicitation campaign. Finally, the DPA concluded that EDF had failed to implement sufficient technical and organizational measures to protect personal data. | link link |
1507 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-29 | 3,000 | Company | Not assigned | Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 3,000 on a company. The controller had installed a video surveillance system that also recorded the voices of both employees and customers. During its investigation, the DPA found that the controller did not have a valid legal basis for processing the information of the voices as part of the video surveillance. In addition, the DPA found that the controller failed to provide sufficient information about the video surveillance, including information about the processing, the identity of the controller, and the exercise of data subjects’ rights. | link |
1508 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-03 | 3,000 | INDECEMI, S.L. | Industry and Commerce | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 3,000 on INDECEMI, S.L.. A person had filed a complaint with the DPA against the controller after receiving an email from the controller containing personal data (first name, last name, address, telephone number, etc.) of another person in the context of a complaint. The DPA considered this to be a violation of the principle of integrity and confidentiality. | link |
1509 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-03 | 600 | LORENT 2013, S.L | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on LORENT 2013, S.L.. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1510 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-03 | 300 | Homeowners Association | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on a Homeowners Association. The association had installed several video surveillance cameras across the residential area which, among other things, also covered the common area. The DPA considered this to be a violation of the principle of data minimization. | link |
1511 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-06 | 2,000,000 | Alpha Exploration | Media, Telecoms and Broadcasting | Art. 5 (1) a), e), f) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 27 (4) GDPR, Art. 28 GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 2 million on Alpha Exploration. Alpha Exploration operates the social network Clubhouse. In the course of its investigation, the DPA found numerous violations of the GDPR. For example, the DPA found that there was a lack of transparency regarding the use of users’ data and their chat contacts. In addition, users of the network were able to store and share audio messages from other users without their consent. Moreover, account information was shared with unauthorized third parties without a valid legal basis. In addition, the company failed to define retention periods for personal data. Also, the company failed to provide users with sufficient information about numerous aspects of the processing of their personal data and had not implemented sufficient technical and organizational measures to protect personal data. Finally, the DPA found that the company failed to conduct a data protection impact assessment. At the end of the investigation, the DPA not only imposed a fine but also ordered a number of measures to be taken by the company. For example, the company must define retention periods and introduce a function that informs users that their chats are being recorded. | link |
1512 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-06 | 10,000 | Codess Sociale, Soc. Coop. sociale. | Individuals and Private Associations | Art. 12 (3), (4) GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 10,000 on Codess Sociale, Soc. Coop. sociale. A former voluntary member had filed a complaint with the DPA. The data subject states that when they resigned, they had requested the deletion of their personal data from the controller’s archives. However, the controller failed to comply with the request in due time. | link |
1513 | ITALY | Italian Data Protection Authority (Garante) | 2022-09-15 | 40,000 | FCA Italy S.p.A. | Individuals and Private Associations | Art. 12 (1), (2), (3), (4) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 40,000 on FCA Italy S.p.A.. An employee of the controller had requested access to personal data processed in the context of their employment relationship. However, the controller had failed to comply with this request in a timely manner, contrary to the requirements of Art. 12 GDPR and Art. 15 GDPR. | link |
1514 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 40,000 | Azienda Usl Valle d’Aosta | Health Care | Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has fined Azienda Usl Valle d’Aosta EUR 40,000. An employee and patient of the health department had filed a complaint with the DPA because a colleague who had never treated them had repeatedly accessed their medical file, despite the fact that they had explicitly refused their consent to the data processing. During its investigation, the DPA found that, in order to simplify patient management during the Covid-19 pandemic, the health department had simplified the medical record system. As a result, patient medical records were accessible to any employee, whether or not the affected patient had consented to it. The DPA considered this a violation of the obligation to implement appropriate technical and organizational measures to protect personal data. | link link |
1515 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-02 | 3,500 | CASA 7 PERSONAL SHOPPER, S.L. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 3,500 on CASA 7 PERSONAL SHOPPER, S.L. The controller sent an e-mail with personal data to several recipients in an open distribution list. This made it possible for the recipients to view the e-mail addresses of all other recipients. | link |
1516 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-02 | 3,600 | Federation of Sports for People with Intellectual Disabilities of Castilla la Mancha-FECAM | Individuals and Private Associations | Art. 9 (2) a) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined the Federation of Sports for People with Intellectual Disabilities of Castilla la Mancha-FECAM. The controller processed medical data from Covid-19 antigen tests of participants in sports competitions without their consent to the processing. In addition, the DPA found that the controller failed to inform the data subjects of the data retention period. The original fine of EUR 6,000 was reduced to EUR 3,600 due to voluntary payment and admission of responsibility. | link |
1517 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-25 | 1,800 | ALPA 57 PRODUCCIONES, S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA (AEPD) has fined ALPA 57 PRODUCCIONES, S.L. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 3,000 was reduced to EUR 1,800 due to immediate payment and acknowledgement of guilt. | link |
1518 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-25 | 5,000 | Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications (APEDANICA) | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined the Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications (APEDANICA) EUR 5,000. Employees of the company LEGAL ERASER SL had filed a complaint with the DPA. The controller had requested information about LEGAL ERASER from the DPA as part of the right to information based on the Spanish Transparency Act. The controller then published the documents, some of which contained personal data of LEGAL ERASER’s customers and employees, on 58 links on the Internet. | link |
1519 | IRELAND | Data Protection Authority of Ireland | 2022-01-26 | 5,000 | Slane Credit Union Ltd. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 24 GDPR, Art. 28 (1), (3) GDPR, Art. 30 (1) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA has imposed a fine of EUR 5,000 on Slane Credit Union Ltd. The controller had notified the DPA of a data breach in 2018. Due to an error in a search engine optimization tool installed on the controller’s website, four reports of member inquiries containing personal member data were unintentionally published. The incident affected 76 members, including minors, and their personal data such as names, addresses, gender, birth dates, account numbers, etc. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. In addition, the DPA concluded that the controller failed to conduct due diligence on the processor and to conclude a GDPR compliant contract with the processor. | link |
1520 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-12-09 | 2,000 | Casa Rusu S.R.L. | Industry and Commerce | Art. 25 (1) GDPR, Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on Casa Rusu S.R.L.. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. The controller had used an unauthorized form during the payment process on its website, through which the bank data of the customer cards were collected. This allowed unauthorized access to personal data such as the first and last name of the affected bank cardholder, card number, expiration date and year, and CVC code. During its investigation, the DPA found that the controller failed to take appropriate technical and organizational measures to protect personal data. | link |
1521 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-09 | 480 | Private individual | Individuals and Private Associations | Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a private individual. The individual had installed video surveillance cameras in a residential complex that also covered common areas. During its investigation, the DPA found that the individual did not have permission to install the cameras and therefore did not have a valid legal basis for data processing. In addition, the individual failed to provide information about the video surveillance to the data subjects. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment. | link |
1522 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-09 | 8,000 | Notary | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a notary. The controller had consulted the land register of a property belonging to the data subject without an order requiring the consultation of this data or the consent of the data subject. The original fine of EUR 10,000 was reduced to EUR 8,000 due to voluntary payment. | link |
1523 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-09 | 120 | Private individual | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has fined a private individual. The controller had installed a video surveillance system in a multi-party residential building that they own. However, the information sign regarding the video surveillance system lacked information about the controller and the exercise of data subjects’ rights. The original fine of EUR 150 was reduced to EUR 120 due to voluntary payment. | link |
1524 | PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2022-11-02 | 4,300,000 | Portuguese National Statistical Institute | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 28 (1), (6), (7) GDPR, Art. 35 (1), (2), (3) b) GDPR, Art. 44 GDPR, Art. 46 (2) GDPR | Non-compliance with general data processing principles | The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4.3 million. The DPA found numerous violations of the GDPR in connection with the 2021 census in Portugal. The DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects’ ability to freely express their will regarding data processing. In addition, the DPA found that the controller failed to exercise due diligence in selecting its processor, contrary to its obligation under Art. 28 GDPR. In addition, the data processing contract permitted the transfer of personal data outside the EEA without providing for additional security measures besides the SCCs approved by the European Commission, as required under the Schrems II ruling. The DPA considered this to be a breach of Art. 44 GDPR and Art. 46 (2) GDPR. Finally, the DPA found that the controller failed to conduct a data protection impact assessment regarding the census. | link link |
1525 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-13 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1526 | FINLAND | Deputy Data Protection Ombudsman | 2022-12-09 | 230,000 | Viking Line Oy Abp | Accomodation and Hospitalty | Art. 5 (1) a), d) GDPR, Art. 12 (3) GDPR, Art. 13 GDPR, Art. 15 (1) GDPR, Art. 25 (1) GDPR | Non-compliance with general data processing principles | The Finnish DPA has imposed a fine of EUR 230,000 on Viking Line Oy Abp. A former employee had filed a complaint with the DPA. During its investigation, the DPA found that the controller had not complied with the data subject’s request for access to their health data and that some of the medical data had been stored incorrectly. The DPA also found that the medical data was stored with other personal data, although such storage is unlawful. Furthermore, the DPA found that the controller had not properly informed its employees about the processing of their personal data, contrary to its obligation under Art. 13 GDPR. | link link |
1527 | FRANCE | French Data Protection Authority (CNIL) | 2022-12-08 | 300,000 | FREE SAS | Media, Telecoms and Broadcasting | Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine of EUR 300,000 on FREE SAS. The DPA had received several complaints from individuals experiencing difficulties in exercising their rights to access and delete their personal data at FREE. During its investigation, the DPA found that the company did not process the requests for access and deletion of personal data in a timely manner. The DPA also found that the company failed to ensure the security of personal data. For example, the company allowed users to use insecure passwords, and user passwords were stored unencrypted in the company’s databases. Finally, the DPA found that the company had not adequately documented a data breach. | link link |
1528 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-20 | 7,000 | I.S.P.R.O. | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) has imposed a fine of EUR 7,000 on the oncology health care facility I.S.P.R.O.. An individual had mistakenly received medical records from another patient via e-mail. | link |
1529 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-13 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1530 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-13 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1531 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-12-15 | 5,000 | Societatea Energetică Electrica S.A. | Transportation and Energy | Art. 28 (3) a) GDPR | Insufficient data processing agreement | The Romanian DPA has fined Societatea Energetică Electrica S.A. EUR 5,000 for a violation of Art. 28 (3) a) GDPR. | link |
1532 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-15 | 16,000 | HOSPITAL RECOLETAS PONFERRADA, S.L. | Health Care | Art. 6 (1) GDPR, Art. 15 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on the healthcare facility HOSPITAL RECOLETAS PONFERRADA, S.L. A patient had filed a complaint with the DPA. The patient had filled out a consent form during a medical examination in which certain items were already pre-ticked. The DPA also found that the controller had not complied with the patient’s request for access to their personal data in a timely manner. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment. | link |
1533 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-15 | 30,000 | ORANGE ESPAGNE, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine on ORANGE ESPAGNE, S.A.U. due to insufficient legal basis for data processing. The data subject had filed a complaint against the data controller for registering a telephone line in their name without their consent or any contractual relationship. Rather, the contracts in question were concluded by fraudsters using the personal data of the data subject. Still, the personal data was entered into the company’s information systems without any verification as to whether the contracts were lawful and actually concluded by the data subject. The original fine of EUR 60,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt. | link |
1534 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-20 | 1,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,000 on a private individual. A person had filed a complaint with the DPA because the controller had published their personal data such as name, surname, ID card number and date of birth without their consent in a WhatsApp group with 31 members. The DPA considered this to be a violation of the principle of data minimization. | link |
1535 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-20 | 2,000 | Property owner administrative board | Individuals and Private Associations | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 2,000 on a Property Owners Association. Two property owners had filed a complaint with the DPA. The individuals had submitted a request for a copy of financial documents to the board. The Association however published the requests with personal data of the individuals concerned on the bulletin board in a common area of the respective residential building. The DPA considered this to be a violation of the principle of confidentiality. | link |
1536 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-20 | 3,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 3,000 on a private individual. An individual had posted videos of teachers and underage students during physical education classes on the Internet to express his anger about the fact that students were required to wear masks during class. The DPA found that the individual had unlawfully processed the data of the data subjects due to the lack of consent of the data subjects as well as any other legal basis. | link |
1537 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-01 | 100,000 | Lazio Region | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 113 Codice della privacy, Art. 114 Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has fined Lazio Region EUR 100,000. A trade union had filed a complaint with the DPA alleging that the Region had monitored the e-mail accounts of employees of the Region’s legal department. The Region had initiated such monitoring on suspicion of possible disclosure of information protected by official secrecy to third parties. The Region stored and analyzed the employees’ data for 180 days. The data included not only information related to work, but also personal data of the data subjects concerning their private sphere. During its investigation, the DPA found that the Region at the time did not have a valid legal basis for such a large-scale collection of personal data. | link link |
1538 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 4,000 | Villafranca di Verona municipality | Employment | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 4,000 on Villafranca di Verona municipality. The municipality had published a document containing personal data of an employee on its website. | link |
1539 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-12-22 | 10,000 | SUDREZIDENȚIAL Broker S.R.L. | Finance, Insurance and Consulting | Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 10,000 on SUDREZIDENȚIAL Broker S.R.L.. An employee of the controller had unauthorizedly published an Excel spreadsheet containing personal data, such as first name, last name, telephone number, ID number, e-mail address, bank details, etc. of 509 customers of the controller on the Internet. In the course of its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
1540 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2022-12-27 | 3,000 | Kaufland Romania SCS | Industry and Commerce | Art. 29 GDPR, Art. 32 (1) b) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on Kaufland Romania SCS. The controller had reported a data breach to the DPA according to Art. 33 GDPR. An employee had taken pictures of the CCTV recordings with their cell phone and transmitted them to a third party. The third party then published the images on which two people and a license plate could be identified on the website of a local newspaper. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1541 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-24 | 1,000,000 | Areti spa | Transportation and Energy | Art. 5 (1) d), e) GDPR, Art. 5 (2) GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 24 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined electricity supplier Areti spa EUR 1 million. A customer had filed a complaint with the DPA due to Areti classifying them as a defaulting customer, which prevented them from switching to another electricity supplier. This was due to the fact that outdated data in Areti’s databases had not been updated following a mismatch in the company’s internal systems. The incident affected around 47,000 customers. The DPA’s investigation also found that Areti had stored the data for an inadequate length of time. In addition, Areti failed to properly respond to requests to exercise data subject rights. | link link |
1542 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 20,000 | Sportitalia | Employment | Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 30 (1) c) GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 20,000 on Sportitalia. The controller processed biometric data (fingerprints) of employees for the purpose of registering their attendance. Garante found that such extensive processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Furthermore, Garante determined that the processing of biometric data had taken place without sufficiently informing the data subjects about the processing. | link link |
1543 | IRELAND | Data Protection Authority of Ireland | 2023-01-04 | 390,000,000 | Meta Platforms Ireland Limited | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 (1) c) GDPR | Non-compliance with general data processing principles | The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization ‘None of Your Business’ (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of service, Meta informed its users to click ‘Agree and Continue’ to indicate their agreement with the new terms of service. This was required for further access to the services. Meta assumed that the acceptance of the updated terms of use constituted a contract between Meta and the user, since the processing of the data would be necessary for the provision as well as the improvement of the services. According to Meta, the data processing was therefore lawful pursuant to Art. 6 (1) b) GDPR. However, the complainant argued that Meta was actually trying to rely on consent as a legal basis for processing users’ data. By making the access to its services conditional on users’ consent to the updated terms of service, Meta was actually forcing users to consent to the processing of their personal data. Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The DPC found that Meta did not rely on user consent as a legal basis, and did not consider ‘coerced consent’ in this case. It also did not rule out the possibility that Meta relied on a contractual legal basis. In response, the DPC received objections from different supervisory authorities. However, the DPC found that Meta had breached its transparency obligations under the GDPR, by not clearly explaining to users for what purpose and on what legal basis their personal data would be processed. As no agreement could be reached on the disputed points, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR. In its decision, the EDPB confirmed the violation of transparency obligations by Meta. However, the EDPB took a different position than the DPC on the issue of the legal basis and found that Meta was not entitled to rely on a contractual legal basis. The EDPB therefore found that Meta had violated Art. 6 (1) GDPR. The DPC agreed in its final decision and imposed the fine and also required Meta to bring its data processing into compliance within three months. | link |
1544 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 5,000 | Cisterna di Latina Municipality | Public Sector and Education | Art. 5 GDPR, Art. 12 GDPR, Art. 37 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 5,000 on Cisterna di Latina Municipality. An individual had filed a complaint with the DPA. The individual had submitted a request to the municipality for access to their personal data. Due to an error, the data was not disclosed to the data subject but to a third party. For this reason, the data subject did not receive a response to his request. In addition, the DPA found that the municipality had not appointed a data protection officer. | link |
1545 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-01-03 | 500 | Homeowners Association | Real Estate | Art. 5 (1) e) GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 500 on a homeowners’ association. The controller had publicly posted a list with the first and last names of all members of the association. | link |
1546 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-01-04 | 3,000 | Apă Canal Ilfov SA | Industry and Commerce | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on Apă Canal Ilfov SA. The controller sent an e-mail with personal data to several recipients in an open distribution list. This made it possible for the recipients to view the e-mail addresses of all other recipients. | link |
1547 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-28 | 300 | Homeowners Association | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 300 on a homeowners’ association for failing to provide sufficient information about video surveillance in the residential area. | link |
1548 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-28 | 400 | MAE WEST SYSTEMS, S.L. | Accommodation and Hospitality | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined MAE WEST SYSTEMS, S.L. EUR 400. The controller had installed video surveillance in a bar it operated without providing sufficient information about the video surveillance. | link |
1549 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-03 | 3,000 | Transport Workers’ Union of Aragon | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined the Transport Workers’ Union of Aragon EUR 3,000. The union had published a document with personal data (surname, first name and identity card number) of members of the strike committee on various social networks. During its investigation, the DPA found that the incident may have occurred due to the union’s failure to implement sufficient technical and organizational measures to protect personal data. | link |
1550 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-28 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbour property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1551 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-29 | 3,000 | ADENET SYSTEMS, S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | Failure to provide requested information to the Spanish DPA (AEPD) within the required timeframe in violation of Art. 58 GDPR. | link |
1552 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-01-12 | 2,000 | BRISTOL LOGISTICS SA | Transportation and Energy | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 10,000 on BRISTOL LOGISTICS SA. The DPA received a notification from BRISTOL LOGISTICS SA of a personal data breach under Art. 33 GDPR. The notification stated that a binder containing the personnel files of 12 employees had been stolen, which led to unauthorized persons having access to personal data. The DPA considered this to be a violation of Art. 32 GDPR, as the municipality had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk. | link |
1553 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 10,000 | I-Model s.r.l. | Industry and Commerce | Art. 6 (1) GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on I-Model s.r.l. A data subject had filed a complaint with the DPA against the controller due to the fact that the controller continued to send them SMS advertisements, despite the fact that they had requested the deletion of their data and the controller had confirmed the deletion. | link |
1554 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-13 | 1,000 | EDITORIAL RIBADEO S.L. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on EDITORIAL RIBADEO S.L. for failing to comply with an order issued by the DPA. | link |
1555 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-12 | 3,000 | SERVICIOS INTEGRALES DEL HOGAR TENERIFE, S.L. | Employment | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on SERVICIOS INTEGRALES DEL HOGAR TENERIFE, S.L. A former employee had filed a complaint with the DPA due to the controller’s unauthorized disclosure of their personal data via WhatsApp after they left the company. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and admission of responsibility. | link |
1556 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-10 | 120 | Homeowners Association | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on a homeowners’ association for failing to provide sufficient information about video surveillance in the residential area. The original fine of EUR 150 was reduced to EUR 120 due to voluntary payment. | link |
1557 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-10 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 300. The individual had installed video surveillance cameras on their property which covered, among other things, a neighboring property. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization. | link |
1558 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-09 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 300. The individual had installed video surveillance cameras on their property which covered, among other things, a neighboring property. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization. | link |
1559 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-28 | 600 | Homeowners Association | Real Estate | Art. 6 (1) e) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a homeowners’ association EUR 600. The controller had installed an unauthorized CCTV system in the residential area. In addition, the DPA found that the controller had not provided sufficient information about the data processing by the CCTV. | link |
1560 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-28 | 300 | Store owner | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a store owner EUR 300 for failing to provide information signs about CCTV surveillance in their premises. | link |
1561 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-29 | 24,000 | SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. A customer had filed a complaint with the DPA due to the fact that the controller carried out a change of their electricity and gas supply company without obtaining their consent beforehand. The original fine of EUR 30,000 was reduced to EUR 24,000 due to voluntary payment. | link |
1562 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-01 | 6,000 | Store owner (Joy Unique Collection) | Industry and Commerce | Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Insufficient fulfilment of information obligations | The Italian DPA has fined the owner of the store ‘Joy Unique Collection’ EUR 6,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing. | link |
1563 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2023-01-09 | 6,000 | Praktiškas UAB | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 30 (1), (3) GDPR, Art. 35 (1), (3) GDPR | Insufficient legal basis for data processing | The Lithuanian DPA has fined Praktiškas UAB, the operator of SportGates sports clubs, EUR 6,000. The controller had processed biometric data of customers in the context of their access to sports facilities. During its investigation, the DPA found that the customers’ consent to the processing of their biometric data could not be considered voluntary. This was because the controller did not offer the provision of any other type of information for access to the sports clubs. Nor did it provide the data subjects with information about possible alternatives for accessing the sports club. In addition, the DPA found that the controller did not provide the data subjects with sufficient information about the processing of their personal biometric data. The controller also failed to conduct a data protection impact assessment before processing the personal data. | link |
1564 | IRELAND | Data Protection Authority of Ireland | 2022-12-22 | 100,000 | VIEC Limited | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | The Irish DPA has imposed a fine of EUR 100,000 on the nursing home operator VIEC Limited. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The controller had suffered a phishing attack in which an unauthorized third party gained access to an email account of a VIEC manager. As a result, the unknown third party also managed to access personal data such as health and biometric data of home residents. The DPA found this to be a breach of the principle of integrity and confidentiality. The DPA also found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link link |
1565 | FINLAND | Deputy Data Protection Ombudsman | 2022-12-13 | 750,000 | Alektum Oy | Finance, Insurance and Consulting | Art. 12 (3) GDPR, Art. 15 (1), (3) GDPR | Insufficient fulfilment of data subjects rights | The Finnish DPA has fined the debt collection company Alektum Oy EUR 750,000. The DPA opened an investigation against the controller after three people filed complaints against them. During its investigation, the DPA found that the controller had failed to respond at all or sufficiently to requests from data subjects regarding their data protection rights. The DPA also found that the controller had not sufficiently cooperated with the DPA. | link link |
1566 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-01-13 | 50,000 | Intellexa SA | Industry and Commerce | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Hellenic DPA has fined Intellexa SA EUR 50,000. The controller had not properly cooperated with the DPA during an investigation. | link |
1567 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-08-31 | 1,450 | Unknown | Not assigned | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA (UODO) has fined a data controller EUR 1,450 for failing to provide information requested by the DPA during an investigation. | link link |
1568 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-03-23 | 490 | Unknown | Not assigned | Art. 31 GDPR, Art. 58 (1) e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA (UODO) has fined a data controller EUR 490 for failing to provide information requested by the DPA during an investigation. | link link |
1569 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-08-30 | 6,800 | TIMSHEL Sp. z o.o. | Finance, Insurance and Consulting | Art. 58 (1) e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA (UODO) has fined TIMSHEL Sp. z o.o. EUR 6,800 for failing to provide information requested by the DPA during an investigation. | link link |
1570 | POLAND | Polish National Personal Data Protection Office (UODO) | Unknown | 960 | Unknown | Not assigned | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The Polish DPA (UODO) has fined a data controller EUR 1,450 for failing to provide information requested by the DPA during an investigation. | link |
1571 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-16 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and neighbour properties. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1572 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-16 | 56,000 | Vodafone España, S.A.U. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1573 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-01 | 3,000 | Store owner (Woolen) | Industry and Commerce | Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Insufficient fulfilment of information obligations | The Italian DPA has fined the owner of the store ‘Woolen’ EUR 3,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing. | link |
1574 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-01 | 6,000 | A.R.N.A.S. Civico | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 6,000 on A.R.N.A.S. Civico. Two employees of the controller had filed a complaint with the DPA. During its investigation, the DPA found that the controller had published two documents containing personal health data of the data subjects on the Internet without their consent, thus making them available to the public. | link |
1575 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-01 | 20,000 | Amazon Italia Logistica s.r.l. | Employment | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has fined Amazon Italia Logistica s.r.l. EUR 20,000. A former employee had requested documents from the controller, which however they did not receive in time. During its investigation, the DPA found that the controller had not sufficiently fulfilled its obligation to comply with the data subject’s request for access. | link |
1576 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-16 | 40,000 | Thomas International Systems, S.A. | Finance, Insurance and Consulting | Art. 9 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Thomas International Systems, S.A. Thomas International performs psychological tests on behalf of other companies. Thomas International had conducted such a test on behalf of the company Agroxarxa, S.L. A participant of such a test had filed a complaint against the controller because they had to provide sensitive personal data (ethnicity, disability). However, Agroxarxa had indicated that the test did not request and process such sensitive data. During its investigation, the DPA found that Thomas International had nevertheless processed sensitive personal data without the consent of the data subject or the processing being necessary for the fulfillment of the contractually agreed purpose between Agroxarxa and Thomas International. The DPA considered this to be a violation of Art. 9 GDPR. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
1577 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-01-18 | 1,000 | Dante Internațional SA | Industry and Commerce | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 1,000 on Dante Internațional SA. A data subject had filed a complaint with the DPA against the controller due to the fact that the controller continued to send them advertisements, despite the fact that they had requested the deletion of their data. | link |
1578 | IRELAND | Data Protection Authority of Ireland | 2023-01-19 | 5,500,000 | WhatsApp Ireland Ltd. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 (1) c) GDPR | Insufficient legal basis for data processing | The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization ‘None of Your Business’ (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp instructed its users to click ‘Agree and Continue’ to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the acceptance of the updated terms of use constituted a contract between WhatsApp and the user, since the processing of the data would be necessary for the provision as well as the improvement of the services. According to WhatsApp, the data processing was therefore lawful pursuant to Art. 6 (1) b) GDPR. However, the complainant argued that WhatsApp was actually trying to rely on consent as a legal basis for processing users’ data. By making access to its services conditional on users’ consent to the updated terms of service, WhatsApp was forcing users to consent to the processing of their personal data. Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to the other European supervisory authorities concerned. The DPC found that WhatsApp did not rely on user consent as a legal basis, and did not consider there to be ‘coerced consent’ in this case. It also did not rule out the possibility that WhatsApp could rely on a contractual legal basis. In response, the DPC received objections from several supervisory authorities. However, the DPC found that WhatsApp had breached its transparency obligations under the GDPR by not clearly explaining to users for what purpose and on what legal basis their personal data would be processed. As no agreement could be reached on the disputed points, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR. In its decision, the EDPB confirmed the violation of transparency obligations by WhatsApp. However, the EDPB took a different position than the DPC on the issue of the legal basis and found that WhatsApp was not entitled to rely on a contractual legal basis. The EDPB therefore found that WhatsApp had violated Art. 6 (1) GDPR. The DPC agreed in its final decision, imposed the fine and also required WhatsApp to bring its data processing into compliance within three months. | link link |
1579 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2023-01-17 | 17,900 | Dalarna Region | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 17,900 on Dalarna Region. The region had sent out invitations for patient visits where the respective healthcare facility, such as a children’s hospital, was visible on the envelope window. The DPA found that this visibility allowed unauthorized persons to gain access to patients’ personal data. The DPA concluded that the region had failed to implement adequate technical and organizational measures to protect personal data. | link link |
1580 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-20 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded a neighboring property. The DPA considered this to be a violation of the principle of data minimization. | link |
1581 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-20 | 360 | TECNO MOTOR LA MUELA, S.L.L | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on TECNO MOTOR LA MUELA, S.L.L. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed about the video surveillance and thus violated its duty to inform under Art. 13 GDPR. The original fine of EUR 600 was reduced to EUR 360 due to voluntary payment and admission of responsibility. | link |
1582 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-18 | 2,000 | Private investigator | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has fined a private investigator EUR 2,000. An individual who had hired the investigator filed a complaint with the DPA. They stated that the controller had failed to inform them sufficiently about the processing of their personal data conducted as part of the investigation. In addition, the DPA found that the controller had a contact form on its website with no reference to the privacy policy. | link |
1583 | FINLAND | Deputy Data Protection Ombudsman | 2022-12-27 | 122,000 | Company | Industry and Commerce | Art. 9 GDPR | Insufficient legal basis for data processing | The Finnish DPA has imposed a fine of EUR 122,000 on a company with products that process health data, such as heart rate, etc. The DPA had received several complaints regarding the processing of health data from data subjects. During its investigation, the DPA found that the company did not have a sufficient legal basis to process various types of health data. While the company had informed users of the products about the processing of personal health data in general, it had failed to provide information for each of the different types of health data (e.g., body mass index or oxygen capacity), such as the purpose of the processing. Accordingly, the DPA found that the users’ consent could not be valid since it was not given on an individual basis and with full knowledge of the facts. | link link |
1584 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-28 | 100,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) imposed a fine of EUR 100,000 on Vodafone España, S.A.U. due to data processing without a sufficient legal basis. A data subject stated that a prepaid line, for which charges had been made, had been registered in their name. However, the data subject had never concluded a contract with the company for this line. Rather, the contract in question was concluded by fraudsters using the data subject’s personal data. Nevertheless, the personal data was entered into the company’s information systems without any verification as to whether the contract had actually and lawfully been concluded by the data subject. | link |
1585 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-12-28 | 2,000 | Homeowners Association | Employment | Art. 6 (1) GDPR, Art. 15 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on a homeowners’ association. An individual who did cleaning work in the residential complex had filed a complaint with the DPA because members of the association had added them to a WhatsApp group without their consent. The data subject was required to upload pictures of the cleaning they had done for documentation purposes. The DPA concluded that adding their phone number to the WhatsApp group without their consent violated Art. 6 GDPR and was therefore unlawful. The DPA also found that the controller had not complied with the data subject’s request for access to personal data in a timely manner, therefore violating Art. 15 GDPR. | link |
1586 | CROATIA | Croatian Data Protection Authority (azop) | 2022-11-25 | 1,991 | Company in the hospitality industry | Accomodation and Hospitalty | Art. 27 (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a company in the hospitality industry. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR. | link |
1587 | CROATIA | Croatian Data Protection Authority (azop) | 2022-11-25 | 1,991 | Betting place | Industry and Commerce | Art. 27 (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a betting place. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR. | link |
1588 | CROATIA | Croatian Data Protection Authority (azop) | 2022-12-05 | 1,991 | Betting place | Industry and Commerce | Art. 27 (1), (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a betting place. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice was not visible to data subjects entering the video perimeter. Furthermore, the video surveillance notice did not contain all relevant information on the CCTV. The DPA therefore concluded that the controller had violated Art. 27 (1) and (2) of the Croatian Act on the Implementation of the GDPR. | link |
1589 | CROATIA | Croatian Data Protection Authority (azop) | 2022-12-05 | 3,583 | Retailer | Industry and Commerce | Art. 27 (1) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 3,583 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the controller had failed to inform the data subjects that they would be recorded by the CCTV. The DPA therefore concluded that the controller had violated Art. 27 (1) of the Croatian Act on the Implementation of the GDPR. | link |
1590 | CROATIA | Croatian Data Protection Authority (azop) | 2022-12-06 | 3,185 | Retailer | Industry and Commerce | Art. 27 (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 3,185 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR. | link |
1591 | CROATIA | Croatian Data Protection Authority (azop) | 2022-12-06 | 1,991 | Retailer | Industry and Commerce | Art. 27 (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR. | link |
1592 | CROATIA | Croatian Data Protection Authority (azop) | 2022-12-07 | 2,654 | Retailer | Industry and Commerce | Art. 27 (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 2,654 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR. | link |
1593 | CROATIA | Croatian Data Protection Authority (azop) | 2022-12-07 | 1,991 | Fish market | Industry and Commerce | Art. 27 (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 1,991 on a fish market. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR. | link |
1594 | CROATIA | Croatian Data Protection Authority (azop) | 2022-12-08 | 2,654 | Jewelry manufacturer | Industry and Commerce | Art. 27 (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 2,654 on a jewelry manufacturer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR. | link |
1595 | CROATIA | Croatian Data Protection Authority (azop) | 2022-12-08 | 2,654 | Retailer | Industry and Commerce | Art. 27 (2) Croatian Act on the Implementation of the GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (azop) has imposed a fine of EUR 2,654 on a retailer. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR. | link |
1596 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-27 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded a neighboring property and the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1597 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-25 | 180 | Unknown | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on a data controller. The data controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1598 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-25 | 3,000 | CASAL DE L’ESPLUGA DE FRANCOLÍ | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on CASAL DE L’ESPLUGA DE FRANCOLÍ. A club managed by the controller had uploaded pictures of a competition showing minors to social media. The mother of one child had filed a complaint because she had not given her permission for the pictures to be published. The DPA therefore determined that the controller, in the absence of a valid legal basis, had unlawfully processed the images. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and admission of responsibility. | link |
1599 | ITALY | Italian Data Protection Authority (Garante) | 2021-09-21 | 2,000 | Istituto Comprensivo – IC Cosenza III “V. Negroni” | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 2,000 on Istituto Comprensivo – IC Cosenza III “V. Negroni”. The educational institution had published a document, which also contained personal health data of some teachers, on an online platform for the teaching staff. The document contained information on benefits linked to the health status of teachers who were entitled to such benefits. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and therefore had acted unlawfully. | link |
1600 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-01-31 | 1,000 | Dent Estet Clinic SA | Health Care | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The Romanian DPA has fined Dent Estet Clinic SA (dental practice) EUR 1,000. An employed dentist at the practice had published medical information of a patient, such as photos and X-rays, in an article on a medical blog. However, the dentist failed to obtain the patient’s consent before publishing the medical data. Although the patient had informed the clinic, it failed to notify the DPA of the data breach in a timely manner. | link |
1601 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-01-31 | 1,000 | Dentist | Health Care | Art. 6 (1) a) GDPR, Art. 9 (2) a) GDPR | Insufficient legal basis for data processing | The Romanian DPA has fined a dentist EUR 1,000. The controller had published medical information of a patient, such as photos and X-rays, in an article on a medical blog. However, it had failed to obtain the patient’s consent before publishing the medical data. Therefore, the DPA found that the controller had unlawfully processed the data. | link |
1602 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-31 | 180 | Unknown | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on a data controller. The data controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1603 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-31 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of their data by the video surveillance and thus violated its duty to inform. | link |
1604 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-31 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 600 on a private individual. The individual had installed a video surveillance camera at their home that recorded, among other things, common areas of the residential complex. The DPA considered this to be a violation of the principle of data minimization. | link |
1605 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-02-01 | 1,000 | Tensa Art Design SA | Industry and Commerce | Art. 21 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian data protection authority (ANSPDCP) has imposed a fine of EUR 1,000 on Tensa Art Design SA. A data subject had objected to receiving further newsletters but nevertheless continued to receive advertisements from the data controller. | link |
1606 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 55,000 | Azienda Universitaria Friuli Occidentale | Health Care | Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 35 GDPR, Art. 2-sexies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Friuli Occidentale. The health authority had created patient profiles using algorithms and personal patient data to indicate the risk of complications in the event of a Covid-19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients’ personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected. | link link |
1607 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 55,000 | Azienda Universitaria Friuli Centrale | Health Care | Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 35 GDPR, Art. 2-sexies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Friuli Centrale. The health authority had created patient profiles using algorithms and personal patient data to indicate the risk of complications in the event of a Covid-19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients’ personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected. | link link |
1608 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 55,000 | Azienda Universitaria Giuliano Isontina | Health Care | Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 14 GDPR, Art. 35 GDPR, Art. 2-sexies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Giuliano Isontina. The health authority had created patient profiles using algorithms and personal patient data to indicate the risk of complications in the event of a Covid-19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients’ personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected. | link link |
1609 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-02 | 24,000 | FACTOR ENERGÍA, S.A. | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on FACTOR ENERGÍA, S.A. A data subject had filed a complaint with the DPA because they had received advertising messages from the controller even though no contractual relationship existed between them. According to the DPA, the controller had processed the data unlawfully in the absence of a valid legal basis. The original fine of EUR 40,000 was reduced to EUR 24,000 due to voluntary payment and admission of responsibility. | link |
1610 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-24 | 1,000 | STS Di Prisinzano s.r.l | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined STS Di Prisinzano s.r.l EUR 1,000. The company had processed data of a customer in the context of a breakdown service without sufficiently informing the customer about the processing of their personal data. | link |
1611 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-06 | 3,000 | Associazione Rescue Drones Network ODV | Individuals and Private Associations | Art. 12 GDPR, Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 3,000 on Associazione Rescue Drones Network ODV. A founding member of the association had filed a complaint with the DPA. The member had learned of disciplinary actions against them and consequently intended to use documents from their e-mail account for their defense. However, the controller had blocked access to their e-mail account, preventing them from accessing the documents they needed. Against this background, they had asked the controller to grant them access to their e-mail account, but the controller never responded to the request. The DPA considered this to be a violation of the data subject’s rights under Art. 12 GDPR and Art. 15 (3) GDPR. | link |
1612 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-06 | 10,000 | Poste Italiane S.p.a. | Transportation and Energy | Art. 12 (3), (4) GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA (Garante) fined Poste Italiane S.p.a. EUR 10,000 for failing to respond to the data subject’s request for access to their data in a timely manner. | link |
1613 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-20 | 5,000 | Fondazione Teatro Regio di Torino | Individuals and Private Associations | Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 5,000 on Fondazione Teatro Regio di Torino. A member of the foundation had filed a complaint with the DPA because the foundation had published a document containing their personal health data on its website. In the course of its investigation, the DPA found that the foundation had published the data without a valid legal basis and therefore had acted unlawfully. | link |
1614 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-20 | 9,000 | Azienda Ospedaliero-Universitaria Careggi di Firenze | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 9,000 on Azienda Ospedaliero-Universitaria Careggi di Firenze. The controller had mistakenly sent a patient’s medical record to the wrong patient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data, which allowed such an incident to occur. | link |
1615 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 5,000 | Cisterna di Latina municipality | Public Sector and Education | Art. 5 GDPR, Art. 12 GDPR, Art. 37 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 5,000 on Cisterna di Latina municipality. An individual had filed a complaint with the DPA because the municipality had not responded to their request for access to their personal data in a timely manner. During its investigation, the DPA found that the municipality had mistakenly sent the data requested by the data subject to a third party rather than to the data subject. In addition, the DPA found that the municipality failed to appoint a new data protection officer several months after the initially appointed data protection officer resigned. | link |
1616 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 6,000 | Conservatorio di Musica S. Cecilia di Roma | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 38 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 6,000 on ‘Conservatorio di Musica S. Cecilia di Roma’. A student of the educational institution had filed a complaint with the DPA for having received a disciplinary sanction for a statement made during a student assembly. Although it was not supposed to be, the assembly was recorded and the institution used the recordings to base the disciplinary action on it. During its investigation, the DPA determined that the controller did not have a valid legal basis to use the assembly recordings and, therefore, the processing of the student’s personal data was unlawful. Also, the DPA found that the educational institution’s data protection officer was also the institution’s director. The DPA considered this to be an unlawful conflict of interest. | link |
1617 | GERMANY | Data Protection Authority of Sachsen-Anhalt | 2023 | 9,000 | Magdeburg University Hospital | Health Care | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The DPA of Sachsen-Anhalt has imposed a fine of EUR 9,000 on Magdeburg University Hospital. The clinic had failed to report to the DPA a data breach involving a former employee having unlawfully disclosed personal data from the clinic’s systems to third parties. | link |
1618 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 6,000 | Hermes Airport Ltd. | Transportation and Energy | Art. 24 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 6,000 on Hermes Airport Ltd. The controller had suffered a cyber attack which, according to the DPA, had been caused due to a lack of technical and organizational measures for the protection of personal data and a lack of supervision of a processor. | link |
1619 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 5,000 | DW Dynamic Works LIMITED | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 5,000 on DW Dynamic Works LIMITED. The company operated as a processor for Hermes Airport Ltd. Hermes had suffered a cyberattack which, according to the DPA, was caused, among other things, by Dynamic Works’ lack of technical and organizational measures to protect personal data. | link |
1620 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 3,500 | Universal Life Insurance Public Co Ltd. | Finance, Insurance and Consulting | Art. 24 (1) GDPR, Art. 28 (1) GDPR | Insufficient data processing agreement | The Cypriot DPA has imposed a fine of EUR 3,500 on Universal Life Insurance Public Co Ltd. The processor of the data controller had suffered a data breach in which personal data of customers were mistakenly disclosed to other customers. During its investigation, the DPA found that the controller had failed to contractually regulate the relationship with its processor. The DPA concluded that the controller had contracted a processor without ensuring that the processor provided sufficient guarantees for the implementation of appropriate technical and organizational measures to protect personal data. | link |
1621 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 3,750 | PRINTAFORM Ltd. | Industry and Commerce | Art. 28 (3) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 3,750 on PRINTAFORM Ltd. PRINTAFORM, which worked as a processor for Universal Life Insurance Public Co Ltd, had suffered a data breach in which personal data of customers was mistakenly disclosed to other customers. According to the DPA, the data breach was caused by PRINTAFORM’s lack of technical and organizational measures to protect personal data. | link |
1622 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 17,000 | Bank of Cyprus Public Company Ltd. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 24 (1) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 17,000 on Bank of Cyprus Public Company Ltd. In the context of a sale of credit facilities, the bank had inadvertently transferred data of customers whose credit facilities had not been sold to the buyer. The incidents affected approximately 11,673 records and 5,500 individuals. The DPA found that the bank had failed to implement sufficient technical and organizational measures to protect personal data. | link |
1623 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 5,000 | Cyprus Electricity Authority | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 24 (1) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 17,000 on Bank of Cyprus Public Company Ltd. In the context of a sale of credit facilities, the bank had inadvertently transferred data of customers whose credit facilities had not been sold to the buyer. The incidents affected approximately 11,673 records and 5,500 individuals. The DPA found that the bank had failed to implement sufficient technical and organizational measures to protect personal data. | link |
1624 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 5,000 | Cypriot Ministry of Defense | Public Sector and Education | Art. 24 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 5,000 on the Cypriot Ministry of Defense. The controller had suffered a cyber attack which, according to the DPA, had been caused due to a lack of technical and organizational measures for the protection of personal data and a lack of supervision of a processor. | link |
1625 | CYPRUS | Cypriot Data Protection Commissioner | 2022 | 7,500 | DW Dynamic Works LIMITED | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 7,500 on DW Dynamic Works LIMITED. The controller operated as a processor for the Cypriot Ministry of Defense. The ministry had suffered a cyberattack which, according to the DPA, was caused, among other things, by Dynamic Works’ lack of technical and organizational measures to protect personal data. | link |
1626 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 3,000 | Scuola Statale Secondaria di I^ grado ‘Bianco-Pascoli’ | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 3,000 on the school ‘Scuola Statale Secondaria di I^ grado Bianco-Pascoli, di Fasano (BR)’. The educational institution had published a document containing personal health data of some students in the school’s electronic register. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and had thus acted unlawfully. In addition, the school failed to respond to requests for information in a timely manner. | link |
1627 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-03 | 500 | MIRACLE IBIZA S.L. | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 500 on MIRACLE IBIZA S.L. The controller had installed a video surveillance system that captured the front door of an individual’s apartment. The DPA considered this to be a violation of the principle of data minimization pursuant to Art. 5 (1) c) GDPR. | link |
1628 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-03 | 600 | HOTEL VILLA SORO, S.L. | Accommodation and Hospitality | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on HOTEL VILLA SORO, S.L. The controller had installed a video surveillance system without providing the information required under Art. 13 GDPR. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and admission of responsibility. | link |
1629 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-20 | 900 | Istituto di Istruzione Superiore G. Renda di Polistena, Reggio Calabria | Employment | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 900 on the educational institution ‘Istituto di Istruzione Superiore G. Renda di Polistena, Reggio Calabria’. A former employee of the municipality filed a complaint with the DPA because a document containing their personal data had been unlawfully published on the website of the educational institution. The document contained information about the termination of the employment relationship. | link |
1630 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-20 | 10,000 | Italian Archery Federation (FITARCO) | Individuals and Private Associations | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 10 GDPR, Art. 2-ter Codice della privacy, Art. 2-octies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA (Garante) has fined the Italian Archery Federation (FITARCO) EUR 10,000. A member of the federation had filed a complaint with the DPA due to the fact that the federation had unlawfully published documents containing their personal data on its website. The documents contained, among other things, criminal information about the data subject. | link |
1631 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-10 | 15,000 | Poliambulatorio Radiologico ‘il Sorriso’ S.r.l. | Health Care | Art. 5 GDPR, Art. 13 GDPR, Art. 37 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 15,000 on Poliambulatorio Radiologico ‘il Sorriso’ S.r.l.. A patient had filed a complaint with the DPA for not receiving sufficient information regarding the processing of their personal data. Among other things, the controller had not provided information about the data protection officer and the type of data being processed. The DPA also found that the controller had failed to provide the contact details of their data protection officer to the DPA. | link |
1632 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-11-30 | 9,600 | PIONIER (law firm) | Finance, Insurance and Consulting | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Polish DPA has imposed a fine of EUR 9,600 on the law firm PIONIER. The law firm mainly represents victims of traffic accidents in proceedings against insurance companies and other entities. In this context, it supports its clients in claims for damages as well as claims for reimbursement of medical treatment costs. During its investigation, the DPA found that the law firm processed personal data, including health data, of potential clients without a valid legal basis. The law firm obtained personal data of potential clients based on press releases as well as social media reports. This allowed it to contact potential clients and offer them its services. During an initial conversation, it asked them for their verbal consent to process their personal data up until the conclusion of a contract. However, the DPA found that the consent should have been given in a way that could still be proven at a later stage (e.g., through a register of consents). | link link |
1633 | ITALY | Italian Data Protection Authority (Garante) | 2023-01-11 | 2,500 | Azienda Sanitaria Locale di Brindisi | Health Care | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 2,500 on Azienda Sanitaria Locale di Brindisi. A data subject had filed a complaint with the DPA due to the health authority’s failure to respond to a request for access to their personal data. | link |
1634 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 5,000 | Comune di Borgia | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 (2), (4) GDPR, Art. 37 (7) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) imposed a fine of EUR 5,000 on Comune di Borgia. The municipality processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis. Garante also found that the municipality had failed to provide the DPA with the contact details of its data protection officer. | link |
1635 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 8,000 | Comune di Vicchio | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 (2), (4) GDPR | Insufficient legal basis for data processing | The Italian DPA (Garante) imposed a fine of EUR 8,000 on Comune di Vicchio. The municipality processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis. | link |
1636 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 6,000 | Comune di Bracciano | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 6,000 on Comune di Bracciano. A former employee had filed a complaint with the DPA because the municipality had published a document containing their personal health data on its website. In the course of its investigation, the DPA found that the municipality had published the data without a valid legal basis and had therefore acted unlawfully. | link |
1637 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-24 | 1,000 | Private individual | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 32 GDPR, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 1,000 on a private individual. Two individuals had filed a complaint with the DPA because the controller had published personal data of them and their families in their dissertation. The individuals had participated in treatments conducted by the controller, but they had not consented to the publication of their data in the dissertation in non-anonymized form. | link |
1638 | ITALY | Italian Data Protection Authority (Garante) | 2022-05-26 | 2,000 | Store owner | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined the owner of the store ‘Turkish City’ EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR. | link |
1639 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-20 | 12,000 | Comune di Salento | Public Sector and Education | Art. 5 (1) a), b), e) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 30 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 12,000 on Comune di Salento. An individual had lodged a complaint with the DPA for being recorded by a CCTV camera, which proved that he had disregarded the curfew introduced as part of the Covid-19 pandemic countermeasures. During its investigation, the DPA found that the processing of the personal data for the purpose of proving the curfew violation was not lawful, since the cameras had originally been installed for the purpose of combating street crime. The municipality was therefore not processing the data for its original purpose, which constitutes a breach of the purpose limitation principle laid down in the GDPR. The DPA also found that the municipality stored the recordings for an excessively long period and did not provide sufficient information about the CCTV to the data subject. Furthermore, the DPA found that the municipality had failed to respond to the data subject’s request for information in a timely manner. Finally, the municipality failed to maintain a register of processing activities for certain periods. | link |
1640 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-24 | 3,000 | Ordine dei Medici Chirurghi e degli Odontoiatri della Provincia di Cagliari | Health Care | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 3,000 on the Board of Surgeons and Dentists of the Province of Cagliari. The controller had disclosed data of a doctor to third parties without a valid legal basis. | link |
1641 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 3,000 | Comune di Monte Sant’Angelo | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) e) GDPR, Art. 17 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 3,000 on Comune di Monte Sant’Angelo. A person who had participated in a selection procedure had filed a complaint with the DPA due to the fact that the municipality had published a list of candidates and their results in the selection procedure on its website. In its investigation, the DPA found that the municipality did not have a valid legal basis to publish the results and the personal data of the applicants. In addition, the DPA found that the controller failed to comply with the data subject’s request for deletion of their personal data. | link |
1642 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-02-08 | 5,000 | Medijobs Platform SRL | Industry and Commerce | Art. 32 (1) b), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 5,000 on Medijobs Platform SRL. The controller had informed the DPA about a data breach according to Art. 33 GDPR. Unauthorized third parties had succeeded in accessing the IT infrastructure of the controller and had downloaded, deleted and transferred personal data of applicants such as name, e-mail address, professional history, marital status, etc. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data, which ultimately also contributed to the data breach. | link |
1643 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 1,500 | Direzione Didattica Statale 1° Circolo-Eboli | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 1,500 on the school ‘Direzione Didattica Statale 1° Circolo-Eboli’. The educational institution had sent a document containing the names of all teachers and students, as well as health data of some students, to all teachers and parents, without distinguishing that teachers and parents receive only the information about students that concerns them. | link |
1644 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-07 | 15,000 | Rebirth s.r.l. | Accommodation and Hospitality | Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 114 Codice della privacy, Art. 157 Codice della privacy | Insufficient fulfilment of information obligations | The Italian DPA has fined Rebirth s.r.l. EUR 15,000. The controller had installed 14 surveillance cameras in a café it operated without, however, informing data subjects about the video surveillance. | link |
1645 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-11-15 | 5,200 | News service | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 7 (2), (4) GDPR, Art. 12 GDPR | Insufficient legal basis for data processing | The Hungarian DPA imposed a fine of EUR 5,200 on a news service. A customer had complained to the DPA that, having subscribed to a newsletter to receive a daily news digest, they had also received direct marketing messages. During its investigation, the DPA found that the processing of the data subjects’ personal data for direct marketing purposes was unlawful. As the controller had not sufficiently informed the data subjects of their rights, the DPA found that the data subjects’ consent to receive the newsletter was not valid as a legal basis for the processing of the data for marketing purposes. | link |
1646 | ITALY | Italian Data Protection Authority (Garante) | 2022-08-05 | 1,000 | Mister Brick S.a.s. | Industry and Commerce | Art. 5 (2) GDPR, Art. 6 (1) a) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR, Art. 24 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 1,000 on Mister Brick S.a.s. An individual had filed a complaint with the DPA against the controller for having received unsolicited marketing messages from the controller. During its investigation, the DPA found that the controller did not have a legal basis to process the data subject’s data. Moreover, the controller failed to respond in a timely manner to a request by the data subject to exercise their rights. | link |
1647 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-12-13 | 1,500 | Manager of a real estate co-ownership | Real Estate | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 12 (3), (4) GDPR, Art. 15 (1) b), c) GDPR | Insufficient legal basis for data processing | The DPA of Luxembourg has imposed a fine of EUR 1,500 on a manager of a real estate co-ownership. The controller had disclosed personal data to unauthorized third parties without having a legal basis for such disclosure. In addition, the controller did not respond to requests from data subjects to exercise their rights in a timely manner. | link |
1648 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-07 | 10,000 | Tecnomed Trento s.r.l. | Health Care | Art. 5 (1) a), c) GDPR, Art. 13 GDPR, Art. 29 GDPR, Art. 32 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has fined Tecnomed Trento s.r.l. EUR 10,000. The controller had operated several video surveillance cameras in its premises, some of them without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing. The DPA also found that three individuals had authorized access to the recorded images using shared credentials. The DPA concluded that this arrangement was not appropriate to guarantee the confidentiality of the information processed by the video surveillance system, in particular because it did not make it possible to verify who had carried out a given processing operation. | link |
1649 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2022 | 6,500 | Pharmacy | Health Care | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The DPA of Baden-Württemberg imposed a fine of EUR 6,500 on a pharmacy. The pharmacy had disposed of a large number of personal documents, including diagnoses and medical prescriptions of data subjects, in trash containers that were accessible to other people. | link |
1650 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2022 | 20,000 | Company | Employment | Unknown | Unknown | The DPA from Baden-Württemberg has imposed a fine of EUR 20,000 on a company. The company had developed a new office plan that took into account the vaccination status of its employees. For information purposes, the office plan showing the new occupancy was sent to the employees. Each employee was assigned a color (green, yellow or red) depending on their vaccination status. The DPA found that the color system allowed the disclosure of the vaccination status of all employees and was therefore unlawful. | link |
1651 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2022 | 500 | Restaurant | Accommodation and Hospitality | Unknown | Unknown | The DPA from Baden-Württemberg imposed a fine of EUR 500 on a restaurant. The owner had disposed of a large quantity of Covid contact forms in the forest. | link |
1652 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2022 | Unknown | Debt collection company | Finance, Insurance and Consulting | Art. 6 (1) GDPR, Art. 14 (1), (2) GDPR | Insufficient legal basis for data processing | The DPA from Baden-Württemberg has imposed a fine on a debt collection company. The debt collection company had received investor information from an employee of an insolvent company, which it used to offer its services to assist the affected investors with insolvency claims. However, the DPA found that the company had processed the data without the required legal basis. In addition, the debt collection company failed to provide the data subjects with necessary information, such as the origin of their data. | link |
1653 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-20 | 1,400,000 | Douglas Italia S.p.a. | Industry and Commerce | Art. 5 (1) b), e) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 (2) a) GDPR, Art. 24 GDPR, Art. 25 (1) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 1.4 million on Douglas Italia S.p.a. for various GDPR violations. In the course of its investigation, the DPA initially found that customers were supposed to give their consent to the privacy notices, the cookie policy, and the GTC at the same time. The DPA considered this to be a breach of Art. 6 GDPR and Art. 7 GDPR, as the data subject’s consent to the processing of their personal data could not be considered voluntary due to the lack of separate options for consenting to the different notices. Douglas had merged with other companies and in the process acquired additional personal data. The DPA found that after acquiring the data, Douglas had kept the data for an excessive period of time without obtaining consent from the data subjects to use it for its own purposes. The DPA also found that Douglas retained data of customers who had not renewed their loyalty cards for an excessive period of time. Douglas also failed to provide its customers with sufficient and accurate information about the data processing. The DPA also found that Douglas did not use the data for direct marketing in accordance with customer consent. For example, customers who had only consented to telemarketing also received SMS marketing messages. Finally, the DPA found that Douglas had breached its accountability obligations regarding the processing of personal data on its blog. | link |
1654 | ITALY | Italian Data Protection Authority (Garante) | 2022-11-24 | 4,000 | Società Lombarda Sport s.r.l. | Health Care | Art. 5 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Italian DPA has fined Società Lombarda Sport s.r.l. EUR 4,000. An individual had filed a complaint with the DPA. The individual had undergone a sports fitness examination with the company for the purpose of attending sports courses. However, the company then had passed on the result of their examination without a valid legal basis. | link |
1655 | BELGIUM | Belgian Data Protection Authority (APD) | 2022-08-23 | 2,500 | Company | Industry and Commerce | Art. 5 (1) d) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Belgian DPA has imposed a fine of EUR 2,500 on a company. The company operates a digital management platform where suppliers and customers can communicate and upload administrative documents. An individual, who is not themselves a member of the platform, had filed a complaint with the DPA. Since the complainant’s roommate is a member of the platform, the complainant asked them to upload the joint water bill, which was in the complainant’s name. The platform recognized the complainant’s name and sent the roommate an invitation to connect with additional companies through the platform where the complainant was a customer. Although the roommate did not accept the invitation, they were able to view various data concerning the complainant. The DPA found that the company had failed to implement appropriate technical and organizational measures to protect personal data, in order, for example, to prevent easy access to third-party data. | link link |
1656 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2023-02-06 | 900,000 | Sats ASA | Industry and Commerce | Art. 5 (1) a), e) GDPR, Art. 6 (1) GDPR, Art. 12 (1), (3) GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Norwegian DPA has imposed a fine of EUR 900,000 on the fitness chain ‘Sats’. The DPA had received several complaints from customers who had submitted requests for information as well as deletion of their personal data, which Sats had not complied with. The DPA also found that Sats had processed certain customer data without a valid legal basis. | link |
1657 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-07-22 | 10,000 | Company | Not assigned | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA of Luxembourg (CNPD) has imposed a fine of EUR 10,000 on a company. The company had installed a video surveillance system for the purpose of protecting company property and staff. However, the cameras also constantly captured parts of employees’ work areas, a break room, a meeting room and a neighboring property. The DPA stated that the controller had violated the principle of data minimization under Art. 5 (1) c) GDPR due to the excessive CCTV coverage. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR, as data subjects had not been properly informed about the video surveillance. | link |
1658 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance. | link |
1659 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 300 | COMANDANCIA DE LLEIDA | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 300 on COMANDANCIA DE LLEIDA. The controller had failed to provide a notice with information about video surveillance in its premises. | link |
1660 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property. | link |
1661 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded a neighboring property. The DPA considered this to be a violation of the principle of data minimization. | link |
1662 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1663 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 180 | SUPER 24H LOS ROSALES, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on SUPER 24H LOS ROSALES, S.L. The controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1664 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 1,200 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,200 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed about the video surveillance. | link |
1665 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 300 | PLANET COSTA DORADA SOCIEDAD LIMITADA | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 300 on PLANET COSTA DORADA SOCIEDAD LIMITADA. The controller had failed to provide a notice with information about video surveillance at its premises. | link |
1666 | IRELAND | Data Protection Authority of Ireland | 2023-01-23 | 460,000 | Centric Health Ltd. | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | The Irish DPA has imposed a fine of EUR 460,000 on Centric Health Ltd. The controller suffered a ransomware attack in which personal data such as name, date of birth and contact details were accessed, altered and destroyed without authorization. Data records of approximately 70,000 people were affected, of which 2,500 were permanently affected. The DPA’s investigation found that the healthcare facility had failed to implement adequate technical and organizational measures to protect personal data, which facilitated such an attack. | link |
1667 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 200,000 | Amiu S.p.A. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 37 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 200,000 on Amiu S.p.A. The company operates the waste collection service for the city of Taranto and acted as a processor for this service. The company had installed several video surveillance cameras for the purpose of monitoring illegal waste disposal. The DPA found that Amiu had posted some images from the cameras on Facebook in which individuals were sufficiently visible to be identified. During its investigation, the DPA found that Amiu did not have a valid legal basis to publish the images. It also found that the processing was not sufficiently regulated, contrary to the requirements of Art. 28 GDPR. Finally, the DPA found that Amiu had not appointed a data protection officer. | link |
1668 | ITALY | Italian Data Protection Authority (Garante) | 2022-04-28 | 150,000 | Taranto municipality | Public Sector and Education | Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 28 GDPR, Art. 35 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has imposed a fine of EUR 150,000 on Taranto municipality. The company Amiu S.p.A. had operated the local waste collection service on behalf of the municipality. The company had installed several video surveillance cameras with the permission of the municipality to monitor illegal waste disposal. The DPA found that Amiu had posted some images from the cameras on Facebook in which individuals were sufficiently visible to be identified. During its investigation, the DPA also found that the municipality had not properly regulated the processing with Amiu S.p.A. In addition, the DPA found that the municipality had not provided sufficient information about the video surveillance cameras. The municipality also failed to conduct a data protection impact assessment regarding the installation of the cameras, which would have been necessary for such large-scale systematic surveillance. | link |
1669 | ITALY | Italian Data Protection Authority (Garante) | 2022-10-06 | 100,000 | Veneto region | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 100,000 on the Veneto Region. The DPA had received a complaint from dozens of medical and nursing staff. During its investigation, the DPA found that the Region, in the context of Covid-19 containment measures, had provided lists of information on unvaccinated employees to various healthcare facilities and the physicians in charge there. The DPA found that the Region did not have a valid legal basis for such systematic disclosure of the lists to the physicians and that only the disclosure of the lists to the health authorities was covered by the legal decree in force at the time. | link |
1670 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 30,000 | Verizon Connect Italy S.p.A. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 28 GDPR | Insufficient legal basis for data processing | The Italian DPA has fined Verizon Connect Italy S.p.A. EUR 30,000. An individual who worked for a Verizon customer had filed a complaint with the DPA. Verizon had installed GPS systems in delivery vehicles for the customer and was acting as a processor for them. During its investigation, the DPA found that the relationship between Verizon and the customer was not sufficiently regulated, contrary to the requirements of Art. 28 GDPR. The DPA therefore found that the data processed as part of the commissioned processing was consequently processed without a valid legal basis over a long period of time. | link |
1671 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 4,900,000 | Edison Energia S.p.A. | Transportation and Energy | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1), (2), (3) GDPR, Art. 21 (2) GDPR, Art. 24 (1), (2) GDPR, Art. 25 (1) GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Edison Energia S.p.A. EUR 4.9 million. Several persons had filed complaints with the DPA regarding unlawful marketing activities of the company. During its investigation, the DPA found that the company contacted data subjects by telephone for marketing purposes without their consent. For this purpose, the company used contact lists from third parties, which in many cases, however, did not contain the free, specific, informed and documented consent of the users to the disclosure of personal data. The DPA also found that Edison Energia did not provide data subjects with a direct and easy way to exercise their right to object. In addition, Edison Energia failed to respond to data subject requests in a timely manner in several cases. The DPA further found that users of the app and website simultaneously consented to the use of their data for both marketing and profiling purposes; such consent did not amount to voluntary and specific consent for different purposes. Finally, the DPA found that Edison Energia failed to provide data subjects with transparent information about the processing of their personal data. | link link |
1672 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,500 on a private individual. The controller sent an e-mail with personal data to several recipients in an open distribution list. This made it possible for the recipients to view the e-mail addresses of all other recipients. | link |
1673 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 10,000 | HERON CITY VALENCIA MANAGEMENT S.L. | Industry and Commerce | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine of EUR 10,000 on HERON CITY VALENCIA MANAGEMENT S.L.. A data subject had complained to the DPA due to the controller’s failure to comply with their request for access to the recordings of the video surveillance system in which the data subject appeared. | link |
1674 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-21 | 300 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on a private individual. The individual had shared a document containing personal data of the data subject in a WhatsApp group without the data subject’s consent. The original fine of EUR 500 was reduced to EUR 300 due to voluntary payment and admission of responsibility. | link |
1675 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-28 | 15,000 | GRUPO NORCONSULTING, S.L. | Finance, Insurance and Consulting | Art. 15 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine of EUR 15,000 on GRUPO NORCONSULTING, S.L.. A data subject had filed a complaint against the controller with the DPA due to the controller’s failure to properly comply with their request for access and erasure of their personal data. | link |
1676 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-28 | 800 | EUROPYMES SERVICIOS INTEGRALES S.L. | Industry and Commerce | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish Data Protection Authority has imposed a fine on EUROPYMES SERVICIOS INTEGRALES S.L.. The controller has not properly complied with the data subject’s request for erasure of their personal data. The original fine of EUR 1000 was reduced to EUR 800 due to voluntary payment. | link |
1677 | IRELAND | Data Protection Authority of Ireland | 2022-12-30 | 15,000 | A&G Couriers Limited T/A Fastway Couriers (Ireland) | Transportation and Energy | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA (DPC) has fined A&G Couriers Limited T/A Fastway Couriers (Ireland) EUR 15,000. During a changeover of its IT systems, the controller had suffered a cyberattack in which unauthorized third parties gained access to personal data. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data, which facilitated such an attack. | link |
1678 | FINLAND | Deputy Data Protection Ombudsman | 2023-02-17 | 440,000 | Suomen Asiakastieto Oy | Finance, Insurance and Consulting | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Finnish DPA has imposed a fine of EUR 440,000 on Suomen Asiakastieto Oy for failing to comply with an order issued by the DPA. During an investigation, the DPA found that the company had unlawfully stored financial data of data subjects. The DPA therefore ordered the company to remove the data, which the company did not comply with. | link link |
1679 | CROATIA | Croatian Data Protection Authority (azop) | Unknown | 20,000 | Telecommunications company | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 5 (1) d) GDPR | Insufficient legal basis for data processing | The Croatian DPA (azop) has imposed a fine of EUR 20,000 on a telecommunications company. A data subject had filed a complaint with the DPA claiming that the company was still processing their personal data even though they had not been a customer of the company for more than ten years. During its investigation, the DPA found that the company had still been storing the data due to an alleged debt. The debt was no longer outstanding, however, the company had failed to delete the data of the data subject due to a lack of measures to regularly verify that the stored data was up to date and accurate. The DPA concluded that the company had unlawfully processed the data and violated Art. 6 (1) GDPR in relation to Art. 5 (1) d) GDPR. | link |
1680 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-06 | 2,250 | Finopro IFN SA | Finance, Insurance and Consulting | Art. 32 (1) b), c) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,250 on Finopro IFN SA. The controller had suffered a ransomware attack in which unauthorized third parties gained access to personal data such as address, credit card details, bank account information, telephone numbers etc. of data subjects. During its investigation the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1681 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-06 | 3,000 | Integral Collection SRL | Finance, Insurance and Consulting | Art. 32 (1) b), c) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on Integral Collection SRL. The controller had suffered a ransomware attack in which unauthorized third parties gained access to personal data such as address, credit card details, bank account information, telephone numbers etc. of data subjects. During its investigation the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1682 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-13 | 2,000 | Modaone SRL | Industry and Commerce | Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Romanian DPA has imposed a fine of EUR 2,000 on Modaone SRL. An individual had filed a complaint with the DPA for having received advertising messages by e-mail, although they had objected to receiving such messages and this had been confirmed to them by the controller. In the course of its investigation, the DPA also found that the controller had not provided data subjects with sufficient, correct and up-to-date information about the processing of their personal data. In addition, the DPA found that the requirements for exercising data subject rights were inadequate. | link |
1683 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-15 | 10,000 | Alianța pentru Unirea Românilor | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | The Romanian DPA imposed a fine of EUR 10,000 on Alianța pentru Unirea Românilor. During its investigation, the DPA found that the controller collected personal data on its website without informing the data subjects and without meeting the conditions for the lawfulness of the processing. The DPA also found that the controller collected data such as surname, first name, address, ID card number, etc. not only on its website but also through various forms to be filled in. The DPA considered this to be a violation of the principle of data minimization. | link |
1684 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-15 | 4,000 | Partidul Uniunea Salvați România | Individuals and Private Associations | Art. 32 (1) a) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has fined the Partidul Uniunea Salvați România party EUR 4,000. The controller had suffered a phishing attack in which the attackers gained unauthorized access to personal data such as first name, last name, email, phone number, as well as data on the political affiliation of the data subjects. The DPA found that the controller had failed to implement adequate technical and organizational measures such as data encryption to protect personal data, which facilitated such an attack. | link |
1685 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-14 | 3,000 | Tinmar Energy SA | Transportation and Energy | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has fined Tinmar Energy SA EUR 3,000. The controller had suffered a data breach in which third parties gained unauthorized access to personal data such as first name, last name, phone number, address etc. of the data subjects. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1686 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-16 | 1,000 | Centrul Medical dr. Furtună Dan | Health Care | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on Centrul Medical dr. Furtună Dan. The controller had sent results of a medical test via WhatsApp to the wrong recipient. As a result, personal data of the data subject, such as first and last name, telephone number and medical data, were unauthorizedly disclosed to third parties. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1687 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-16 | 3,000 | Med Life S.A. | Health Care | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on Centrul Medical dr. Furtună Dan. The controller had sent results of a medical test via WhatsApp to the wrong recipient. As a result, personal data of the data subject, such as first and last name, telephone number and medical data, were unauthorizedly disclosed to third parties. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1688 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-01-19 | 6,400 | Szczecin-Centrum District Court | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1), (2) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 6,400 on the Szczecin-Centrum District Court. The court had reported a data breach to the DPA involving the loss of three data carriers. One data carrier was an official and encrypted one, the other two were private and unencrypted data carriers containing drafts of court rulings and statements with personal data. In the course of its investigation, the DPA discovered that data carriers which had not been checked and secured by the court’s IT department had been used on official computers over a period of many years. In addition, the DPA found that although there were regulations prohibiting the use of private data carriers, the court failed to check whether employees actually complied with these regulations. In addition, the court failed to implement technical measures to prevent the use of private data carriers. | link link |
1689 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-16 | 5,000 | Private individual | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 5,000 on a private individual. The controller sent an e-mail with personal data to several recipients in an open distribution list. This made it possible for the recipients to view the e-mail addresses of all other recipients. | link |
1690 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-15 | 480 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed a video surveillance camera which also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment. | link |
1691 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-27 | 4,000 | Attorney | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 4,000 on an attorney. The attorney had sent a court ruling containing personal data of a data subject to several individuals via WhatsApp without the consent of the data subject. | link |
1692 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-14 | 240 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. A data subject had filed a complaint against their ex-partner with the DPA. The ex-partner had installed video surveillance cameras in the jointly occupied residence, which also recorded parts of their private living areas and jointly used parts of the residence. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 240 due to voluntary payment. | link |
1693 | ITALY | Italian Data Protection Authority (Garante) | 2023-01-26 | 5,000 | Azienda ULSS n.5 Polesana | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 5,000 on Azienda ULSS n.5 Polesana. The healthcare facility had mistakenly sent a patient’s medical record to the wrong patient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data, which allowed such an incident to occur. | link |
1694 | ITALY | Italian Data Protection Authority (Garante) | 2023-01-11 | 6,000 | Ufficio Scolastico Regionale per la Lombardia, Ufficio IV – Ambito Territoriale di Brescia | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 6,000 on Ufficio Scolastico Regionale per la Lombardia, Ufficio IV – Ambito Territoriale di Brescia. The school board had published a document, which contained personal health data of a teacher on its website. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and therefore had acted unlawfully. | link |
1695 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-15 | 136,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine on Vodafone España, S.A.U. A data subject had filed a complaint against the data controller as unauthorized fraudsters managed to access their Vodafone account and make changes to their contract. During its investigation, the DPA found that Vodafone had carried out the changes without verifying the identity of the person requesting them and determining whether they were actually requested by the data subject. The original fine of EUR 170,000 was reduced to EUR 136,000 due to voluntary payment and admission of responsibility. | link |
1696 | IRELAND | Data Protection Authority of Ireland | 2023-02-27 | 750,000 | Bank of Ireland 365 | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA has fined Bank of Ireland 365 EUR 750,000. The bank had notified the DPA of 10 data breaches linked to the bank’s app. Unauthorized persons had managed to gain access to the app as well as to other individuals’ accounts. The DPA determined that this data breach was facilitated due to the bank’s failure to implement appropriate technical and organizational measures to protect personal data. | link |
1697 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2023-03-08 | 220,000 | Argon Medical Devices | Employment | Art. 33 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA of a data breach that involved personal data of all its European employees within 72 hours. | link |
1698 | FRANCE | French Data Protection Authority (CNIL) | 2023-03-16 | 125,000 | CITYSCOOT | Transportation and Energy | Art. 5 (1) c) GDPR, Art. 28 (3) GDPR, Art. 82 Loi informatique et libertés | Non-compliance with general data processing principles | The French DPA has imposed a fine of EUR 125,000 on CITYSCOOT, a company that rents out motor scooters for short periods. During its investigation, the DPA found that CITYSCOOT was collecting vehicle geolocation data every 30 seconds while a scooter was rented, as well as storing the history of the trips. The company had stated that it collected the data for purposes such as handling traffic violations, complaint inquiries, assisting users in the event of a crash, and handling theft cases. However, the DPA found that none of these purposes justified such permanent geolocation of data subjects, and that the company had thus violated the principle of data minimization. In addition, the DPA found that the contracts concluded by the company with its processors did not contain all the required information. | link link |
1699 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-23 | 5,000 | Tehnoplus Industry SRL | Employment | Art. 5 (1) a), c), e) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 5,000 on Tehnoplus Industry SRL. An employee of the company had filed a complaint with the DPA because the controller had installed a GPS system in their company vehicle for the purpose of monitoring the vehicle without providing them with sufficient information about such installation. During its investigation, the DPA also found that the controller was processing the GPS data outside working hours and for purposes other than originally intended. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller was unable to prove that it did not store the data for longer than legally permitted. | link |
1700 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-03-27 | 450 | Private individual | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 450 on a private individual. The individual had published personal data of numerous people on a social network without their consent. | link |
1701 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-23 | 70,000 | Orange Espagne S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on Orange Espagne S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1702 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 70,000 | CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.. The data subject had received a message from a debt collection company on behalf of Caixabank requesting payment of outstanding debts. However, the debt had been annulled, which was also confirmed in a court ruling. For this reason, the DPA determined that the disclosure of the data subject’s personal data for the purpose of contacting them regarding the settlement of the debt was unlawful. | link |
1703 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-12-13 | 1,000 | Company | Not assigned | Art. 12 (1) GDPR | Insufficient fulfilment of information obligations | The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. | link link |
1704 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-12-13 | 2,500 | Company | Not assigned | Art. 12 (1) GDPR | Insufficient fulfilment of information obligations | The DPA of Luxembourg has imposed a fine of EUR 2,500 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. | link link |
1705 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-12-13 | 2,100 | Company | Not assigned | Art. 12 (1) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The DPA of Luxembourg has imposed a fine of EUR 2,100 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore, the DPA found that the controller had failed to provide the data subjects with sufficient information on the processing of personal data, thereby violating Art. 13 GDPR. | link link |
1706 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-12-13 | 700 | Company | Not assigned | Art. 12 (1) GDPR, Art. 13 (1) f) GDPR | Insufficient fulfilment of information obligations | The DPA of Luxembourg has imposed a fine of EUR 700 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore, the DPA found that the controller had failed to provide the data subjects with sufficient information on the transfer of personal data to a third country or international organisation, thereby violating Art. 13 GDPR. | link link |
1707 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2022-12-13 | 1,400 | Company | Not assigned | Art. 12 (1) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The DPA of Luxembourg has imposed a fine of EUR 1,400 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore, the DPA found that the controller had failed to provide the data subjects with sufficient information on the processing of personal data, thereby violating Art. 13 GDPR. | link link |
1708 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 50,000 | SOCIEDAD ESPAÑOLA DE RADIODIFUSIÓN, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on SOCIEDAD ESPAÑOLA DE RADIODIFUSIÓN, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim’s testimony in court on their websites to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1709 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 50,000 | LA VANGUARDIA EDICIONES, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on LA VANGUARDIA EDICIONES, S.L.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1710 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 50,000 | DIARIO ABC, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on DIARIO ABC, S.L.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1711 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 50,000 | CONECTA5 TELECINCO, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on CONECTA5 TELECINCO, S.A.U.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1712 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 50,000 | DISPLAY CONNECTORS, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on DISPLAY CONNECTORS, S.L.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1713 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 50,000 | EL DIARIO DE PRENSA DIGITAL SL. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on EL DIARIO DE PRENSA DIGITAL SL.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1714 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 40,000 | EDITORIAL DE PRENSA CANARIA, S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on EDITORIAL DE PRENSA CANARIA, S.A.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
1715 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 40,000 | TITANIA COMPAÑÍA EDITORIAL, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on TITANIA COMPAÑÍA EDITORIAL, S.L.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
1716 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-21 | 50,000 | UNIDAD EDITORIAL INFORMACION GENERAL S.L.U. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on UNIDAD EDITORIAL INFORMACION GENERAL S.L.U.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1717 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Physician | Health Care | Art. 12 (3) GDPR | Insufficient fulfilment of data subjects rights | The DPA of Bremen imposed a fine on a physician for failing to respond to a data subject’s request for access to their data in a timely manner. | link |
1718 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Company | Not assigned | Art. 12 (3) GDPR | Insufficient fulfilment of data subjects rights | The DPA of Bremen imposed a fine on a company for failing to respond to a data subject’s request for access to their data in a timely manner. | link |
1719 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Physician | Health Care | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Bremen imposed a fine on a physician for using a patient’s contact details to contact them privately without their consent. | link |
1720 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Physician | Health Care | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Bremen imposed a fine on a physician for transmitting patient’s data to a billing office without their consent. | link |
1721 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The DPA of Bremen imposed a fine on a private individual. The individual, who worked in a restaurant, had contacted a restaurant visitor privately using the contact information they had provided, which was required for a restaurant visit during the Covid-19 pandemic. | link |
1722 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The DPA of Bremen imposed a fine on a private individual. The individual, who worked at a Covid-19 testing center, had contacted a patient privately using the contact details the patient had provided for their Covid test. | link |
1723 | GERMANY | Data Protection Authority of Bremen | 2022 | Fine in five-digit amount | Company | Employment | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The DPA of Bremen has imposed a five-digit fine on a company. The controller had unlawfully used GPS software in its company vehicles, allowing unrestricted monitoring of its employees over a long period of time. The DPA found that such extensive monitoring was not necessary and therefore unlawful. | link |
1724 | GERMANY | Data Protection Authority of Bremen | 2022 | Fine in five-digit amount | Company | Employment | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The DPA of Bremen has imposed a five-digit fine on a company. The company had sent an unredacted social plan to all affected employees in the context of dismissals due to operational reasons, resulting in the disclosure of personal data contained therein, such as date of birth, age, marital status, number of dependent children, function in the company, severe disability, etc., to all employees. The DPA found that such extensive disclosure of personal data was unlawful due to the lack of a legal basis. The DPA considered the fact that special categories of personal data, such as information on a severe disability, had also been disclosed to be an aggravating factor. | link |
1725 | GERMANY | Data Protection Authority of Bremen | 2022 | Fine in five-digit amount | Company | Employment | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The DPA of Bremen has imposed a five-digit fine on a company. The company had transferred the pay slips of its employees without their consent to another company, which was to continue to employ the employees in the future. The DPA considered the fact that a high double-digit number of employees were affected as an aggravating factor. | link |
1726 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Company | Not assigned | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The DPA from Bremen has fined a company for failing to inform the DPA pursuant to Art. 33 GDPR that an employee’s business email account had been hacked. | link |
1727 | GERMANY | Data Protection Authority of Bremen | 2022 | Fine in three-digit amount | Company | Not assigned | Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The DPA of Bremen has imposed a three-digit fine on a company. The company offered its applicants an online application procedure on its website without informing users about the processing of their personal data. | link |
1728 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Medical care center | Health Care | Unknown | Insufficient legal basis for data processing | The DPA of Bremen has imposed a fine on a medical care center for having scanned a customer’s ID card against their will and stored the copy. Once the customer complained, they were threatened with termination of the customer relationship. In assessing the fine, the DPA took into account the fact that the ID card had been scanned against the explicit objection of the data subject. | link |
1729 | GERMANY | Data Protection Authority of Bremen | 2022 | Unknown | Supermarket | Industry and Commerce | Unknown | Insufficient legal basis for data processing | The DPA of Bremen has imposed a fine on a supermarket. A store detective had taken a photo of the data subject on the occasion of an alleged theft and transmitted it via the messenger service WhatsApp to the manager, the store manager and two closing staff members, allegedly to enforce house rules but without a sufficient legal basis. | link |
1730 | UNITED KINGDOM | Information Commissioner (ICO) | 2023-04-04 | 14,500,000 | TikTok | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The UK DPA (ICO) has fined TikTok EUR 14.5 million. The ICO had found that more than one million British children under the age of 13 were using TikTok without the consent of their parents. The ICO criticized TikTok for failing to implement adequate controls to identify and remove underage children from its platform. Further, the ICO found that TikTok did not provide users of the platform with sufficient and easily understandable information about the collection, use and disclosure of their data. For this reason, the ICO concluded that TikTok had not ensured that its users’ personal data was processed in a lawful, fair and transparent manner. | link |
1731 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-04-04 | 3,000 | Tensa Art Design SRL | Industry and Commerce | Art. 21 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 3,000 on Tensa Art Design SRL. An individual had filed a complaint for receiving promotional messages despite having filed an objection to receiving promotional messages and having their personal data processed for marketing purposes. The DPA considered this to be a violation of Art. 21 (3) GDPR. | link |
1732 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-02-07 | 321 | Housing association | Real Estate | Art. 5 (1) a) GDPR, Art. 28 (1), (3), (9) GDPR, Art. 33 (1) GDPR, Art. 34 (1), (2) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has imposed a fine of EUR 321 on a housing association. The controller had suffered a data breach involving the theft of documents, including a copy of a notarial deed. During its investigation, the DPA found that the controller had both failed to report the data breach to the DPA in a timely manner and to notify the data subjects affected by the incident. Further, the DPA found that the controller had not adequately checked if the processor provided sufficient guarantees to implement appropriate technical and organisational measures to ensure data protection. | link link |
1733 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-03 | 50,000 | ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1734 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-04 | 18,000 | ENFOKA SISTEMAS GLOBALES, S.L. | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on ENFOKA SISTEMAS GLOBALES, S.L.. A customer had filed a complaint with the DPA due to the fact that the controller carried out a change of their electricity supply company without obtaining their consent beforehand. The original fine of EUR 30,000 was reduced to EUR 18,000 due to voluntary payment and admission of responsibility. | link |
1735 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-05 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property. | link |
1736 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-03 | 50,000 | 20 MINUTOS EDITORA, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on 20 MINUTOS EDITORA, S.L.. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
1737 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-03 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property. | link |
1738 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-24 | 1,000 | INMARAN ASESORES S.L. | Finance, Insurance and Consulting | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on INMARAN ASESORES S.L. for failing to comply with an order issued by the DPA. | link |
1739 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-09 | 3,000 | Store owner | Industry and Commerce | Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has fined a store owner EUR 3,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing. | link |
1740 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-23 | 4,000 | Azienda socio-sanitaria locale n. 1 di Sassari | Health Care | Art. 5 GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 4,000 on Azienda socio-sanitaria locale n. 1 di Sassari. The controller had mistakenly sent a document containing health data of the data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data. | link |
1741 | GERMANY | Data Protection Authority of Hamburg | 2022 | Fine in three-digit amount | Private individual | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | Unlawful use of a dashcam | link |
1742 | GERMANY | Data Protection Authority of Hamburg | 2022 | Unknown | Logistics company | Transportation and Energy | Art. 32 (1) GDPR, Art. 33 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A logistics company had disposed of delivery lists in a public waste paper container. The lists contained a large amount of detailed information, such as the first and last names of subscribers, the addresses, subscribed newspapers, and special delivery information, such as the location of mailboxes and any complaints from recipients. The DPA also noted that the company failed to inform the data subjects and the DPA of the data breach in a timely manner. | link |
1743 | GERMANY | Data Protection Authority of Hamburg | 2022 | 1,000 | Physician | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | A physician’s office had disposed of records of positive and negative Covid-19 Antigen Rapid test results from patients in a public waste disposal site. | link |
1744 | GERMANY | Data Protection Authority of Hamburg | 2022 | 1,000 | Covid-19 test center | Health Care | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The DPA of Hamburg has fined a Covid-19 test center EUR 1,000 for failing to comply with the right of data subjects to have their personal data deleted. | link |
1745 | GERMANY | Data Protection Authority of Hamburg | 2022 | 2,700 | Covid-19 test center | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Hamburg has imposed a fine of EUR 2,700 on a Covid-19 test center. The test center had sent the data subjects an unencrypted e-mail containing a URL that allowed them to access the test result without any further security measures. In some cases, the download link was structured in a way that led to the download of a PDF file whose file name corresponded to the last name of the person tested. With knowledge of the directory path, it was therefore possible to view third-party test results. | link |
1746 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-23 | 180 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on a private individual. The data controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1747 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2021-10-27 | 18,700 | Company | Not assigned | Art. 37 (7) GDPR, Art. 38 (1), (3) GDPR, Art. 39 (1) b) GDPR | Insufficient involvement of data protection officer | The DPA of Luxembourg has imposed a fine of EUR 18,700 on a company. During its investigation, the DPA first found that the controller’s public website did not include direct contact details for the DPO. Furthermore, the DPO was not sufficiently involved in all data protection matters. For example, they only participated in internal meetings by invitation. Moreover, there were several hierarchical intermediaries between the DPO and the highest management level of the controller, not granting them sufficient autonomy. Also, in the absence of formalized procedures, the DPO was not able to sufficiently monitor the consistency of data processing practices. | link |
1748 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-24 | 360 | ALI MARKET | Industry and Commerce | Art. 13 GDPR, Art. 30 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 360 on ALI MARKET. The controller had failed to provide a notice with information about video surveillance in its premises. In addition, the controller failed to keep a proper register of processing activities. | link |
1749 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-04-07 | 3,000 | REGENCY COMPANY SRL | Employment | Art. 5 (1) a), b), c) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 3,000 on REGENCY COMPANY SRL. The controller had installed video surveillance cameras in its premises for the purpose of monitoring access of people and security of premises and property. However, this allowed it to monitor its employees extensively. In the course of its investigation, the DPA found that the video surveillance was partly carried out without the consent of the employees and that the purposes underlying the surveillance could also be achieved by means less intrusive into the privacy of the employees. | link |
1750 | GERMANY | Data Protection Authority of Hamburg | 2022 | 1,400 | Covid-19 test center | Health Care | Art. 6 (1) c) GDPR | Insufficient legal basis for data processing | The DPA from Hamburg has imposed a fine of EUR 1,400 on a Covid-19 test center. The controller intended to fulfill its statutory documentation obligations and scanned the front and back of ID cards of tested persons for this purpose. However, such extensive storage of personal data would not have been necessary to fulfill its documentation obligations. This could and should have been known to the controller. | link |
1751 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-04 | 84,000 | BANCO BILBAO VIZCAYA ARGENTARIA, S.A. | Finance, Insurance and Consulting | Art. 6 (1) GDPR, Art. 15 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on BANCO BILBAO VIZCAYA ARGENTARIA, S.A.. During its investigation, the DPA found that the controller had registered alleged debts of a former client to the risk information center of the Spanish Central Bank without a valid legal basis. The DPA also found that the controller had not adequately complied with the former customer’s request for access to their personal data. The original fine of EUR 140,000 was reduced to EUR 84,000 due to voluntary payment and admission of responsibility. | link |
1752 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-17 | 10,000 | INGENIERÍA Y TELECOM JAÉN, S.L. | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on INGENIERÍA Y TELECOM JAÉN, S.L.. The controller had extended the data subject’s contract without their consent. | link |
1753 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-09-26 | 26,700 | TV2 Média Csoport Zrt. | Media, Telecoms and Broadcasting | Art. 5 (1) a), b) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Hungarian DPA has fined TV2 Média Csoport Zrt. EUR 26,700. In the course of its investigation, the DPA found that the controller had operated two websites without providing adequate information on the handling of personal data on the websites. The DPA also found that the controller failed to obtain consent from users in a transparent and clear manner on the websites. | link link |
1754 | ITALY | Italian Data Protection Authority (Garante) | 2023-01-26 | 7,000 | Azienda Ospedaliera Bianchi Melacrino Morelli | Health Care | Art. 5 GDPR, Art. 9 GDPR, Art. 32 GDPR, Art. 75 Codice della privacy | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 7,000 on Azienda Ospedaliera Bianchi Melacrino Morelli. The controller had mistakenly sent a document containing health data of the data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data. | link |
1755 | ITALY | Italian Data Protection Authority (Garante) | 2023-01-11 | 5,000 | Azienda Ospedale-Università Padova | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 5,000 on Azienda Ospedale-Università Padova. The controller had sent an email containing consent forms for participation in a clinical trial to several recipients in an open distribution list. This allowed the recipients to view the email addresses of all other recipients, 19 in total. | link |
1756 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-28 | 1,800 | WUNSCHURLAUB S.L. | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has fined WUNSCHURLAUB S.L. for storing passwords in plain text on its website www.meine-auszeit-jetzt.de. The DPA considered this to be a violation of Art. 32 GDPR. The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and admission of responsibility. | link |
1757 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-28 | 600 | ECOMM MOVADGENCY S.L. | Industry and Commerce | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine on ECOMM MOVADGENCY S.L. for sending out direct marketing messages, despite the fact that the data subjects had exercised their right to object. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and admission of responsibility. | link |
1758 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-28 | 3,000 | CITIZENGO FOUNDATION | Individuals and Private Associations | Art. 7 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on CITIZENGO FOUNDATION. A person had filed a complaint with the DPA because the controller had sent them an email with election advertising without the individual’s consent. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and acknowledgement of responsibility. | link |
1759 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-03-01 | 11,100 | Housing cooperative | Individuals and Private Associations | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has imposed a fine of EUR 11,100 on a housing cooperative. The controller had disclosed personal data of a member of the cooperative to an unauthorized person. The incident was recorded in an internal register of violations, however the controller failed to inform the DPA and the data subject of the incident in a timely manner. | link link |
1760 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2022 | 3,400 | Company | Transportation and Energy | Unknown | Insufficient legal basis for data processing | The Czech DPA imposed a fine of EUR 3,400 on a company. The data subject had concluded an energy supply contract with the controller in the past, but then duly terminated it. Nevertheless, the controller assigned the previously terminated contract to a processor (sales representative) in order to contact the data subject to conclude a new contract. The DPA found that the controller had unlawfully transferred the data subject’s data to the sales agent, as in the absence of an existing contract it had no valid legal basis for such transfer. | link |
1761 | ITALY | Italian Data Protection Authority (Garante) | 2023-01-26 | 5,000 | Misterbianco municipality | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 5,000 on Misterbianco municipality. An employee had filed a complaint with the DPA because the municipality had published a document containing their personal data on its website. In the course of its investigation, the DPA found that the municipality had published the data without a valid legal basis and therefore had acted unlawfully. | link |
1762 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-15 | 120,000 | Eurosanità S.P.A. | Health Care | Art. 5 GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 120,000 on Eurosanità S.P.A.. The controller operates various healthcare facilities. An individual had filed a complaint with the DPA for mistakenly receiving a document that contained medical records of another individual. The DPA found that the controller had not taken sufficient technical and organizational measures to protect personal data in order to avoid such incidents. | link |
1763 | ITALY | Italian Data Protection Authority (Garante) | 2022-12-01 | 2,000 | Store owner | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined a store owner EUR 2,000 for failing to provide sufficient information pursuant to Art. 13 GDPR about CCTV surveillance in their premises. | link |
1764 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-04 | 10,000 | Real Federación Española de Tenis de Mesa | Individuals and Private Associations | Art. 9 (2) GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 10,000 on Real Federación Española de Tenis de Mesa. A participant in an examination to become a table tennis coach had filed a complaint with the DPA because they were required to show a Covid test in order to access the examination premises. During its investigation, the DPA found that the controller did not have a valid legal basis for this processing, as the legal provisions regarding hygiene concepts at that time did not require proof of testing. | link |
1765 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-02-02 | 10,000 | Vodafone | Media, Telecoms and Broadcasting | Art. 5 (1) a), b) GDPR, Art. 6 (1), (4) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has imposed a fine of EUR 10,000 on Vodafone. An individual had filed a complaint with the DPA because they had received a package containing promotional gifts from a company working with Vodafone, even though they had expressly objected to the use of their data for promotional purposes. During its investigation, the DPA found that the controller processed the data without a valid legal basis and thus acted unlawfully. The DPA also found that the controller could not prove that it had comprehensively informed the data subject about the processing of their personal data in accordance with Art. 13 GDPR. | link |
1766 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-02-02 | 30,000 | Piraeus Bank | Finance, Insurance and Consulting | Art. 5 (1) a), f) GDPR, Art. 33 GDPR, Art. 34 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has imposed a fine of EUR 30,000 on Piraeus Bank. A customer had filed a complaint with the DPA because the bank had disclosed transaction and account balance information from two bank accounts of which they were a joint owner to the heirs of the other owner in the course of legal proceedings. The DPA determined that the disclosure of the joint account information was unlawful. In addition, the bank failed to report the incident to the DPA and the data subject in a timely manner. | link |
1767 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-02-20 | 40,000 | Vodafone | Media, Telecoms and Broadcasting | Art. 15 GDPR, Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The Hellenic DPA has imposed a fine of EUR 40,000 on Vodafone. An individual had filed a complaint with the DPA because, following a request for access to records of conversations with a Vodafone call center, Vodafone had provided them with another customer’s conversations. Vodafone in addition failed to report this incident to the DPA in a timely manner. | link |
1768 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-16 | 100,000 | ORANGE ESPAGNE S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 100,000 on ORANGE ESPAGNE S.A.U. A customer who had purchased a cell phone from ORANGE had filed a complaint with the DPA. As a condition of delivering the cell phone, ORANGE required the delivery person to take a photo of the front and back of the customer's ID card. ORANGE had introduced this measure for security purposes, to prevent fraud and identity theft. Despite these legitimate purposes, the DPA found that there were far less privacy-intrusive means of achieving them than photographing the ID card and thereby processing a wide range of personal data. | link |
1769 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2023-04-04 | 13,300 | Company | Not assigned | Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Hungarian DPA has imposed a fine of EUR 13,300 on a company. A customer had filed a complaint with the DPA because a conversation, which they had with a sales representative of the controller, had been recorded without them being informed about this. The DPA considered this to be a breach of the controller’s information obligations under the GDPR. | link |
1770 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-09 | 1,600 | Deca s.r.l. | Employment | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 1,600 on Deca s.r.l. Employees had filed a complaint with the DPA because the controller had not complied with their requests for access to the personal data processed for attendance checks. | link |
1771 | GREECE | Hellenic Data Protection Authority (HDPA) | 2022-12-19 | 7,000 | ΜΑΡΙΑ ΠΕΔΙΩΤΗ ΚΑΙ ΣΙΑ Ο.Ε. | Not assigned | Art. 12 GDPR, Art. 15 GDPR, Art. 31 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 7,000 on the company ΜΑΡΙΑ ΠΕΔΙΩΤΗ ΚΑΙ ΣΙΑ Ο.Ε. The company had not sufficiently complied with the request for information from a person, as the information was late and incomplete. In addition, the controller did not sufficiently cooperate with the DPA. | link |
1772 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-13 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1773 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-13 | 112,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions. The original fine of EUR 140,000 was reduced to EUR 112,000 due to voluntary payment. | link |
1774 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-28 | 800 | GUUDJOB WORLDWIDE S.L. | Not assigned | Art. 12 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine on GUUDJOB WORLDWIDE S.L. An individual filed a complaint with the DPA claiming that the controller had not complied with their request to delete their personal data. The individual had posted a review on the controller's website. After seeing that their name had been published, they asked for their data to be deleted. However, the controller did not comply with this request in due time. The original fine of EUR 1,000 was reduced to EUR 800 due to voluntary payment. | |
1775 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-10 | 40,000 | VODAFONE ONO, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on VODAFONE ONO, S.A.U. The controller had carried out a credit check on an individual without there being a customer relationship or any other affiliation. The personal data of the data subject was thus processed without a legal basis. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment. | link |
1776 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2023-01-19 | 150,000 | Dutch Social Insurance Institution (SVB) | Public Sector and Education | Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Dutch DPA has imposed a fine of EUR 150,000 on the Dutch Social Insurance Institution (SVB). The controller had suffered a data breach in which a client’s data had been leaked to unauthorized third parties. An unknown third party had succeeded in requesting benefit information via the controller’s telephone helpdesk. In the course of its investigation, the DPA found that the controller had failed to implement sufficient technical and organizational measures to protect personal data. For example, the DPA found that the system for verifying the identity of callers was inadequate and verification questions were too simple. | link |
1777 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-04-19 | 3,000 | Partidul Uniunea Salvați România | Individuals and Private Associations | Art. 5 (1) a), b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 3,000 on the party ‘Partidul Uniunea Salvați România’. The controller had published personal data of persons with different degrees of disability on their website without a valid legal basis. | link |
1778 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-09 | 10,000 | Banca Cambiano 1884 S.p.A. | Finance, Insurance and Consulting | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to respond to the data subject’s request for access to their data in a timely manner. | link |
1779 | GERMANY | Data Protection Authority of Hessen | 2022 | 16,400 | Covid-19 test center | Health Care | Art. 6 (1) GDPR, Art. 33 (1), (5) GDPR | Insufficient legal basis for data processing | The DPA of Hessen has fined a Covid-19 test center EUR 16,400. The controller had sent an e-mail containing personal data to several recipients in an open distribution list. The DPA also found that the controller had failed to adequately document the data breach. | link |
1780 | GERMANY | Data Protection Authority of Hessen | 2022 | 1,800 | Covid-19 test center | Health Care | Art. 5 (1) a), f) GDPR, Art. 6 (1) GDPR | Non-compliance with general data processing principles | The DPA of Hessen imposed a fine of EUR 1,800 on a Covid-19 test center. An employee had taken an adhesive label from the trash, written the test center’s e-mail address on it and attached it to the center’s window. However, due to a lack of care, the employee did not notice that the label still contained personal data of an individual. The data was therefore visible to third parties for about 24 hours until the label was removed. | link |
1781 | GERMANY | Data Protection Authority of Hessen | 2022 | 7,380 | Police officer | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | A police officer had accessed data in police databases for private research purposes over a period of three years. | link |
1782 | GERMANY | Data Protection Authority of Hessen | 2022 | 300 | Police officer | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | A police officer had accessed data in police databases for private research purposes in order to obtain information about their ex-partner’s new partner. | link |
1783 | GERMANY | Data Protection Authority of Hessen | 2022 | 800 | Police officer | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | A police officer had accessed data in police databases for private research purposes in order to obtain information about a colleague. | link |
1784 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-04-24 | 1,000 | Tensa Art Design SA | Industry and Commerce | Art. 12 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 1,000 on Tensa Art Design SA. The controller failed to comply with a data subject’s right to object. | link |
1785 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-20 | 25,000 | KFC RESTAURANTS SPAIN, S.L. | Industry and Commerce | Art. 13 GDPR, Art. 37 GDPR | Insufficient involvement of data protection officer | The Spanish DPA has fined KFC RESTAURANTS SPAIN, S.L EUR 25,000. During its investigation, the DPA found that the controller had failed to appoint a data protection officer. In addition, the DPA found that the controller did not provide all of the information required under Art. 13 GDPR on its website. | link |
1786 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-02 | 50,000 | Azienda sanitaria locale di Bari | Health Care | Art. 5 (1) a), c), f) GDPR, Art. 9 GDPR, Art. 25 (1), (2) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 50,000 on Azienda sanitaria locale di Bari. The healthcare facility had published reviews of former patients on the Internet and provided access to hundreds of documents on which it was possible to identify the patients. The information about the patients had been crudely redacted, but not enough to prevent the data from being disclosed. In particular, information about the patients’ state of health, clinical data on operations, diagnoses, etc. were visible. | link link |
1787 | SWEDEN | Data Protection Authority of Sweden | 2023-04-26 | 17,600 | Skåne region | Public Sector and Education | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has fined Skåne region EUR 17,600. An employee of the region had lost an unencrypted USB stick containing the social security numbers and sensitive personal data of nearly 2,000 people. The DPA found that the region had failed to implement adequate technical and organizational measures to protect personal data. | link link |
1788 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2022-08-23 | 25,000 | Operator of a public toilet | Not assigned | Art. 5 (1) a), b), c) GDPR, Art. 6 (1) f) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Austrian DPA has imposed a fine of EUR 25,000 on an operator of a public toilet. The controller had installed a video surveillance camera on the restrooms and secretly recorded people using the toilets. The DPA found that the controller had no legal basis for installing the cameras. In assessing the fine, the fact that the privacy of the data subjects had been significantly violated was taken into account as an aggravating factor. | link |
1789 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-21 | 25,000 | SECURITAS DIREC ESPAÑA, S.A. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 25,000 on SECURITAS DIREC ESPAÑA, S.A. for failing to comply with an order issued by the DPA. | link |
1790 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-25 | 70,000 | DIGI SPAIN TELECOM, S.L. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on DIGI SPAIN TELECOM, S.L. A person had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions. | link |
1791 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-24 | 70,000 | Telefónica Móviles España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on Telefónica Móviles España, S.A.U. A person had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions. | link |
1792 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-26 | 1,000 | Website operator | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 1,000 on a website operator for failing to ensure that the privacy policy on its website complied with the requirements of Art. 13 GDPR. | link |
1793 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-25 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which also recorded a neighbor property. The DPA considered this to be a violation of the principle of data minimization. | link |
1794 | GERMANY | Data Protection Authority of Brandenburg | 2022 | Fine in five-digit amount | Bank | Finance, Insurance and Consulting | Art. 28 (3) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Brandenburg has imposed a five-digit fine on a bank. The bank had installed a video surveillance system that covered parts of the foyer of the branch containing the ATMs, the entrance area, and the sidewalk and parking spaces in front of it. Both the transmission of the images and the commands used to access the cameras were sent unencrypted over the Internet. The bank suffered a data breach in which unknown third parties compromised the video cameras and then posted the images on the Internet; they were also able to control the cameras to a limited extent. During its investigation, the DPA found that the bank had failed to implement adequate technical and organizational measures to protect personal data, which facilitated such a breach. In addition, the DPA found that the bank had failed to enter into a processing agreement with its processors, which also had access to the cameras and images. | link |
1795 | GERMANY | Data Protection Authority of Brandenburg | 2022 | Fine in five-digit amount | Restaurant operator | Accomodation and Hospitalty | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a five-digit fine on a restaurant operator. During the Corona pandemic, the operator had required restaurant visitors to fill out forms with their name, address, telephone number and e-mail address for the purpose of contact tracing as required by law. However, there was no legal requirement to collect the e-mail address. Visitors were further required to check a box stating that they agreed to be contacted by the restaurant. The restaurant subsequently used the e-mail addresses to send a promotional newsletter. During its investigation, the DPA found that the processing of the e-mail address for advertising purposes was unlawful, because the requirements for effective consent were not met: it was not clear to the data subjects that the restaurant intended to use the e-mail address for advertising purposes, and the restaurant operator also failed to inform the data subjects of their right to withdraw consent. | link |
1796 | GERMANY | Data Protection Authority of Brandenburg | 2022 | Fine in five-digit amount | Operator of a swimming pool | Not assigned | Art. 6 (1) c) GDPR | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a five-digit fine on the operator of an outdoor swimming pool. The controller had processed more visitor data than legally required for contact tracing purposes in the context of the Covid pandemic. | link |
1797 | GERMANY | Data Protection Authority of Brandenburg | 2022 | Fine in five-digit amount | Aid organization | Individuals and Private Associations | Art. 28 (3) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Brandenburg has imposed a five-digit fine on an aid organization. The aid organization provides transportation for people with illnesses. The organization had reported a data breach to the DPA in which data of data subjects had been published as a result of a hack. At the time of the attack, the controller's database contained more than 80,000 records, including information about the health status of the data subjects. During its investigation, the DPA found that the organization had failed to take adequate technical and organizational measures to protect personal data, which allowed such a breach to occur. In addition, the DPA found that the organization had failed to conclude a processing agreement with its processors. | link |
1798 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-28 | 12,000 | ALBERO FORTE COMPOSITE, S.L. | Employment | Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine on ALBERO FORTE COMPOSITE, S.L. The company had taken pictures of employees at the entrance for the purpose of recording their working hours. However, the company had failed to conduct a data protection impact assessment. The original fine of EUR 20,000 was reduced to EUR 12,000 due to voluntary payment and admission of responsibility. | link |
1799 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-28 | 5,000 | INFINITY ECOM S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 5,000 on INFINITY ECOM S.L. for failing to ensure that the privacy policy on its website complied with the requirements of Art. 13 GDPR. | link |
1800 | ITALY | Italian Data Protection Authority (Garante) | 2023-02-23 | 300,000 | Ediscom S.p.a. | Industry and Commerce | Art. 5 (1) a), b), c) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 14 GDPR, Art. 25 GDPR, Art. 130 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 300,000 on Ediscom S.p.a. The marketing company had collected data on 21 million individuals via various online portals in order to use them for marketing activities. The company also used so-called 'dark patterns' to mislead users into consenting to the processing of their data for marketing purposes and to the transfer of their data to third parties. The DPA found a number of other violations, including that for some processing operations the company was unable to demonstrate that it had obtained the consent of the data subjects. | link link |
1801 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-03 | 75,000 | Burwebs S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) a), b), e) GDPR, Art. 12 (2) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 30 (1) GDPR, Art. 22 (2) LSSI | Non-compliance with general data processing principles | The Spanish DPA has fined Burwebs S.L. EUR 75,000. Burwebs operates websites with adult content. During its investigation, the DPA found that Burwebs did not process users' data transparently. In addition, Burwebs retained users' personal data for an indefinite period of time. Further, the DPA found that Burwebs processed the data of minor users without requiring any parental consent. Burwebs also complicated the exercise of data subjects' rights under the GDPR and had not sufficiently informed users about the processing and storage of their personal data in its privacy policy. Finally, the DPA found that Burwebs' record of processing activities was not complete. | link |
1802 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-22 | 30,000 | DISPLAY CONNECTORS, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on DISPLAY CONNECTORS, S.L. An individual had filed a complaint with the DPA regarding the controller's publication of information about a court case that included personal data of the complainant's minor son. During its investigation, the DPA determined that the minor's right to privacy outweighed the controller's freedom of information, and thus the publication violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of responsibility. | link |
1803 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-03 | 5,000 | BANQUETES SANTA ANA, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 5,000 on BANQUETES SANTA ANA, S.L. The controller had asked a couple celebrating their wedding at its premises to provide the personal data of their guests, including ID card numbers, for the purpose of contact tracing in the context of the Covid-19 pandemic. The DPA determined that such a broad request for personal information was not necessary for contact tracing purposes and that providing the names, for example, would have been sufficient. | link |
1804 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2023-04-12 | 253,000 | Aldi | Industry and Commerce | Unknown | Non-compliance with general data processing principles | The Hungarian DPA imposed a fine of EUR 253,000 on the supermarket chain Aldi. Aldi had entered and stored the date of birth of many customers in the checkout system when they purchased alcoholic beverages. This procedure was introduced to make the cashiers' work easier, as the software could quickly calculate whether the person was over 18, but the DPA considered it excessive. Furthermore, Aldi did not answer any questions about the legal basis for this processing. | link |
1805 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-09 | 3,000 | Aesse S.r.l.s. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR, Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 130 Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 3,000 on Aesse S.r.l.s. An individual had filed a complaint with the DPA because the controller had made an unsolicited advertising call. The complainant stated that they had never given their consent to receive advertising communications. In addition, the controller failed to adequately comply with their request for information about the origin of their data. | link |
1806 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-03 | 200,000 | GSMA LTD. | Not assigned | Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 200,000 on GSMA LTD. An individual had filed a complaint with the DPA because they had to transfer special categories of personal data (e.g., ID card data) to the controller in order to register for an event. In the course of its investigation, the DPA found that the controller had failed to conduct a data protection impact assessment for these processing operations. | link |
1807 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-02 | 5,000 | Private individual | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR, Art. 130 Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 5,000 on a private individual. The individual had sent promotional messages to several data subjects without their consent. | link |
1808 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-02-08 | 7,200 | Company | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1), (2) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 7,200 on a company. The controller had suffered a data breach that resulted in the loss of personal data. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data, which facilitated the data breach. The controller had failed to conduct certain risk analyses, for example. In addition, the DPA found that the controller failed to review its processor and ensure that it provided sufficient guarantees to protect personal data. | link link |
1809 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-05 | 1,200 | FUNDACIÓ PRIVADA UNIVERSITARIA EADA | Public Sector and Education | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on FUNDACIÓ PRIVADA UNIVERSITARIA EADA. An individual who had participated in a training event filed a complaint against the educational institution. The controller had used pictures of the training event, which showed the data subject, for promotional purposes without their consent. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility. | link |
1810 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-05 | 2,000 | Homeowners' association | Individuals and Private Associations | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 2,000 on a homeowners' association. An owner had filed a complaint with the DPA because members of the association had accessed the community's video surveillance footage and distributed it via WhatsApp. | link |
1811 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-12-21 | 8,000 | Hotel | Accomodation and Hospitalty | Art. 5 (1) e) GDPR, Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 31 GDPR | Insufficient legal basis for data processing | The Hungarian DPA has imposed a fine of EUR 8,000 on a hotel. The controller had installed video surveillance cameras that covered the dining room and a whirlpool area permanently recording guests. The controller had installed the cameras for the purpose of protecting individuals and property. However, during its investigation, the DPA found that the controller’s pursued purposes could not be considered proportionate to the severe interference with the guests’ privacy. The DPA also found that the controller had failed to provide sufficient information about the video surveillance. | link link |
1812 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022 | 80,700 | Beauty salon | Industry and Commerce | Unknown | Insufficient legal basis for data processing | The Hungarian DPA has imposed a fine of EUR 80,700 on a beauty salon. The controller had installed video cameras in all its premises, which permanently recorded customers and employees. During its investigation, the DPA found that the controller did not have the required permission to operate the video surveillance system. In addition, the controller processed the data of the customers for marketing purposes without having a valid legal basis and informing the customers about it. | link |
1813 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022 | 1,600 | Physician | Health Care | Art. 5 (1) a) GDPR, Art. 12 (2) GDPR, Art. 13 (1) GDPR | Insufficient fulfilment of data subjects rights | The Hungarian DPA imposed a fine of EUR 1,600 on a physician. A patient had filed a complaint against the controller with the DPA. The patient had asked the doctor to send all medical records after the death of her unborn child. However, the physician did not comply with this request. | link link |
1814 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022 | 1,300 | Website operator | Not assigned | Art. 5 (1) a) GDPR, Art. 12 (2), (3) GDPR, Art. 31 GDPR | Insufficient fulfilment of data subjects rights | The Hungarian DPA has imposed a fine of EUR 1,300 on a website operator. An individual had filed a complaint with the DPA against the controller because the controller had published their personal data on the website. The data subject sent a request for access to their data to the controller, but never received a response. Furthermore, the controller had not properly cooperated with the DPA during the investigation. | link |
1815 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-09-12 | 80,700 | Coin dealer | Industry and Commerce | Art. 5 (1) a), b) GDPR, Art. 6 (1) GDPR, Art. 7 (2) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Hungarian DPA imposed a fine of EUR 80,700 on a coin dealer. During its investigation, the DPA found that the privacy policy did not contain sufficient information about the data processing regarding data of new or prospective customers. The DPA also found that due to the lack of information, the data subjects could not give their informed consent and the data processing was therefore unlawful. | link link |
1816 | CROATIA | Croatian Data Protection Authority (azop) | 2023-05-04 | 2,265,000 | Debt collection agency | Finance, Insurance and Consulting | Art. 6 (1) GDPR, Art. 13 (1) GDPR, Art. 28 (3) GDPR, Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Croatian DPA (AZOP) has imposed a fine of EUR 2,265,000 on a debt collection agency. The fine is the highest ever imposed by AZOP. AZOP had received an anonymous complaint in December 2022 stating that a large number of debtors’ personal data had been processed by the collection agency without authorization. Attached to the complaint was a USB stick containing personal data (name, date of birth, personal identification number) of 77,317 debtors. During its investigation, AZOP found that the controller did not provide sufficient information about the processing of personal data in its privacy policy. Moreover, it failed to provide information about the legal basis for the refund of overpaid funds. The breach affected 132,652 individuals. Further, AZOP found that the controller had not entered into a data processing agreement with a processor that monitored simple consumer bankruptcies. This put the data of 83,896 individuals at risk. The breach persisted for 2 years. Finally, AZOP found that the controller had failed to implement adequate technical and organizational measures to protect personal data. Aggravating factors considered by AZOP included the controller’s failure to adequately cooperate with the DPA during the process. Furthermore, the controller has not yet informed AZOP of additional measures it has taken to prevent future risks of the identified violations and has not yet brought its privacy policy into compliance with the GDPR. | link link |
1817 | CYPRUS | Cypriot Data Protection Commissioner | 2023-01-16 | 7,000 | Πολίτης newspaper | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR, Art. 6 (1) f) GDPR | Non-compliance with general data processing principles | The Cypriot DPA has imposed a fine of EUR 7,000 on the newspaper ‘Πολίτης’. The controller had unlawfully published the names and pictures of two police officers. | link |
1818 | CYPRUS | Cypriot Data Protection Commissioner | 2023-02-03 | 3,250 | Epic Ltd. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR, Art. 24 (1), (2) GDPR, Art. 32 (1) GDPR | Insufficient legal basis for data processing | The Cypriot DPA has imposed a fine of EUR 3,250 on Epic Ltd. The controller had made unsolicited calls to 332 former customers without a valid legal basis. The DPA also found that the controller had not taken appropriate technical and organizational measures to prove that data processing was carried out in compliance with the GDPR. | link |
1819 | CYPRUS | Cypriot Data Protection Commissioner | 2023-05-02 | 9,000 | NAGA Markets Europe Ltd | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1) b), d) GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 9,000 on NAGA Markets Europe Ltd. The controller had suffered a data breach in which an unknown person accessed the company’s database, holding the data of approximately 342,000 customers. The DPA found that the controller had not implemented appropriate technical and organizational measures to protect personal data, which facilitated such a breach. | link |
1820 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-04-28 | 2,000 | ASSOCIACIO DE CAÇADORS D’ALZIRA | Individuals and Private Associations | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 2,000 on ASSOCIACIO DE CAÇADORS D’ALZIRA. A member of the association had filed a complaint with the DPA because the chairman had published a letter they had written without their consent in a WhatsApp group with 195 members. | link |
1821 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-09 | 2,000 | Consorzio Concessioni Reti Gas S.c.a.r.l. | Transportation and Energy | Art. 5 (1) a), c) GDPR, Art. 12 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Consorzio Concessioni Reti Gas S.c.a.r.l. EUR 2,000. The controller had left the business email account of an intern active even after the termination of the employment. The DPA furthermore found that the controller could not prove compliance with its information obligations under the GDPR. | link |
1822 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022-04-22 | 8,000 | Political party | Individuals and Private Associations | Art. 5 (2) GDPR, Art. 32 (1) a), b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Hungarian DPA has imposed a fine of EUR 8,000 on a party. The party had suffered a data protection breach resulting in six Excel files being made accessible on the Internet. The files contained personal data of party members. The incident affected approximately 2,000 data subjects. During its investigation, the DPA found that the party had failed to take appropriate technical and organizational measures to protect personal data, which allowed such an incident to occur. | link link |
1823 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022 | 1,400 | Dentist | Health Care | Unknown | Non-compliance with general data processing principles | The Hungarian DPA has fined a dentist EUR 1,300. The controller had installed several surveillance cameras in their practice, which permanently recorded employees and patients. The controller had installed the cameras for the purpose of protecting property and individuals. However, in the course of its investigation, the DPA determined that such extensive video surveillance interfered too much with the fundamental freedoms of the data subjects and that the surveillance was therefore unlawful. | link |
1824 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2023-02-06 | 80,500 | I&S Limited Kft | Accomodation and Hospitalty | Art. 5 (1) a), b) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR, Art. 13 (1), (2) GDPR, Art. 24 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The Hungarian DPA has imposed a fine of EUR 80,500 on the spa operator, ‘I&S Limited Kft’. During its investigation, the DPA found that the controller had installed video surveillance cameras in its premises, which permanently monitored guests and employees. The DPA found that the controller did not have a valid legal basis for such extensive video surveillance. The controller also failed to properly inform the data subjects about the processing of their personal data. Furthermore, the controller had processed data of customers for marketing purposes without a valid legal basis. | link |
1825 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2022 | 2,700 | Credit institution | Finance, Insurance and Consulting | Art. 6 (1) GDPR, Art. 5 (2) GDPR | Insufficient legal basis for data processing | The Hungarian DPA has imposed a fine of EUR 2,700 on a credit institution. Several individuals had filed a complaint with the DPA due to the fact that the controller had transferred claims from their loan agreements to a new bank account without their consent. | link |
1826 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-09 | 180 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1827 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-09 | 5,000 | ESTUDIO INMOBILIARIO SAN ISIDRO, S.L.U. | Real Estate | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined ESTUDIO INMOBILIARIO SAN ISIDRO, S.L.U. EUR 5,000. An individual had filed a complaint with the DPA because employees of the controller had visited their home to advertise their rental services without their consent. | link |
1828 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-23 | 30,000 | Bolzano municipality | Health Care | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 30,000 on Bolzano municipality. The Bolzano health authority had reported a data breach to the DPA involving unauthorized access to the health records of a number of patients, which was caused by a deficiency in the electronic health record service that the municipality had delegated to a processor. During its investigation, the DPA found that although the leak occurred at the processor’s site, the municipality should have taken appropriate technical and organizational measures to ensure that such incidents would be avoided. | link |
1829 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-23 | 10,000 | Informatica Alto Adige Spa | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has fined Informatica Alto Adige Spa EUR 10,000. The municipality of Bolzano had reported a data protection breach to the DPA involving unauthorized access to the health data of a number of patients caused by a deficiency in the electronic health record that the municipality had delegated to Informatica Alto Adige Spa. During its investigation, the DPA found that Alto Adige Spa had failed to take appropriate technical and organizational measures to prevent such incidents. | link |
1830 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-02 | 1,000 | Razmataz Live s.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 1,000 on Razmataz Live s.r.l. Razmataz had contracted a processor to carry out marketing campaigns, which the processor failed to execute in a privacy-compliant manner. During its investigation, the DPA found that Razmataz had failed to carry out adequate controls at the processor. | link |
1831 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2022 | 12,800 | Political party | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Bulgarian DPA has imposed a fine of EUR 12,800 on a political party. Several individuals had filed a complaint with the DPA because their personal data had been added to voter lists without their consent. | link |
1832 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2022-05-04 | 500,000 | Bulgarian Post EAD | Transportation and Energy | Art. 32 (1) b), c), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Bulgarian DPA has imposed a fine of EUR 500,000 on Bulgarian Posts EAD. The controller had suffered a hacking attack, during which the attackers managed to access the controller’s databases. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data in order to avoid a data breach. | link |
1833 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2022 | 5,000 | Trucking company | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | The Bulgarian DPA has imposed a fine of EUR 5,000 on a trucking company. The controller had disclosed personal data of a former employee to third parties without a valid legal basis. | link |
1834 | MALTA | Data Protection Commissioner of Malta | 2022 | 2,500 | Unknown | Not assigned | Art. 24 (2) GDPR, Art. 32 (1) (b) GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The controller has unlawfully disclosed personal data of a data subject. | link |
1835 | MALTA | Data Protection Commissioner of Malta | 2022 | 250,000 | Unknown | Not assigned | Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The controller has failed to implement appropriate technical and organizational measures to protect personal data. | link |
1836 | MALTA | Data Protection Commissioner of Malta | 2020 | 5,000 | Unknown | Not assigned | Art. 5 (1) f) GDPR, Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The controller has unlawfully disclosed personal data of a data subject. | link |
1837 | MALTA | Data Protection Commissioner of Malta | 2020 | 2,500 | Unknown | Not assigned | Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | Accidental loss of personal data. | link |
1838 | MALTA | Data Protection Commissioner of Malta | 2020 | 2,500 | Unknown | Not assigned | Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The controller has disclosed a personal email address to all recipients of the email. | link |
1839 | FRANCE | French Data Protection Authority (CNIL) | 2023-05-10 | 5,200,000 | Clearview AI | Industry and Commerce | Unknown | Insufficient cooperation with supervisory authority | The French DPA has fined Clearview AI EUR 5.2 million. The DPA had imposed a fine of EUR 20 million on the company in 2022 for unlawfully collecting personal data. In addition to the fine, the DPA ordered the company to make its processing of personal data compliant with data protection laws within two months. However, the company did not provide evidence of compliance within this period. | link link |
1840 | MALTA | Data Protection Commissioner of Malta | 2020 | 2,000 | Unknown | Not assigned | Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | A third party has gained unauthorized access to another person’s account. | link |
1841 | MALTA | Data Protection Commissioner of Malta | 2020 | 2,500 | Unknown | Not assigned | Art. 5 (1) f) GDPR, Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The controller has disclosed a personal email address to all recipients of the email. | link |
1842 | MALTA | Data Protection Commissioner of Malta | 2020 | 20,000 | Unknown | Not assigned | Art. 13 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The controller failed to comply with a data subject’s right to information. In addition, the data protection policy did not meet the transparency requirements. | link |
1843 | MALTA | Data Protection Commissioner of Malta | 2020 | 4,000 | Unknown | Not assigned | Art. 13 GDPR, Art. 15 GDPR, Regulation 9 S.L 586.01 | Insufficient fulfilment of data subjects rights | The controller had sent unsolicited commercial messages. In addition, the privacy policy did not comply with transparency requirements and the controller failed to comply with requests for information from data subjects. | link |
1844 | IRELAND | Data Protection Authority of Ireland | 2023-05-12 | 1,200,000,000 | Meta Platforms Ireland Limited | Media, Telecoms and Broadcasting | Art. 46 (1) GDPR | Insufficient legal basis for data processing | The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law, and the standard contractual clauses (SCCs) alone also do not provide sufficient protection. Meta based its data transfers on the SCCs and additional safeguards of its own. However, during its investigation, the DPC determined that these additional measures did not compensate for the inadequate protection provided by U.S. law. Following the investigation, the DPC submitted a draft decision to the other concerned supervisory authorities pursuant to Art. 60 GDPR. In response, the DPC received objections from supervisory authorities, which led to a dispute resolution procedure before the European Data Protection Board (EDPB). In its decision, the EDPB asked the DPC to amend the proposed fine and adapt it to the seriousness of the data protection breach. The DPC also ordered Meta to cease any future transfer of personal data to the U.S., as well as to cease storage, within six months, of data already transferred to the U.S. Meta has announced that it will appeal the ruling and seek a suspension of the orders in court. | link link |
1845 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-05-11 | 11,000 | Libra Internet Bank SA | Finance, Insurance and Consulting | Art. 12 (2), (4) GDPR, Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 11,000 on Libra Internet Bank SA. An individual had filed a complaint against the bank due to the bank’s failure to fully comply with their request for information. In the course of its investigation, the DPA additionally found that the bank did not provide the data subject with information on the possibility of filing a complaint with the DPA. Furthermore, the bank was unable to demonstrate that it facilitated the exercise of data subject rights. | link |
1846 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-05-12 | 1,500 | NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. | Finance, Insurance and Consulting | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,500 on the insurance company NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. The controller had notified the authority of a data breach pursuant to Art. 33 GDPR. The controller had made a number of technical changes to its systems that allowed some website visitors to access personal data of other individuals. This led to the unauthorized access of personal data such as name, ID card number, email, etc. of two individuals. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data, which facilitated such an incident. | link |
1847 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-05-12 | 1,000 | NN Asigurări de Viață S.A. | Finance, Insurance and Consulting | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on the insurance company NN Asigurări de Viață S.A. The controller had notified the authority of a data breach pursuant to Art. 33 GDPR. The controller had made a number of technical changes to its systems that allowed some website visitors to access personal data of other individuals. This led to the unauthorized access of personal data such as name, ID card number, email, etc. of two individuals. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data, which facilitated such an incident. | link |
1848 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-05-16 | 5,000 | Compania Națională Poșta Română S.A. | Transportation and Energy | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 5,000 on the Romanian Post (Compania Națională Poșta Română S.A.). During its investigation, the DPA found that the controller had processed personal data of employees without a valid legal basis. | link |
1849 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-05-18 | 18,000 | AUTOMOBILE BAVARIA SRL | Industry and Commerce | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR, Art. 25 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 18,000 on AUTOMOBILE BAVARIA SRL. The data controller had notified the authority of a data breach pursuant to Art. 33 GDPR. Unknown parties had managed to disclose, without authorization, personal data such as name, telephone number, residence, etc. of 290 customers on the controller’s website. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data, which allowed such an incident to occur. | link |
1850 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-05-23 | 1,000 | Global Baby Brand SRL | Industry and Commerce | Art. 7 GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 1,000 on Global Baby Brand SRL. A person had filed a complaint with the DPA alleging that the controller had sent commercial SMS messages without their consent. In the course of its investigation, the DPA found that the controller could not prove that it had processed the data subject’s telephone number for marketing purposes with the data subject’s valid consent. | link |
1851 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-25 | 600 | Private individual | Individuals and Private Associations | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 600 on a private individual for failing to comply with an order issued by the DPA. | link |
1852 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-25 | 480 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed a video surveillance camera which also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment. | link |
1853 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-24 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a private individual EUR 10,000 for publishing a picture and address of another person on a website without their consent. | link |
1854 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-24 | 3,000 | NORDETIA CLINICS IBERIA, S.L. | Health Care | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined NORDETIA CLINICS IBERIA, S.L. EUR 3,000 for failing to provide information requested by the DPA during an investigation. | link |
1855 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-17 | 900 | WILLOUGHBY COLLEGE, S.A | Public Sector and Education | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined WILLOUGHBY COLLEGE, S.A. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 1,500 was reduced to EUR 900 due to immediate payment and acknowledgement of guilt. | link |
1856 | GERMANY | Data Protection Authority of Berlin | 2023-05-31 | 300,000 | Deutsche Kreditbank | Finance, Insurance and Consulting | Art. 5 (1) a) GDPR, Art. 15 (1) h) GDPR, Art. 22 (3) GDPR | Insufficient fulfilment of data subjects rights | The DPA of Berlin has imposed a fine of EUR 300,000 on Deutsche Kreditbank. A customer had filed a complaint with the DPA. The customer had submitted an application for a credit card to the bank, which was rejected in the course of an automated decision, despite the customer’s good credit history and high income. The customer then requested an explanation of the reasons for the rejection of their application and the basis on which the automated decision was made. However, the controller refused to provide such information to them, which also made it difficult for the customer to appeal the decision. The DPA found that the controller violated its obligation to transparently inform the data subject about the decision upon request. | link |
1857 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-06-06 | 3,000 | S.C. Apollo Salon S.R.L. | Industry and Commerce | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA imposed a fine of EUR 3,000 on S.C. Apollo Salon S.R.L. for failing to provide information requested by the DPA during an investigation. | link |
1858 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-02 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which also recorded a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. | link |
1859 | CROATIA | Croatian Data Protection Authority (azop) | 2023-05-18 | 380,000 | Sports betting operator | Industry and Commerce | Art. 6 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 25 (1), (2) GDPR, Art. 32 (1) a), d) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 380,000 on a sports betting operator. AZOP had received a complaint from a data subject, stating that the controller had obtained a copy of their bank card. During its investigation, AZOP found that the controller had collected personal data (including copies of bank cards) of data subjects without a valid legal basis. In 2022, players had the option to have their winnings paid out not only via their bank account but also via their Visa card. The controller collected copies of the bank cards with the intention of complying with requirements of the national Money Laundering Act. However, AZOP found that the collection of the copies was not necessary to comply with the requirements of the Money Laundering Act and that the processing of the data was therefore unlawful. In this context, AZOP also found that the controller had not sufficiently informed the data subjects about the processing of their personal data; in particular, it was expressly stated that the data controller does not store bank card numbers and that the numbers are not accessible to unauthorized persons. Accordingly, the information provided to the data subjects was missing information on the legal basis, purpose of collection and retention period of the personal data. The controller also failed to take sufficient technical and organizational measures to protect personal data relating to the establishment of payment processes via Visa bank cards, as well as for the storage of data contained in the controller’s databases. As a result, in 2022 the controller collected copies of a total of 2078 bank cards, of which 655 copies were fully accessible. In assessing the fine amount, AZOP took into account as an aggravating factor that financial data is particularly sensitive data and the controller therefore should have taken special measures to protect it. As a mitigating circumstance, it was taken into account that the controller had announced that it would bring its processing procedures in line with the GDPR and had deleted all secured copies of the bank cards. | link |
1860 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-06 | 56,000 | VODAFONE ONO, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on VODAFONE ONO, S.A.U. The controller had carried out a credit check on an individual without there being a customer relationship or other affiliation. The personal data of the data subject was thus processed without a legal basis. The original fine of EUR 70,000 was reduced to EUR 56,000 for voluntary payment. | link |
1861 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-02 | 20,000 | QUALITY-PROVIDER S.A. | Not assigned | Art. 6 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine of EUR 20,000 on QUALITY-PROVIDER S.A. A data subject had filed a complaint with the DPA because the controller had continued to use their data for marketing purposes despite their request for deletion. | link |
1862 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-01 | 42,000 | PELAYO, MUTUA DE SEGUROS Y REASEGUROS A PRIMA FIJA | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on PELAYO, MUTUA DE SEGUROS Y REASEGUROS A PRIMA FIJA. An individual had filed a complaint with the DPA because the controller had disclosed their personal data to unauthorized third parties due to an internal error. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. The original fine of EUR 70,000 was reduced to EUR 42,000 due to voluntary payment and admission of guilt. | link |
1863 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-07 | 20,000 | RCI BANQUE, S.A. SUCURSAL EN ESPAÑA | Finance, Insurance and Consulting | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA (AEPD) has imposed a fine of EUR 20,000 on RCI BANQUE, S.A. SUCURSAL EN ESPAÑA. A data subject complained that she was receiving text messages from the controller, despite having requested the deletion of her personal data from the controller’s databases. | link |
1864 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-05 | 10,000 | ALPA 57 PRODUCCIONES | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on ALPA 57 PRODUCCIONES. A data subject had filed a complaint with the DPA because the controller had unlawfully transmitted their data to third parties for marketing purposes. | link |
1865 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-31 | 500 | Website operator | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 5,000 on a website operator for failing to ensure that the privacy policy on its website complied with the requirements of Art. 13 GDPR. | link |
1866 | GERMANY | Data Protection Authority of Berlin | 2022 | Unknown | Private individual | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Berlin imposed a fine on a private individual. The individual, who worked in a store, had contacted a customer privately using the contact information they had provided, which was required to access stores during the Covid 19 pandemic. | link |
1867 | GERMANY | Data Protection Authority of Berlin | 2022 | Unknown | Restaurant operator | Accomodation and Hospitalty | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Berlin has imposed a fine on a restaurant operator. During the Corona pandemic, the operator had required restaurant visitors to fill out forms with their personal data for the purpose of contact tracing as required by law. However, the controller unlawfully used the data to send promotional messages to the data subjects. | link |
1868 | GERMANY | Data Protection Authority of Berlin | 2022 | Unknown | Sports photography company | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Berlin has imposed a fine on a sports photography company. A sports photographer had published over 16,000 photos of minors who had taken part in a swimming competition on the company’s freely accessible website. During its investigation, the DPA found that the parents of the minors had not consented to the capturing and publication of the images. | link |
1869 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-02 | 50,000 | H&M Hennes & Mauritz s.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has fined H&M Hennes & Mauritz s.r.l. EUR 50,000. H&M had installed numerous video surveillance systems in its Italian stores for the purpose of preventing theft and ensuring the safety of its employees. Each store was equipped with at least three video surveillance cameras that were active 24/7 and also covered employee areas. During its investigation, the DPA found that the video surveillance systems were being operated without the required authorization and therefore unlawfully. | link link |
1870 | GERMANY | Data Protection Authority of Saxony | 2022 | Fine amount between EUR 200 and EUR 1000 | Unknown | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | Nine fines between EUR 200 and EUR 1000 for unlawful use of a dashcam. | link |
1871 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-13 | 7,631,175 | TIM S.p.A. | Media, Telecoms and Broadcasting | Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (2), (3) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 (1) GDPR, Art. 32 (1) b) GDPR | Insufficient legal basis for data processing | The Italian DPA has fined TIM S.p.A. EUR 7,631,175. The DPA had received numerous complaints about the telecommunications provider, mainly for unauthorized telemarketing activities. The Italian DPA is currently taking stronger action against unauthorized telemarketing. In its investigation against TIM, the DPA found that the controller was contacting individuals for marketing purposes even though they were registered on opt-out lists or had not given their consent for their data to be processed for marketing purposes. In addition, the controller failed to adequately respond to data subject inquiries and to comply with its information obligations under Art. 13, 14 GDPR. Finally, the DPA found that the controller failed to adequately investigate and address a data breach. | link link |
1872 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-07 | 84,000 | UNITED PARCEL SERVICE ESPAÑA LTD. Y CIA SRC | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on UNITED PARCEL SERVICE ESPAÑA LTD. Y CIA SRC. A person had filed a complaint against the controller because a package addressed to them was delivered to a store and not to their home without their consent, resulting in their postal address and telephone number being disclosed to third parties. The DPA considered this to be a violation of Art. 5 (1) f) GDPR and Art. 32 GDPR. The original fine of EUR 140,000 was reduced to EUR 84,000 due to voluntary payment and admission of guilt. | link |
1873 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-06 | 70,000 | Digi Spain Telecom, S.L.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on Digi Spain Telecom, S.L.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1874 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-23 | 70,000 | Digi Spain Telecom, S.L.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on Digi Spain Telecom, S.L.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1875 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-17 | 50,000 | FUSIONA SOLUCIONES ENERGÉTICAS, S.A. | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 50,000 on FUSIONA SOLUCIONES ENERGÉTICAS, S.A. The controller had submitted data from the data subject to a credit information system because of an alleged debt. However, the debt had been cancelled, which was also confirmed by a court ruling. For this reason, the DPA determined that the disclosure of the data subject’s personal data was unlawful. | link |
1876 | SWEDEN | Data Protection Authority of Sweden | 2023-06-12 | 4,900,000 | Spotify | Media, Telecoms and Broadcasting | Art. 12 (1) GDPR, Art. 15 (1), (2) GDPR | Insufficient fulfilment of data subjects rights | The Swedish Data Protection Authority (DPA) has imposed a fine of EUR 4.9 million on the music streaming provider Spotify. The DPA had launched an investigation after receiving a number of complaints and following a lawsuit filed against Spotify by the Austrian organization ‘None of your Business’. In its investigation, the DPA found that Spotify had not sufficiently complied with data subject rights. Spotify failed, for example, to provide data subjects with sufficient information about the origin of their data or international transfers involving their data. Spotify also failed to provide information that is difficult to understand, such as information about technical processes, in the data subjects’ native language; such information was only available in English. Spotify has already taken measures to comply with the requirements for the handling of data subject requests. In addition, the DPA classified the identified deficiencies as not very serious. | link link |
1877 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-16 | 2,000 | Unknown | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 2,000 on a controller for failing to provide data subjects with sufficient information to exercise their right to object. | link |
1878 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-07 | 400 | LEADDESK, S.L | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined LEADDESK, S.L for failing to provide information requested by the DPA during an investigation. The original fine of EUR 500 was reduced to EUR 400 due to immediate payment. | link |
1879 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-08 | 180 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1880 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-09 | 70,000 | DIGI SPAIN TELECOM, S.L. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on DIGI SPAIN TELECOM, S.L. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1881 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-13 | 70,000 | DIGI SPAIN TELECOM, S.L. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on DIGI SPAIN TELECOM, S.L. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1882 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-13 | 70,000 | DIGI SPAIN TELECOM, S.L. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on DIGI SPAIN TELECOM, S.L. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1883 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-14 | 400 | Unknown | Not assigned | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 600 on a controller for failing to comply with an order issued by the DPA. | link |
1884 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-14 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1885 | GERMANY | Data Protection Authority of Niedersachsen | 2022 | 50,000 | Company | Not assigned | Art. 15 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The DPA of Niedersachsen has imposed a fine of EUR 50,000 on a company. The company sent out a newsletter by e-mail that could not be unsubscribed from due to technical malfunctions. Since the company had sent newsletters relatively frequently, this led to a significant number of unsolicited e-mails for some data subjects. Furthermore, the data subjects were also unable to lodge an objection via the company’s website. In addition, the DPA found that the company did not sufficiently process some requests for access from data subjects. | link |
1886 | GERMANY | Data Protection Authority of Niedersachsen | 2022 | 8,900 | Company | Not assigned | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Niedersachsen imposed a fine of EUR 8,900 on a company. The company had a customer database on the Internet with thousands of entries. During its investigation, the DPA found that the only access protection the company had implemented was a long, hard-to-guess web address, with no additional measures such as password-protected access. The controller relied on the assumption that the web address would not become known. | link |
1887 | GERMANY | Data Protection Authority of Niedersachsen | 2022 | 500 | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Niedersachsen imposed a fine of EUR 500 on a private individual. The individual had taken pictures of numerous young women in public. In the course of its investigation, the DPA found that the individual had processed the personal data of the young women, although no effective consent had been given. | link |
1888 | GERMANY | Data Protection Authority of Berlin | 2022 | Unknown | Job center employee | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A job center employee had accessed data in the job center database systems for private research purposes. | link |
1889 | GERMANY | Data Protection Authority of Berlin | 2022 | Unknown | Job center employee | Individuals and Private Associations | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A job center employee had accessed data in the civil register for private research purposes. | link |
1890 | GERMANY | Data Protection Authority of Berlin | 2022 | Unknown | Credit agency | Finance, Insurance and Consulting | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The DPA of Berlin imposed a fine on a credit agency. In the course of its investigation, the DPA found that the controller had stored 27 false addresses and 13 false dates of birth of a data subject for more than two years. The controller did not correct this data until the data subject submitted a request for information. However, the DPA also found that the information was provided late due to an internal error. | link |
1891 | FRANCE | French Data Protection Authority (CNIL) | 2023-06-08 | 150,000 | KG COM | Finance, Insurance and Consulting | Art. 5 (1) c), e) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 28 GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 82 Loi informatique et libertés | Non-compliance with general data processing principles | The French DPA has imposed a fine of EUR 150,000 on the company KG COM. The company operates several websites and offers fortune-telling consultations to customers via chat or telephone. After the company suffered a data breach, the DPA conducted three investigations. During its investigation, the DPA found that the controller systematically recorded conversations with customers as well as potential customers without properly justifying why such extensive recording was necessary. In addition, the controller stored banking information of its customers for the purposes of conducting transactions and combating fraud, as well as to facilitate customers’ purchase of further fortune-telling consultations. The DPA found that a legitimate interest of the controller could be affirmed for the storage of bank data for the purpose of fraud prevention, but not for the storage regarding further purchases. The DPA also found that the controller processed data on the health status as well as the sexual orientation of its customers without their explicit consent; implied consent through use of the consultations was not considered sufficient. In addition, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. The controller did not, for example, enforce sufficiently robust passwords for the user accounts, which exposed the data to the risk of computer attacks. Finally, the DPA found that the controller failed to report a data leak to the DPA. | link link |
1892 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-14 | 237,800 | Green Network S.p.A. | Transportation and Energy | Art. 5 (2) GDPR, Art. 25 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 237,800 against Green Network S.p.A. The DPA had received several complaints from data subjects regarding unauthorized telemarketing. During its investigation, the DPA found that the controller had not taken appropriate technical and organizational measures to be informed about all the operations carried out in the telemarketing chain. | link link |
1893 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-14 | 676,956 | Sorgenia S.p.a. | Transportation and Energy | Art. 5 (2) GDPR, Art. 12 (3) GDPR, Art. 25 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 676,956 against Sorgenia S.p.a. The DPA had received several complaints from data subjects regarding unauthorized telemarketing. During its investigation, the DPA found that the controller had not taken appropriate technical and organizational measures to be informed about all the operations carried out in the telemarketing chain. In addition, the controller failed to process a data subject’s request in a timely manner. | link |
1894 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-06-15 | 2,000 | BRD-Groupe Société Générale S.A. | Finance, Insurance and Consulting | Art. 5 (1) a), b), f) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 2,000 on BRD-Groupe Société Générale S.A. The controller had reported a data breach to the DPA. During its investigation, the DPA found that the controller had unlawfully disclosed personal data of a bank client and other individuals. | link |
1895 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-06-15 | 8,000 | Artima S.A. | Industry and Commerce | Art. 32 (1) b) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 8,000 on Artima S.A. The controller had reported a data breach to the DPA. During its investigation, the DPA found that employees of the controller had accessed the video surveillance system and filmed the monitor showing the recorded images with their cell phones. One of the employees then transmitted the images to a third person, who posted the images on Facebook. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1896 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-27 | 400 | Private individual | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined a private individual EUR 400 for unlawfully operating video surveillance cameras on their property. | link |
1897 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-14 | 70,000 | Digi Spain Telecom, S.L.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on Digi Spain Telecom, S.L.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1898 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-14 | 70,000 | Digi Spain Telecom, S.L.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on Digi Spain Telecom, S.L.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1899 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-20 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras that recorded a neighbor’s property, among other things. The DPA considered this a violation of the principle of data minimization. | link |
1900 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-20 | 50,000 | GRUPO TRANSAHER, SL. | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 50,000 on GRUPO TRANSAHER, SL. The controller had unlawfully installed video surveillance cameras in employee break areas. | link |
1901 | LATVIA | Data State Inspectorate (DSI) | 2022 | Unknown | Unknown | Not assigned | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | Five fines for failing to comply with orders issued by the DPA. | link |
1902 | LATVIA | Data State Inspectorate (DSI) | 2022 | Unknown | Unknown | Not assigned | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | Six fines for failing to provide information requested by the DPA during an investigation. | link |
1903 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-21 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1904 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-06-21 | 1,000 | Vodafone Romania SA | Media, Telecoms and Broadcasting | Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 1,000 on Vodafone Romania SA. During its investigation, the DPA found that the controller had failed to sufficiently comply with a data subject’s right to information. | link |
1905 | BELGIUM | Belgian Data Protection Authority (APD) | 2023-06-16 | 30,000 | Belgian Order of Pharmacists | Public Sector and Education | Art. 5 (1) a), b), c), d), e) GDPR | Non-compliance with general data processing principles | The Belgian DPA has imposed a fine of EUR 30,000 on the Belgian Order of Pharmacists. The controller had conducted disciplinary proceedings against the data subject (a pharmacist). As part of the disciplinary proceedings, the controller had collected personal data from the data subject in their personnel file. During its investigation, the DPA found that the controller had violated principles of data processing according to the GDPR in this context. For example, the DPA found that storing information on disciplinary actions for the period of the entire career, without distinguishing the severity of the action, seemed excessive and was therefore unlawful. The DPA also found that the controller had not adequately defined the associated storage purposes when storing the data. | link |
1906 | LATVIA | Data State Inspectorate (DSI) | 2022 | Unknown | Company | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Latvian DPA has fined a company for issuing loyalty cards to customers without a valid legal basis. | link |
1907 | GERMANY | Data Protection Authority of Nordrhein-Westfalen | 2022 | Unknown | Physician | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The DPA of Nordrhein-Westfalen has fined a physician. The physician had responded to a negative online review regarding their practice, disclosing personal data of a patient. | link |
1908 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-05-05 | 2,200 | Municipality | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 2,200 on a municipality. The controller had reported a data breach to the DPA. An employee had, without authorization, copied a document containing personal data from a company computer onto an unauthorized data carrier. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to prevent such unauthorized copying and to protect personal data. | link |
1909 | MALTA | Data Protection Commissioner of Malta | 2023 | 5,000 | Unknown | Not assigned | Art. 5 (1) a), b), c) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The controller unlawfully gained access to audio recordings from a surveillance camera. | link |
1910 | MALTA | Data Protection Commissioner of Malta | 2023 | 2,500 | Unknown | Not assigned | Art. 5 (1) a) GDPR, Art. 12 (1), (3) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 (1), (3) GDPR, Art. 24 (2) GDPR, Art. 38 (1) GDPR | Insufficient fulfilment of data subjects rights | Multiple data protection shortcomings | link |
1911 | MALTA | Data Protection Commissioner of Malta | 2022 | 65,000 | Unknown | Not assigned | Art. 5 (1) f) GDPR, Art. 6 (1) GDPR, Art. 9 (1), (2) GDPR, Art. 32 (1) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR | Non-compliance with general data processing principles | The controller has violated numerous GDPR regulations, involving special categories of personal data of numerous individuals. | link |
1912 | FRANCE | French Data Protection Authority (CNIL) | 2023-06-15 | 40,000,000 | CRITEO | Media, Telecoms and Broadcasting | Art. 7 (1), (3) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 (1) GDPR, Art. 17 (1) GDPR, Art. 26 GDPR | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine of EUR 40 million on CRITEO. The controller is specialized in ‘retargeting advertising’. This involves the company tracking the surfing behavior of Internet users via so-called Criteo trackers (cookies) in order to show them personalized advertising. In the course of its investigation, the DPA found numerous deficiencies in data processing. First, the DPA found that the controller failed to prove that Internet users had given their consent to be tracked using the Criteo trackers. Also, the controller failed to ensure that its partners obtained consent from the Internet users whose data it was processing. The DPA further found that the controller’s privacy policy was not complete, as it did not list all the purposes for which it was processing data. In addition, some of the purposes were not clearly defined. In addition, the controller failed to adequately respond to a data subject’s requests for information regarding their personal data. The DPA also found that when data subjects requested withdrawal of their consent or deletion of their data, the controller merely ensured that users were no longer shown personalized advertising. However, the controller did not delete the personal data of the data subjects. Finally, the DPA found that the agreement between the controller and a joint controller was incomplete. In determining the amount of the fine, the DPA considered the fact that a large number of individuals were affected as an aggravating factor. | link |
1913 | ITALY | Italian Data Protection Authority (Garante) | 2023-05-17 | 40,000 | Volkswagen Leasing GmbH | Industry and Commerce | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 40,000 on Volkswagen Leasing. A customer had filed a complaint with the DPA because the controller had not provided them with information about their creditworthiness, which caused the rejection of a requested financing. | link |
1914 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-27 | 176,000 | Roma Capitale | Public Sector and Education | Art. 5 (1) a), b), c), d), f) GDPR, Art. 9 GDPR, Art. 28 GDPR, Art. 29 GDPR, Art. 32 GDPR, Art. 2-sexies Codice della privacy, Art. 2-septies Codice della privacy | Non-compliance with general data processing principles | The Italian DPA imposed a fine of EUR 176,000 on Roma Capitale. The city had provided data of women who had abortions to the company in charge of the funeral, which included the data on boards placed on the graves of the fetuses. During its investigation, the DPA found that the disclosure of the women’s personal data was unlawful, as the related law only provides for the provision of the data of the deceased. | link |
1915 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-27 | 239,000 | Ama S.p.a. | Public Sector and Education | Art. 28 GDPR, Art. 29 GDPR, Art. 32 GDPR, Art. 2-quaterdecies Codice della Privacy | Insufficient legal basis for data processing | The Italian DPA imposed a fine of EUR 239,000 on Ama S.p.a. Ama is in charge of the administration of certain cemeteries in Rome. The city of Rome had provided data of women who had abortions to Ama, which then included the data on boards placed on the graves of the fetuses. During its investigation, the DPA found that the disclosure of the women’s personal data was unlawful, as the related law only provides for the provision of the data of the deceased. | link |
1916 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-23 | 180 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
1917 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-22 | 90,000 | Corporación de Medios de Extremadura | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on Corporación de Medios de Extremadura. The controller had published a video on its news site that included an Excel spreadsheet with personal data (first and last names) of 56 women who were identified as victims of gender-based violence. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 150,000 was reduced to EUR 90,000 due to voluntary payment and admission of responsibility. | link |
1918 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-22 | 90,000 | Sociedad Vascongada de Publicaciones, S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on Sociedad Vascongada de Publicaciones, S.A.. The controller had published a video on its news site that included an Excel spreadsheet with personal data (first and last names) of 56 women who were identified as victims of gender-based violence. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. For this reason, the DPA found that the controller violated the principle of data minimization. The original fine of EUR 150,000 was reduced to EUR 90,000 due to voluntary payment and admission of responsibility. | link |
1919 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-06-27 | 2,500 | Farmacia Ardealul SRL | Industry and Commerce | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,500 on Farmacia Ardealul SRL. The controller had reported a data breach to the DPA. During its investigation, the DPA found that an unauthorized installation of malware on the controller’s website led to unauthorized processing of customer data (bank data). The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
1920 | ITALY | Italian Data Protection Authority (Garante) | 2023-05-17 | 10,000 | Azienda ULSS 6 Euganea | Health Care | Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 10,000 on Azienda ULSS 6 Euganea. The controller had mistakenly sent documents containing personal data to the wrong patients. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data, which allowed such an incident to occur. | link link |
1921 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-06-12 | 210,000 | Piraeus Bank | Finance, Insurance and Consulting | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 15 (1) GDPR, Art. 25 (1) GDPR | Non-compliance with general data processing principles | The Hellenic DPA has imposed a fine of EUR 210,000 on Piraeus Bank. During its investigation, the DPA found that the bank had processed personal data of customers in violation of the principle of lawfulness. In addition, the DPA found that the bank had processed personal data without taking appropriate and effective technical and organizational measures to process only the data necessary for the specific purpose. Finally, the DPA found that the bank had failed to properly comply with a data subject’s request for access to their personal data. | link |
1922 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-05-29 | 150,000 | NOVA TELECOMMUNICATIONS & MEDIA ΜΟΝΟΠΡΟΣΩΠΗ Α.Ε. | Media, Telecoms and Broadcasting | Art. 12 (3), (4), (5) GDPR, Art. 15 (1) GDPR, Art. 21 (3) GDPR, Art. 25 (1) GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 150,000 on NOVA TELECOMMUNICATIONS & MEDIA ΜΟΝΟΠΡΟΣΩΠΗ Α.Ε. A customer had filed a complaint with the DPA. During its investigation, the DPA found that the controller had sent promotional emails several times despite the objection of the data subject. In addition, the controller failed to comply with the data subject’s right to access. | link |
1923 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-27 | 1,000 | TRC TRUCKS 2020, S.L. | Transportation and Energy | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on TRC TRUCKS 2020, S.L. for failing to comply with an order issued by the DPA. | link |
1924 | ITALY | Italian Data Protection Authority (Garante) | 2023-03-23 | 40,000 | La Risorsa Umana.it s.r.l. | Employment | Art. 5 (1) a), c) GDPR, Art. 13 GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 40,000 on La Risorsa Umana.it s.r.l. An employee of the controller had filed a complaint against the controller. During its investigation, the DPA found that the controller regularly checked the e-mail account of the data subject. The DPA also found that the controller had not informed the data subject of these e-mail checks. | link |
1925 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-27 | 15,000 | Ufficio Scolastico Regionale per la Puglia, Ufficio VI – Ambito Territoriale di Lecce | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 15,000 on Ufficio Scolastico Regionale per la Puglia, Ufficio VI – Ambito Territoriale di Lecce. The school board had published a document, which contained personal health data of a teacher on its website. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and therefore had acted unlawfully. | link |
1926 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-13 | 3,000 | Comune di Cogollo del Cengio | Employment | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 3,000 on Comune di Cogollo del Cengio. A former employee had filed a complaint with the DPA because the municipality had published a document containing their personal health data on its website. In the course of its investigation, the DPA found that the municipality had published the data without a valid legal basis and therefore had acted unlawfully. | link |
1927 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-13 | 13,000 | Azienda socio sanitaria locale n. 3 di Nuoro | Health Care | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 13,000 on Azienda socio sanitaria locale n. 3 di Nuoro. An individual had filed a complaint with the DPA because the health authority had published their personal data (date of birth, residence, health-related data) on the internet in the context of a medication request. In the course of its investigation, the DPA found that the controller had published the data without a valid legal basis and therefore had acted unlawfully. | link |
1928 | SWEDEN | Data Protection Authority of Sweden | 2023-06-26 | 1,100,000 | Bonnier News AB | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Swedish DPA has imposed a fine of EUR 1.1 million on Bonnier News AB. During its investigation, the DPA found that Bonnier News collects customer data, for example, through their surfing behavior or through purchases from different subsidiaries. However, the DPA also found that Bonnier News had collected and processed this data without the consent of the data subjects. Bonnier News relied on a predominant interest as a legal basis, but the DPA noted that customers could not expect their data to be collected for marketing purposes just because they visit a website, for example. For this reason, the DPA clarified that such extensive profiling would require the consent of the data subjects. In assessing the fine, mitigating consideration was given to the fact that Bonnier News had taken comprehensive measures to limit the harm to data subjects. | link link |
1929 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-05-16 | 6,700 | Municipality | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 6,700 on a municipality. The controller had reported a data breach to the DPA. During its investigation, the DPA found that the controller had suffered a ransomware attack, in which the attackers took advantage of a vulnerability present in the IT system. The DPA found that the controller had failed to install adequate technical and organizational measures to protect personal data, allowing such an attack to occur. | link |
1930 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-27 | 2,000 | Store owner | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined a store owner EUR 2,000 for failing to provide sufficient information pursuant to Art. 13 GDPR about CCTV surveillance in their premises. | link |
1931 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-27 | 240,000 | Benetton Group S.r.l. | Industry and Commerce | Art. 5 (1) c), e) GDPR, Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 240,000 on Benetton Group S.r.l. The controller had stored a large amount of customer data indefinitely. The DPA also found that the administrative database of employees of stores from 7 countries was accessible with a single password. The DPA considered this to be a breach of the obligation to implement appropriate technical and organizational measures to protect personal data. In assessing the fine, the DPA considered the fact that a very large number of people were affected by the data protection violations as an aggravating factor. | link |
1932 | ITALY | Italian Data Protection Authority (Garante) | 2023-05-17 | 10,000 | Grizzaffi Management Srl | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 17 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 10,000 on Grizzaffi Management Srl for sending out marketing messages, despite the fact that the data subjects had exercised their right to objection. | link |
1933 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-06-28 | 13,400 | Sjúkratyringur Íslands | Health Care | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Icelandic DPA has imposed a fine of EUR 13,400 on Sjúkratyringur Íslands. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. This included the lack of multi-factor authentication for access to health information and the controller’s use of real data in the development of a system. In assessing the fine, it was considered aggravating that a large number of individuals were affected by the security deficiencies. A mitigating factor was the fact that the controller cooperated fully with the investigation and implemented the measures ordered. | link |
1934 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-29 | 1,000 | PUNTO ROJO LIBROS, S.L. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on PUNTO ROJO LIBROS, S.L. for failing to comply with an order issued by the DPA. | link |
1935 | ITALY | Italian Data Protection Authority (Garante) | 2023-05-17 | 60,000 | Website operator | Not assigned | Art. 5 (1) a), d) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 12 (1), (2) GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 16 GDPR Art. 17 GDPR, Art. 24 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 60,000 on a website operator. The controller had published unauthorized personal data on the website www.trovanumeri.com, which it had collected through web scraping practices. The DPA also found that data subjects were not able to request the deletion of the data. In addition, the controller did not provide any contact information. | link |
1936 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-30 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, covered a neighbor property and joint areas of a residential area. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
1937 | SWEDEN | Data Protection Authority of Sweden | 2023-06-30 | 1,000,000 | Tele2 Sverige Aktiebolag | Media, Telecoms and Broadcasting | Art. 44 GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 1 million on Tele2 Sverige Aktiebolag. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses, as no adequacy decision had been issued by the EU Commission for the USA. In the course of its investigation, the DPA determined that the use of the standard contractual clauses was not sufficient to guarantee a level of protection equivalent to that of the EU. | link |
1938 | SWEDEN | Data Protection Authority of Sweden | 2023-06-30 | 25,000 | CDON AB | Industry and Commerce | Art. 44 GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 25,000 on CDON AB. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses in the absence of an EU Commission adequacy decision for the USA. In the course of its investigation, the DPA determined that the use of the standard contractual clauses was not sufficient to guarantee a level of protection equivalent to that of the EU. | link |
1939 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-04 | 500 | EXPLOTACIONES HOSTELERAS Y DE OCIO ALBACETEÑAS, S.L. | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined EXPLOTACIONES HOSTELERAS Y DE OCIO ALBACETEÑAS, S.L. EUR 500. The controller had installed video surveillance cameras which, among other things, also covered the public street. The DPA considered this a violation of the principle of data minimization. | link |
1940 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-07-03 | 81,000 | Heilsuveru | Health Care | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 (1) b), d) GDPR | Insufficient technical and organisational measures to ensure information security | The Icelandic DPA has fined Heilsuveru EUR 81,000. The controller had reported a data breach to the DPA, as two unauthorized persons had managed to view personal data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
1941 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-03 | 56,000 | VODAFONE SERVICIOS, S.L.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on VODAFONE SERVICIOS, S.L.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
1942 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-07 | 15,000 | RCL CRUISES LTD | Accomodation and Hospitalty | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 15,000 on RCL CRUISES LTD. An individual had filed a complaint with the DPA. The individual, after requesting information about a cruise ship by e-mail, had received an e-mail from the controller containing personal data of another individual. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
1943 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-07 | 2,000 | KUGELCHEN PROPIERTIES, S.L. | Real Estate | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on KUGELCHEN PROPIERTIES, S.L. The controller had continued to process the data subject’s data even though the data subject had exercised their right to erasure. | link |
1944 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-07 | 5,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance. | link |
1945 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-05 | 1,200 | LISMARTSA, S.L. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on LISMARTSA, S.L. A data subject had filed a complaint with the DPA because the controller had added them to a WhatsApp group without their consent. The original fine of EUR 1,500 was reduced to EUR 1,200 due to voluntary payment. | link |
1946 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-06-27 | 24,000 | Almennri innheimtu ehf | Finance, Insurance and Consulting | Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 8 laga nr. 90/2018, Art. 9 laga nr. 90/2018 | Insufficient legal basis for data processing | The Icelandic DPA has imposed a fine of EUR 24,000 on Almennri innheimtu ehf. The controller had submitted information on loan defaults for registration even though the required registration conditions had not been met. For instance, unpaid small loans were registered although they were below the required minimum amount. In assessing the fine, the fact that a large number of people were affected by the incident and that the controller was pursuing profits were considered aggravating factors. | link |
1947 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-29 | 180 | CARROZADOS TECAI, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on CARROZADOS TECAI, S.L.. The controller had installed a video surveillance system but had not added all the required information on the information sign for this purpose. The original fine of EUR 300 was reduced to EUR 180 for voluntary payment and acknowledgement of responsibility. | link |
1948 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-06-27 | 51,000 | eCommerce 2020 ApS | Finance, Insurance and Consulting | Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 8 laga nr. 90/2018, Art. 9 laga nr. 90/2018 | Insufficient legal basis for data processing | The Icelandic DPA has imposed a fine of EUR 51,000 on eCommerce 2020 ApS. The controller had submitted information on loan defaults for registration even though the required registration conditions had not been met. For instance, unpaid small loans were registered although they were below the required minimum amount. In assessing the fine, the fact that a large number of people were affected by the incident and that the controller was pursuing profits were considered aggravating factors. | link |
1949 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-10 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a private individual for failing to provide sufficient information about a video surveillance system installed at their property. The original fine of EUR 500 was reduced to EUR 300 for voluntary payment and acknowledgement of responsibility. | link |
1950 | ITALY | Italian Data Protection Authority (Garante) | 2023-05-17 | 10,000 | Santander Consumer Bank S.p.a. | Finance, Insurance and Consulting | Art. 12 (3), (4) GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has fined Santander Consumer Bank S.p.a. EUR 10,000 for not sufficiently fulfilling its obligation to comply with a data subject’s request for access to their data. | link |
1951 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-27 | 4,000 | Università degli studi di Cassino e del Lazio Meridionale | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 10 GDPR, Art. 2-ter Codice della privacy, Art. 2-octies Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 4,000 on Università degli studi di Cassino e del Lazio Meridionale. A professor at the university had filed a complaint against the university for allegedly processing their personal data unlawfully. In the course of its investigation, the DPA found that the controller had disclosed personal data of the data subject regarding criminal proceedings to third parties without a valid legal basis. | link |
1952 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-06-27 | 257,000 | Creditinfo Lánstraust hf. | Finance, Insurance and Consulting | Art. 5 (1), (2) GDPR, Art. 6 (1) GDPR, Art. 8 laga nr. 90/2018, Art. 9 laga nr. 90/2018 | Insufficient legal basis for data processing | The Icelandic DPA has imposed a fine of EUR 257,000 on Creditinfo Lánstraust hf. The controller had registered information on loan defaults even though the required registration conditions had not been met. For instance, unpaid small loans were registered although they were below the required minimum amount. In assessing the fine, the fact that a large number of people were affected by the incident and that the controller was pursuing profits were considered aggravating factors. | link |
1953 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-04 | 25,000 | CaixaBank, S.A. | Finance, Insurance and Consulting | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 25,000 on CaixaBank, S.A.. An individual had filed a complaint with the DPA due to the fact that when they requested information from the controller, they received information from a third party and not the requested information. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1954 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-30 | 1,800 | LISMARTSA, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on LISMARTSA, S.L.. The controller had sent an email containing personal data of 74 people to all recipients. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and admission of responsibility. | link |
1955 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-05-29 | 300 | CBHNOS S.L. | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CBHNOS S.L.. The controller had installed video surveillance cameras which, among other things, also covered a public road. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 500 was reduced to EUR 300 due to voluntary payment and admission of responsibility. | link |
1956 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-06 | 3,000 | Private individual | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined a private individual EUR 3,000. An individual had filed a complaint with the DPA against the controller due to the fact that the controller had provided them with a false receipt that contained another customer’s data and not their own. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
1957 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-06-07 | 1,200 | CONCENTRA CENTRAL DE COMPRAS Y SERVICIOS S.L. | Transportation and Energy | Art. 21 (4) GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine on CONCENTRA CENTRAL DE COMPRAS Y SERVICIOS S.L.. During its investigation, the DPA found that the controller had failed to properly and explicitly inform data subjects about their right of withdrawal. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and acknowledgement of responsibility. | link |
1958 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-12 | 48,000 | Birou Gas, S.L. | Transportation and Energy | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined Birou Gas, S.L. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 60,000 was reduced to EUR 48,000 due to immediate payment. | link |
1959 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-20 | 1,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the video surveillance. | link |
1960 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-20 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras that recorded a neighbor’s property, among other things. The DPA considered this a violation of the principle of data minimization. | link |
1961 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-05-31 | 10,600 | Company | Not assigned | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR, Art. 33 (1) GDPR, Art. 34 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 10,600 on a company. The company had suffered a ransomware attack on its systems which resulted in the loss of personal data. During its investigation, the DPA found that the company had failed to implement adequate technical and organizational measures to protect personal data, allowing such an attack to occur. Furthermore, the controller failed to inform the DPA and the data subjects of the incident in a timely manner. | link |
1962 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-18 | 70,000 | DIGI SPAIN TELECOM, S.L. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on Digi Spain Telecom, S.L.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account. | link |
1963 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-21 | 720 | MADRID TOURISTIC CAPITAL, S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 720 on MADRID TOURISTIC CAPITAL, S.L. The controller had failed to adequately inform data subjects about video surveillance at its premises. | link |
1964 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-17 | 10,000 | NANDIVALE, S.L | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on NANDIVALE, S.L.. The controller had uploaded images on social media of a party at its premises showing minors. The mother of a child had filed a complaint due to the fact that she had not given her consent to the publication of the images. The DPA therefore found that the controller had unlawfully processed the images in the absence of a valid legal basis. | link |
1965 | IRELAND | Data Protection Authority of Ireland | 2023-06-16 | 22,500 | Irish Department of Health | Health Care | Art. 5 (1) c) GDPR, Art. 6 (1), (4) GDPR, Art. 9 (1) GDPR | Non-compliance with general data processing principles | The Irish DPA (DPC) has fined the Irish Department of Health EUR 22,500. The DPC launched an investigation into the department following public allegations that the department had unlawfully processed personal data of claimants and their families in the context of litigation over special educational needs. The DPC found that the department had obtained information from the Health Service Executive (HSE) about services that the plaintiffs and their families had received. The HSE had also been asked broad questions that led to the disclosure of sensitive private information. The data was collected to determine whether a settlement could be pursued with the plaintiff. The DPC concluded that the collection of information about the social services provided was lawful. However, the questions that led to the disclosure of the sensitive information were excessive and, according to the DPC, not necessary for the purposes of the litigation. According to the DPC, this violated the principle of data minimization. | link |
1966 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-16 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property. | link |
1967 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-12 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on a private individual. The individual, a guard at a detention center, took pictures from the detention center’s video surveillance system and forwarded them to colleagues via WhatsApp. The pictures showed a female visitor to the correctional facility. The DPA found that the individual did not have a sufficient legal basis to take and forward the pictures. | link |
1968 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-07-18 | 3,000 | ING Bank NV Amsterdam Sucursala București | Finance, Insurance and Consulting | Art. 32 (1) b) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on ING Bank NV Amsterdam Sucursala București. The bank had reported a data breach to the DPA pursuant to Art. 33 GDPR. In the course of its investigation, the DPA found that a PDF file had been transmitted via WhatsApp without authorization. This led to the unauthorized disclosure of the data of numerous customers. According to the DPA, the bank had failed to implement adequate technical and organizational measures to protect personal data, which allowed such an incident to occur. | link |
1969 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-24 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1970 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-25 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras that recorded a neighbor's property, among other things. The DPA considered this a violation of the principle of data minimization. | link |
1971 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-26 | 1,200 | SERVICIOS E INTERVENCIONES EN EDIFICACION DEL MEDITERRÁNEO, S.L. | Real Estate | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on SERVICIOS E INTERVENCIONES EN EDIFICACION DEL MEDITERRÁNEO, S.L. An individual had filed a complaint with the DPA because the company had published a picture of them without their permission. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility. | link |
1972 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-26 | 600 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a private individual. An individual had filed a complaint with the DPA because another individual had written reviews on the internet using a photo of them and their name without their consent. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and admission of responsibility. | link |
1973 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2023-04-20 | 20,000 | Company | Not assigned | Art. 5 (1) e), f) GDPR, Art. 32 (1) b), d) GDPR | Non-compliance with general data processing principles | The Lithuanian DPA has fined a company EUR 20,000. The company had suffered a data breach in which personal data of 50,000 data subjects were compromised. During its investigation, the DPA found that the company had failed to implement appropriate technical and organizational measures to protect personal data. These included the lack of adequate access controls and of authentication of IT system administrators in the controller's information systems. | link |
1974 | GERMANY | Data Protection Authority of Thüringen | 2022 | Fine in three-digit amount | Data protection officer | Not assigned | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Thüringen has imposed a three-digit fine on the data protection officer of a company. The controller had posted a photo in a WhatsApp group of the company which showed the data subject bleeding heavily after a physical attack. The data subject had not consented to the publication in the WhatsApp group, which is why the DPA concluded that the publication was unlawful due to the lack of a valid legal basis. | link |
1975 | GERMANY | Data Protection Authority of Thüringen | 2022 | Unknown | Unknown | Not assigned | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Thüringen has imposed a fine on a controller. The controller had installed a video surveillance camera in the public entrance area of an apartment building without a valid legal basis. | link |
1976 | ITALY | Italian Data Protection Authority (Garante) | 2023-05-17 | 10,000 | La Gazzetta di Parma S.r.l. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The Italian DPA has fined La Gazzetta di Parma S.r.l. EUR 10,000. The controller had published photos in its newspaper of an individual accused of murder. The photos showed the individual in handcuffs and had been published without sufficiently blurring their face, so that they could still be identified. | link |
1977 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-14 | 15,000 | Citynews S.p.A. | Media, Telecoms and Broadcasting | Art. 5 (1) a), c) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Citynews S.p.A. EUR 15,000. The controller had published an article in a newspaper reporting on the arrest of an individual, including health data of the data subject without a valid legal basis. | link |
1978 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-06-21 | 7,500 | Company | Not assigned | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a company EUR 7,500 for failing to provide information requested by the DPA during an investigation. | link |
1979 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-01 | 3,000 | Comune di Napoli | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 3,000 on Comune di Napoli. After the termination of their employment, the municipality had sent three former employees an e-mail containing personal evaluation forms as well as a ranking list with the grades achieved by each individual. This made it possible for every recipient to access the information of the other individuals. | link |
1980 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-06-02 | 4,300 | Company | Not assigned | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 4,300 for failing to provide information requested by the DPA during an investigation. | link |
1981 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-05-31 | 2,300 | Company | Not assigned | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 2,300 for failing to provide information requested by the DPA during an investigation. | link |
1982 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-01-25 | 4,100 | Company | Not assigned | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 4,100 for failing to provide information requested by the DPA during an investigation. | link |
1983 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-01 | 20,000 | QUALITY-PROVIDER S.A. | Not assigned | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined QUALITY-PROVIDER S.A. EUR 20,000 for failing to provide information requested by the DPA during an investigation. | link |
1984 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-01 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1985 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-01 | 56,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U. Fraudulent third parties had impersonated the data subject and asked the controller to change their phone number in order to buy a mobile phone under the new number. The controller complied with this request and sent the new contract to the new number, which resulted in the disclosure of some of the data subject's personal data. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject's consent to disclose their data. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
1986 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-01 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded common areas of a condominium and the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
1987 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-31 | 70,000 | TELEFÓNICA MÓVILES ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on TELEFÓNICA MÓVILES ESPAÑA, S.A.U. A person had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions. | link |
1988 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-08-03 | 2,000 | Med Life SA | Health Care | Art. 12 (4) GDPR, Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 2,000 on Med Life SA. The controller had refused to disclose certain video recordings of a hospital reception area to the data subject upon request. | link |
1989 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-27 | 5,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a private individual EUR 5,000 for repeatedly publishing personal data of various data subjects on a public Telegram channel without a valid legal basis. | link |
1990 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-07 | 5,000 | Azienda Tutela della Salute della Sardegna | Health Care | Art. 5 GDPR, Art. 9 GDPR, Art. 2-septies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 5,000 on Azienda Tutela della Salute della Sardegna. The health authority had placed a sign at the gate of a physician’s practice informing about their absence due to illness. During its investigation, the DPA found that there was no reason to disclose the physician’s health information and that the health authority did not provide a valid legal basis for doing so. | link |
1991 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-27 | 5,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 5,000 on a private individual. The controller was both employer and landlord of the data subject. The controller had used the bank details provided on the data subject’s employment contract to collect rent without the data subject’s consent. | link |
1992 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-27 | 1,200 | FONTANORTE, S.L. | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on FONTANORTE, S.L. The controller had disposed of documents containing personal data in publicly accessible trash containers. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility. | link |
1993 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-01 | 15,000 | Thin Srl | Health Care | Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 15,000 on Thin Srl. The authority took action following a complaint from a GP who alleged that the company had breached data protection regulations. The company was running an international project to improve patient care by collecting and analyzing health data. To participate in the project, GPs were required to add an additional function to their existing practice management software. The add-on was supposed to automatically anonymize patient data and transfer it to the company's database. However, during its investigation, the DPA found that the add-on did not effectively anonymize the data. | link |
1994 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-01 | 20,000 | Ew Business Machines S.p.A. | Employment | Art. 5 (1) a), c) GDPR, Art. 9 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 20,000 on Ew Business Machines S.p.A. The controller had installed a video surveillance system that not only recorded images in real time but also made audio recordings, capturing employees. Both the company's legal representative and their family had access to these recordings via a smartphone. During its investigation, the DPA found that the employees had not been adequately informed about the additional audio monitoring. In addition, the company used an application to continuously track the location of some employees via GPS. The DPA found that this continuous location tracking constituted excessive monitoring of the employees. Furthermore, the company had installed an alarm system based on the processing of biometric data (fingerprints), for which it could not demonstrate a sufficient legal basis. | link |
1995 | GERMANY | Data Protection Authority of Berlin | 2023 | 215,000 | Humboldt Forum Service GmbH | Employment | Unknown | Insufficient legal basis for data processing | The DPA of Berlin has imposed fines totaling EUR 215,000 on Humboldt Forum Service GmbH. Humboldt Forum had improperly documented sensitive information about individual employees and assessed their continued employment as ‘critical’ or ‘very critical’ on the basis of the information. The document also contained information on personal statements, health concerns, a possible interest in forming a works council and treatment in psychotherapy. During its investigation, the DPA found that the controller did not have a valid legal basis to process such sensitive data. | link |
1996 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-08 | 6,000 | ELECTRAWORKS – CEUTA, S.A. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on ELECTRAWORKS – CEUTA, S.A. The controller had failed to provide sufficient information about the retention periods of personal data. The original fine of EUR 10,000 was reduced to EUR 6,000 due to voluntary payment and acknowledgement of responsibility. | link |
1997 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-01 | 10,000 | Camedi s.r.l. | Health Care | Art. 5 GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 10,000 on Camedi s.r.l. Medical Center. A person had filed a complaint with the DPA because they had received invoices as well as appointment reminders from another patient with the same name as theirs. | link |
1998 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-08 | 6,000 | ODRIA COSTAS INTERNACIONAL, S.L. | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on ODRIA COSTAS INTERNACIONAL, S.L. A data subject had filed a complaint with the DPA because the controller had published a picture of their residence on its website which also showed their underage daughters. The data subject had not consented to the publication of the children's images. The original fine of EUR 10,000 was reduced to EUR 6,000 due to voluntary payment and acknowledgement of responsibility. | link |
1999 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-02 | 10,000 | GYMOOGIMNASIOS S.L. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 7 GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined GYMOOGIMNASIOS S.L. EUR 10,000. The controller had installed a reservation system where data subjects had to consent to the processing of health-related data in order to use the system and the sports facility. The DPA considered this to be a violation of the principle of data minimization. | link |
2000 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-01 | 20,000 | Azienda Usl Toscana Sud Est. | Health Care | Art. 5 (1) a), c), f) GDPR, Art. 9 GDPR, Art. 25 (1), (2) GDPR, Art. 2-septies (8) Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 20,000 against Azienda Usl Toscana Sud Est. The controller had put up an information poster in the emergency room showing a healthcare professional at a computer, on which an emergency protocol with the personal data (including health data) of a data subject was visible. In response to a request from the DPA, the healthcare provider explained that the publication of the data was due to mere inattention and that the poster had only been displayed for a few weeks. | link |
2001 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-11 | 6,000 | ADENET SYSTEMS, S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA (AEPD) has fined ADENET SYSTEMS, S.L. EUR 6,000 for failing to provide information requested by the DPA within the required timeframe. | link |
2002 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-11 | 500 | RING RING CLIN S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined RING RING CLIN S.L. EUR 500 for failing to provide information requested by the DPA during an investigation. | link |
2003 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-16 | 600 | MÁRMOLES Y GRANITOS MEJIAS, S. L. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on MÁRMOLES Y GRANITOS MEJIAS, S. L. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not complied with its duty to properly inform about the CCTV. | link |
2004 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-16 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed a video surveillance system in a shared garage without properly informing about it. | link |
2005 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-11 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
2006 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-06 | 5,000 | Ristorante Francesco srl | Accomodation and Hospitalty | Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has fined Ristorante Francesco srl EUR 5,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that the controller failed to properly inform about the CCTV and the processing of personal data by the cameras. | link |
2007 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-18 | 20,000 | JOLY DIGITAL, S.L.U. | Industry and Commerce | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined JOLY DIGITAL, S.L.U. EUR 20,000. A person had filed a complaint with the DPA because the controller had published an image they had posted on their private Instagram account. | link |
2008 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-16 | 5,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 5,000 on a private individual. The controller had installed CCTV at his house in a residential complex which also covered areas of the community pool. | link |
2009 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-23 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property. | link |
2010 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-25 | 1,500 | Homeowners’ association | Real Estate | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,500 on a homeowners’ association. A property owner had filed a complaint with the DPA. The controller had published an enforcement notice containing the personal data of the data subject on a public notice board in a common area. | link |
2011 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-28 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on a private individual. The person had published on his Facebook profile a video of another person being clearly drunk without their consent. | link |
2012 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-28 | 500 | MULTIGAS ASESORES S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined MULTIGAS ASESORES S.L. EUR 500 for failing to provide information requested by the DPA during an investigation. | link |
2013 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-08-21 | 70,000 | Uipath SRL | Industry and Commerce | Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 70,000 on Uipath SRL. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. During its investigation, the DPA found that personal data (first and last name, email address, employment details, etc.) of 600,000 users of the academy platform could be accessed without authorization via a URL. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data, which allowed such an incident to occur. | link |
2014 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 10,000 | Cat s.r.l. | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has fined Cat s.r.l. EUR 10,000. Cat s.r.l. had installed CCTV systems near garbage cans on behalf of the municipality of Modica in order to combat illegal waste disposal. During its investigation, the DPA found that Cat had processed personal data collected by the cameras without a valid legal basis. | link |
2015 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 5,000 | Ermeslink di Giovanni Di Stefano | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Italian DPA has fined Ermeslink di Giovanni Di Stefano EUR 5,000. Ermeslink had installed CCTV systems near garbage cans on behalf of the municipality of Modica in order to combat illegal waste disposal. During its investigation, the DPA found that Ermeslink had processed personal data collected by the cameras without a valid legal basis. | link |
2016 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-30 | 1,500 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 1,500 on a private individual. The individual had installed video surveillance cameras in a residential complex, which also covered common areas, without obtaining the consent of the homeowners’ association. In addition, the controller also failed to inform about the cameras. | link |
2017 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-30 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras that recorded a neighbor's property, among other things. The DPA considered this a violation of the principle of data minimization. | link |
2018 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-30 | 180 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
2019 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-29 | 1,500 | ALBEN AIRPORT FACILITIES S.L. | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on ALBEN AIRPORT FACILITIES S.L. The controller had sent an email with certificates of participation in a training course to all participants, thereby disclosing the participants' data, including names, surnames and ID card numbers, to every other participant in the training. The original fine of EUR 2,500 was reduced to EUR 1,500 due to voluntary payment and admission of responsibility. | link |
2020 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-28 | 4,800 | WALL BOX CHARGERS S.L. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on WALL BOX CHARGERS S.L. The controller had inadvertently put a person on CC in emails addressed to other customers, giving that person access to the data of four other customers. The original fine of EUR 8,000 was reduced to EUR 4,800 due to voluntary payment and admission of responsibility. | link |
2021 | SWEDEN | Data Protection Authority of Sweden | 2023-08-28 | 3,000,000 | Trygg-Hansa | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Non-compliance with general data processing principles | The Swedish DPA has fined Trygg-Hansa EUR 3 million for serious data security deficiencies. The deficiencies were discovered when a recipient of an email from Trygg-Hansa realized that, by modifying a web link contained in it, they could access other customers' documents without any authentication. As a result, sensitive data of about 650,000 customers, including health, financial and contact information, was accessible for more than two years, from October 2018 to February 2021. The DPA found that Trygg-Hansa had failed to implement adequate technical and organizational measures to protect personal data, which allowed such an incident to occur. | link |
2022 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-08 | 300,000 | Rinascente S.p.A. | Industry and Commerce | Art. 5 (1) a), b), c), e), f) GDPR, Art. 12 (1) GDPR, Art. 32 (1) b), d) GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Rinascente S.p.A. EUR 300,000. The DPA acted on a complaint from a customer who, following an incident with a store employee, had her long-standing loyalty card cancelled and received a new, unsolicited card issued in her name that contained offensive information about her. The customer complained that her information had been accessed without her consent. During the investigation, the DPA also found that the loyalty card information notice did not specify the retention period of the data processed for marketing and profiling purposes. In addition, it did not disclose that activities were carried out through Facebook/Meta in the course of which customers' email addresses were forwarded to that US company. As for the e-commerce activities on the website, the DPA found that, although extensive profiling was carried out, Rinascente had not carried out a data protection impact assessment as required by the GDPR. In setting the fine, the DPA took into account the high number of data subjects (more than 2,000,000 people were registered in the stores or online), the duration of the violations and the financial performance of the company. | link |
2023 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-22 | 1,000,000 | Autostrade per l’Italia spa | Transportation and Energy | Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Autostrade per l’Italia spa (‘ASPI’) EUR 1 million for unlawfully processing the data of approx. 100,000 registered users of the toll reimbursement app ‘Free to X.’ A consumer organization reported problems with the service, which provides toll refunds for delays caused by roadworks, to the DPA. The DPA found that Autostrade held the position of the data controller, instead of a processor, as stated in the documents governing the relationship between ‘ASPI’ and ‘Free to X’, the company that develops and operates the app, as well as in the information notice given to users. In fact, ‘ASPI’, as the operator of the highway network, was responsible for determining the reimbursement mechanism, the type of compensation measures, the processing and the causes of delays due to road works. ‘Free to X’ was only tasked with implementing the service. This incorrect assignment of privacy roles resulted in the notice to users being incorrect. The notice should have included the actual identity of the controller, namely ASPI, as well as all the necessary information for proper and transparent processing in accordance with data protection laws. The DPA finally found that ASPI also violated the GDPR by not designating Free to X as a processor. | link |
2024 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-19 | 1,500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighboring property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance. | link |
2025 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-19 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered neighbouring properties. The DPA considered this to be a violation of the principle of data minimization. | link |
2026 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-05 | 80,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. The original fine of EUR 100,000 was reduced to EUR 80,000 due to voluntary payment. | link |
2027 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-01 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space, without properly informing the data subjects. | link |
2028 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-30 | 300 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The person had installed a surveillance camera in an apartment building without first obtaining permission from the owners’ association. | link |
2029 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-09-06 | 10,300 | University of Iceland | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Icelandic DPA has fined the University of Iceland EUR 10,300. The university had not sufficiently informed about the existence of video surveillance cameras on university buildings and had not provided sufficient information about the purpose, nature and scope of the data processing. | link |
2030 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-09-18 | 1,000 | NN Asigurări de Viață S.A. | Finance, Insurance and Consulting | Art. 21 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has fined NN Asigurări de Viață S.A. EUR 1,000. A person had filed a complaint for receiving advertising messages, although they had objected to receiving advertising messages. | link |
2031 | FINLAND | Deputy Data Protection Ombudsman | 2023-09-11 | 23,000 | Suomen Yritysrekisteri | Industry and Commerce | Art. 12 (1), (2), (6) GDPR, Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The Finnish DPA has fined Suomen Yritysrekisteri EUR 23,000. The controller had not sufficiently complied with data subjects’ requests for access to their personal data. The Eastern Finland Administrative Court rejected the appeal filed by Suomen Yritysrekisteri. | link link |
2032 | IRELAND | Data Protection Authority of Ireland | 2023-09-01 | 345,000,000 | TikTok Limited | Media, Telecoms and Broadcasting | Art. 5 (1) c), 5 (1) f) GDPR, Art. 12 (1) GDPR, Art. 13 (1) e) GDPR, Art. 24 (1) GDPR, Art. 25 (1), (2) GDPR | Non-compliance with general data processing principles | The Irish DPA (DPC) has imposed a fine of EUR 345 million on TikTok Limited. The DPC conducted an investigation primarily focused on the processing of personal data between July 31, 2020, and December 31, 2020. During their investigation, the DPC found that the profiles of child users were set to public access by default. As a result, the DPC concluded that TikTok had failed to implement appropriate technical and organizational measures to ensure that only necessary personal data was being processed. Furthermore, the DPC noted that the ‘Family Pairing’ feature, which allowed non-child users to link their accounts with those of child users, posed a security risk to the personal data of children. Additionally, TikTok failed to provide child users with information about the categories of recipients of their personal data and clear, understandable information on the scope and implications of data processing. The DPC also found that TikTok introduced so-called ‘dark patterns,’ leading users to frequently opt for less privacy-friendly options during registration and when posting videos on the platform. In addition to the fine, the DPC issued an order requiring TikTok to bring its processing activities in line with the GDPR within three months. | link |
2033 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-06 | 10,000 | AcegasApsAmga SpA | Employment | Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 10,000 on AcegasApsAmga SpA. A former employee had filed a complaint with the DPA due to the controller’s failure to respond to their requests for access to their personal data. The employee needed this data for their defense in a disciplinary proceeding. | link |
2034 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-21 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered neighbouring properties. The DPA considered this to be a violation of the principle of data minimization. | link |
2035 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-21 | 4,000 | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 4,000 on a private individual. An individual had rented a room from the controller and filed a complaint against them due to the fact that the controller had installed a video surveillance camera in the shared kitchen without their consent. | link |
2036 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-07 | 70,000 | SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. A customer had filed a complaint with the DPA due to the fact that the controller carried out a change of their electricity and gas supply company without obtaining their consent beforehand. | link |
2037 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 1,000 | Prodav srl | Industry and Commerce | Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has fined Prodav srl EUR 1,000. The controller had operated video surveillance cameras in one of their shops without the required authorization. Furthermore, the DPA found that the controller failed to properly inform about the CCTV and the processing of personal data by the cameras. | link |
2038 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-30 | 140,000 | GENERAL LOGISTICS SYSTEMS SPAIN, S.A. | Transportation and Energy | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 140,000 against GENERAL LOGISTICS SYSTEMS SPAIN, S.A. Two individuals had filed a complaint with the DPA about parcels intended for home delivery being redirected to a courier service office. During its investigation, the DPA found that changing the contractual terms and conditions without the consent of the data subject was unlawful due to the lack of a legal basis. | link |
2039 | HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2023-06-22 | 205,000 | Digi Telecommunications and Services Ltd. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Hungarian DPA has imposed a fine of EUR 205,000 against Digi Telecommunications and Services Ltd. The controller had suffered a data breach in which an unauthorized party managed to access personal data of data subjects (e.g. customers and newsletter subscribers) via the controller’s website. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data, which facilitated such an incident. | link |
2040 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-25 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
2041 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-26 | 30,000 | EUROPA PRESS DE CATALUNYA, S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 30,000 on EUROPA PRESS DE CATALUNYA, S.A. Several media outlets, including the controller, had published an audio recording of a multiple rape victim’s testimony in court on their websites to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim’s right to privacy outweighed the controller’s freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim’s privacy. For this reason, the DPA found that the controller violated the principle of data minimization. | link |
2042 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-26 | 70,000 | DIGI SPAIN TELECOM, S.L. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 70,000 on DIGI SPAIN TELECOM, S.L. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account. | link |
2043 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-27 | 420 | CHINA CENTER LLEIDA | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has fined CHINA CENTER LLEIDA due to a lack of sufficient data processing information in relation to video surveillance in their premises. The original fine of EUR 700 was reduced to EUR 420 due to immediate payment and admission of responsibility. | link |
2044 | FRANCE | French Data Protection Authority (CNIL) | 2023-09-18 | 200,000 | SAF LOGISTICS | Employment | Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 10 GDPR, Art. 31 GDPR | Non-compliance with general data processing principles | The French DPA has fined SAF LOGISTICS EUR 200,000. An employee reported to the DPA that the controller had collected data on the private lives of its employees. During its investigation, the DPA found that the controller had collected a large amount of information about employees’ family members, including their identity, contact details, position, employer and marital status, via a form sent to employees. The DPA considered this to be a violation of the employees’ privacy. In addition, the forms requested information on blood type, ethnicity, and political affiliation. The DPA found that the controller had no legal basis for processing such sensitive data. The DPA also found that the controller had been storing extracts from the criminal records of employees who had already been cleared by the relevant authorities following an administrative investigation. Accordingly, the DPA no longer saw a reason for the retention. | link link |
2045 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-09-26 | 25,000 | RESTART ENERGY ONE S.A. | Transportation and Energy | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 25,000 on RESTART ENERGY ONE S.A. During its investigation, the DPA found that there existed a publicly accessible file on the controller’s website containing personal data (name, surname, address, telephone numbers, email addresses, contract number and contract date) of at least 750 data subjects. The file was publicly accessible via a link generated by search engines for a period of approximately 2.5 years. The DPA concluded that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2046 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-09-25 | 2,000 | UAT Comuna Albeni | Public Sector and Education | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA has fined UAT Comuna Albeni EUR 2,000 for failing to provide information requested by the DPA during an investigation. | link |
2047 | ITALY | Italian Data Protection Authority (Garante) | 2023-08-31 | 10,000 | RCS Mediagroup Spa | Media, Telecoms and Broadcasting | Art. 5 (1) a), c) GDPR, Art. 2-quater (4) Codice della privacy, Art. 137 Codice della privacy, Art. 139 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 10,000 on RCS Mediagroup Spa. A data subject had filed a complaint with the DPA due to the fact that their personal data had been published in an online newspaper, on a photo showing the will of a recently deceased actress, to which they had been a witness. The data subject stated that after the publication they had been contacted by acquaintances and journalists who asked for more information on the death of the actress. The DPA found that the controller did not have a valid legal basis to publish the personal data and that the publication was not relevant for the coverage. | link |
2048 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-25 | 17,000 | FEDERACIÓN DE BALONMANO DE CASTILLA LA MANCHA | Public Sector and Education | Art. 9 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 17,000 on FEDERACIÓN DE BALONMANO DE CASTILLA LA MANCHA. Athletes were required to upload the vaccination certificate against COVID with the complete vaccination schedule or a certificate of recovery from the disease or an antigen test with a negative result to the controller’s website 48 hours before sports events in order to participate in sports competitions. During its investigation, the DPA found that the controller did not have a valid legal basis for processing this sensitive health data. The DPA also found that the controller had not provided sufficient information about the processing of personal data. | link |
2049 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-05 | 500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
2050 | CYPRUS | Cypriot Data Protection Commissioner | 2023 | 3,000 | Breikot Management Ltd | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Cypriot DPA has imposed a fine of EUR 3,000 on Breikot Management Ltd. The DPA found that the company had violated the principle of minimization by processing excessive personal data during reporting although less data would also have served the journalistic interest of the public. | link |
2051 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 400 | Private individual | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined a private individual EUR 400 for unlawfully operating video surveillance cameras on their property. | link |
2052 | FINLAND | Deputy Data Protection Ombudsman | 2023-09-04 | 1,600 | Company | Health Care | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Finnish DPA has imposed a fine of EUR 1,600 on a company providing psychotherapy services. A customer had submitted a request for access to their stored personal data. However, the company had not informed the customer of the reason why the records of the psychotherapy sessions could not be provided. | link |
2053 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-07-12 | 2,500 | Company | Not assigned | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined a company EUR 2,500 for failing to report a data breach to the DPA and data subjects. | link |
2054 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 12,000 | Azienda Socio Sanitaria Territoriale Ovest Milanese | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 12,000 on Azienda Socio Sanitaria Territoriale Ovest Milanese. The controller had suffered data breaches that affected the privacy of several data subjects. For example, a patient’s health records were given to the wrong patient. In addition, the controller had sent an email regarding Covid-19 behavior in multiple sclerosis patients to 198 recipients, allowing all recipients to openly view the other email addresses. In addition, the controller sent an invitation for a disability assessment to the wrong person. | link |
2055 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-10 | 15,000 | ILUNION SEGURIDAD, S.A. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 15,000 on ILUNION SEGURIDAD, S.A. The controller had sent labor communications by e-mail without using the blind copy option, revealing the personal e-mail addresses of employees to all e-mail recipients. | link |
2056 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-10 | 1,500 | NORDETIA CLINICS MÓSTOLES S.L. | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,500 on NORDETIA CLINICS MÓSTOLES S.L. The controller had sent an e-mail without using the blind copy option, revealing the email addresses of all recipients to the other recipients. | link |
2057 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-09 | 4,000 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined a private individual EUR 4,000 for installing a video surveillance camera that captured parts of a commonly shared garage. The DPA considered this a violation of the principle of data minimization. | link |
2058 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-09 | 500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 500. The individual had installed video surveillance cameras on their property which covered, among other things, the public space and a neighboring property. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization. | link |
2059 | CROATIA | Croatian Data Protection Authority (azop) | 2023-09-13 | 25,000 | Zagreb Holding d.o.o. | Public Sector and Education | Art. 13 (1) c) GDPR, Art. 13 (2) a), e) GDPR, Art. 25 (2) GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (AZOP) has imposed a fine of EUR 25,000 on Zagreb Holding d.o.o., a utilities company owned by the city of Zagreb. The DPA had received a complaint from a citizen concerning Zagreb Holding’s practice of requesting a copy of users’ personal identification cards before issuing invoices via email. Previously, to receive invoices by email the users only needed to provide their name, surname, address, personal identification number, facility number and their user number. During the investigation, it was found that Zagreb Holding lacked established rules for identifying service users requesting invoice copies via email and only collected copies of identification documents when there was suspicion of false representation. The company requested personal identification document copies from users whose email addresses had a different name/structure than their name and surname, or if the user’s name and surname in the email address did not match the requested invoice copy email address’s structure. The DPA found that the mere inclusion of the correct name and surname in an email address is an insufficient protective measure. Consequently, the data controller failed to implement appropriate technical and organizational measures for user identification, contrary to Art. 25 (2) GDPR. According to the explanation given by the DPA, the data controller should have developed a process for identification via email ensuring a uniform procedure for all users, regardless of the email address structure. | link |
2060 | CROATIA | Croatian Data Protection Authority (azop) | 2023-09-26 | 15,000 | Hotel | Accommodation and Hospitality | Art. 6 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 32 (1) a), d) GDPR, Art. 32 (4) GDPR, Art. 38 (6) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a hotel. The hotel was collecting personal data from guests in excess of what would have been necessary for the purpose of booking a hotel room and without a valid legal basis. Specifically, the hotel collected the CVC number of guests’ credit cards and copies of their identification documents. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. The hotel claimed it collected the CVC numbers of credit cards and even copies of personal identification documents, when the booking was made via email, in order to prevent misuse of the credit cards. The booking was possible via third party platforms and the hotel’s email and web form. The booking via email and web form enables solely booking, but not payment. Regardless of this, the hotel still requested provision of financial data (information on the credit card and CVC number). Taking into consideration that the booking was possible without provision of the CVC number, AZOP found that the hotel did not have a legal basis for processing of such data. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. Neither the hotel’s general terms and conditions nor the form of consent for use of personal data provided sufficient information on circumstances of processing. In addition, the hotel did not undertake adequate technical and organisational measures, e.g. encryption of data. Finally, by appointing the hotel manager as the data protection officer, the controller violated the provisions of Art. 38 (6) GDPR. Although the data protection officer may also perform other tasks and duties, the controller must ensure that such tasks and duties do not lead to a conflict of interest. Accordingly, the controller should have been aware that there is a conflict of interest in relation to the tasks and duties that the hotel manager performs. It is clear from the job description of the hotel manager that they are largely responsible for making management decisions concerning personal data processing, while on the other hand, as the data protection officer, they are obliged to monitor the compliance of the business with the regulations governing the protection of personal data. | link |
2061 | CROATIA | Croatian Data Protection Authority (azop) | 2023-09-14 | 20,000 | Betting company | Industry and Commerce | Art. 6 (1) GDPR, Art. 7 GDPR, Art. 13 (1), (2) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors, through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent voluntarily, thereby violating Art. 7 GDPR. AZOP noted that the visitor should give separate consent for each type of cookie according to their functionality, that is, consent cannot be given for ‘all types of cookies’. In these cases, there was no option for separate granting or revocation of consent for each type of cookie. Lastly, it was determined that the controller did not adequately inform data subjects (website visitors) about the processing of personal data, particularly regarding data processing through cookies, thereby violating Art. 13 (1), (2) GDPR. The controller did not inform transparently on matters such as the legal basis, the function of each cookie, and the cookie retention period. | link |
2062 | CROATIA | Croatian Data Protection Authority (azop) | 2023-09-14 | 30,000 | Betting company | Industry and Commerce | Art. 6 (1) GDPR, Art. 7 GDPR, Art. 13 (1), (2) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 30,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors, through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent voluntarily, thereby violating Art. 7 GDPR. AZOP noted that the visitor should give separate consent for each type of cookie according to their functionality, that is, consent cannot be given for ‘all types of cookies’. In these cases, there was no option for separate granting or revocation of consent for each type of cookie. Lastly, it was determined that the controller did not adequately inform data subjects (website visitors) about the processing of personal data, particularly regarding data processing through cookies, thereby violating Art. 13 (1), (2) GDPR. The controller did not inform transparently on matters such as the legal basis, the function of each cookie, and the cookie retention period. | link |
2063 | CROATIA | Croatian Data Protection Authority (azop) | 2023-10-05 | 5,470,000 | Debt collection company | Finance, Insurance and Consulting | Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 (1) GDPR, Art. 32 (1) b) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 5,470,000 on a debt collection company. The investigation was triggered by an anonymous complaint stating that the controller unlawfully processed personal data, with a USB stick attached to the complaint containing personal data of 181,641 individuals. As a controller, the debt-collection company unlawfully processed sensitive data (health related) of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, most often collecting telephone number, first and last name and residential address. It was determined that the data controller did not implement sufficient technical protection measures that could have detected leakage of data from their system in a timely manner. Although there was a security system, the DPA determined that due to deficiencies the company lost control over the movement of their data subjects’ personal data. Furthermore, the company recorded comments related to the debtor’s state of health that the DPA found to be excessive processing without an adequate legal basis. Additionally, the DPA determined that the data controller had unlawfully recorded telephone conversations with data subjects, as the legitimate interest test assessment that established a legal basis for processing had not been conducted prior to the start of such processing. Finally, the DPA found that the data subjects had not been transparently informed on the processing of their data. | link |
2064 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-11 | 5,300 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 5,300 on a private individual. An individual had rented a room from the controller and filed a complaint due to the fact that the controller had installed a video surveillance camera in the apartment without their consent and had not properly informed them about the video surveillance. | link |
2065 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-11 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 300. The individual had installed video surveillance cameras on their property which covered, among other things, the public space. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization. | link |
2066 | CYPRUS | Cypriot Data Protection Commissioner | 2023 | 8,000 | Cypriot Ministry of the Interior | Public Sector and Education | Art. 5 (1) a), c), f) GDPR | Non-compliance with general data processing principles | The Cypriot DPA has imposed a fine of EUR 8,000 on the Cypriot Ministry of the Interior. The Ministry of Interior had unlawfully transmitted personal data of employees to the House of Representatives. | link |
2067 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2023-10-03 | 70,000 | Stockholm School Board | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Swedish DPA has fined the Stockholm School Board EUR 70,000 for excessive video surveillance in a school. The school had installed extensive video surveillance due to past problems with arson. During its investigation, the DPA found that there were about 50 fixed cameras in the school monitoring hallways, stairwells and corridors in conjunction with doors, toilets and student lockers. Surveillance was taking place 24/7 with image recording. The DPA concluded that video surveillance for the purpose of preventing arson is generally permissible, but that the area covered by the cameras must be limited to what is absolutely necessary. According to the DPA, the video surveillance in the school was too extensive and not all cameras were necessary to monitor potential fire hazards. | link |
2068 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-14 | 90,000 | GFB One s.r.l. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 157 Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 90,000 on GFB One s.r.l. An individual had filed a complaint with the DPA because SIM cards had been registered in their name although they had never requested this. The individual had received two emails and an SMS notifying them that a Vodafone business, which belongs to the controller, had activated two SIM cards in their name. After asking the phone company to block the SIM cards, the individual reconstructed that the cards had been activated using a barely legible photocopy of their ID card. During its investigation, the DPA found that the controller had neither requested an original ID card for registration nor verified the legitimacy of the data. The controller also failed to inform the data subject how it had obtained the photocopies of their ID. | link |
2069 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-15 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined a private individual EUR 600 for installing a video surveillance camera that captured parts of a commonly shared garage. The DPA considered this a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
2070 | SWEDEN | Data Protection Authority of Sweden | 2023-10-17 | 30,000 | H&M Hennes & Mauritz GBC AB | Industry and Commerce | Art. 12 (3) GDPR, Art. 21 (3) GDPR | Insufficient fulfilment of data subjects rights | The Swedish DPA has imposed a fine of EUR 30,000 on H&M for sending out marketing messages, despite the fact that data subjects had exercised their right to objection. Six data subjects had filed a complaint against the controller with the DPA. The DPA found that the controller did not have sufficient systems and procedures in place to facilitate data subjects exercising their right to object to direct marketing. | link link |
2071 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-14 | 20,000 | Shardana Working Soc. Coop. a r.l. | Employment | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has fined Shardana Working Soc. Coop. a r.l. EUR 20,000 for failing to respond adequately to requests from employees for access to information regarding their personal data. The employees wanted to obtain information on the calculation of their mileage allowances, their hourly wages and the procedure for the determination of their salary. In particular, they wanted to know what data was collected through the smartphone provided by the company, which had a geolocation system installed. | link link |
2072 | FRANCE | French Data Protection Authority (CNIL) | 2023-10-12 | 600,000 | GROUPE CANAL + | Media, Telecoms and Broadcasting | Art. 7 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 28 GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. L. 34-5 CPCE | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine of EUR 600,000 on GROUPE CANAL+ for multiple violations of the GDPR. The DPA determined that the data controller failed to demonstrate that it had obtained valid prior consent from individuals for sending electronic promotional messages. Additionally, the DPA found that the data controller did not provide adequate information regarding the retention periods of personal data in its privacy statement. Furthermore, the DPA observed that the data controller’s processors did not furnish sufficient information to potential customers during marketing calls. Moreover, the DPA found that the data controller did not adequately respond to requests from data subjects in certain cases. In addition, the data controller failed to establish contractual regulations for the processing of personal data by its processors. Finally, the DPA noted that the controller had not properly secured passwords for the company’s employees and failed to report a data breach. In determining the amount of the fine, the DPA considered the violations identified, as well as the company’s cooperation and corrective actions taken during the proceedings to ensure compliance. | link link |
2073 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-14 | 10,000 | Azienda Sanitaria dell’Alto Adige – Suedtiroler Sanitaetsbetrieb | Employment | Art. 12 (3) GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 10,000 on Azienda Sanitaria dell’Alto Adige – Suedtiroler Sanitaetsbetrieb for failing to adequately comply with its obligation to comply with a data subject’s request for information on the lawfulness and accuracy of the processing of their personal data. | link |
2074 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-10-20 | 1,000 | DANTE INTERNATIONAL SA | Industry and Commerce | Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 1,000 on DANTE INTERNATIONAL SA. The controller had sent marketing SMS to a data subject without a valid legal basis. | link |
2075 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-14 | 10,000 | San Severo municipality | Employment | Art. 5 (1) a) GDPR, Art. 6 (1) c), e) GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA imposed a fine of EUR 10,000 on San Severo municipality. The municipality had published a document containing personal data of employees on its website without a valid legal basis. | link |
2076 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2023-06-16 | 1,000 | Private individual | Individuals and Private Associations | Art. 6 (1), (4) GDPR | Insufficient legal basis for data processing | The Austrian DPA has imposed a fine of EUR 1,000 on a private individual. The controller had sent data subjects electoral advertising without a valid legal basis. | link |
2077 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-28 | 10,000,000 | Axpo Italia Spa | Transportation and Energy | Art. 5 (1) a), d) GDPR, Art. 5 (2) GDPR, Art. 24 (2) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 10 million on electricity and gas supplier Axpo Italia Spa. The DPA had received numerous complaints from data subjects who complained that, without their knowledge, electricity and gas contracts had been activated in their names, which they had only learned about after receiving termination letters from their previous supplier or reminders to pay outstanding bills. They also discovered that the personal data provided in the contract (e.g. email address, phone number and utility number) was incorrect or outdated. During its investigation, the DPA found that the controller had been acquiring new electricity and gas supply contracts through a network of approximately 280 vendors without ensuring that the data entered into the database by the vendors actually corresponded to the utility users. This resulted in unsolicited contracts that often contained inaccurate and outdated personal data. | link link |
2078 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-30 | 240 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 240 on a private individual for unlawfully installing a video surveillance camera on their house capturing the public space. | link |
2079 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-25 | 500 | BILBAO AD INFINITUM, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined BILBAO AD INFINITUM, S.L. EUR 500. The controller had installed video surveillance cameras which, among other things, also covered the public street. The DPA considered this a violation of the principle of data minimization. | link |
2080 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-28 | 30,000 | Asl Napoli 3 Sud | Health Care | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has fined Asl Napoli 3 Sud EUR 30,000. The healthcare facility had suffered a ransomware attack that used malware to restrict access to the facility’s database, with a ransom demanded to restore the functionality of its systems. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. The incident affected data (including health data) of 842,000 patients and employees. | link link |
2081 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-10-02 | 1,000 | Cez Vânzare S.A. | Transportation and Energy | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on Cez Vânzare S.A. The controller had accidentally sent emails containing personal customer data to the wrong recipients. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
2082 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-07-18 | 3,400 | Company | Not assigned | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 3,400 on a company. The controller had reported a data breach to the DPA. The company car of a senior employee had been broken into, resulting in the theft of a company laptop on which personal data of three persons were processed. During its investigation, the DPA determined that the controller had failed to implement appropriate technical and organizational measures to protect personal data. Among other things, the laptop had not been properly encrypted. | link |
2083 | ITALY | Italian Data Protection Authority (Garante) | 2023-08-31 | 20,000 | Bar association | Public Sector and Education | Art. 5 GDPR, Art. 2-octies Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 20,000 on a bar association. Two individuals had filed a complaint with the DPA against the controller because documents relating to a court case concerning them could be viewed and downloaded in non-anonymous form on the association’s website. In addition, the documents were available to be found via Google search. The association had failed to delete the documents even after repeated requests for deletion by the data subjects. | link |
2084 | ITALY | Italian Data Protection Authority (Garante) | 2023-08-31 | 10,000 | Mednow Medical Center di Giugni Marco | Health Care | Art. 5 (1) d), f) GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17 GDPR, Art. 18 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has fined Mednow Medical Center di Giugni Marco EUR 10,000. An individual had filed a complaint with the DPA because the controller had inadvertently sent the results of a medical examination to the wrong recipient. In addition, the controller had failed to properly fulfill the individual’s data subject rights and only complied with the data subject’s requests upon the DPA’s notice. | link |
2085 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-14 | 42,000 | Intesa Sanpaolo Spa | Finance, Insurance and Consulting | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to respond to the data subject’s request for access to their data in a timely manner. | link |
2086 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-10-24 | 3,000 | Mensajero SRL | Industry and Commerce | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on Mensajero SRL. The controller had suffered a data breach in which a publicly accessible link on the controller’s website allowed numerous files containing customer data to be viewed and downloaded. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data and prevent such incidents. | link |
2087 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 75,000 | Università Telematica E-Campus | Public Sector and Education | Art. 5 (1) a), d) GDPR, Art. 5 (2) GDPR, Art. 6 (1) a) GDPR, Art. 7 (1) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 24 GDPR, Art. 130 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 75,000 on Università Telematica E-Campus. The controller had sent advertising messages and made advertising calls without the consent of the data subjects, although some data subjects had also objected to such messages. In addition, the controller had never responded to complaints regarding this matter. In calculating the fine, the fact that the controller had not cooperated sufficiently with the DPA was taken into account as an aggravating factor. | link link |
2088 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-10-25 | 1,000 | SC Spark Car Sharing SRL | Transportation and Energy | Art. 5 (1) a), b) GDPR, Art. 6 (1) GDPR, Art. 7 GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 1,000 on SC Spark Car Sharing SRL. An individual had filed a complaint with the DPA because the controller had processed their email address for third party marketing purposes without their consent. The DPA also noted that the individual had requested the deletion of all their data. Although the controller informed the customer it would delete their data, the controller continued to send a series of direct marketing messages to their email address. | link |
2089 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-10-27 | 500 | Homeowners Association | Individuals and Private Associations | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | Fine for failure to comply with an order of the supervisory authority. | link |
2090 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-31 | 180 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 180 on a private individual. The controller had installed video surveillance cameras without properly informing data subjects. | link |
2091 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-20 | 800,000 | BANCO BILBAO VIZCAYA ARGENTARIA, S.A. | Finance, Insurance and Consulting | Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has fined BANCO BILBAO VIZCAYA ARGENTARIA, S.A. EUR 800,000. A customer had lost her handbag, which also contained her bank card. The individual therefore requested the controller to block all banking products. However, the controller failed to comply, which is why it was then possible for third parties to access the individual’s bank products and transfer money under false identities. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to prevent such a case and protect personal data. | link |
2092 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-18 | 2,000 | UNIQUE HOTEL APARTMENT S.L. | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 2,000 on UNIQUE HOTEL APARTMENT S.L. The controller had copied identification documents for the purposes of guest registration and stored the copies. The DPA found that keeping a copy of the identification documents was excessive and not strictly necessary for the purpose of guest registration. | link |
2093 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-18 | 600 | FESTINA LOTUS S.A. | Industry and Commerce | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Spanish Data Protection Authority has imposed a fine of EUR 600 on FESTINA LOTUS S.A. due to the fact that the controller had not properly complied with a data subject’s request for erasure of their personal data. | link |
2094 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-03 | 600 | Hotel | Accomodation and Hospitalty | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 600 on a hotel. The controller had installed video surveillance cameras which, among other things, also covered the public space and private properties. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the data processing by the video surveillance and thus violated its duty to inform. | link |
2095 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-28 | 5,000 | Physician | Health Care | Art. 5 (1) a), c), f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 5,000 on a physician for unlawfully disclosing patient data. | link |
2096 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-06 | 240 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA (AEPD) has imposed a fine of EUR 240 on a private individual. The controller had installed video surveillance cameras without properly informing data subjects. | link |
2097 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-07 | 70,000 | THE BEE LOGISTICS, S.L. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 70,000 on THE BEE LOGISTICS, S.L. for delivering a parcel to a person other than the recipient, thereby unlawfully disclosing the recipient’s data. | link |
2098 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-06 | 200,000 | DIGI SPAIN TELECOM, S.L. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on DIGI SPAIN TELECOM, S.L. A person had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account. | link |
2099 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-06 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) fined a private individual EUR 300. The individual had installed video surveillance cameras on their property which covered, among other things, the public space. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization. | link |
2100 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-06 | 400 | Private individual | Individuals and Private Associations | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 400 on a private individual for failing to comply with an order issued by the DPA. | link |
2101 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-11-03 | 3,000 | OTP BANK ROMANIA SA | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on OTP BANK ROMANIA SA. The controller had accidentally transmitted personal data of an individual to an unauthorized third party. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2102 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-13 | 1,000 | TRACTAMENT D’AIGUES TEIA, S.L. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on TRACTAMENT D’AIGUES TEIA, S.L. for failing to comply with an order issued by the DPA. | link |
2103 | SWEDEN | Data Protection Authority of Sweden | 2023-11-07 | 43,000 | Indecap AB | Finance, Insurance and Consulting | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 43,000 on Indecap AB. The controller had accidentally sent an email to a large number of its customers containing an Excel document with a report including personal data of other customers. The document contained information on social security numbers, e-mail addresses, selected funds, etc. of more than 52,000 individuals. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data, allowing such an incident to occur. | link link |
2104 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-09-23 | 12,000 | CHATWITH.IO WORLDWIDE, S.L. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 13 GDPR, Art. 22 (2) LSSI | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 12,000 on the website operator CHATWITH.IO WORLDWIDE, S.L. During its investigation, the DPA found that the controller had failed to adequately comply with its information obligations under Art. 13 GDPR. For example, there was a lack of detailed information on the purposes of processing personal data on the website. Furthermore, the design of a cookie banner used so-called dark patterns, with the pop-up giving users only the choice between consent and access to the settings page. This meant that it was not possible for users to simply refuse the use of cookies, but that they could only do so via the settings menu and many clicks. The fine is made up of EUR 5,000 for the violation of Art. 5 (1) a) GDPR, EUR 5,000 for the violation of Art. 13 GDPR and EUR 2,000 for the violation of the national law Art. 22 LSSI. | link |
2105 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-28 | 3,000 | Palombaro s.r.l. | Accomodation and Hospitalty | Art. 5 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined Palombaro s.r.l. EUR 3,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. | link |
2106 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-02 | 30,000 | APOLLONIA TOPCO, S.L. | Not assigned | Art. 5 (1) c) GDPR, Art. 38 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 30,000 on APOLLONIA TOPCO, S.L. An individual had filed a complaint with the DPA because, in order to receive a refund, they had been required to send in their driving licence as proof of identity. The DPA considered this a violation of the principle of data minimization, as processing the data on the driving licence was not necessary for the refund and the identity check could have been carried out by means less intrusive to the data subject’s privacy. In addition, the controller’s data protection officer had failed to properly respond to a request from the data subject. | link |
2107 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-28 | 60,000 | Salvator Mundi International Hospital s.r.l | Health Care | Art. 5 (1) a), b) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 60,000 on Salvator Mundi International Hospital s.r.l. The hospital had restricted access to its services to people with a Covid-19 Green Pass. The DPA emphasizes that the handling of personal data in the context of the green pass controls had a legal basis during the pandemic, but points out that the requirement of the green pass for access to healthcare services after the end of the pandemic could not be justified anymore. | link |
2108 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-28 | 50,000 | Azienda Usl Toscana centro | Health Care | Art. 5 (1) a), e), f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 50,000 on Azienda Usl Toscana centro. A person had reported that medical records containing sensitive patient data were still being stored in one of the healthcare facility’s former and vacant buildings which were publicly accessible. | link |
2109 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-28 | 5,000 | Ministero dell’Ambiente e della Sicurezza Energetica | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy, Art. 2-septies (8) Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 5,000 on Ministero dell’Ambiente e della Sicurezza Energetica. The controller had published a document on its website that contained numerous data, including employee health data, without a valid legal basis. The document was publicly accessible for 16 days. | link |
2110 | ITALY | Italian Data Protection Authority (Garante) | 2023-10-12 | 70,000 | Scionti Selezioni Superiori S.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. 24 (1), (2) GDPR, Art. 25 GDPR, Art. 130 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 70,000 on Scionti Selezioni Superiori S.r.l. The controller had made unsolicited marketing calls, in some cases to individuals who were registered in opt-out registers or had not given their consent. The DPA found that the controller had failed to implement appropriate technical and organizational measures to ensure that the processing of the data subjects’ personal data was lawful, for example by checking whether the data subjects were registered in an opt-out register. In addition, the controller had failed to provide data subjects with sufficient information on the processing of their personal data, such as information on their rights. | link link |
2111 | ITALY | Italian Data Protection Authority (Garante) | 2023-09-14 | 5,000 | Nimbus s.r.l. | Employment | Art. 5 (1) a) GDPR, Art. 9 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 5,000 on Nimbus s.r.l. The controller had introduced a biometric attendance system at the workplace without adequately informing the employees and obtaining their consent. | link |
2112 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-11-13 | 110,000 | Rompetrol Downstream SRL | Transportation and Energy | Art. 32 (1) b), (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 110,000 on Rompetrol Downstream SRL. The controller had suffered a data breach in which customer data was repeatedly accessed and used internally without authorization. This resulted in the unauthorized disclosure of personal data such as identity card number, name, address, place of birth, etc. The DPA found that the controller had not taken measures to ensure that any person with access to personal data processes it only on the controller’s instruction, nor had it taken appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. | link |
2113 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 40,000 | Compara Facile S.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 21 (2) GDPR, Art. 24 (1), (2) GDPR, Art. 25 (1) GDPR, Art. 130 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 40,000 on Compara Facile S.r.l. The controller had made unsolicited marketing calls, in some cases to individuals who were registered in opt-out registers, had not given their consent or had requested the deletion of their data. The DPA found that the controller had failed to implement appropriate technical and organizational measures to ensure that the processing of the data subjects’ personal data was lawful. In addition, the controller had failed to provide data subjects with sufficient information on the processing of their personal data. | link link |
2114 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 100,000 | Tiscali Italia SpA | Industry and Commerce | Art. 5 (1) a), b), c), e) GDPR, Art. 5 (2) GDPR, Art. 12 (1) GDPR, Art. 13 (1) a) GDPR, Art. 24 GDPR, Art. 130 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 100,000 on Tiscali Italia SpA. The controller had sent advertising messages to more than 160,000 customers within four months, even though they had not given their consent and there was also no other valid legal basis. The DPA also found that the controller had not sufficiently fulfilled its information obligations. For example, there was a lack of information on the retention period for personal data processed for marketing purposes. | link link |
2115 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-15 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on a private individual. The controller had uploaded an individual’s personal data, including their name, a picture and their telephone number, to advertise a massage service on a website, even though the individual had not given their consent. | link |
2116 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-10-11 | 1,000 | Unknown | Not assigned | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Unlawful disclosure of health data. | link |
2117 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-09-25 | 50,000 | Athens Urban Transport Organization | Transportation and Energy | Art. 5 (1) e) GDPR, Art. 25 (1) GDPR, Art. 35 (1) GDPR | Non-compliance with general data processing principles | The Hellenic DPA imposed a fine of EUR 50,000 on the Athens Urban Transport Organization. As part of its investigation, the DPA found that the controller had failed to comply with the principle of data protection by design and by default. It also failed to carry out a data protection impact assessment and to set appropriate retention periods for the storage of personal data. | link |
2118 | ITALY | Italian Data Protection Authority (Garante) | 2023-08-31 | 25,000 | Robin Srl | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 137 (3) Codice della privacy, Art. 139 Codice della privacy, Art. 6 Regole deontologiche, Art. 7 Regole deontologiche | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 25,000 on Robin Srl. The controller had unlawfully published images of minors that were not sufficiently blurred in the context of reporting on a violent incident. | link |
2119 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-16 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on a private individual. The person had recorded a video of a violent incident involving minors without a valid legal basis. | link |
2120 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-16 | 500 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 500 on a private individual. The individual had installed a video surveillance system in a laundromat operated by them without sufficiently informing data subjects about the CCTV. The DPA considered this to be a breach of Art. 13 GDPR. | link |
2121 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-16 | 20,000 | FORO ASTURIAS | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 20,000 on FORO ASTURIAS. An individual had filed a complaint with the DPA due to the fact that personal data stored by the controller had been disclosed to a media company without authorization and which then published the data in a newspaper. | link |
2122 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2023-09-21 | 2,500 | Unknown | Employment | Art. 5 (1) b), c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The DPA of Luxembourg has imposed a fine of EUR 2,500 on a controller. The controller had used location systems on his service vehicles and construction machinery. During its investigation, the DPA found that the controller had failed to provide its employees with sufficient information about the location systems. In addition, the DPA found a breach of the principle of data minimization, as the location system was also operated outside working hours and had no deactivation function, which meant that employees could be excessively monitored. | link |
2123 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-16 | 20,000 | QUALITY-PROVIDER S.A. | Not assigned | Art. 6 (1) GDPR, Art. 58 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 20,000 on QUALITY-PROVIDER S.A.. The controller had processed the personal data of a data subject without a valid legal basis and had not sufficiently cooperated with the DPA. | link |
2124 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-11-20 | 1,500 | Libra Internet Bank SA | Finance, Insurance and Consulting | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA has imposed a fine of EUR 1,500 on Libra Internet Bank SA for failing to comply with an order issued by the DPA. | link |
2125 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-20 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
2126 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-22 | 400 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The original fine of EUR 500 was reduced to EUR 400 due to immediate payment and admission of responsibility. | link |
2127 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-24 | 10,000 | Pharmacy owner | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 10,000 on a pharmacy owner. The controller had disposed of a large number of personal documents, including medical information of data subjects, in public trash containers that were accessible to other people. | link |
2128 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-24 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered a neighbour property. The DPA considered this to be a violation of the principle of data minimization. | link |
2129 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-20 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on a private individual for unlawfully using the photo of a minor to create a social media profile. | link |
2130 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2023-09-26 | 10,000 | Physician | Health Care | Art. 5 (1) a), b), c) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Austrian DPA has imposed a fine of EUR 10,000 on a physician. The physician had responded to an online review regarding their practice, disclosing personal health data of a patient. | link |
2131 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-27 | 50,000 | SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 50,000 on SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.. A customer had filed a complaint with the DPA due to the fact that the controller had concluded a contract without obtaining their consent beforehand. | link |
2132 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2023-11-02 | 30,000 | Voorschoten municipality | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) e) GDPR, Art. 14 (1) c), d) GDPR | Non-compliance with general data processing principles | The Dutch DPA has imposed a fine of EUR 30,000 on Voorschoten municipality. The municipality had kept information about household waste for longer than necessary and had not sufficiently informed residents. In 2018 and 2019, the municipality of Voorschoten had replaced the waste garbage cans for houses and the underground containers for apartments. These bins were fitted with chips with numbers that were linked to a house address. The aim was to increase the collection of separate waste by limiting the amount of residual waste that residents could dispose of. However, the municipality stored the waste collection data of households for too long. For example, garbage can data was kept for as long as it was in use and underground container token data was stored for five years. According to the DPA, this is much longer than is necessary to check whether a household is exceeding the permitted amount. In addition, the municipality did not sufficiently inform residents about the use of their personal data when collecting waste. | link link |
2133 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-17 | 72,000 | Eurocollege Oxford English Institute S.L. | Public Sector and Education | Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 72,000 on Eurocollege Oxford English Institute S.L. The data subject stated that they had signed a training contract with the affiliated school Centro De Estudios Aeronauticos, S.L. (CEAE). Prior to enrolment, CEAE required the complainant to undergo a medical examination with the presentation of a medical certificate, complete a health declaration with personal health information and present a police clearance certificate. However, during its investigation, the DPA found that the personal information requested by CEAE was neither necessary nor required by law. The controller therefore had no valid legal basis to process the requested data. | link |
2134 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-22 | 56,000 | VODAFONE ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish data protection authority has imposed a fine of EUR 50,000 on VODAFONE ESPAÑA, S.A.U.. A customer had filed a complaint with the DPA regarding the fact that due to a system error, an Amazon sales partner had concluded a contract without first obtaining the consent of the data subject. | link |
2135 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-06-20 | 40,000 | Dante International SA | Industry and Commerce | Art. 12 (2) GDPR, Art. 17 (1) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 40,000 on Dante International SA. During its investigation, the DPA found that the controller had failed to properly comply with a deletion request from a data subject. In addition, the employees were not properly trained to handle data subject requests. Finally, the DPA found that despite requests from a data subject to delete their email, the controller continued to process it without their consent. | link |
2136 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2023-11-27 | 1,700,000 | Norwegian Labor and Welfare Administration | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 32 (1) d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA has imposed a fine of EUR 1.7 million on Arbeids- og velferdsetaten, the Norwegian Labor and Welfare Administration (NAV). During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. For example, the IT systems were not adequately secured. In addition, an excessive number of employees had access to personal data, including very sensitive data in some cases. At the same time, the controller failed to carry out systematic controls regarding employee use of IT systems. In assessing the fine, the DPA considered the fact that the data had been handled insecurely over a long period of time. | link |
2137 | SWEDEN | Data Protection Authority of Sweden | 2023-11-28 | 26,500 | Östersund Municipality’s Department for Children and Education | Public Sector and Education | Art. 35 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 26,500 on the Östersund Municipality’s Department for Children and Education. The authority had failed to carry out a data protection impact assessment before introducing the digital school platform Google Workspace in 24 schools in the municipality. | link |
2138 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-10-08 | 24,000 | Link4 Towarzystwo Ubezpieczeń S. A. | Finance, Insurance and Consulting | Art. 33 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined Link4 Towarzystwo Ubezpieczeń S. A. EUR 24,000 for failing to report a data breach to the DPA in a timely manner. | link |
2139 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-12-06 | 16,600 | Reykjanesbær municipality | Public Sector and Education | Art. 5 (1) GDPR, Art. 24 (1) GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Reykjanesbær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other than those specified by the municipality. Furthermore, the retention period was not considered appropriate but rather too extensive. In imposing the fine, particular consideration was given to the protection of sensitive children’s data. Although no demonstrable damage had occurred, it was criticized that Reykjanesbær had not sufficiently ensured the secure transfer of data to the US in the past. However, the municipality cooperated transparently with the data protection authority and revised its data protection practices. | link |
2140 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-12-06 | 13,300 | City of Reykjavik | Public Sector and Education | Art. 5 (1) GDPR, Art. 24 (1) GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Icelandic DPA has imposed a fine of EUR 13,300 on the city of Reykjavik. The city had used the Google Education system in schools without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city. In imposing the fine, particular consideration was given to the protection of sensitive children’s data. Although no demonstrable damage had occurred, it was criticized that the city had not sufficiently ensured the secure transfer of data to the US in the past. However, the city cooperated transparently with the data protection authority and revised its data protection practices. | link |
2141 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-12-06 | 16,600 | Garðabær municipality | Public Sector and Education | Art. 5 (1) GDPR, Art. 24 (1) GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Garðabær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other than those specified by the municipality. Furthermore, the retention period was not considered appropriate but rather too extensive. In imposing the fine, particular consideration was given to the protection of sensitive children’s data. Although no demonstrable damage had occurred, it was criticized that Garðabær had not sufficiently ensured the secure transfer of data to the US in the past. However, the municipality cooperated transparently with the data protection authority and revised its data protection practices. | link |
2142 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-12-06 | 18,600 | City of Hafnarfjörður | Public Sector and Education | Art. 5 (1) GDPR, Art. 24 (1) GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Icelandic DPA has imposed a fine of EUR 18,600 on the city of Hafnarfjörður. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city. Furthermore, the retention period was not considered appropriate but rather too extensive. In imposing the fine, particular consideration was given to the protection of sensitive children’s data. Although no demonstrable damage had occurred, it was criticized that the city had not sufficiently ensured the secure transfer of data to the US in the past. However, the city cooperated transparently with the data protection authority and revised its data protection practices. | link |
2143 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-11 | 500 | ALBEN AIRPORT FACILITIES S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined ALBEN AIRPORT FACILITIES S.L. EUR 500 for failing to provide information requested by the DPA during an investigation. | link |
2144 | CYPRUS | Cypriot Data Protection Commissioner | 2023-11-22 | 45,000 | Open University of Cyprus | Public Sector and Education | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Cypriot DPA has imposed a fine of EUR 45,000 on Open University of Cyprus. The university had suffered a data breach involving hackers publishing personal data of students, alumni etc. on the dark web. During its investigation, the DPA found that the university had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2145 | ITALY | Italian Data Protection Authority (Garante) | 2023-10-12 | 40,000 | Azienda socio sanitaria territoriale di Lodi CF | Health Care | Art. 5 (1) a), b), c), f) GDPR, Art. 9 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 40,000 on the health authority Azienda socio sanitaria territoriale di Lodi CF. Employees of the health authority had accessed the file of another employee, who was also a patient, without a medical reason or any other legal basis. | link |
2146 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-11-07 | 5,000 | Municipality | Public Sector and Education | Art. 6 (1) GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The Hellenic DPA has imposed a fine of EUR 5,000 on a municipality. The municipality had published a person’s personal data on the municipality’s website and failed to comply with the data subject’s request for deletion. | link |
2147 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-11-10 | 20,000 | Piraeus Leasing S.M.S.A. | Finance, Insurance and Consulting | Art. 5 (1) GDPR, Art. 15 GDPR | Non-compliance with general data processing principles | The Hellenic DPA has imposed a fine of EUR 20,000 on Piraeus Leasing S.M.S.A.. An individual had filed a complaint with the DPA because the controller processed an image on which the license plate of the individual’s car was visible. The DPA also found that the controller had not complied with the request for access to their personal data. | link |
2148 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-12-07 | 24,000 | Hora Credit IFN SA | Finance, Insurance and Consulting | Art. 12 (3) GDPR, Art. 15 GDPR, Art. 32 GDPR, Art. 33 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA imposed a fine of EUR 24,000 on Hora Credit IFN SA. The controller had accidentally sent documents containing the personal data of another person to a customer by e-mail. Although the customer reported the error to the controller, messages continued to be sent to the wrong e-mail address. The controller also failed to respond to the data subject’s request for access to their data in a timely manner. During its investigation, the DPA found that the controller failed to implement sufficient technical and organizational measures to protect personal data. The controller also failed to report the incident to the DPA in a timely manner. | link |
2149 | ITALY | Italian Data Protection Authority (Garante) | 2023-10-26 | 20,000 | Region of Lombardy | Public Sector and Education | Art. 5 GDPR, Art. 6 (1) c), e) GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 20,000 on the Region of Lombardy. In the context of the sale of company shares held by the region, personal data of employees of the companies were unlawfully disclosed. Employees discovered that when they entered their first name and surname in a search engine, a link appeared to the draft contract between the Region and the acquiring company, containing personal data such as income information, employment information, etc. of employees. | link |
2150 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-28 | 10,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on a private individual for publishing intimate images of the data subject on YouTube without their consent. | link |
2151 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-11-16 | 3,200 | Unknown | Not assigned | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 3,200 for failing to provide information requested by the DPA during an investigation. | link |
2152 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-08-30 | 13,000 | Unknown | Not assigned | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 13,000 for failing to provide information requested by the DPA during an investigation. | link |
2153 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2023-12-06 | 20,000 | City of Kópavogur | Public Sector and Education | Art. 5 (1) GDPR, Art. 24 (1) GDPR, Art. 28 GDPR | Non-compliance with general data processing principles | The Icelandic DPA has imposed a fine of EUR 20,000 on the city of Kópavogur. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city. Furthermore, the retention period was not considered appropriate but rather too extensive. In imposing the fine, particular consideration was given to the protection of sensitive children’s data. Although no demonstrable damage had occurred, it was criticized that the city had not sufficiently ensured the secure transfer of data to the US in the past. However, the city cooperated transparently with the data protection authority and revised its data protection practices. | link |
2154 | ITALY | Italian Data Protection Authority (Garante) | 2023-11-16 | 100,000 | Autostrade per l’Italia S.p.A. | Transportation and Energy | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has fined Autostrade per l’Italia S.p.A. EUR 100,000 for failing to adequately respond to requests from employees for access to their personal data. | link |
2155 | FRANCE | French Data Protection Authority (CNIL) | 2023-12-12 | 5,000 | Kourou municipality | Public Sector and Education | Art. 31 GDPR, Art. 37 GDPR | Insufficient cooperation with supervisory authority | The French DPA has imposed a fine of EUR 5,000 on Kourou municipality for failing to appoint a data protection officer and to sufficiently cooperate with the DPA. | link link |
2156 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-23 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
2157 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-26 | 500 | UPMOBILE SOLUTIONS, S.L. | Media, Telecoms and Broadcasting | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined UPMOBILE SOLUTIONS, S.L. EUR 500 for failing to provide information requested by the DPA. | link |
2158 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-19 | 500 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
2159 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-12-11 | 3,000 | Veranda Obor S.A. | Industry and Commerce | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on Veranda Obor S.A.. The controller had disclosed personal data (e.g. name, e-mail address etc.) of lottery participants on its website. | link |
2160 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2023-12-15 | 200 | Private individual | Individuals and Private Associations | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA has fined a private individual EUR 200 for failing to provide information requested by the DPA during an investigation. | link |
2161 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-07 | 600 | Store owner | Not assigned | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 600 on a store owner. The controller had installed video surveillance cameras which, among other things, also covered a neighbour property. The DPA considered this to be a violation of the principle of data minimization. | link |
2162 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-07 | 1,000 | Homeowners’ association | Real Estate | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,000 on a homeowners’ association. A property owner had filed a complaint with the DPA. The controller had published an enforcement notice containing the personal data of the data subject on a notice board. | link |
2163 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-03 | 600 | Homeowners’ association | Real Estate | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a Homeowners Association. The association had installed several video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
2164 | ITALY | Italian Data Protection Authority (Garante) | 2023-11-16 | 40,000 | Amazon Italia Transport s.r.l. | Transportation and Energy | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 40,000 on Amazon Italia Transport s.r.l. for failing to respond adequately to a data subject’s request for access to their personal data. | link |
2165 | ITALY | Italian Data Protection Authority (Garante) | 2023-11-16 | 18,000 | Cluster S.r.l. | Health Care | Art. 5 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA imposed a fine of EUR 18,000 on Cluster S.r.l. A data subject had complained to the DPA because their son’s health-related data and their own personal data had been published on the internet. The controller had organized a medical training event at which documents containing personal data of the data subject and their deceased son were forwarded to the participants without sufficient anonymization. Some documents were later published on the internet by a third party. | link |
2166 | FRANCE | French Data Protection Authority (CNIL) | 2023-12-22 | Unknown | Company | Employment | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The French DPA has imposed a fine on a company. The controller had collected data from applicants, even though the processing of the specific data was not necessary for the job application. | link |
2167 | FRANCE | French Data Protection Authority (CNIL) | 2023-12-22 | Unknown | Candidate for parliamentary elections | Individuals and Private Associations | Art. 21 (2) GDPR | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine on a candidate for parliamentary elections. The candidate had sent the data subject election advertising by email despite the data subject’s objection. | link |
2168 | FRANCE | French Data Protection Authority (CNIL) | 2023-12-22 | Unknown | Municipality | Public Sector and Education | Unknown | Non-compliance with general data processing principles | The French DPA has imposed a fine on a municipality for a lack of security measures (insufficient passwords). | link |
2169 | FRANCE | French Data Protection Authority (CNIL) | 2023-12-22 | Unknown | Unknown | Not assigned | Unknown | Insufficient cooperation with supervisory authority | The French DPA has imposed a fine on a data controller for lack of cooperation. | link |
2170 | UNITED KINGDOM | Information Commissioner (ICO) | 2023-12-13 | 400,000 | UK Ministry of Defense | Public Sector and Education | Unknown | Insufficient technical and organisational measures to ensure information security | The UK DPA has fined the Ministry of Defense EUR 400,000 for disclosing personal data of individuals who were to be relocated to the UK after the Taliban took control of Afghanistan in 2021. The Ministry of Defense had sent an email to a distribution list of Afghan nationals who were eligible for evacuation without hiding the e-mail addresses, thus revealing the personal e-mail addresses and personal data of the recipients to the other e-mail recipients. The ICO stated that if the data had fallen into the hands of the Taliban, it could have led to a threat to lives. | link |
2171 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-12-20 | 23,000 | Polish Minister of Health | Health Care | Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR, Art. 34 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 23,000 on the Polish Minister of Health. The controller had accessed information via a database relating to a physician who had prescribed themselves psychotropic drugs and then later published this information on a social network. | link |
2172 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-21 | 180 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility. | link |
2173 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-21 | 8,000 | EASYJET AIRLINE COMPANY LIMITED | Transportation and Energy | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine on EASYJET AIRLINE COMPANY LIMITED. A data subject had filed a complaint against the controller with the DPA due to the controller’s failure to properly comply with their request for access to their personal data. The original fine of EUR 10,000 was reduced to EUR 8,000 due to voluntary payment. | link |
2174 | ITALY | Italian Data Protection Authority (Garante) | 2023-11-30 | 1,000 | Techno Security s.r.l. | Not assigned | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 1,000 on Techno Security s.r.l. A data subject had filed a complaint with the DPA due to the controller’s failure to respond to a request for access to their personal data. | link |
2175 | GREECE | Hellenic Data Protection Authority (HDPA) | 2023-11-23 | 10,000 | Alpha Bank | Finance, Insurance and Consulting | Art. 12 (3) GDPR, Art. 15 (1), (3) GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 10,000 on Alpha Bank. A data subject had filed a complaint with the DPA due to the controller’s failure to respond to a request of access to their personal data in a timely manner. | link |
2176 | ITALY | Italian Data Protection Authority (Garante) | 2023-10-26 | 1,000 | Homeowner administrator | Real Estate | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Italian DPA imposed a fine of EUR 1,000 on a homeowner administrator who had installed a video surveillance system without a permit from the homeowners’ association. | link |
2177 | ITALY | Italian Data Protection Authority (Garante) | 2023-11-16 | 20,000 | Comune di Lonato del Garda | Public Sector and Education | Art. 5 (1) a), b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 20,000 on the municipality ‘Comune di Lonato del Garda’ for the unlawful use of audio-video recordings of a work interview. | link link |
2178 | ITALY | Italian Data Protection Authority (Garante) | 2023-11-16 | 50,000 | Comune di Castel Goffredo | Public Sector and Education | Art. 5 (1) a), e) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 35 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 50,000 on the municipality ‘Comune di Castel Goffredo’ for the unlawful use of audio-video recordings of a work interview. | link link |
2179 | ITALY | Italian Data Protection Authority (Garante) | 2023-06-08 | 40,000 | RCS Mediagroup S.p.a. | Media, Telecoms and Broadcasting | Art. 5 (1) a), c) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 40,000 on RCS Mediagroup S.p.a. for publishing images of an individual without a valid legal basis. | link link |
2180 | ITALY | Italian Data Protection Authority (Garante) | 2023-11-30 | 3,000 | A R.L Spartan Gym | Industry and Commerce | Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has fined A R.L Spartan Gym EUR 3,000. The controller had operated video surveillance cameras in one of their premises without the required authorization. Furthermore, the DPA found that the controller failed to properly inform about the CCTV and the processing of personal data by the cameras. | link |
2181 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-04-20 | 5,400 | Disciplinary officer | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 5,400 on a disciplinary officer of the Polish Bar Association after an unencrypted USB stick containing personal data was lost. | link |
2182 | POLAND | Polish National Personal Data Protection Office (UODO) | 2022-12-30 | 6,300 | Company | Not assigned | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a company EUR 6,300 for failing to provide information requested by the DPA during an investigation. | link |
2183 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2024-01-15 | 150,000 | International Card Services B.V. | Finance, Insurance and Consulting | Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Dutch DPA has imposed a fine of EUR 150,000 on International Card Services B.V. (ICS). ICS failed to carry out a data protection impact assessment before starting the digital identification of customers in the Netherlands in 2019. The identity check covered around 1.5 million people and involved sensitive personal data such as pictures of the data subjects. | link |
2184 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-12-01 | 30,000 | UNIPREX, S.A. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on UNIPREX, S.A. The controller had published a video of a violent incident on the internet without anonymizing the faces of the individuals involved. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of responsibility. | link |
2185 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-01-12 | 17,000 | Alior Bank SA | Finance, Insurance and Consulting | Art. 5 (1) a), b) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 17,000 on Alior Bank SA. The investigation was initiated following complaints that the bank continued to send unsolicited electronic correspondence after the termination of the contractual relationship, even though the affected customer had requested the deletion of their data. | link |
2186 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-01-15 | 3,000 | TECHNINK LEB SRL | Industry and Commerce | Art. 32 (1) a), b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on TECHNINK LEB SRL. The controller had suffered a data breach in which personal customer data had been unlawfully disclosed. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. | link |
2187 | ITALY | Italian Data Protection Authority (Garante) | 2023-11-30 | 60,000 | Limit Call S.r.l.s. | Media, Telecoms and Broadcasting | Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 24 GDPR, Art. 130 Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 60,000 on Limit Call S.r.l.s. for unauthorized telemarketing. The controller had acquired lists of personal data without checking the legality of the data transfer, e.g. whether the data could also be used for commercial purposes or whether the data subjects had given their consent. In addition, it was not checked whether the telephone numbers called were entered in the public objection register. | link link |
2188 | ITALY | Italian Data Protection Authority (Garante) | 2023-12-07 | 1,000 | Sirio S.p.A. | Employment | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 1,000 on Sirio S.p.A. An employee filed a complaint with the DPA because the controller had passed on their personal data to a bank without their consent and without informing them. | link |
2189 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-17 | 4,000 | LEADDESK, S.L | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined LEADDESK, S.L EUR 4,000 for failing to provide information requested by the DPA. | link |
2190 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-20 | 200 | Private individual | Individuals and Private Associations | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined a private individual EUR 200 for failing to provide information requested by the DPA. | link |
2191 | ITALY | Italian Data Protection Authority (Garante) | 2023-12-07 | 40,000 | Azienda socio sanitaria territoriale nord Milano, C.F. | Health Care | Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 25 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 40,000 on Azienda socio sanitaria territoriale nord Milano, C.F. During its investigation, the DPA found that a patient’s spouse had received their husband’s COVID test report from an employee of the health authority without authorization. | link |
2192 | FRANCE | French Data Protection Authority (CNIL) | 2024-01-23 | 32,000,000 | AMAZON FRANCE LOGISTIQUE | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The French DPA (CNIL) has imposed a fine of EUR 32 million on AMAZON FRANCE LOGISTIQUE for unlawful surveillance of employees. The CNIL found that Amazon France equips its warehouse employees with a scanner to document certain tasks. Each scan records data that is stored and can be used to calculate a series of indicators providing information on the productivity of each employee. The CNIL considered the establishment of a system that measures interruptions in activity with precision and potentially forces the employee to justify each break or interruption to be unlawful. The CNIL also noted that the data collected by the system and the statistical indicators derived from it were stored for 31 days. While the CNIL did not doubt that Amazon’s intensive business needs and high performance objectives could justify the implementation of the scanner system for business management, it considered the extensive storage of all these data and statistical indicators to be disproportionate and therefore unlawful. The CNIL also found a breach of the information and transparency obligation under the GDPR, as employees and external visitors were not adequately informed about the systems. Finally, the CNIL found that the video surveillance software was not sufficiently secured. | link link |
2193 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-12-07 | 2,700 | Unknown | Not assigned | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 2,700 for failing to provide information requested by the DPA during an investigation. | link |
2194 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-12-21 | 4,300 | Unknown | Not assigned | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 4,400 for failing to provide information requested by the DPA during an investigation. | link |
2195 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-01-30 | 2,000 | Sectorul 1 al Municipiului București | Public Sector and Education | Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA has fined Sectorul 1 al Municipiului București EUR 2,000 for failing to provide information requested by the DPA during an investigation. | link |
2196 | ITALY | Italian Data Protection Authority (Garante) | 2023-12-07 | 2,000 | Mushtaq Rubina Kebabish | Accomodation and Hospitalty | Art. 5 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined Mushtaq Rubina Kebabish EUR 2,000. The controller had operated video surveillance cameras in one of their premises without properly informing about the CCTV and the processing of personal data by the cameras. | link |
2197 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-12-17 | 400 | TITAN STRONG, S.L. | Industry and Commerce | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine on TITAN STRONG, S.L. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 500 was reduced to EUR 400 due to voluntary payment. | link |
2198 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-12-07 | 3,200 | SOLAR PROGRESS, S.L. | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on SOLAR PROGRESS, S.L.. The controller had published a screenshot with an email from a former employee who had a professional question in a WhatsApp group without deleting the personal details of the data subject. The original fine of EUR 5,000 was reduced to EUR 3,200 due to voluntary payment and admission of responsibility. | link |
2199 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2023-12-11 | 10,000,000 | Uber Technologies Inc., Uber B.V. | Employment | Art. 12 (1), (2) GDPR, Art. 13 (1) f) GDPR, Art. 13 (2) a), b) GDPR | Insufficient fulfilment of information obligations | The Dutch DPA has fined Uber Technologies Inc. and Uber B.V. EUR 10 million for failing to provide sufficient information about the storage period of European drivers’ data and the countries outside of the EU to which the data was transferred. The DPA also found that Uber made it unnecessarily difficult for drivers to request access to their data. Although there was a digital form in the app that drivers could use to request access, it was not placed in an easily accessible position. In addition, Uber did not respond to the requests of data subjects in a comprehensible manner. In determining the amount of the fine, the DPA took into account the size of the company and the severity and scope of the infringements. At the time of Uber’s infringements, around 120,000 drivers were working for Uber in Europe. | link link |
2200 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2023-01-24 | 8,000 | Company | Health Care | Art. 5 (1) a) GDPR, Art. 15 (1) a), b), c), d), g) GDPR, Art. 15 (3) GDPR | Insufficient fulfilment of data subjects rights | The Lithuanian DPA has fined a company EUR 8,000. The controller failed to properly fulfil the data subject’s right to access their personal data processed by the company. The controller partially provided information about the processing of the data subject’s personal data, but the data subject was not given the opportunity to verify the legal basis (or bases) for the processing of their personal data, the specific data being processed, the purposes of processing, the retention period, etc. | link |
2201 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-07-28 | 2,500,000 | Open Bank, S.A. | Finance, Insurance and Consulting | Art. 25 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has fined Open Bank, S.A. EUR 2.5 million. A data subject had filed a complaint with the DPA after being asked to provide proof of origin for payments on their account to ensure compliance with anti-money laundering regulations. However, the controller did not provide a secure mechanism for submitting this information, but requested the data subject to submit the documents by email. The DPA therefore found that the controller had failed to take appropriate technical and organizational measures to protect personal data, which would have been necessary given the sensitivity of the data concerned. | link |
2202 | GREECE | Hellenic Data Protection Authority (HDPA) | 2024-01-29 | 25,000 | Ministry of Rural Development and Food | Public Sector and Education | Art. 31 GDPR, Art. 37 GDPR | Insufficient involvement of data protection officer | The Hellenic DPA has imposed a fine of EUR 25,000 on the Ministry of Rural Development and Food for failing to appoint a data protection officer and not sufficiently cooperating with the DPA. | link |
2203 | GREECE | Hellenic Data Protection Authority (HDPA) | 2024-01-29 | 5,000 | Municipality of Athens | Public Sector and Education | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Hellenic DPA has imposed a fine of EUR 5,000 on the municipality of Athens for failing to sufficiently cooperate with the DPA. | link |
2204 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-20 | 200 | Private individual | Individuals and Private Associations | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined a private individual EUR 200 for failing to provide information requested by the DPA. | link |
2205 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-01-11 | 1,000 | ATLAS ENTERTAINMENT, S.L. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on ATLAS ENTERTAINMENT, S.L. for failing to comply with an order issued by the DPA. | link |
2206 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-08-23 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
2207 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2023-12-12 | 5,900 | Unknown | Not assigned | Art. 31 (1) GDPR, Art. 33 (1) GDPR, Art. 33 (3) a), d) GDPR | Insufficient fulfilment of data breach notification obligations | The Austrian DPA fined a controller EUR 5,900 for failing to report a data breach in a timely manner and for not cooperating with the DPA. | link |
2208 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-02-05 | 500 | Owners’ association | Individuals and Private Associations | Art. 5 (1) a), c) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 12 (3), (4) GDPR | Non-compliance with general data processing principles | The Romanian DPA has imposed a fine of EUR 500 on an owners’ association for publishing personal data of an individual in a WhatsApp group without a valid legal basis and for failing to respond appropriately to a request to exercise data subject rights. | link |
2209 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-02-07 | 2,000 | Account Exchange SRL | Finance, Insurance and Consulting | Art. 5 (1) a), c) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 2,000 on Account Exchange SRL for using personal data without the consent of the data subjects. | link |
2210 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-02-26 | 3,000 | VESTA CEU ROMÂNIA SRL | Transportation and Energy | Art. 32 (1) b) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on VESTA CEU ROMÂNIA SRL. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. The controller had disclosed personal data such as name, place of residence, salary, CV and copies of passports to employees without authorization, who then accessed the data internally and illegally passed it on to third parties. According to the DPA, the controller had failed to implement adequate technical and organizational measures to protect personal data, which allowed such an incident to occur. | link |
2211 | ITALY | Italian Data Protection Authority (Garante) | 2024-01-24 | 6,000 | Municipality | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) c), e) GDPR, Art. 9 GDPR, Art. 37 (7) GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy, Art. 2-septies (8) Codice della privacy, Art. 157 Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 6,000 on a municipality. The municipality had unlawfully published information on citizens’ Covid cases on its Facebook page. The municipality also failed to appoint a data protection officer and provide the authority with their contact details in due time. | link |
2212 | ITALY | Italian Data Protection Authority (Garante) | 2024-01-24 | 8,000 | Municipality of Salento | Public Sector and Education | Art. 58 (2) c) GDPR, Art. 157 Codice della privacy | Insufficient cooperation with supervisory authority | The Italian DPA has imposed a fine of EUR 8,000 on the municipality of Salento for failing to respond to an information request from the DPA in a timely manner. | link |
2213 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-01-18 | 2,300 | Unknown | Not assigned | Art. 33 (1) GDPR, Art. 34 (1), (2) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner. | link |
2214 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-13 | 200,000 | CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. The controller had included the data subject’s personal data in a credit reporting register without a sufficient legal basis. The controller justified this with alleged debts that the data subject had with the controller. In fact, however, the parties were still involved in ongoing court proceedings. | link |
2215 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-12-17 | 600 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 600 on a private individual. The controller had installed a video surveillance camera in a residential building which recorded a communal area without this having been approved by the owners’ meeting and without providing information about the video surveillance. | link |
2216 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-26 | 5,000,000 | CAIXABANK, S.A. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 5 million on CAIXABANK, S.A. A customer had filed a complaint about having access to a document containing information on a transfer from a third party. The document contained personal data of the third party, such as the name and bank details of the data subject. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data and prevent such incidents. The DPA also found that the controller had failed to comply with the principle of data protection by design and by default, as it acted reactively rather than proactively in handling the complaint. | link |
2217 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-23 | 50,000 | Oney Servicios Financieros E.F.C. | Finance, Insurance and Consulting | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 50,000 on Oney Servicios Financieros E.F.C. The controller had submitted data from the data subject to a credit information system because of an alleged debt. However, the debt had been cancelled, which was also confirmed by a court ruling. For this reason, the DPA determined that the disclosure of the data subject’s personal data was unlawful. | link |
2218 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-30 | 600 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. | link |
2219 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-31 | 300 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 600 on a private individual. The controller had installed a video surveillance camera which recorded a communal area without this having been approved by the owners’ meeting. | link |
2220 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-25 | 6,100,000 | ENDESA ENERGÍA, S.A.U. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 34 GDPR, Art. 44 GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined ENDESA ENERGÍA, S.A.U. EUR 6.1 million due to a security breach resulting in unauthorized access to its systems. The controller had informed the DPA that certain Facebook ads had been placed offering the sale of login credentials for the Endesa platform, resulting in the compromise of data such as names, first names, ID numbers, telephone numbers, email addresses, postal addresses and bank account numbers of millions of individuals. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such incidents. In addition, the controller failed to inform the DPA and the data subjects of the security incident in a timely manner. Finally, the DPA found that the controller did not implement adequate safeguards for the transfer of personal data to countries not covered by an adequacy decision of the EU Commission. | link |
2221 | ITALY | Italian Data Protection Authority (Garante) | 2024-01-31 | 5,000 | Municipality of Siracusa | Public Sector and Education | Art. 37 (7) GDPR | Insufficient involvement of data protection officer | The Italian DPA has imposed a fine of EUR 5,000 on the municipality of Siracusa for failing to provide the DPA with the contact details of their data protection officer in good time. | link |
2222 | ITALY | Italian Data Protection Authority (Garante) | 2024-01-31 | 2,000 | Libero Consorzio comunale di Caltanissetta | Public Sector and Education | Art. 37 (7) GDPR | Insufficient involvement of data protection officer | The Italian DPA has imposed a fine of EUR 2,000 on Libero Consorzio comunale di Caltanissetta for failing to provide the DPA with the contact details of their data protection officer in good time. | link |
2223 | ITALY | Italian Data Protection Authority (Garante) | 2024-01-31 | 2,000 | Provincia di Catanzaro | Public Sector and Education | Art. 37 (7) GDPR | Insufficient involvement of data protection officer | The Italian DPA has imposed a fine of EUR 2,000 on Provincia di Catanzaro for failing to provide the DPA with the contact details of their data protection officer in good time. | link |
2224 | ITALY | Italian Data Protection Authority (Garante) | 2024-01-31 | 2,000 | Provincia di Sassari | Public Sector and Education | Art. 37 (7) GDPR | Insufficient involvement of data protection officer | The Italian DPA has imposed a fine of EUR 2,000 on Provincia di Sassari for failing to provide the DPA with the contact details of their data protection officer in good time. | link |
2225 | BELGIUM | Belgian Data Protection Authority (APD) | 2024-01-16 | 174,640 | Black Tiger Belgium | Industry and Commerce | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 30 GDPR | Insufficient fulfilment of information obligations | The Belgian DPA has imposed a fine of EUR 174,640 on Black Tiger Belgium. An individual had filed a complaint with the DPA due to the controller’s failure to properly comply with their request to exercise their right of access. During its investigation, the DPA further found that the controller had processed personal data in various databases without sufficiently informing the data subjects. The DPA also found that the data retention period of 15 years was excessively long and not necessary. Finally, the DPA found that the company’s register of processing activities lacked information. | link link |
2226 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-01-24 | 1,200 | VUKMAL TRADE, S.L. | Employment | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on VUKMAL TRADE, S.L. A former employee had filed a complaint against the controller due to the unlawful disclosure of their private mobile number. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility. | link |
2227 | ITALY | Italian Data Protection Authority (Garante) | 2024-02-08 | 2,800,000 | UniCredit S.p.a. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 2.8 million on UniCredit S.p.a. The bank had suffered a cyberattack on its mobile banking portal, during which the attackers gained access to numerous data (e.g. name, social security number, identification codes) of thousands of customers and former customers. The attackers were also able to determine the PIN to access the portal of over 6,800 customers. During its investigation, the DPA found that the controller had failed to implement appropriate technical and security measures to counter such a cyber attack. The controller also did not prevent customers from using weak PINs. In setting the fine, the DPA considered the large number of data subjects and the seriousness of the breach. However, the fact that the bank took remedial action in good time and that no bank data was affected was taken into account positively. | link link |
2228 | ITALY | Italian Data Protection Authority (Garante) | 2024-01-24 | 2,000 | Istituto Comprensivo Statale “F.S. Cabrini” | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) c), e) GDPR, Art. 2-ter (1), (3) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 2,000 on Istituto Comprensivo Statale “F.S. Cabrini”. The controller had published a document, which contained personal data of school employees, on its website. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and therefore had acted unlawfully. | link |
2229 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2023 | Unknown | Private individual | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | The DPA in Baden-Wuerttemberg imposed a fine on a private individual for installing a motion tracker on the data subject’s car without their consent. | link |
2230 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2023 | Fine in four-digit amount | Pizza delivery service | Accomodation and Hospitalty | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The DPA of Baden-Wuerttemberg has imposed a four-digit fine on a pizza delivery service. The controller had disposed of receipts containing customers’ personal data at a public waste disposal site. | link |
2231 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2023 | Fine in four-digit amount | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful use of a dashcam | link |
2232 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2023 | 2,000 | Private individual | Individuals and Private Associations | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The DPA of Baden-Wuerttemberg has imposed a fine of EUR 2,000 on a clinic employee. The employee had unlawfully accessed a patient administration system in order to find out more about their new neighbor. This not only gave them access to personal details of the data subject, but also to medical information about them. | link |
2233 | GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2023 | 1,200 | Police officer | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | The DPA of Baden-Wuerttemberg has imposed a fine of EUR 1,200 on a police officer. The officer had accessed data in police databases for private research purposes without a valid legal basis. | link |
2234 | GERMANY | Data Protection Authority of Bremen | 2023 | Unknown | Company | Employment | Unknown | Insufficient legal basis for data processing | The DPA of Bremen has imposed a fine on a company. The controller had installed video cameras in the offices and monitored employees before, during and after their working hours as well as customers without authorization over a period of two years. | link |
2235 | GERMANY | Data Protection Authority of Bremen | 2023 | Unknown | Company | Employment | Art. 6 (1) a) GDPR | Insufficient legal basis for data processing | The DPA in Bremen has imposed a fine on a company. The controller had stored an applicant’s application documents after the application process for the purpose of further retention for the purpose of considering the applicant for future vacancies but had not obtained consent from the applicant in question. | link |
2236 | GERMANY | Data Protection Authority of Bremen | 2023 | Unknown | Company | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Bremen has imposed a fine on a company. The controller had stored the contact details of former employees without their prior consent in order to contact them in the future to offer them further job opportunities. | link |
2237 | GERMANY | Data Protection Authority of Bremen | 2023 | Unknown | Clinic | Health Care | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Bremen has imposed a fine on a clinic for transmitting an unredacted treatment report on the psychiatric treatment of the data subject to an accident insurance fund without a valid legal basis. | link |
2238 | GERMANY | Data Protection Authority of Bremen | 2023 | Unknown | Real estate agency | Real Estate | Unknown | Insufficient legal basis for data processing | The DPA of Bremen has imposed five fines on a real estate agency. The controller had repeatedly sent advertising messages to a former prospect and tried to contact them by telephone, even after the data subject had asked for their data to be deleted. | link |
2239 | GERMANY | Data Protection Authority of Bremen | 2023 | Unknown | Operator of a dating platform | Not assigned | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Bremen has imposed a fine on the operator of an online dating platform. The controller had not provided an email verification procedure for registration on its dating platform. This resulted in a third party being able to register on the portal using the email address of the data subject. | link |
2240 | GERMANY | Data Protection Authority of Bremen | 2023 | Unknown | Website operator | Not assigned | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Bremen has imposed five fines on website operators for using the tracking tool ‘Google Analytics’ without the prior consent of website users. | link |
2241 | GERMANY | Data Protection Authority of Bremen | 2023 | Fine amount between EUR 100 and EUR 1,000 | Police officers | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | The DPA of Bremen has imposed ten fines between EUR 100 and EUR 1,000 on police officers for unlawfully accessing police databases. | link |
2242 | ITALY | Italian Data Protection Authority (Garante) | 2024-02-08 | 800,000 | NTT Data Italia S.P.A | Industry and Commerce | Art. 28 (2) GDPR, Art. 33 (2) GDPR | Insufficient fulfilment of data breach notification obligations | The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the data controller. | link link |
2243 | FINLAND | Deputy Data Protection Ombudsman | 2024-03-06 | 856,000 | Verkkokauppa.com | Industry and Commerce | Art. 5 (1) e) GDPR, Art. 25 (2) GDPR | Non-compliance with general data processing principles | The Finnish DPA has imposed a fine of EUR 856,000 on Verkkokauppa.com Plc for not specifying the retention period of customer account data of e-commerce customers. The DPA also found that in order to make an online purchase, customers were required to create a customer account or register. | link link |
2244 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-03-05 | 5,000 | EURO MINI STORAGE ROMANIA SRL | Industry and Commerce | Art. 24 GDPR, Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 5,000 on EURO MINI STORAGE ROMANIA SRL. The controller had suffered a data breach in which customer data was accessed without authorization. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to prevent such an incident. | link |
2245 | ITALY | Italian Data Protection Authority (Garante) | 2024-02-08 | 300,000 | Medtronic Italia | Health Care | Art. 5 (1) a), f) GDPR, Art. 9 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 300,000 on Medtronic Italia. The controller had sent emails in an open distribution list to hundreds of individuals using the controller’s app to measure their blood glucose levels, making the email addresses of all recipients visible to the other recipients. This made it possible to draw conclusions about whether the data subjects had diabetes. The controller also failed to adequately inform data subjects about the processing of their personal data. | link link |
2246 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-01 | 36,000 | HISPAPOST, S.A. | Transportation and Energy | Art. 28 (3) GDPR | Insufficient fulfilment of data breach notification obligations | The Spanish DPA has imposed a fine on HISPAPOST, S.A. The police had found over a thousand abandoned letters bearing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment. | link |
2247 | CYPRUS | Cypriot Data Protection Commissioner | 2023-12-07 | 1,500 | Physician | Health Care | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The Cypriot DPA has imposed a fine of EUR 1,500 on a physician. An individual had filed a complaint with the DPA because the physician had accessed their personal data in a healthcare system, even though the physician had not treated the individual or obtained their consent. | link link |
2248 | CYPRUS | Cypriot Data Protection Commissioner | 2023 | 8,000 | Bank of Cyprus Public Company Ltd. | Finance, Insurance and Consulting | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The Cypriot DPA has imposed a fine of EUR 8,000 on Bank of Cyprus Public Company Ltd. The controller had stored inaccurate data about a data subject in its system. | link |
2249 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-01-19 | 56,000 | BANCO BILBAO VIZCAYA ARGENTARIA, S.A | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on BANCO BILBAO VIZCAYA ARGENTARIA, S.A. An individual had filed a complaint with the DPA because the controller had disclosed their personal data to their spouse without their consent. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment. | link |
2250 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-01-23 | 200,000 | ORANGE ESPAGNE S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on Orange Espagne S.A.U. A person had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
2251 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-12-23 | 3,500 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on a private individual. The private individual had installed a camera in their apartment, where they also rented out a room, covering common areas. In addition, the person had failed to inform about the video surveillance. | link |
2252 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-12-12 | 10,000 | VACACIONES EDREAMS, S.L. | Industry and Commerce | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine of EUR 10,000 on VACACIONES EDREAMS, S.L. A data subject had filed a complaint against the controller with the DPA due to the controller’s failure to properly comply with their request for access to their personal data. | link |
2253 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-12-19 | 2,300 | District Court Krakow | Public Sector and Education | Art. 33 (1), (3) GDPR, Art. 34 (1), (2) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined the District Court in Krakow EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner. | link |
2254 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-10-18 | 24,000 | Insurance company | Finance, Insurance and Consulting | Art. 33 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined an insurance company EUR 24,000 for failing to report a data breach to the DPA in a timely manner. | link |
2255 | ITALY | Italian Data Protection Authority (Garante) | 2023-12-21 | 2,000 | Company | Not assigned | Art. 5 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined a company (an s.r.l.) EUR 2,000. The controller had installed video surveillance cameras on its premises without properly informing the data subjects about the processing of their data by the video surveillance. | link |
2256 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2023 | 50,700 | Political party | Public Sector and Education | Unknown | Unknown | The Austrian DPA has imposed a fine of EUR 50,700 on a political party. The controller had sent two emails in an open distribution list. This allowed the recipients to view the email addresses of all other recipients and to determine the workplace of the data subjects. | link |
2257 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2024-03-24 | 10,000 | Stjörnuna ehf | Industry and Commerce | Art. 5 (1) a), b), c) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Icelandic DPA has imposed a fine of EUR 10,000 on Stjörnuna ehf. (the operator of a Subway branch). An employee had filed a complaint with the DPA regarding video surveillance in the restaurant. During its investigation, the DPA found that the video surveillance of the employees lacked a valid legal basis and was not considered necessary. The DPA also found that the controller failed to inform the employees about the video surveillance. | link |
2258 | POLAND | Polish National Personal Data Protection Office (UODO) | 2023-12-13 | 5,500 | Company | Not assigned | Unknown | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 5,500 for failing to sufficiently cooperate with the DPA during an investigation. | link |
2259 | ITALY | Italian Data Protection Authority (Garante) | 2024-02-22 | 50,000 | Azienda Trasporto Passeggeri Emilia-Romagna S.p.A. | Transportation and Energy | Art. 5 (1) a), e) GDPR, Art. 5 (2) GDPR, Art. 6 (1) a) GDPR, Art. 7 GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 21 (4) GDPR, Art. 130 (2), (3) Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 50,000 on the transport company Azienda Trasporto Passeggeri Emilia-Romagna S.p.A. The controller provided insufficient information on data processing on a form used to conclude a public transport subscription. The form did not allow a distinction between mandatory and optional data (such as cell phone number and email address) and did not clearly inform users of their right to object to processing for direct marketing purposes. | link link |
2260 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-03-12 | 326,000 | Santander Bank Polska S.A. | Finance, Insurance and Consulting | Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined Santander Bank Polska S.A. EUR 326,000 for failing to report a data breach to the DPA and data subjects in a timely manner. | link link |
2261 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-03-12 | 18,000 | Toyota Bank Polska S.A. | Finance, Insurance and Consulting | Art. 33 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined Toyota Bank Polska S.A. EUR 18,000 for failing to report a data breach to the DPA in a timely manner. | link link |
2262 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-13 | 40,000 | IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA. | Transportation and Energy | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine on IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA. A data subject had filed a complaint against the controller with the DPA due to the controller’s failure to properly comply with their request for access to their personal data. The original fine of EUR 50,000 was reduced to EUR 40,000 due to the voluntary payment. | link |
2263 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-08 | 200,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
2264 | ITALY | Italian Data Protection Authority (Garante) | 2024-02-07 | 5,000 | Wi-Planet sas di Torri Carlo Alberto e c. | Media, Telecoms and Broadcasting | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 5,000 on Wi-Planet sas di Torri Carlo Alberto e c. A data subject had filed a complaint with the DPA due to the controller’s failure to respond to a request for access to their personal data. | link |
2265 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-08 | 30,000 | CENTRO MÉDICO SALUS BALEARES, S.L. | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 30,000 on CENTRO MÉDICO SALUS BALEARES, S.L. An individual had filed a complaint with the DPA due to the clinic’s use of an electronic clinical thermometer whose temperature display was attached to a screen on the wall, so that the body temperature remained briefly visible to third parties in the waiting room after the individual moved away from the device. | link |
2266 | GREECE | Hellenic Data Protection Authority (HDPA) | 2024-04-02 | 175,000 | Greek Ministry of Immigration and Asylum | Public Sector and Education | Art. 25 GDPR, Art. 31 GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 175,000 on the Greek Ministry of Immigration and Asylum. The DPA found that the controller had failed to properly carry out a required data protection impact assessment and had not cooperated properly with the DPA. | link link |
2267 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-12 | 365,000 | CTC EXTERNALIZACIÓN, S.L | Employment | Art. 13 GDPR, Art. 32 GDPR, Art. 35 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 365,000 on CTC EXTERNALIZACIÓN, S.L. An employee had filed a complaint with the DPA because the controller had requested fingerprints of employees in order to implement a new time and attendance system. However, it was not communicated that the fingerprints would also be stored in the staff portal. For this reason, the DPA found that the controller had violated its duty to inform. The DPA also found that the controller was unable to demonstrate sufficient security measures for the processing of fingerprints. Finally, the DPA found that the controller had failed to carry out a required data protection impact assessment. | link |
2268 | ITALY | Italian Data Protection Authority (Garante) | 2024-02-08 | 18,000 | Azienda socio-sanitaria locale n. 1 di Sassari | Health Care | Art. 5 GDPR, Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 18,000 on Azienda socio-sanitaria locale n. 1 di Sassari. The controller had mistakenly sent an e-mail containing health data of the data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data. | link |
2269 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-01-23 | 7,500 | ROUNDED TECHNOLOGIES, S.L. | Industry and Commerce | Art. 21 LSSI, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine of EUR 7,500 on ROUNDED TECHNOLOGIES, S.L. The company continued to send a customer a newsletter by e-mail, although they had previously expressly objected to the sending of further e-mails. | link |
2270 | ITALY | Italian Data Protection Authority (Garante) | 2023-07-18 | 45,000 | Municipality of Modica | Public Sector and Education | Art. 5 (1) a), c), e) GDPR, Art. 5 (2) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 37 (1), (7) GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 45,000 on the municipality of Modica for monitoring waste disposal sites with CCTV without providing sufficient information to citizens. During its investigation, the DPA also found that the municipality had not properly regulated the processing with the companies responsible for the CCTV management. The municipality also failed to appoint a data protection officer and stored the recorded images excessively. | link |
2271 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-13 | 4,000 | ASNEF-EQUIFAX, SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. | Finance, Insurance and Consulting | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine on ASNEF-EQUIFAX, SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. A data subject had filed a complaint against the controller with the DPA due to the controller’s failure to properly comply with their request for access to their personal data. The original fine of EUR 5,000 was reduced to EUR 4,000 due to voluntary payment. | link |
2272 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-13 | 100,000 | VODAFONE ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA imposed a fine of EUR 100,000 on VODAFONE ESPAÑA, S.A.U. for insufficient legal basis for data processing. The data subject had filed a complaint against the controller due to the fact that fraudulent third parties had requested the portability of their mobile line without their consent and had concluded a contract for the purchase of a cell phone in their name. The controller failed to adequately verify whether the contracts were lawful and had actually been concluded by the data subject. | link |
2273 | ITALY | Italian Data Protection Authority (Garante) | 2024-02-22 | 2,000 | Camera di Commercio Industria Artigianato e Agricoltura | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 2,000 on Camera di Commercio Industria Artigianato e Agricoltura. An individual had filed a complaint against the controller with the DPA because the controller had published a decision without redacting the personal data of the data subject. The controller had previously been involved in a legal dispute with the data subject. | link |
2274 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-06 | 160,000 | SANITAS, S.A. DE SEGUROS | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on SANITAS, S.A. DE SEGUROS. A customer had filed a complaint with the DPA due to the fact that the controller had concluded a contract without obtaining their consent. The original fine of EUR 200,000 was reduced to EUR 160,000 due to voluntary payment. | link |
2275 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-06-22 | 1,600 | URQUÍA & BAS, CORREDURÍA DE SEGUROS S.L. | Finance, Insurance and Consulting | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The Spanish DPA has fined URQUÍA & BAS, CORREDURÍA DE SEGUROS S.L. for failing to report a data breach to the DPA in a timely manner. The original fine of EUR 2,000 was reduced due to voluntary payment and admission of responsibility. | link |
2276 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-15 | 800 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered public space. The DPA considered this a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of their data by the video surveillance and had thus violated its duty to inform. The original fine of EUR 1,000 was reduced to EUR 800 due to voluntary payment. | link |
2277 | BULGARIA | Bulgarian Commission for Personal Data Protection (KZLD) | 2023-02-09 | 5,100 | Unknown | Employment | Art. 5 (1) a), b) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The Bulgarian DPA has imposed a fine of EUR 5,100 on a data controller. An employee of the controller had lodged a complaint with the DPA. The employee had received a ticket for a traffic offense in Germany that they apparently committed while driving one of the controller’s vehicles. However, the data subject correctly stated that at the time of the traffic offense they had been on sick leave and someone else had been driving the vehicle. For this reason, the DPA found that the controller had unlawfully disclosed the data subject’s personal data to the German authorities. | link |
2278 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-25 | 27,000 | 20 MINUTOS EDITORA, S.L. | Media, Telecoms and Broadcasting | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine on 20 MINUTOS EDITORA, S.L. for failing to prove compliance with an order issued by the DPA. The original fine of EUR 45,000 was reduced to EUR 27,000 due to voluntary payment and acknowledgement of responsibility. | link |
2279 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-02 | 48,000 | INSTITUT MARQUÉS OBSTETRICIA I GINECOLOGIA, S.L.P. | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 34 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on INSTITUT MARQUÉS OBSTETRICIA I GINECOLOGIA, S.L.P. The controller had suffered a data breach in which personal patient and employee data had been unlawfully accessed. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. The DPA also found that the controller had failed to properly inform data subjects about the data breach. The original fine of EUR 80,000 was reduced to EUR 48,000 due to voluntary payment and acknowledgement of responsibility. | link |
2280 | GERMANY | Data Protection Authority of Hamburg | 2023 | 75,000 | Company | Employment | Art. 9 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Hamburg imposed a fine of EUR 75,000 on a company. An employee had lodged a complaint with the DPA because they had to report their sickness-related absences by e-mail to a distribution list of 25 colleagues and superiors, although the internal company guideline stipulated that the sickness report only had to be submitted to the manager of the respective department. In addition, their manager had sent an e-mail to a distribution list with several recipients listing all of their sick days. During its investigation, the DPA found that such extensive disclosure was not necessary and therefore unlawful. | link |
2281 | GERMANY | Data Protection Authority of Hamburg | 2023 | Fine in four-digit amount | Private individual | Individuals and Private Associations | Unknown | Non-compliance with general data processing principles | The DPA of Hamburg has imposed a mid-four-figure fine on a private individual for improper use of the personal data of an opponent in a video game. The case occurred on the live streaming platform Twitch, where the streamer obtained the real name of their opponent during a game. With this knowledge, the streamer used their professional access to a customer database to find out the opponent’s address. They then announced that they would personally seek out their opponent. | link |
2282 | GERMANY | Data Protection Authority of Hamburg | 2023 | Fine in four-digit amount | Daycare center | Public Sector and Education | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Hamburg has imposed a four-figure fine on a daycare center that had disposed of documents containing personal data of children and their parents in a publicly accessible waste container. | link |
2283 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-11-03 | 2,000 | SINDICATO LIBRE DE TRANSPORTES | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on SINDICATO LIBRE DE TRANSPORTES. A member of the union had shared the data subject’s payslip in a WhatsApp group without the data subject’s consent. This revealed data such as their identity card number and social security number. The original fine of EUR 5,000 was reduced to EUR 2,000 due to voluntary payment and acknowledgement of responsibility. | link |
2284 | GREECE | Hellenic Data Protection Authority (HDPA) | 2024-02-28 | 2,995,140 | Hellenic Post (ΕΛΛΗΝΙΚΑ ΤΑΧΥΔΡΟΜΕΙΑ ΑΝΩΝΥΜΗ ΕΤΑΙΡΕΙΑ) | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 2,995,140 on the Hellenic Post (ΕΛΛΗΝΙΚΑ ΤΑΧΥΔΡΟΜΕΙΑ ΑΝΩΝΥΜΗ ΕΤΑΙΡΕΙΑ). The controller had suffered a data breach which resulted in personal data being accessed and later published on the Dark Web. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to prevent such an incident. | link link |
2285 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-12 | 1,800 | PRESTAMER, S.L. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on PRESTAMER, S.L.. The controller had sent an e-mail without using the blind copy option, revealing the email addresses of all recipients to the other recipients. The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and acknowledgement of responsibility. | link |
2286 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-05 | 112,000 | VODAFONE ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on VODAFONE ESPAÑA, S.A.U.. A person had lodged a complaint with the DPA because they had received their telephone bill which, however, had been issued to a different name. The original fine of EUR 140,000 was reduced to EUR 112,000 due to voluntary payment. | link |
2287 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-10-26 | 6,400 | AIO E-COMMERCE, S.L. | Industry and Commerce | Art. 5 (1) c), f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on AIO E-COMMERCE, S.L.. The controller had suffered a data breach resulting in personal data such as bank details being siphoned off and subsequently sold on the internet. As part of its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. The DPA also found that the controller had violated the principle of data minimization by storing all digits of the affected credit card numbers rather than just the last four. The original fine of EUR 8,000 was reduced to EUR 6,400 due to voluntary payment. | link |
2288 | SPAIN | Spanish Data Protection Authority (aepd) | 2022-11-07 | 60,000 | INFORMÁTICA MÉDICA, S.L. | Health Care | Art. 28 GDPR | Insufficient data processing agreement | The Spanish DPA has imposed a fine of EUR 60,000 on INFORMÁTICA MÉDICA, S.L.. The company acted as a processor for other companies and had engaged a subcontractor without, however, contractually regulating the relationship as required by Art. 28 GDPR. | link |
2289 | ITALY | Italian Data Protection Authority (Garante) | 2024-03-21 | 10,000 | Azienda sanitaria locale Roma 3 | Health Care | Art. 33 (1), (2), (5) GDPR | Insufficient fulfilment of data breach notification obligations | The Italian DPA has fined Azienda sanitaria locale Roma 3 EUR 10,000 for failing to report a data breach to the DPA in a timely manner and to properly document the data breach. | link |
2290 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-19 | 400 | Private individual | Individuals and Private Associations | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 400 on a private individual for failing to prove compliance with an order issued by the DPA. | link |
2291 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-10-26 | 7,000 | Ophthalmologic institute | Health Care | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 7,000 on an ophthalmological institute. The controller had responded to an online review, disclosing personal data of a patient. | link |
2292 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-02-08 | 500 | Hiper Store S.L. | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 500 on Hiper Store S.L.. The controller had installed a video surveillance system in its premises without sufficiently informing data subjects about the CCTV. | link |
2293 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-01 | 200,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
2294 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-29 | 200,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
2295 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-12 | 1,200,000 | CAIXABANK, S.A | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on CAIXABANK, S.A. A person filed a complaint with the DPA because they were asked to fill out a form with personal data. A clause on the form included consent for the data to be transferred to the General Treasury of Social Security, without the option to refuse consent. The original fine of EUR 2,000,000 was reduced to EUR 1,200,000 due to immediate payment and acknowledgement of responsibility. | link |
2296 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-04-22 | 2,000 | S.C. Tensa Art Design S.A. | Not assigned | Art. 6 GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 2,000 on S.C. Tensa Art Design S.A.. The controller had processed the personal data of a data subject for marketing purposes without the data subject’s consent. | link |
2297 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-04-23 | 2,000 | ALPHA BANK ROMANIA SA | Finance, Insurance and Consulting | Art. 29 GDPR, Art. 32 (1) b) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on ALPHA BANK ROMANIA SA. The controller had suffered a data breach due to an employee mismanaging recording systems. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2298 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2024-04-15 | 13,900,000 | Avast Software s.r.o. | Industry and Commerce | Unknown | Unknown | The Czech DPA has fined Avast Software s.r.o. EUR 13.9 million. The company had disclosed the personal data of around 100 million users of its antivirus software to the US company Jumpshot. Avast had transferred this data, including the users’ pseudonymized Internet browsing history linked to a unique ID, to Jumpshot, but falsely declared it to be anonymized. Users were incorrectly informed that anonymized data was being transferred, although partial identification of the data subjects was possible. | link |
2299 | GERMANY | Data Protection Authority of Brandenburg | 2023 | Fine in five-digit amount | Supermarket | Employment | Art. 6 (1) GDPR, Art. 9 (1) GDPR | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a five-figure fine on a company. The controller had posted a list of employees’ sickness-related absences for the year 2022 in the employee break room. The list contained details of the days on which they were absent from work due to their own illness or the illness of their child. The table was displayed for four weeks and in some cases third parties such as suppliers also had access to the list. | link |
2300 | GERMANY | Data Protection Authority of Brandenburg | 2023 | Fine in three-digit amount | Private individual | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a three-figure fine on six private individuals. The individuals, who worked in a hospital, had accessed the medical records of a colleague who was undergoing treatment in the hospital at the time, without being involved in their treatment. | link |
2301 | GERMANY | Data Protection Authority of Brandenburg | 2023 | Fine in three-digit amount | Police officer | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a three-figure fine on a police officer. The police officer had used the telephone number of a person who had filed a criminal complaint for private contacts, although such contact was only intended for the purpose of obtaining further evidence. | link |
2302 | GERMANY | Data Protection Authority of Brandenburg | 2023 | Fine in three-digit amount | Fishing club | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The DPA of Brandenburg has imposed a three-figure fine on a fishing club due to the fact that lists of members’ personal data such as first and last names, full addresses with telephone numbers, dates of birth and bank account details were freely accessible on their website. | link |
2303 | CROATIA | Croatian Data Protection Authority (azop) | 2024-04-22 | Fine amount between EUR 500 and EUR 4,000 | Unknown | Not assigned | Art. 27 Croatian Law on the Implementation of the GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Croatian DPA (AZOP) has imposed seven fines totaling EUR 16,000 on data controllers for failing to adequately mark video-monitored areas. This lack of marking resulted in people entering these areas not being informed of the surveillance, as the signs were either not visible on entry or did not contain all the necessary information. The fines ranged from EUR 500 to 4,000 and were imposed on various establishments, including hotels, restaurants, and shops. According to Art. 27 (1) of the Law on the Implementation of the General Data Protection Regulation, it is the responsibility of data controllers to ensure that areas under video surveillance are clearly marked. These signs must be visible to individuals at the latest when entering the surveillance perimeter. Furthermore, according to Paragraph 2 of the same article, the signs must contain all relevant information as stipulated in Art. 13 GDPR. This especially includes informing individuals that the area is under video surveillance, providing details about the data controller, and offering contact information through which individuals can exercise their data protection rights. | link |
2304 | CROATIA | Croatian Data Protection Authority (azop) | 2024-04-22 | 15,000 | Betting company | Industry and Commerce | Art. 6 (1) a) GDPR, Art. 7 GDPR, Art. 13 (1), (2) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such as the cookie banner, must be clearly distinguishable, easily accessible, and use language that is clear and simple to understand. However, in this specific case, the data controller failed to separate the cookie banner, preventing data subjects from giving clear consent for different purposes like marketing or analytics. Furthermore, an examination of the privacy policy of the data controller revealed deficiencies. This document lacked information regarding the legal basis for data processing, types of cookies used, the purpose of each cookie, and the duration of cookie storage. Consequently, data subjects were not adequately informed about the processing of their personal data, breaching Art. 13 (1) and (2) GDPR. This failure to inform data subjects about cookie processing violated the transparency principle, depriving website visitors of crucial information about how their data was handled. | link |
2305 | CROATIA | Croatian Data Protection Authority (azop) | 2024-04-22 | 20,000 | Betting company | Industry and Commerce | Art. 6 (1) a) GDPR, Art. 7 GDPR, Art. 13 (1), (2) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such as the cookie banner, must be clearly distinguishable, easily accessible, and use language that is clear and simple to understand. However, in this specific case, the data controller failed to separate the cookie banner, preventing data subjects from giving clear consent for different purposes like marketing or analytics. Moreover, the DPA found that the controller processed personal data of data subjects as soon as they accessed the webpage, even before they consented to certain cookies. This practice was considered unfair since the data subjects were unaware that their personal data was being collected at the time of website access. Such unfair processing violates the principle of lawful, fair, and transparent processing of personal data outlined in Art. 5 (1) GDPR. | link |
2306 | ITALY | Italian Data Protection Authority (Garante) | 2024-02-08 | 79,100,000 | Enel Energia SpA | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 24 (1) GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has fined Enel Energia SpA EUR 79.1 million for its lack of technical and organisational measures to limit potential abuses by agencies that unlawfully performed telemarketing activities. According to the DPA, Enel Energia acquired as many as 978 contracts from four different, previously sanctioned companies, even though they did not belong to the energy company’s sales network. Moreover, following subsequent inspections at Enel Energia, the DPA ascertained that the information systems used by the company for customer management and service activation showed serious security shortcomings. Enel failed to put in place all the necessary measures to prevent the unlawful activities of unauthorised agents who, by identifying easy ‘front doors’ in the company’s information systems, fuelled for years an illicit business of nuisance calls, service promotions, and the signing of contracts with no real economic benefit for customers. | link link |
2307 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-13 | 500,000 | Mas s.r.l. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 13 GDPR, Art. 28 GDPR, Art. 29 GDPR, Art. 30 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 500,000 on Mas s.r.l.. As part of its investigation, the DPA found that the controller had acquired illegally created lists containing personal data and used them for marketing purposes without the consent of the data subjects in order to provide them with commercial offers from various energy companies. | link link |
2308 | ITALY | Italian Data Protection Authority (Garante) | 2023-04-13 | 200,000 | Mas s.r.l.s. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 13 GDPR, Art. 28 GDPR, Art. 29 GDPR, Art. 30 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 200,000 on Mas s.r.l.s.. During its investigation, the DPA found that the controller had acquired illegally created lists containing personal data and used them for marketing purposes without the consent of the data subjects in order to provide them with commercial offers from various energy companies. | link link |
2309 | GERMANY | Data Protection Authority of Hessen | 2023 | 3,600 | Physician | Health Care | Art. 5 (1) f) GDPR, Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Hessen has fined a physician EUR 3,600. The physician’s office had disposed of records containing patient data at a public waste disposal site. | link |
2310 | GERMANY | Data Protection Authority of Hessen | 2023 | 25,000 | Company | Not assigned | Art. 21 (3) GDPR | Insufficient fulfilment of data subjects rights | The DPA of Hessen has fined a company EUR 25,000. A person had filed a complaint for receiving advertising messages, although they had objected to receiving such messages. | link |
2311 | GERMANY | Data Protection Authority of Hessen | 2023 | 5,000 | Company | Not assigned | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The DPA of Hessen has fined a company EUR 5,000 for failing to sufficiently cooperate with the DPA. | link |
2312 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-15 | 500 | CORPORACIÓN DUAL GRUPO LC, S.L. | Not assigned | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined CORPORACIÓN DUAL GRUPO LC, S.L. EUR 500 for failing to provide information requested by the DPA. | link |
2313 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-21 | 500 | JUNTA DE CONSERVACION SECTOR RESIDENCIAL ELORDIGAN SAT | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 500 on JUNTA DE CONSERVACION SECTOR RESIDENCIAL ELORDIGAN SAT. The controller had installed a video surveillance system without sufficiently informing data subjects about the CCTV. | link |
2314 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-05-09 | 2,000 | IRIDEX GROUP SALUBRIZARE SRL | Not assigned | Art. 32 (1) b) GDPR, Art. 32 (2), (3), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on IRIDEX GROUP SALUBRIZARE SRL. The controller had sent an e-mail to customers without using the blind copy option, revealing the email addresses of all recipients to the other recipients. | link |
2315 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-05-09 | 1,000 | MEDICOVER SRL | Health Care | Art. 32 (1) b) GDPR, Art. 32 (2), (3), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on MEDICOVER SRL. The healthcare facility had mistakenly forwarded a patient file to the wrong patient. | link |
2316 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-05-08 | 5,000 | CENTRUL MEDICAL UNIREA SRL | Health Care | Art. 32 (1) b) GDPR, Art. 32 (2), (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 5,000 on CENTRUL MEDICAL UNIREA SRL. The controller had suffered a data breach in which personal data of patients and employees were disclosed on the internet without authorization. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2317 | UNITED KINGDOM | Information Commissioner (ICO) | 2024-04-30 | 8,700 | Central Young Men’s Christian Association | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The UK DPA (ICO) has fined the Central Young Men’s Christian Association EUR 8,700. The controller had sent an email to individuals participating in a program for individuals suffering from HIV without using the blind copy option, which made the email addresses of all recipients known to other recipients. 166 individuals could be identified or potentially identified based on their email addresses. From this it could be concluded that these people were probably living with HIV. | link link |
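Entries 2285, 2314 and 2317 above all turn on the same mistake: a mailing sent with every recipient in To or Cc, so each recipient sees the whole list (and, in the ICO case, can infer a health condition from it). The block below is an added example, not code from CMS.Law, the tracker or any of the regulators cited; it shows the leaking message next to the Bcc form, and a pre-send check that refuses to hand over a message whose headers expose other recipients. The addresses are constructed, and `safe_send` with its `transport` callback is a hypothetical stand-in for the real SMTP call. One caveat the example encodes: Python’s `smtplib.send_message()` strips `Bcc` for you, but `smtplib.sendmail()` transmits whatever bytes it is given, so the header has to be removed before serialising, with the real recipients passed only in the SMTP envelope.

```python
"""Added example: the 'no BCC' failure mode behind several fines in the tracker,
plus a pre-send check. Not code from the tracker, CMS.Law or any DPA."""
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (hypothetical addresses, not from any case file).
SENDER = "programme@example.org"
RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def build_leaky_message(recipients, sender=SENDER):
    """The failure mode in the fines: every recipient listed in To, so each
    one sees all other addresses and can infer why they are on the list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Programme update"
    msg.set_content("Hello all, the next session is on Monday.")
    return msg


def build_bcc_message(recipients, sender=SENDER):
    """Hardened form: only the sender's own address is visible in To; the
    real recipients sit in Bcc, which must never reach the wire."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Programme update"
    msg.set_content("Hello all, the next session is on Monday.")
    return msg


def envelope_recipients(msg):
    """SMTP envelope: every address in To, Cc and Bcc, in header order."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)]


def strip_bcc(msg):
    """Copy of the message as it should go on the wire: Bcc removed.
    smtplib.sendmail() does not do this for you; send_message() does."""
    wire = message_from_bytes(msg.as_bytes(), policy=msg.policy)
    del wire["Bcc"]
    return wire


def exposed_recipients(msg):
    """Pre-send check: envelope recipients whose address would appear in the
    headers every recipient receives. An empty set means safe to send."""
    visible = " ".join(str(v) for v in strip_bcc(msg).values()).lower()
    exposed = {a for a in envelope_recipients(msg) if a.lower() in visible}
    exposed.discard(str(msg["From"]).lower())  # the sender's own address is fine
    return exposed


def safe_send(msg, transport):
    """Refuse leaking messages; otherwise call transport(from, envelope, bytes)
    with the Bcc-stripped bytes, the shape smtplib.sendmail() expects.
    `transport` is a hypothetical hook standing in for the real SMTP client."""
    exposed = exposed_recipients(msg)
    if exposed:
        raise ValueError(f"refusing to send: {sorted(exposed)} would be exposed to every recipient")
    return transport(str(msg["From"]), envelope_recipients(msg), strip_bcc(msg).as_bytes())


if __name__ == "__main__":
    print("leaky message exposes:", sorted(exposed_recipients(build_leaky_message(RECIPIENTS))))
    print("bcc message exposes:  ", sorted(exposed_recipients(build_bcc_message(RECIPIENTS))))
    safe_send(build_bcc_message(RECIPIENTS),
              lambda sender, env, data: print("would send to", env, "without Bcc header"))
```

For anything sensitive enough to land in this table, one message per recipient is the stronger pattern: it removes the list from the message entirely, so a mistyped header or a client that does not strip Bcc cannot leak it.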
2318 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-07 | 1,000 | DENTAL REY-GAR, S.L. | Health Care | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on DENTAL REY-GAR, S.L. for failing to prove compliance with an order issued by the DPA. | link |
2319 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-19 | 400 | Private individual | Individuals and Private Associations | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 400 on a private individual for failing to prove compliance with an order issued by the DPA. | link |
2320 | ITALY | Italian Data Protection Authority (Garante) | 2024-03-07 | 2,000 | Bar | Accomodation and Hospitalty | Art. 5 GDPR, Art. 13 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has fined the owner of a bar EUR 2,000. The controller had operated video surveillance cameras in one of their premises without the required authorization. Furthermore, the DPA found that the controller failed to properly inform about the CCTV and the processing of personal data by the cameras. | link |
2321 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-01-08 | 2,000 | Private individual | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The controller had published a video showing an individual without their consent. | link |
2322 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-021 | 1,000 | CLÍNICA PARÍS, S.L. | Health Care | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on CLÍNICA PARÍS, S.L. for failing to prove compliance with an order issued by the DPA. | link |
2323 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-23 | 90,000 | TELEFÓNICA DE ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined TELEFÓNICA DE ESPAÑA, S.A.U. EUR 90,000 for failing to provide information requested by the DPA. | link |
2324 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-07 | 480 | Homeowners’ association | Individuals and Private Associations | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a homeowners’ association. The controller had sent an email to all owners containing a list of the owners’ individual monthly heating consumption, broken down by floor. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment. | link |
2325 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-09 | 1,600 | Homeowners’ association | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a homeowners’ association. A person had filed a complaint with the DPA due to the fact that the data controller had published a picture with their personal data unredacted in a WhatsApp group chat. The original fine of EUR 2,000 was reduced to EUR 1,600 due to voluntary payment. | link |
2326 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-04-30 | 210 | Association | Individuals and Private Associations | Art. 33 (1) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined an association EUR 210 for failing to report a data breach to the DPA in a timely manner. | link |
2327 | AUSTRIA | Austrian Data Protection Authority (dsb) | 2024-01-04 | 10,000 | Website operator | Individuals and Private Associations | Art. 17 (1) GDPR, Art. 25 (1) GDPR, Art. 58 (2) c) GDPR | Insufficient fulfilment of data subjects rights | The Austrian DPA has imposed a fine in the amount of EUR 11,000 on a website operator. An individual had filed a complaint with the DPA because the controller had failed to comply with the data subject’s request to delete their data. | link |
2328 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-30 | 1,200 | DELPASO CAR HIRE, S.L.U. | Industry and Commerce | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Spanish DPA has imposed a fine on DELPASO CAR HIRE, S.L.U.. A data subject had filed a complaint against the controller with the DPA due to the controller’s failure to properly comply with their request for access to their personal data. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility. | link |
2329 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-15 | 200,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 200,000 on Vodafone España, S.A.U. A data subject had filed a complaint against the data controller because unauthorized fraudsters had managed to make changes to their contract and to conclude a prepaid contract in their name. During its investigation, the DPA found that Vodafone had carried out the changes without verifying the identity of the person requesting them or determining whether they had actually been requested by the data subject. | link |
2330 | ITALY | Italian Data Protection Authority (Garante) | 2024-03-07 | 20,000 | Banca di Credito Cooperativo Appulo Lucana soc. cooperativa | Employment | Art. 12 (3), (4) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 20,000 on Banca di Credito Cooperativo Appulo Lucana soc. cooperativa. A former employee had requested access to the personal data in their personnel file. However, the controller did not fully comply with this request. | link |
2331 | ITALY | Italian Data Protection Authority (Garante) | 2024-03-07 | 20,000 | Centro Riparazioni Piacentino S.p.A. | Employment | Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA (Garante) imposed a fine of EUR 20,000 on Centro Riparazioni Piacentino S.p.A.. The controller had kept a former employee’s e-mail account active despite the termination of their employment. Furthermore, the data subject had not been informed about such further use of their e-mail account. | link |
2332 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-25 | 2,400 | Restaurant owner | Accomodation and Hospitalty | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a restaurant owner. The data controller had installed a video surveillance camera in their restaurant, which also captured the guest area. The DPA found that such extensive recording of the guests was not necessary and considered this to be a violation of the principle of data minimization. The original fine of EUR 4,000 was reduced to EUR 2,400 due to voluntary payment and admission of responsibility. | link |
2333 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-04-29 | 56,000 | Res-Gastro M. Gaweł Sp. k. | Accomodation and Hospitalty | Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA (UODO) has imposed a fine of EUR 56,000 on Res-Gastro M. Gaweł Sp. k. The controller had reported a data breach involving the loss of an unencrypted USB stick by an employee. The data medium contained documents with data such as the name, address, gender and date of birth of another employee. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident. | link link |
2334 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-11 | 25,000 | Innova Camara | Public Sector and Education | Art. 5 (1) e), f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 25,000 on Innova Camara. The controller had suffered a cyber attack in which databases were accessed and malicious files (backdoors) were inserted. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident. | link |
2335 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-11 | 6,000 | Libero Consorzio comunale di Enna | Public Sector and Education | Art. 37 (1), (7) GDPR, Art. 38 (2), (6) GDPR | Insufficient involvement of data protection officer | The Italian DPA has imposed a fine of EUR 6,000 on Libero Consorzio comunale di Enna for failing to appoint a data protection officer. | link |
2336 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-08 | 12,000 | DENTALCUADROS BCN S.L.P. | Health Care | Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on DENTALCUADROS BCN S.L.P. The controller had suffered a cyberattack in which patient data was unlawfully accessed. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. In addition, the controller failed to report the data breach to the DPA in a timely manner. The original fine of EUR 20,000 was reduced to EUR 12,000 due to voluntary payment and acknowledgement of responsibility. | link |
2337 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-11 | 1,000 | Store owner | Industry and Commerce | Art. 5 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | The Italian DPA has fined a store owner EUR 1,000. The controller had installed video surveillance cameras in its premises without properly informing data subjects about the processing of personal data by the video surveillance. | link |
2338 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-07 | 360,000 | 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. The controller had suffered a data breach that led to the unlawful access to customer profiles. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data in order to prevent such an incident. The original fine of EUR 600,000 was reduced to EUR 360,000 due to voluntary payment and acknowledgement of responsibility. | link |
2339 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-22 | 96,000 | WATIUM S.L. | Transportation and Energy | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined WATIUM S.L. for failing to provide information requested by the DPA. The original fine of EUR 160,000 was reduced to EUR 96,000 due to voluntary payment and acknowledgement of responsibility. | link |
2340 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-11 | 100,000 | Facile.Energy S.r.l. | Transportation and Energy | Art. 5 (1) a), f) GDPR, Art. 5 (2) GDPR, Art. 6 (1) a) GDPR, Art. 24 (1) GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 100,000 on Facile.Energy S.r.l. During its investigation, the DPA found that data subjects had received advertising calls on behalf of the controller without their consent or despite being registered in objection registers. The DPA concluded that the controller had failed to take appropriate technical and organisational measures to ensure that the processing of data subjects’ personal data is carried out in accordance with data protection regulations throughout the supply chain. | link link |
2341 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-11 | 100,000 | Olimpia S.r.l. | Transportation and Energy | Art. 5 (1) a), f) GDPR, Art. 5 (2) GDPR, Art. 6 (1) a) GDPR, Art. 24 (1) GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 100,000 on Olimpia S.r.l. During its investigation, the DPA found that data subjects had received advertising calls on behalf of the controller without their consent or despite being entered in objection registers. The DPA concluded that the controller had failed to take appropriate technical and organisational measures to ensure that the processing of data subjects’ personal data is carried out in accordance with data protection regulations throughout the supply chain. | link link |
2342 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-03-21 | 5,000 | HIPERBAZAR YONGFA 2018 SL | Not assigned | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 5,000 on HIPERBAZAR YONGFA 2018 SL. A person had filed a complaint with the DPA against the controller. The controller had provided recordings from his video surveillance system showing the data subject to a third party who then published them on Facebook. | link |
2343 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-07 | 1,200 | ARRENDAMIENTOS DEUDORES, S.L. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on ARRENDAMIENTOS DEUDORES, S.L. The controller had carried out a credit check on the data subject without any valid legal basis for this. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and acknowledgement of responsibility. | link |
2344 | FRANCE | French Data Protection Authority (CNIL) | 2024-06-05 | Unknown | Company | Not assigned | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The French DPA has imposed a fine on a company. The company published a promotional video on its website and social networks in which images of patient files of one of its customers were shown. The images, which made personal data such as the name of the data subject visible, were used without their consent. | link |
2345 | FRANCE | French Data Protection Authority (CNIL) | 2024-06-05 | Unknown | Company | Not assigned | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The French DPA has imposed a fine on a company operating a call center. The controller had systematically recorded all incoming and outgoing calls for training, evaluation and dispute purposes. The CNIL found that such comprehensive recording violated the principle of data minimization and that random and selective recording for training purposes was sufficient. | link |
2346 | FRANCE | French Data Protection Authority (CNIL) | 2024-06-05 | Unknown | Unknown | Not assigned | Unknown | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine on a controller for not sufficiently respecting data subjects’ rights (exercising the right of access to a medical file). | link |
2347 | FRANCE | French Data Protection Authority (CNIL) | 2024-06-05 | Unknown | Unknown | Not assigned | Unknown | Insufficient cooperation with supervisory authority | The French DPA has imposed a fine on a data controller for failing to cooperate sufficiently with the DPA. | link |
2348 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-05-30 | 2,000 | Corint Logistic SRL | Not assigned | Art. 5 (1) a), b) GDPR, Art. 17 GDPR, Art. 21 (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 2,000 on Corint Logistic SRL. A customer had filed a complaint with the DPA because they had received advertising text messages from the controller, even though they had exercised their right to erasure and received confirmation that their personal data had been deleted. | link |
2349 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-30 | 4,200 | PILLOW HOTELS, S.L. | Accomodation and Hospitalty | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR, Art. 33 (1) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on PILLOW HOTELS, S.L. A person had filed a complaint with the DPA. The individual had made a booking for an overnight stay with the controller via booking.com. A few days before the trip, they received a WhatsApp message from a person claiming to be the director of the hotel, addressing them by name and asking them to confirm the booking by referring to a fraudulent link to enter their credit card details. The data subject contacted the hotel to confirm the fraud and learned that similar cases were already known. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to prevent such fraud incidents. The DPA also found that the controller had failed to report these data breaches. The original fine of EUR 7,000 was reduced to EUR 4,200 upon admission of responsibility and voluntary payment. | link |
2350 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-23 | 600 | President of a workers’ council | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on the president of the workers’ council of a company following a complaint by a former employee. During their employment, the company carried out a collective redundancy procedure that affected the employee. The council had publicly posted a record of a meeting between the employee representatives and the works council, which contained a list of the employees affected with personal data such as names, ID card numbers, dates of birth, etc. The original fine of EUR 1,000 was reduced to EUR 600 upon admission of responsibility and voluntary payment. | link |
2351 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2024-06-04 | 6,000 | Ambitious People Group B.V. | Finance, Insurance and Consulting | Art. 12 (3) GDPR, Art. 17 (1) GDPR | Insufficient fulfilment of data subjects rights | The Dutch DPA has imposed a fine of EUR 6,000 on the recruitment company Ambitious People Group B.V. The controller had not deleted the data of data subjects after they had requested it. | link |
2352 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-19 | 1,000 | CONSULTORÍA PERITACIONES ALMERIENSES, S.L | Finance, Insurance and Consulting | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on CONSULTORÍA PERITACIONES ALMERIENSES, S.L for failing to comply with an order issued by the DPA. | link |
2353 | GERMANY | Data Protection Authority of Bavaria | 2023 | Unknown | Private individual | Individuals and Private Associations | Unknown | Non-compliance with general data processing principles | The DPA of Bavaria has imposed a fine on a private individual for installing a video surveillance camera in a bush at a naturist beach and capturing video and audio recordings of beach visitors. | link |
2354 | GERMANY | Data Protection Authority of Bavaria | 2023 | Unknown | Private individual | Individuals and Private Associations | Unknown | Non-compliance with general data processing principles | The DPA of Bavaria has imposed a fine on an individual. The individual had been pulled over by a police officer and afterwards managed to obtain their telephone number in order to contact them. As the individual had already insulted and threatened the police officer during the check, the officer felt endangered by the contact. | link |
2355 | GERMANY | Data Protection Authority of Bavaria | 2023 | Unknown | Store detective | Individuals and Private Associations | Unknown | Non-compliance with general data processing principles | The DPA of Bavaria has imposed a fine on a store detective. The detective had collected the contact details of a person accused of shoplifting in their professional function. However, they later contacted the person for private purposes. | link |
2356 | GERMANY | Data Protection Authority of Bavaria | 2023 | Unknown | Private individual | Individuals and Private Associations | Unknown | Non-compliance with general data processing principles | The DPA of Bavaria has imposed a fine on a private individual. The individual, who was employed in a store, had contacted a customer, who had provided their contact details for business purposes, for private purposes and sent them pornographic material. | link |
2357 | GERMANY | Data Protection Authority of Bavaria | 2023 | Fine in four-digit amount | Physician | Health Care | Unknown | Non-compliance with general data processing principles | The DPA of Bavaria has imposed a fine in the four figure range on a physician. The physician had responded to an online review regarding their practice, disclosing personal health data of a patient. | link |
2358 | GERMANY | Data Protection Authority of Bavaria | 2023 | Fine in four-digit amount | Private individual | Individuals and Private Associations | Unknown | Non-compliance with general data processing principles | The DPA of Bavaria has imposed a four-figure fine on a private individual who had attached an AirTag to another person’s car in order to track their location. | link |
2359 | ITALY | Italian Data Protection Authority (Garante) | 2024-05-09 | 10,000 | Azzurro Club Hotels S.r.l. | Accomodation and Hospitalty | Art. 6 (1) a) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR, Art. 130 (2) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 10,000 on Azzurro Club Hotels S.r.l. The controller had sent a data subject unsolicited advertising e-mail and failed to respond properly to their requests for information about the origin of their data. | link |
2360 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-05 | 6,000 | EUROBOX S.A. | Not assigned | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on EUROBOX S.A. A person had filed a complaint with the DPA because, after having their account with the controller blocked, they were asked to submit various documents, such as proof of identity, address and financial situation, in order to reactivate it. During its investigation, the DPA found that this extensive data processing was not necessary and considered it to be a violation of the principle of data minimisation. The original fine of EUR 10,000 was reduced to EUR 6,000 due to immediate payment and acknowledgement of responsibility. | link |
2361 | ITALY | Italian Data Protection Authority (Garante) | 2024-05-09 | 3,000 | Medical association | Health Care | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 3,000 on a medical association. A doctor had filed a complaint because the professional association suspended them for not fulfilling the COVID-19 vaccination obligation and also informed their employer of this. An email from the association requesting notification of the employer was inadvertently sent to other individuals, as a result of which their email addresses and vaccination status became known. | link |
2362 | ITALY | Italian Data Protection Authority (Garante) | 2024-05-09 | 3,000 | Polisportiva Mimmo Ferrito s.r.l. | Individuals and Private Associations | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 3,000 on Polisportiva Mimmo Ferrito s.r.l. A data subject had filed a complaint with the DPA due to the controller’s failure to respond to a request for access to their personal data. | link |
2363 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-24 | 5,000 | Dly S.r.l. | Employment | Art. 5 (1) a) GDPR, Art. 88 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 5,000 on Dly S.r.l. The company had installed video surveillance systems in its premises; however, their specific use was not authorized. | link |
2364 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-24 | 3,000 | I.N.P.A.S. | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 2-ter Codice della privacy, Art. 2-sexies Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 3,000 on I.N.P.A.S. (Istituto Nazionale di Previdenza e di Assistenza Sociale). During its investigation, the DPA found that a former employee had access to databases containing personal data even after the termination of their employment relationship. | link |
2365 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-24 | 10,000 | C.I.E.L. S.p.A. | Employment | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 10,000 on C.I.E.L. S.p.A. An employee working for the controller filed a complaint with the DPA due to the controller’s failure to grant them access to training certificates. | link |
2366 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-24 | 30,000 | Gestore Dei Servizi Energetici – Gse S.p.A. | Employment | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA imposed a fine of EUR 30,000 against Gestore Dei Servizi Energetici – Gse S.p.A. for failing to comply with a former employee’s request for access to their personal data. | link |
2367 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-10 | 100,000 | NATURGY IBERIA, S.A. | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 100,000 on NATURGY IBERIA, S.A. A customer had filed a complaint with the DPA because an amendment had been made to their electricity supply contract without their consent. In the course of its investigations, the DPA discovered that a fraudster had pretended to be the data subject and managed to change the data subject’s contract. According to the DPA, the controller had not properly verified the identity of the fraudster before amending the contract. | link |
2368 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-12 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera which, among other things, also recorded public spaces. In addition, the person forwarded the recordings via WhatsApp. The DPA considered this to be a violation of the principle of data minimization. | link |
2369 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-04-24 | 2,500 | Committee | Individuals and Private Associations | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 2,500 on a committee. The controller had collected signatures in favor of a legislative initiative and later stored the signature lists unprotected in a church, which led to the sensitive data of the signatories not being sufficiently protected against loss, disclosure etc. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. | link link |
2370 | ITALY | Italian Data Protection Authority (Garante) | 2024-05-09 | 75,000 | Azienda ospedale università di Padova | Health Care | Art. 5 (1) a), c), f) GDPR, Art. 9 GDPR, Art. 25 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 75,000 on Azienda ospedale università di Padova. During its investigation, the DPA found that employees had accessed patient files without authorization and that the controller did not have appropriate access restrictions in place. This allowed employees to access patient files that were not necessary for their work, e.g. because they were not treating the patients in question. | link |
2371 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-20 | 42,000 | CUI ZSQ FOOD, S.L. | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CUI ZSQ FOOD, S.L. An employee had filed a complaint with the DPA as video recordings of the company’s surveillance system in which they appeared had been published in a company group chat. The original fine of EUR 70,000 was reduced to EUR 42,000 due to immediate payment and admission of responsibility. | link |
2372 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-17 | 600 | Club Balonmano Gijón | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on Club Balonmano Gijón. The sports club had published pictures of minors without the consent of parents. The original fine of EUR 1,000 was reduced to EUR 800 due to immediate payment and admission of responsibility. | link |
2373 | CYPRUS | Cypriot Data Protection Commissioner | 2024-02-08 | 1,500 | Aylo Social LTD | Industry and Commerce | Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Cypriot DPA has imposed a fine of EUR 1,500 on Aylo Social LTD for failing to comply with a deletion request. | link |
2374 | CYPRUS | Cypriot Data Protection Commissioner | 2024-02-08 | 2,000 | Brivio Limited | Not assigned | Art. 12 (3) GDPR | Insufficient fulfilment of data subjects rights | The Cypriot DPA has imposed a fine of EUR 2,000 on Brivio Limited for failing to respond to a request for information in a timely manner. | link |
2375 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-06-25 | 3,000 | Rețele Electrice Muntenia SA | Transportation and Energy | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on Rețele Electrice Muntenia SA. A user who logged into their account was able to access the personal data of other customers. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2376 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-06-25 | 1,000 | Rețele Electrice Dobrogea SA | Transportation and Energy | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 1,000 on Rețele Electrice Dobrogea SA. A user who logged into their account was able to access the personal data of other customers. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2377 | SWEDEN | Data Protection Authority of Sweden | 2024-06-24 | 1,300,000 | Avanza Bank AB | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 1.3 million on Avanza Bank AB. The controller had used so-called meta pixels on its website and app, which caused personal data such as securities holdings and account numbers to be transmitted to Meta. These transfers took place from November 15, 2019 to June 2, 2021 due to incorrect settings. After becoming aware of this, Avanza deactivated the pixels and confirmed that Meta had deleted the data. Avanza has also improved its internal data security processes. | link link |
2378 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-10 | 160,000 | ALLIANZ COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on ALLIANZ COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. A person had filed a complaint with the DPA because their ex-partner had been given unauthorized access to the data subject’s insurance documents. The original fine of EUR 200,000 was reduced to EUR 160,000 due to immediate payment. | link |
2379 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-12 | 120,000 | BANCO BILBAO VIZCAYA ARGENTARIA, S.A. | Finance, Insurance and Consulting | Art. 5 (1) d) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on BANCO BILBAO VIZCAYA ARGENTARIA, S.A. A data subject had filed a complaint with the DPA because the controller had proposed to a credit reference agency to include their personal data in a solvency file without being properly informed in advance. It turned out that the controller had provided an incorrect address and the data subject had therefore not received any notification. The original fine of EUR 200,000 was reduced to EUR 120,000 due to the voluntary payment and the acknowledgement of responsibility. | link |
2380 | ITALY | Italian Data Protection Authority (Garante) | 2024-06-06 | 120,000 | Cappello Giovanni & Figli s.r.l. | Employment | Art. 5 (1) a), c), e) GDPR, Art. 6 GDPR, Art. 9 (2) b) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 120,000 on Cappello Giovanni & Figli s.r.l. The controller had used facial recognition technology to monitor the attendance of employees. During its investigation, the DPA found that such extensive recording of biometric data to monitor attendance was not permitted. The controller referred to the consent given by the employees as the legal basis for the data processing. However, the DPA concluded that the controller could not rely on consent, as voluntary consent is questionable in an employee-employer relationship. In addition, the DPA found that the recordings were stored for an excessively long time. | link |
2381 | ITALY | Italian Data Protection Authority (Garante) | 2024-06-06 | 6,419,631 | Eni Plenitude S.p.A. | Transportation and Energy | Art. 5 (1) a), d), f) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 130 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 6,419,631 on Eni Plenitude S.p.A. The DPA initiated an investigation against the controller due to 107 notifications and 8 complaints from data subjects regarding undesired marketing calls. It found that the controller had repeatedly called data subjects without their consent or despite their registration in the national opt-out register. The DPA also found that a large number of the contracts concluded resulted from the illegal calls. The high number of unauthorized advertising calls was mainly due to the controller’s lack of control over its contracted advertising agencies. | link link |
2382 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-11 | 20,000 | Istituto Nazionale di Previdenza Sociale | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 2-ter Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 20,000 on the Italian National Institute of Social Security (INPS). The controller had published personal data of participants in a competitive selection procedure on its website without an appropriate legal basis. | link link |
2383 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-26 | 600 | Homeowners’ association | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a homeowners’ association. The association had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The DPA also found a breach of the controller’s obligation to provide information on data processing under Art. 13 GDPR. The original fine of EUR 1,000 was reduced to EUR 600 due to the voluntary payment and the acknowledgement of responsibility. | link |
2384 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-25 | 150,000 | BANCO CETELEM, S.A. | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 17 (1) d) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on BANCO CETELEM, S.A. A person had filed a complaint against the controller with the DPA due to the fact that debits had been made from their account by the controller to a third party without there even being a contractual relationship between the data subject and the controller. The DPA also found that further debits were made despite complaints and requests for the data to be deleted. The original fine of EUR 250,000 was reduced to EUR 150,000 due to the voluntary payment and the acknowledgement of responsibility. | link |
2385 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-26 | 10,000 | ASSOCIACIO OASIS CULTURAL | Accomodation and Hospitalty | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 10,000 on ASSOCIACIO OASIS CULTURAL. A discotheque operated by the controller had published videos of dancing minors on a social media account without providing a valid legal basis for the publication. | link |
2386 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-05 | 180 | Website operator | Not assigned | Art. 5 (1) e) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on the operator of a website for storing data of a data subject for an excessively long period of time and contrary to the principle of storage limitation under Art. 5 (1) e) GDPR. The original fine of EUR 300 was reduced to EUR 180 due to the voluntary payment and the acknowledgement of responsibility. | link |
2387 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-05 | 800 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 1,000 was reduced to EUR 800 due to voluntary payment. | link |
2388 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-17 | 3,000 | 20 AÑOS DE MÚSICA A.I.E. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on 20 AÑOS DE MÚSICA A.I.E.. A person had filed a complaint with the DPA due to the fact that in order for minors to attend concerts organized by the controller, powers of attorney from their legal guardians as well as copies of the identity documents of both the legal guardians and the minors were required. During its investigation, the DPA found that such extensive data collection would not have been necessary and violated the principle of data minimization. The DPA also found that the controller had not sufficiently informed the data subjects about the data processing. For example, the controller failed to provide precise information on the exercise of data subjects’ rights. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and admission of responsibility. | link |
2389 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-13 | 3,000 | DQG NORTE A.I.E | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on DQG NORTE A.I.E.. A person had filed a complaint with the DPA due to the fact that in order for minors to attend concerts organized by the controller, powers of attorney from their legal guardians as well as copies of the identity documents of both the legal guardians and the minors were required. During its investigation, the DPA found that such extensive data collection would not have been necessary and violated the principle of data minimization. The DPA also found that the controller had not sufficiently informed the data subjects about the data processing. For example, the controller failed to provide precise information on the exercise of data subjects’ rights. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and admission of responsibility. | link |
2390 | ITALY | Italian Data Protection Authority (Garante) | 2024-05-23 | 3,500 | Professional association | Public Sector and Education | Art. 5 (1) a), d) GDPR, Art. 6 GDPR, Art. 27 (7) GDPR, Art. 2-ter Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 3,500 on a professional association. An individual had filed a complaint with the DPA for the unlawful publication of their personal data. The individual had reported another person to the professional association for the unlawful use of a professional title. The association then forwarded the report to its disciplinary board and informed the accused, and also put the complainant on CC, with the result that their identity was also revealed to the accused. | link |
2391 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-24 | 1,000 | VOX ESPAÑA | Public Sector and Education | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,000 on VOX ESPAÑA. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The DPA also found a breach of the controller’s obligation to provide sufficient information on data processing under Art. 13 GDPR. | link |
2392 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-22 | 3,000 | CUBILLO GALLEGO S.L. | Real Estate | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 3,000 on CUBILLO GALLEGO S.L. for failing to ensure that the privacy policy on a website they operate complied with the requirements of Art. 13 GDPR. | link |
2393 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-12 | 600 | Website operator | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 600 on a website operator for failing to ensure that the privacy policy on a website complied with the requirements of Art. 13 GDPR. | link |
2394 | ITALY | Italian Data Protection Authority (Garante) | 2024-06-06 | 500 | Comune di Ustica | Public Sector and Education | Art. 5 (1) a), c) GDPR, Art. 6 (1) c), e) GDPR, Art. 6 (2) GDPR, Art. 6 (3) b) GDPR, Art. 9 (1), (2), (4) GDPR, Art. 37 (7) GDPR, Art. 2-ter (1), (3) Codice della privacy, Art. 2-septies (8) Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 500 on Comune di Ustica. The municipality had published a document, containing personal data (including health data) of private individuals. In the course of its investigation, the DPA found that the municipality had published the data without a valid legal basis and therefore had acted unlawfully. | link |
2395 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-12 | 1,000 | DELSA ALQUILERES S.L. | Real Estate | Art. 6 GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 1,000 on DELSA ALQUILERES S.L. The controller had installed video surveillance cameras in a residential complex which, among other things, also recorded common areas, although this was not authorized by the homeowners’ association. In addition, the controller did not sufficiently comply with its information obligations under Art. 13 GDPR. | link |
2396 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-07-10 | 300 | WWPD CINVENTO INTERNATIONAL PATENT TRADING, S.L. | Not assigned | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on WWPD CINVENTO INTERNATIONAL PATENT TRADING, S.L. The controller had sent postal advertising to a private individual without their consent, misusing their data from a property register to do so. The original fine of EUR 500 was reduced to EUR 300 due to immediate payment and admission of responsibility. | link |
2397 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-26 | 80,000 | AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A. y SEUR GEOPOST, S.L. | Real Estate | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine on AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A. y SEUR GEOPOST, S.L. The controller had suffered a security incident which, according to the DPA, had occurred due to the company’s failure to implement appropriate technical and organizational measures to protect personal data. The original fine of EUR 100,000 was reduced to EUR 80,000 due to voluntary payment. | link |
2398 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2024-07-02 | 2,385,276 | Vinted | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 12 (1), (4) GDPR | Insufficient fulfilment of data subjects rights | The Lithuanian DPA has imposed a fine of EUR 2,385,276 on the second-hand online store ‘Vinted’. The DPA initiated an investigation after the Polish and French DPAs forwarded complaints against the company. During its investigation, the DPA found that the company had not adequately processed deletion requests from data subjects because the data subjects had not provided specific reasons for their deletion request. It was also revealed that the company was unlawfully using ‘shadow blocking’ to remove users from the platform without their knowledge, which violated the principles of fairness and transparency. This also impaired users’ ability to exercise their rights under the GDPR. In addition, the DPA found that the company had not taken sufficient technical and organizational measures to ensure compliance with the principle of accountability and to be able to demonstrate that it had taken appropriate measures regarding the right of access. | link |
2399 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2024-05-02 | 600,000 | A.S. Watson Health & Beauty Continental Europe B.V. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Dutch DPA has imposed a fine of EUR 600,000 on A.S. Watson Health & Beauty Continental Europe B.V. The controller had tracked visitors to their drugstore website “Kruidvat.nl” with tracking cookies without their consent. The cookie banner on the website had the boxes for consenting to the placement of tracking software pre-ticked by default. Visitors who nevertheless wanted to reject the cookies could only do so with greater difficulty. This allowed the controller to collect sensitive personal data from millions of website visitors and create profiles. Among other things, the controller collected location data and information on purchased products. Since the products purchased included drugstore products, it was also possible to draw conclusions about health conditions based on the purchase of pregnancy tests or medication, for example. | link link |
2400 | GREECE | Hellenic Data Protection Authority (HDPA) | 2024-06-27 | 50,000 | METRO SA | Industry and Commerce | Art. 15 GDPR, Art. 17 GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA has imposed a fine of EUR 50,000 on METRO SA. A former employee had sent text messages to the private mobile phone of a customer who had a user account in the company’s online store and had placed orders that had been delivered to them by the employee a few days earlier. The customer then reported the incident to the controller and requested access to and deletion of their personal data. However, the controller did not respond to the incident, arguing that the order was in their husband’s name. The DPA found that the controller should have complied with the request and that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to avoid such an incident. | link link |
2401 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-07-17 | 600 | DIGIMAN ALICANTE S.L. | Transportation and Energy | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine on DIGIMAN ALICANTE S.L. The data controller had installed a video surveillance system without adequately providing information for data subjects. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and acknowledgement of responsibility. | link |
2402 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-07-18 | 200,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined Vodafone España, S.A.U. EUR 200,000 for failing to provide information requested by the DPA. | link |
2403 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-07-18 | 600 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on a private individual. The individual had shared personal data of a data subject in a Facebook group without their consent. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and admission of responsibility. | link |
2404 | ITALY | Italian Data Protection Authority (Garante) | 2024-06-20 | 4,000 | Medical association | Health Care | Art. 12 (3) GDPR, Art. 13 (2) a) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 4,000 on the medical association ‘Ordine dei Medici Chirurghi e degli Odontoiatri’. A patient had filed a complaint with the DPA. During its investigation the DPA found that the controller had not responded to the data subject’s request for access to their personal data in a timely manner. Additionally, the controller failed to provide sufficient information regarding the retention period of their personal data. | link |
2405 | ITALY | Italian Data Protection Authority (Garante) | 2024-05-23 | 4,500 | Azienda Socio-sanitaria Territoriale Rhodense | Health Care | Art. 5 (1) d) GDPR, Art. 12 GDPR, Art. 16 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 4,500 on Azienda Socio-sanitaria Territoriale Rhodense. An individual had filed a complaint with the DPA because the controller had not properly complied with their request to rectify the incorrect personal data stored about them. | link |
2406 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-04-15 | 400 | Private individual | Individuals and Private Associations | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 400 on a private individual for failing to prove compliance with an order issued by the DPA. | link |
2407 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-28 | 70,000 | CAIXABANK S.A. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 70,000 on CAIXABANK S.A. A person had filed a complaint with the DPA because an employee of the controller had accidentally disclosed tax data of the data subject to their ex-spouse without their consent. | link |
2408 | ITALY | Italian Data Protection Authority (Garante) | 2024-05-23 | 8,400 | Azienda Sanitaria Locale TO4 | Health Care | Art. 5 (1) f) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 8,400 on Azienda Sanitaria Locale TO4. The controller had sent an email containing information on medical treatment plans to several patients in an open distribution list. This allowed the recipients to view the email addresses of all other recipients, 44 in total. | link |
2409 | ITALY | Italian Data Protection Authority (Garante) | 2024-04-24 | 30,000 | Rossi Carta S.r.l. | Industry and Commerce | Art. 6 GDPR, Art. 7 GDPR, Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 30,000 on Rossi Carta S.r.l. An individual had filed a complaint with the DPA after repeatedly receiving unsolicited advertising emails from the controller. Additionally, the controller failed to properly process the individual’s request to exercise their data subject rights. | link |
2410 | FRANCE | French Data Protection Authority (CNIL) | 2024-07-22 | 6,900 | Municipality of Kourou | Public Sector and Education | Art. 31 GDPR, Art. 37 GDPR | Insufficient involvement of data protection officer | The French DPA has imposed a fine of EUR 6,900 on the municipality of Kourou for failing to appoint a data protection officer. | link link |
2411 | ITALY | Italian Data Protection Authority (Garante) | 2024-06-20 | 20,000 | Municipality of Nepi | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 28 GDPR, Art. 2-ter Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 20,000 on the municipality of Nepi. The controller had published a document containing the ranking list of a pre-selection test for a public competition, which included personal data of the participants. During its investigation, the DPA found that the controller did not have a valid legal basis for publishing this personal data. | link |
2412 | FRANCE | French Data Protection Authority (CNIL) | 2024-01-09 | 1,500 | Website operator | Not assigned | Unknown | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine of EUR 1,500 on a website operator. The fine was imposed due to a lack of cooperation with the DPA and a lack of fulfillment of data subject rights. | link |
2413 | FRANCE | French Data Protection Authority (CNIL) | 2024-01-15 | 5,000 | Attorney | Finance, Insurance and Consulting | Unknown | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine of EUR 5,000 on an attorney. The fine was imposed due to a lack of cooperation with the DPA and a lack of fulfillment of a request for erasure of personal data. | link |
2414 | FRANCE | French Data Protection Authority (CNIL) | 2024-01-22 | 500 | Attorney | Finance, Insurance and Consulting | Unknown | Insufficient cooperation with supervisory authority | The French DPA has imposed a fine of EUR 500 on an attorney. The fine was imposed due to a lack of cooperation with the DPA. | link |
2415 | FRANCE | French Data Protection Authority (CNIL) | 2024-01-24 | 20,000 | Pharmaceutical wholesaler | Industry and Commerce | Unknown | Unknown | The French DPA has imposed a fine of EUR 20,000 on a pharmaceutical wholesaler due to violations of several regulations, including a lack of data security and insufficient cooperation with the DPA. Additionally, deficiencies were found regarding the maintenance of the record of processing activities, and the obligation to use only processors providing sufficient guarantees and assigned after authorization by the controller was not met. | link |
2416 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-14 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera which also recorded the entrance area of the neighboring apartment. The DPA considered this to be a violation of the principle of data minimization. | link |
2417 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-07 | 2,000 | EXPLOTACIONES HOSTELERAS Y DE OCIO ALBACETEÑAS, S.L. | Accomodation and Hospitalty | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 2,000 on EXPLOTACIONES HOSTELERAS Y DE OCIO ALBACETEÑAS, S.L. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The DPA also found a breach of the controller’s obligation to provide sufficient information on data processing under Art. 13 GDPR. | link |
2418 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-28 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera which also recorded parts of a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. | link |
2419 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-08-06 | 1,000 | BEST ELAN ONLINE SRL | Not assigned | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Romanian DPA has fined BEST ELAN ONLINE SRL EUR 1,000 for failing to provide information requested by the DPA. | link |
2420 | FRANCE | French Data Protection Authority (CNIL) | 2024-06-10 | 5,000 | Bakery | Industry and Commerce | Unknown | Non-compliance with general data processing principles | The French DPA has imposed a fine of EUR 5,000 on a bakery. The DPA found that the controller had violated its information obligations and the principle of data minimization in the context of data processing involving video surveillance. | link |
2421 | FRANCE | French Data Protection Authority (CNIL) | 2024-05-23 | 6,000 | Public educational institution | Public Sector and Education | Unknown | Non-compliance with general data processing principles | The French DPA has imposed a fine of EUR 6,000 on a public educational institution for violating the principle of data minimization and its information obligations under the GDPR. | link |
2422 | FRANCE | French Data Protection Authority (CNIL) | 2024-04-25 | 16,000 | Association | Individuals and Private Associations | Art. 6 GDPR | Insufficient legal basis for data processing | The French DPA has imposed a fine of EUR 16,000 on an association for processing personal data without a sufficient legal basis. | link |
2423 | FRANCE | French Data Protection Authority (CNIL) | 2024-01-31 | 5,000 | Dentist | Health Care | Unknown | Insufficient fulfilment of data subjects rights | The French DPA has imposed a fine of EUR 5,000 on a dentist due to a lack of data security and a failure to respect the right of access of a data subject. | link |
2424 | FRANCE | French Data Protection Authority (CNIL) | 2024-05-25 | 10,000 | Association | Individuals and Private Associations | Unknown | Non-compliance with general data processing principles | The French DPA has fined an association EUR 10,000 due to a lack of data security, non-compliance with the principle of data minimisation and a failure to comply with its information obligations under the GDPR. | link |
2425 | FRANCE | French Data Protection Authority (CNIL) | 2024-05-25 | 15,000 | Association | Individuals and Private Associations | Unknown | Non-compliance with general data processing principles | The French DPA has fined an association EUR 15,000 due to a lack of data security, non-compliance with the principle of data minimisation and a failure to comply with its information obligations under the GDPR. | link |
2426 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-03-16 | 145,000 | AFIANZA ASESORES S.L. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 145,000 on AFIANZA ASESORES S.L. The controller had reported a data breach to the DPA, stating that a backpack containing a USB stick with personal data (including data relating to court proceedings) had been stolen. During its investigation, the DPA found that the USB stick was not encrypted and that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2427 | ITALY | Italian Data Protection Authority (Garante) | 2024-06-20 | 10,000 | TS Food Processing s.r.l. | Employment | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 10,000 on TS Food Processing s.r.l. A data subject (a former employee) had filed a complaint with the DPA due to the controller’s failure to properly comply with a request for access to their personal data stored with the controller. | link |
2428 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-05-20 | 336,000 | Company | Health Care | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 336,000 on a company. The company had suffered a ransomware attack on their systems which resulted in the loss of personal data. During its investigation the DPA found that the company had failed to install adequate technical and organizational measures to protect personal data, allowing such an attack to occur. | link |
2429 | FRANCE | French Data Protection Authority (CNIL) | 2024-01-31 | 10,000 | Unknown | Not assigned | Unknown | Unknown | The French DPA has imposed a fine of EUR 10,000 on a data controller due to data security vulnerabilities. | link |
2430 | FRANCE | French Data Protection Authority (CNIL) | 2024-01-31 | 20,000 | Website editor | Not assigned | Unknown | Unknown | The French DPA has imposed a fine of EUR 20,000 on a website editor for data security vulnerabilities. | link |
2431 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-08-12 | 270,000 | UNIQLO EUROPE, LTD, SUCURSAL EN ESPAÑA | Employment | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on UNIQLO EUROPE, LTD, SUCURSAL EN ESPAÑA. An individual who provided services to the controller filed a complaint with the DPA due to the fact that, after requesting their payslip, they received a document containing their payslip and those of 446 employees. The document revealed data such as name, surname and bank account number of the data subjects. During its investigation, the DPA found that the controller failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident. The original fine of EUR 450,000 was reduced to EUR 270,000 due to immediate payment and admission of responsibility. | link |
2432 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2024-08-14 | 26,800 | Municipality of Vejen | Public Sector and Education | Unknown | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 26,800 on the municipality of Vejen. The municipality had suffered a security incident involving the theft of three unencrypted computers containing information about children. During its investigation, the DPA found that 300 other computers were not encrypted either. | link |
2433 | GERMANY | Data Protection Authority of Niedersachsen | 2023 | 16,600 | Company | Real Estate | Art. 6 GDPR, Art. 12 GDPR, Art. 26 GDPR | Unknown | The DPA of Niedersachsen has imposed a fine of EUR 16,600 on a company in the real estate industry for failing to conclude a joint controllership agreement. In addition, the controller had collected personal data without a legal basis and had not complied with a deletion request in good time. | link |
2434 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-07-04 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera which also recorded parts of a neighbouring property and the public space. The DPA considered this to be a violation of the principle of data minimization. | link |
2435 | GERMANY | Data Protection Authority of Hamburg | 2024 | 16,000 | Hotel | Accomodation and Hospitalty | Unknown | Insufficient legal basis for data processing | The DPA of Hamburg has imposed a fine of EUR 16,000 on a hotel for processing ID card data without a legal basis. | link |
2436 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-26 | 4,000 | ALTERNATIVA CORELLANA INDEPENDIENTE | Individuals and Private Associations | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined ALTERNATIVA CORELLANA INDEPENDIENTE EUR 4,000 for failing to provide information requested by the DPA. | link |
2437 | GERMANY | Data Protection Authority of Hamburg | 2024 | 6,000 | Online retailer | Industry and Commerce | Unknown | Insufficient fulfilment of data breach notification obligations | The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner. | link |
2438 | GERMANY | Data Protection Authority of Hamburg | 2024 | Unknown | Private individual | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | The DPA of Hamburg has imposed a fine on a private individual for recording a video of their neighbor in the bathroom without their consent. | link |
2439 | GERMANY | Data Protection Authority of Hamburg | 2024 | Unknown | Private individual | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | The DPA of Hamburg has imposed five fines on private individuals for taking or storing photos of individuals without their consent. | link |
2440 | GERMANY | Data Protection Authority of Hamburg | 2024 | Unknown | Police employees | Individuals and Private Associations | Unknown | Insufficient legal basis for data processing | The DPA of Hamburg has imposed two fines on members of the police for accessing police databases for private research purposes. | link |
2441 | GERMANY | Data Protection Authority of Hamburg | 2024 | Unknown | Company | Not assigned | Unknown | Insufficient technical and organisational measures to ensure information security | The DPA of Hamburg has imposed a fine on a company due to technical security vulnerabilities in its support ticket systems. | link |
2442 | GERMANY | Data Protection Authority of Hamburg | 2024 | Unknown | Company | Not assigned | Unknown | Insufficient technical and organisational measures to ensure information security | The DPA of Hamburg has imposed a fine on a company due to technical security vulnerabilities in its support ticket systems. | link |
2443 | GERMANY | Data Protection Authority of Hamburg | 2024 | 11,500 | Company | Industry and Commerce | Unknown | Insufficient technical and organisational measures to ensure information security | The DPA of Hamburg imposed a fine of EUR 11,500 on a company operating in the advertising industry for failing to comply with its deletion obligations. In addition, it was found that the company’s IT system showed technical security gaps. | link |
2444 | GERMANY | Data Protection Authority of Hamburg | 2024 | 32,000 | Company | Transportation and Energy | Unknown | Insufficient technical and organisational measures to ensure information security | The DPA of Hamburg has imposed a fine of EUR 32,000 on a logistics company for incorrectly disposing of delivery lists. | link |
2445 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2024-09-06 | 20,900 | Eidskog municipality | Public Sector and Education | Art. 6 GDPR | Insufficient legal basis for data processing | The Norwegian DPA imposed a fine of EUR 20,900 on Eidskog municipality for giving two former employees access to a whistleblower’s report without redacting sensitive health and financial data. The DPA found that the municipality had no legal basis for processing this information and had previously published confidential information about the whistleblower. | link |
2446 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-09-02 | 19,800 | National Prosecutor’s Office | Public Sector and Education | Art. 6 (1) GDPR, Art. 9 (1) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR | Insufficient legal basis for data processing | The Polish DPA has imposed a fine of EUR 19,800 on the National Prosecutor’s Office. During a press conference, the public prosecutor’s office disclosed an individual’s personal data, such as their first and last name and special categories of data, without a valid legal basis. The DPA also found that the controller failed to report the data breach to the DPA and the data subject. | link link |
2447 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2024-07-22 | 290,000,000 | Uber Technologies Inc., Uber B.V. | Employment | Art. 44 GDPR | Non-compliance with general data processing principles | The Dutch DPA has imposed a fine of EUR 290 million on Uber for transferring personal data of European drivers to the USA without sufficient privacy safeguards. The DPA launched an investigation after 170 French drivers filed complaints with the ‘Ligue des droits de l’Homme’. The DPA’s investigation revealed that Uber had stored sensitive personal data—such as location information, payment details, identity documents, and health data—on US servers without adequate safeguards for over two years. Since the European Court of Justice declared the EU-US Privacy Shield invalid, the transfer of personal data to the USA is only permitted under certain conditions that must ensure a level of protection for personal data that is equivalent to the level of protection within the EU. However, Uber had not used sufficient safeguards such as the so-called ‘standard contractual clauses’ since August 2021, which meant that the personal data of drivers from the EU was inadequately protected. Only at the end of 2023 did Uber begin to apply the successor to the Privacy Shield, the EU-US Data Privacy Framework, to secure the transfer of data to the USA. | link link |
2448 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2024-05-16 | 30,500,000 | Clearview AI Inc. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 9 (1) GDPR, Art. 12 (1), (2) GDPR, Art. 14 (1), (2) GDPR, Art. 27 (1) GDPR | Non-compliance with general data processing principles | The Dutch DPA has fined Clearview AI Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company’s database had been processed unlawfully and without a valid legal basis. Furthermore, the company violated the principle of transparency by failing to adequately inform data subjects about the processing of their data. Additionally, the company did not respond to two access requests from data subjects. The company also failed to facilitate the right of access of data subjects located within the territory of the Netherlands. Lastly, the company had not appointed a representative within the European Union as required under the GDPR. | link link link |
2449 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2024-08-29 | 3,200,000 | Apoteket AB | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 3.2 million on Apoteket AB. The controller had used so-called Meta pixels on its website which, due to incorrect settings, caused personal data of customers to be transmitted to Meta. The controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to avoid such an incident. | link link |
2450 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2024-08-29 | 698,000 | Apohem AB | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 698,000 on Apohem AB. The controller had used so-called meta pixels on its website which, due to incorrect settings, caused personal data of customers who had consented to marketing cookies to be transmitted to Meta. The controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to avoid such an incident. The decision has been appealed and the process is ongoing. | link link |
2451 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-06-25 | 300 | Private individual | Individuals and Private Associations | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 300 on a private individual. The individual had installed a video surveillance camera in their garage area, which however also recorded parts of a neighboring property. The DPA considered this to be a violation of the principle of data minimization. | link |
2452 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-09-23 | 2,000 | PPC ENERGIE MUNTENIA S.A. | Transportation and Energy | Art. 12 (3) GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 2,000 on PPC ENERGIE MUNTENIA S.A. for failing to respond to a data subject’s request for the deletion of their personal data in a timely manner. | link |
2453 | GREECE | Hellenic Data Protection Authority (HDPA) | 2024-09-23 | 1,400 | Attorney | Finance, Insurance and Consulting | Art. 12 (3) GDPR, Art. 31 GDPR | Insufficient fulfilment of data subjects rights | The Hellenic DPA has imposed a fine of EUR 1,400 on an attorney. An individual had filed a complaint with the DPA because the controller did not adequately respond to their request for access to their personal data in a case file. Furthermore, the DPA found that the controller had not sufficiently cooperated with the DPA. | link link |
2454 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-09-16 | 1,000 | SC Class IT Outsourcing SRL | Industry and Commerce | Art. 12 (3) GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 1,000 on SC Class IT Outsourcing SRL for failing to respond to a data subject’s request for the deletion of their personal data in a timely manner. | link |
2455 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-09-16 | 3,000 | Vodafone România SA | Media, Telecoms and Broadcasting | Art. 12 (3) GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 3,000 on Vodafone România SA for failing to respond to a data subject’s request for access to and deletion of their personal data in a timely manner. | link |
2456 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-09-17 | 3,000 | Constanța South Container Terminal SRL | Transportation and Energy | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on Constanța South Container Terminal SRL. The controller had suffered a data breach in which personal data of employees had been unlawfully accessed. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organisational measures to protect personal data. | link |
2457 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-08-20 | 940,000 | mBank | Finance, Insurance and Consulting | Art. 34 (1), (2) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened, meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller informed the DPA of the incident, it failed to notify the data subjects in a timely manner. | link link |
2458 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2024-09-04 | 12,700 | University of Agder | Public Sector and Education | Art. 32 GDPR, Art. 24 GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA has fined the University of Agder (UiA) EUR 12,700. An employee of UiA had discovered that documents containing personal data of employees, students and external individuals were stored in open Microsoft Teams folders and that employees with no business need were able to access them. During its investigation, the DPA found that UiA had failed to implement appropriate technical and organisational measures to protect personal data. | link |
2459 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-08-22 | 50,000 | SANTANDER CONSUMER FINANCE, S.A. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 50,000 on SANTANDER CONSUMER FINANCE, S.A. The fine followed a complaint from an individual who received advertising from the company, despite having previously informed them that their personal data should only be used for managing their credit card. The controller stated that this incident had occurred due to an employee error. | link |
2460 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-08-06 | 10,000 | LOCAL VERTICALS, S.L. | Not assigned | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has fined LOCAL VERTICALS, S.L. EUR 10,000. An individual filed a complaint with the DPA because they could not access the privacy policy during the registration process on the controller’s website. The link to the privacy policy led to a third-party company’s website, making it impossible for the data subject to obtain the required information regarding data processing. | link |
2461 | IRELAND | Data Protection Authority of Ireland | 2024-09-27 | 91,000,000 | Meta Platforms Ireland Limited | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR, Art. 33 (1), (5) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish DPA (DPC) has imposed a fine of EUR 91 million on Meta Platforms Ireland Limited (MPIL). The DPC had initiated an investigation after MPIL reported that user passwords had been stored unencrypted on internal systems; however, external parties did not have access to these passwords. During the investigation, the DPC found that MPIL had not implemented appropriate technical and organizational measures to protect personal data, as the passwords should have been stored in encrypted form. The DPC noted that storing unencrypted passwords increases the risk of misuse. Furthermore, MPIL failed to report and properly document a data breach involving the storage of unencrypted passwords. | link |
2462 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-07-05 | 10,000 | Clinic owner | Health Care | Art. 6 (1) GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined the owner of a plastic surgery clinic EUR 10,000. The controller posted before-and-after pictures of an individual who had undergone surgery at the clinic on social media (Facebook and Instagram) without obtaining the individual’s consent. | link |
2463 | ITALY | Italian Data Protection Authority (Garante) | 2024-09-26 | 4,000 | CI & DI Food s.r.l. | Employment | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA imposed a fine of EUR 4,000 against CI & DI Food s.r.l. for failing to comply with a former employee’s request for access to their personal data. | link |
2464 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-07-11 | 600 | ASSOCIACIO CANNABICA DEL MARESME ACANNAM | Individuals and Private Associations | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has imposed a fine of EUR 600 on ASSOCIACIO CANNABICA DEL MARESME ACANNAM. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly provided information about the data processing by the cameras and thus violated its duty to inform. | link |
2465 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-08-06 | 1,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined a private individual EUR 1,000. The controller had uploaded images from their video surveillance camera to Instagram showing, amongst others, a minor and members of the national armed forces. During its investigation, the DPA found that the controller had no valid legal basis for uploading these images. | link |
2466 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-08-30 | 4,500 | Unknown | Not assigned | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 4,500 for failing to provide information requested by the DPA during an investigation. | link |
2467 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-07-10 | 5,000 | Unknown | Not assigned | Art. 31 GDPR, Art. 58 (1) a), e) GDPR | Insufficient cooperation with supervisory authority | The Polish DPA has fined a data controller EUR 5,000 for failing to provide information requested by the DPA during an investigation. | link |
2468 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-06-13 | 9,200 | Healthcare facility | Health Care | Art. 24 (1) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR, Art. 34 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 9,200 on a healthcare facility. The company suffered a ransomware attack on its systems, resulting in the loss of personal data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such incidents. Furthermore, the controller failed to notify the data subjects about the incident. | link |
2469 | IRELAND | Data Protection Authority of Ireland | 2024-10-24 | 310,000,000 | LinkedIn | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 6 (1) a), e), f) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR | Insufficient legal basis for data processing | The Irish DPA (DPC) has fined LinkedIn EUR 310 million. This decision is related to an investigation following a complaint in 2018 from the French NGO ‘La Quadrature Du Net’. In July 2024, the DPC issued a draft decision under the GDPR cooperation mechanism under Art. 60 GDPR, to which no objections were raised. During its investigation, the DPC found that LinkedIn had no valid legal basis for processing user data for the purposes of behavioral analysis and targeted advertising. The DPC found that LinkedIn could not rely on Art. 6 (1) a) GDPR, as the consent of the users did not appear to be freely given, informed and unambiguous. Furthermore, according to the DPC, LinkedIn could not rely on Art. 6 (1) f) GDPR, as the interests, fundamental rights and freedoms of the users outweighed the interests of LinkedIn. The DPC also ruled that LinkedIn could not rely on Article 6 (1) b) GDPR as a legal basis. Finally, the DPC also found that LinkedIn had not provided users with sufficient information about the data processing in accordance with Art. 13 (1) c) GDPR and Art. 14 (1) c) GDPR. | link |
2470 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-10-16 | 3,000 | Your Consulting SRL | Not assigned | Art. 25 (1) GDPR, Art. 32 (1) a), b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 3,000 on Your Consulting SRL. The controller had suffered a data breach involving the unauthorized disclosure of personal data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to avoid such incidents. | link |
2471 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-10-23 | 10,000 | Profi Rom Food SRL | Employment | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Romanian DPA has imposed a fine of EUR 10,000 on Profi Rom Food SRL. During its investigation, the DPA found that the controller had forwarded copies of several employees’ ID cards to a company providing services to the controller, without a valid legal basis. | link |
2472 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-10-28 | 5,000 | Vodafone Romania S.A. | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA fined Vodafone Romania S.A. EUR 5,000 for sending emails to different recipients without including them in the blind carbon copy (BCC) list. This resulted in the unauthorized disclosure of email addresses to other recipients. | link |
2473 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-22 | 180,000 | IBERCAJA BANCO, S.A. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has fined IBERCAJA BANCO, S.A. for unlawfully accessing a customer’s credit file after the termination of their contractual relationship. The DPA concluded that without an existing contractual relationship, the bank had no valid legal basis for the access. The original fine of EUR 300,000 was reduced to EUR 180,000 due to immediate payment and admission of responsibility. | link |
2474 | ITALY | Italian Data Protection Authority (Garante) | 2024-07-04 | 900,000 | Postel S.p.A | Not assigned | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 900,000 on Postel S.p.A. The company suffered a ransomware attack that resulted in the loss of access to files containing personal data of approximately 25,000 individuals. Data subjects included employees, former employees, and job applicants. The compromised data included contact details, identification details, payment details, and criminal records (special category data) of the data subjects. Although the company had been aware of the security vulnerability (following a report from the software manufacturer), it had not updated its systems. For this reason, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident. Furthermore, the company failed to provide the DPA with sufficient information on the incident. | link link |
2475 | ITALY | Italian Data Protection Authority (Garante) | 2024-09-12 | 5,000 | Top Quality Corporation s.r.l.s. | Employment | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 5,000 on Top Quality Corporation s.r.l.s. A data subject (former employee) had filed a complaint with the DPA due to the controller’s failure to properly comply with a request for access to their personal data. | link |
2476 | ITALY | Italian Data Protection Authority (Garante) | 2024-09-12 | 400 | Private individual | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 400 on a private individual. The individual had installed video surveillance cameras, which however also recorded parts of neighboring properties. | link |
2477 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-08-20 | 8,000 | Ana Hotels SRL | Accomodation and Hospitalty | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has fined Ana Hotels SRL EUR 8,000. The controller had suffered a data breach which resulted in the unauthorized disclosure of personal data processed and stored in their IT systems. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. | link |
2478 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-10-30 | 15,000 | Untold SRL | Not assigned | Art. 12 (3), (4) GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 15,000 on Untold SRL. During its investigation, the DPA found that the controller had failed to properly comply with a data subject’s request for access to and deletion of their personal data. | link |
2479 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2024-11-04 | 1,000 | Blackcab Systems SRL | Transportation and Energy | Art. 12 (3) GDPR, Art. 15 (1), (3) GDPR | Insufficient fulfilment of data subjects rights | The Romanian DPA has imposed a fine of EUR 1,000 on Blackcab Systems SRL. An individual lodged a complaint with the DPA, alleging that the controller had failed to properly respond to their request for access regarding their personal data. During its investigation, the DPA found that the controller had not been able to prove that they had properly addressed the data subject’s request. | link |
2480 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-08-06 | 2,000 | Private individual | Individuals and Private Associations | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 2,000 on a private individual for installing video surveillance cameras without a valid legal basis. | link |
2481 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-09-05 | 3,000 | PLAY FUL KIDS, S.L. | Not assigned | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA imposed a fine of EUR 3,000 on PLAY FUL KIDS, S.L. due to an incident that occurred during a children’s birthday party on the premises of the controller involving guests and employees. Following the event, the guests posted negative reviews on Google. In response, the data controller shared surveillance footage showing minor guests without a valid legal basis via WhatsApp to pressure the guests into withdrawing their reviews. | link |
2482 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2024-10-21 | 20,800 | Grue municipality | Public Sector and Education | Art. 24 GDPR, Art. 32 (1) b) GDPR | Insufficient technical and organisational measures to ensure information security | The Norwegian DPA fined Grue municipality EUR 20,800 following the municipality’s notification of a data breach. The municipality reported that personal data of students had been unlawfully published on a public portal. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to ensure the protection of personal data. | link |
2483 | ITALY | Italian Data Protection Authority (Garante) | 2024-07-17 | 80,000 | Selectra S.p.A. | Employment | Art. 5 (1) a), c), e) GDPR, Art. 13 GDPR, Art. 88 GDPR, Art. 114 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 80,000 on Selectra S.p.A. A former employee had lodged a complaint with the DPA on the grounds that the controller was able to access their e-mail inbox even after the termination of the employment relationship. The DPA found that such a long retention period for e-mails (in some cases three years after the termination of the employment relationship) was excessive. The DPA also found that the controller had not provided the data subjects with sufficient information about the data processing (e.g. regarding the retention period for e-mail data). | link link |
2484 | IRELAND | Data Protection Authority of Ireland | 2024-12-17 | 251,000,000 | Meta Platforms Ireland Limited | Media, Telecoms and Broadcasting | Art. 33 (3), (5) GDPR, Art. 25 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited EUR 251 million. The fine was imposed for data protection violations related to a data breach that occurred in 2018 and affected 29 million Facebook accounts worldwide, including 3 million in the EU/EEA. Compromised data included names, email addresses, phone numbers, and children’s data. The breach resulted from the exploitation of user tokens on the platform by unauthorized third parties. The DPC found that Meta had violated Art. 33 GDPR (EUR 11 million), as information was missing from the data breach notification, for example. The DPC also found violations of Art. 25 GDPR (EUR 240 million), concluding that Meta had failed to ensure that data protection principles were protected in the design of processing systems and had failed in its obligations as a controller to ensure that, by default, only personal data that are necessary for specific purposes are processed. | link |
2485 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-10-18 | 5,800 | Unknown | Not assigned | Art. 37 (1) a) GDPR, Art. 37 (7) GDPR | Insufficient involvement of data protection officer | The Polish DPA has imposed a fine of EUR 5,800 on a data controller. The controller failed to appoint a data protection officer and to provide the DPA with the contact details in a timely manner. | link |
2486 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-09-11 | 600 | KVIKU SPAIN, S.L | Finance, Insurance and Consulting | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined KVIKU SPAIN, S.L. EUR 600 for failing to provide information requested by the DPA. | link |
2487 | GERMANY | Data Protection Authority of Hamburg | 2024-11-12 | 900,000 | Debt collection service provider | Finance, Insurance and Consulting | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The DPA of Hamburg has imposed a fine of EUR 900,000 on a debt collection service provider. The company had unlawfully stored personal data (amounting to a six-digit number of data records) for up to five years after the erasure deadlines. The company admitted the violation, cooperated with the authorities and accepted the fine. | link |
2488 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-04 | 600 | VOLTIUM CONSULTORES 2020 | Not assigned | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined VOLTIUM CONSULTORES 2020 EUR 600 for failing to provide information requested by the DPA. | link |
2489 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-18 | 200,000 | VODAFONE ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on Vodafone España, S.A.U. An individual had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account. | link |
2490 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-11-19 | 200,000 | VODAFONE ESPAÑA, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on Vodafone España, S.A.U. An individual had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account. | link |
2491 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-11-20 | 358,000 | Unknown | Not assigned | Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 25 (1) GDPR, Art. 28 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 358,000 on a company. The company had inadvertently published customer data (first name, last name, email address, home address, encrypted passwords) in the process of redesigning its website. The incident affected approximately 20,000 data subjects. The DPA found that the controller had not sufficiently ensured the security of personal data during the process, for example, by conducting regular tests and risk assessments. Instead, it relied on information provided by the hired subcontractor without proper oversight. | link |
2492 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-11-20 | 4,700 | Unknown | Not assigned | Art. 28 (3) c), f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has imposed a fine of EUR 4,700 on a subcontractor that was contracted to redesign the website of another company. This fine is linked to ETid-2491. Due to an error by an employee of the subcontractor, customer data (including first name, last name, email address, address, and encrypted passwords) was accidentally published on the website during the redesign process. The incident affected approximately 20,000 data subjects. During its investigation, the DPA found that the subcontractor had failed to implement and verify appropriate technical and organizational measures to protect personal data, which could have prevented such an incident. | link |
2493 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-11-26 | 6,900 | Hospital | Health Care | Art. 33 (1) GDPR, Art. 34 (1), (2) GDPR | Insufficient fulfilment of data breach notification obligations | The Polish DPA has fined a district hospital in Września EUR 6,900 for failing to report a data breach to the DPA and data subjects in a timely manner. A patient had accidentally received another individual’s medical records and was able to access their personal data. | link |
2494 | CROATIA | Croatian Data Protection Authority (azop) | 2024-09-13 | 190,000 | Hospital | Health Care | Art. 5 (1) e) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 13 (1) c) GDPR, Art. 13 (2) a), b) GDPR, Art. 32 (1) b) GDPR, Art. 33 (1) GDPR, Art. 38 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Croatian DPA (AZOP) has imposed a fine of EUR 190,000 on a hospital. The hospital had suffered a data breach in which radiological image files were irrevocably lost. AZOP had received several complaints from data subjects whose personal data, including medical images, could not be provided. The investigation revealed that the hospital failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data were made (violation of Art. 32 (1) b) GDPR). Moreover, the hospital did not report the incident within the required 72 hours after becoming aware of it (violation of Art. 33 (1) GDPR). The hospital had also failed to enter into a data processing agreement with the service provider responsible for implementing and maintaining the system (violation of Art. 28 (3) GDPR). Further violations included the unclear definition of retention periods for personal data from recorded telephone conversations (violation of Art. 5 (1) e) GDPR) and the unlawful recording of conversations lacking a legal basis (violation of Art. 6 (1) GDPR). Additionally, the clinic did not inform patients in clear and plain language about the processing of their personal data when they called the call center, nor did it provide all the necessary information about the collection of personal data through the recording of these conversations (violation of Art. 12 (1) GDPR, Art. 13 (1) c) GDPR and Art. 13 (2) a), b) GDPR). Finally, AZOP found that the data protection officer was not involved in the development or adaptation of data protection guidelines and in questions regarding the recording and storage of telephone conversations (Art. 38 (1) GDPR). | link |
2495 | CROATIA | Croatian Data Protection Authority (azop) | 2024-09-13 | 35,700 | Company | Not assigned | Unknown | Unknown | The Croatian DPA (AZOP) has imposed fines totaling EUR 35,700 on nine companies for failing to adequately indicate their video surveillance areas and for failing to provide all the necessary information on data processing related to video processing. | link |
2496 | CROATIA | Croatian Data Protection Authority (azop) | 2024-09-13 | 45,000 | Hotel | Accomodation and Hospitalty | Unknown | Unknown | The Croatian DPA (AZOP) has imposed a fine of EUR 45,000 on two hotels for unlawfully processing personal data through the use of cookies. | link |
2497 | ITALY | Italian Data Protection Authority (Garante) | 2024-11-02 | 15,000,000 | OpenAI OpCo LLC | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 15 million on OpenAI in connection with the operation of the generative AI chatbot “ChatGPT”. The DPA found that OpenAI had violated provisions of the GDPR, inter alia, by failing to notify the DPA of a data breach that occurred in 2023, by using users’ personal data to train ChatGPT without providing a valid legal basis for such processing, and by violating the principle of transparency. Additionally, OpenAI did not implement age verification, potentially risking exposure of children under 13 to inappropriate content. Furthermore, the DPA ordered OpenAI to carry out a six-month public information campaign to educate users on how ChatGPT processes data and how they can exercise their GDPR rights. | link link |
2498 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-11-07 | 2,000 | KAFFA KOFFEE ORGANISATION, S.L. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA fined KAFFA KOFFEE ORGANISATION, S.L. EUR 2,000 for sending emails to different recipients without including them in the blind carbon copy (BCC) list. This resulted in the unauthorized disclosure of email addresses to the other recipients. | link |
2499 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-03 | 300 | Private individual | Individuals and Private Associations | Art. 13 GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 300 on a data controller. The controller had installed a video surveillance system without adequately providing information for data subjects. | link |
2500 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-31 | 12,000 | NEGOCIOS R&R 2020 S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined NEGOCIOS R&R 2020 S.L. EUR 12,000 for failing to provide information requested by the DPA. | link |
2501 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-31 | 4,000 | GESTIÓN DE VENTAS IBERIA S.L. | Industry and Commerce | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has fined GESTIÓN DE VENTAS IBERIA S.L. EUR 4,000 for failing to provide information requested by the DPA. | link |
2502 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-04 | 900 | Private individual | Individuals and Private Associations | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 900 on a private individual for failing to prove compliance with an order issued by the DPA. | link |
2503 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2025-01-20 | 15,000 | Vodafone Romania S.A. | Media, Telecoms and Broadcasting | Art. 32 (1) b) GDPR, Art. 32 (4) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 15,000 on Vodafone Romania S.A. Personal data such as names, email addresses and customer numbers were repeatedly disclosed due to inadequate security measures, e.g. the unauthorized sending of invoice details or incorrect use of the “BCC” function. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2504 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2025-01-17 | 2,000 | DELIVERY SOLUTIONS S.A. | Industry and Commerce | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 2,000 on DELIVERY SOLUTIONS S.A. A security incident led to the unauthorized disclosure of personal data (name, address, telephone number, email address) caused by the misuse of valid access credentials. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2505 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2025-01-23 | 5,000 | Softehnica S.R.L. | Industry and Commerce | Art. 32 (1) b) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA has imposed a fine of EUR 5,000 on Softehnica S.R.L. The controller had suffered a ransomware attack, which allowed unauthorized third parties to gain access to the IT systems and thereby access personal data such as the name, place of residence, email address, etc. of the data subjects. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. | link |
2506 | FINLAND | Deputy Data Protection Ombudsman | 2024-12-17 | 950,000 | Sambla Group Oy | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 25 (1), (2) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Finnish DPA has imposed a fine of EUR 950,000 on Sambla Group Oy. Security vulnerabilities in two of its comparison portals allowed unauthorized persons to access personal data, such as income, housing costs, and marital status of credit applicants, via unsecured links. | link link |
2507 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2024-11-26 | 4,750,000 | Netflix International B.V. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 12 (1) GDPR, Art. 13 (1) c), e), f) GDPR, Art. 13 (2) GDPR, Art. 15 (1) a), c), d) GDPR | Insufficient fulfilment of information obligations | The Dutch DPA has imposed a fine of EUR 4.75 million on Netflix. This fine is based on a complaint filed by the Austrian organization ‘noyb’. During its investigation, the DPA found that between 2018 and 2020, Netflix did not sufficiently inform customers about the processing of their personal data. The privacy policy was partly unclear and, for example, did not provide sufficient information on the purpose and legal basis of the data collection and use. In addition, requests from data subjects regarding retained data were not answered adequately. Netflix has since revised the privacy policy. | link link |
2508 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-09-26 | 1,300,000 | TELEFÓNICA DE ESPAÑA SAU | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1.3 million on TELEFÓNICA DE ESPAÑA SAU. The controller had reported a security incident to the DPA, stating that it had suffered a cyber attack that allowed unauthorised third parties to access personal customer data via an employee’s account. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organisational measures to protect personal data that could have prevented such an incident. The fine is composed as follows: EUR 500,000 for the violation of Art. 5 (1) f) GDPR and EUR 800,000 for the violation of Art. 32 GDPR. | link |
2509 | THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2024-12-23 | 40,000 | Coolblue B.V. | Industry and Commerce | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Dutch DPA has imposed a fine of EUR 40,000 on Coolblue. The company collected personal data via cookies without users’ explicit consent, relying on pre-ticked consent boxes. | link link |
2510 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-11-22 | 220,000 | CARTONAJES BAÑERES, S.A. | Employment | Art. 15 GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has fined CARTONAJES BAÑERES, S.A. EUR 220,000. During its investigation, the DPA found that the controller had failed to grant a former employee access to their personal data. The DPA also found that the controller had failed to carry out a data protection impact assessment regarding the operation of a biometric facial recognition system installed to track working hours. | link |
2511 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-11-06 | 1,000 | MINAS DE VALDECASTILLO, S.A. | Industry and Commerce | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 1,000 on MINAS DE VALDECASTILLO, S.A. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly provided information about the data processing by the cameras and thus violated its duty to inform. | link |
2512 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-31 | 900 | RIVENDELL TECHNOLOGY, S.L. | Not assigned | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 900 on RIVENDELL TECHNOLOGY, S.L. for failing to prove compliance with an order issued by the DPA. | link |
2513 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-11-13 | 500 | 4T OCIO Y CAFÉ 2009, S.L. | Accommodation and Hospitality | Art. 6 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 500 on 4T OCIO Y CAFÉ 2009, S.L. for installing a video surveillance system without the express consent of the owners’ association of the building in question. | link link |
2514 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-10 | 4,000,000 | GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 4 million on GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS. The controller had suffered a data breach in which unknown third parties gained access to the customer data management system using a broker’s credentials, which allowed them to access customer data such as name, IBAN and personal identification number. The incident affected approximately 1.5 million individuals. During its investigation, the DPA found, in particular, that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident. The DPA also found that the controller had failed to carry out a data protection impact assessment, although this was deemed necessary given the significant number of customers and the fact that the controller was consequently processing personal data of those data subjects on a large scale. The original fine of EUR 5 million was reduced to EUR 4 million due to immediate payment. | link |
2515 | CYPRUS | Cypriot Data Protection Commissioner | 2024-09-04 | 3,000 | Senira Limited | Finance, Insurance and Consulting | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The Cypriot DPA fined Senira Limited EUR 3,000 for failing to sufficiently cooperate with the DPA. | link link |
2516 | ITALY | Italian Data Protection Authority (Garante) | 2024-11-13 | 678,897 | Illumia Spa | Transportation and Energy | Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA has imposed a fine of EUR 678,897 on the energy company Illumia Spa for unlawfully processing personal data for marketing purposes. The fine follows complaints from users who received unwanted advertising calls from call centers working on behalf of Illumia. The DPA found that the company had not carried out sufficient controls along the entire telemarketing supply chain. Among other things, advertising calls were made without a legal basis, and necessary technical and organizational measures were only implemented after a delay. | link link |
2517 | FRANCE | French Data Protection Authority (CNIL) | 2025-02-04 | 40,000 | Real estate company | Employment | Art. 5 (1) c) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | The French DPA imposed a fine of EUR 40,000 on a real estate company for inappropriately monitoring its employees. A software program recorded “periods of inactivity” and regularly took screenshots of the computers of employees working from home. The program automatically detected when an employee made no keyboard or mouse movements for a period of 3 to 15 minutes. In addition, the employees in the offices were continuously filmed. The DPA considered these measures disproportionate and also found that the collected data was not adequately secured. The company had also failed to adequately inform employees about the surveillance and to carry out a data protection impact assessment. | link link |
2518 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-01-17 | 273,000 | Centrum Medyczne Ujastek Sp. z o.o. | Health Care | Art. 5 (1) a), f) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 9 (1) GDPR, Art. 13 (1), (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1), (2) GDPR | Non-compliance with general data processing principles | The Polish DPA has imposed two fines on the medical facility “Centrum Medyczne Ujastek” totaling approximately EUR 273,000. The first fine of approximately EUR 163,000 was imposed for the unlawful installation of surveillance equipment in two neonatal rooms. These devices recorded images of newborns and their mothers during intimate acts such as breastfeeding or care without informing patients or staff, which constitutes a violation of data protection regulations. The second fine, of around EUR 110,000, was imposed due to the loss or theft of memory cards on which these recordings were stored. The cards were not encrypted and the devices were not configured in accordance with the required security standards. It was also found that the center’s risk analysis did not take into account the dangers that led to this incident. | link link |
2519 | ITALY | Italian Data Protection Authority (Garante) | 2024-11-27 | 892,783 | E.ON Energia spa | Transportation and Energy | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 22 GDPR, Art. 24 GDPR, Art. 28 GDPR | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 892,738 on E.ON Energia spa for unlawfully processing personal data for telemarketing. The investigation was triggered by complaints from two individuals who received unsolicited calls and did not receive responses to their requests to exercise their rights under the GDPR. It was found that when the electricity and gas supplies were activated, the consents of data subjects were recorded incorrectly. E.ON failed to take appropriate measures to verify the accuracy of the consent given by customers and the corresponding data stored in its systems, which resulted in telemarketing being carried out without a lawful basis. Furthermore, the DPA found that there was a lack of sufficient control and training of the employees responsible for these activities. In another case, E.ON stated that the calls were made in response to a request from the data subject to be contacted, submitted in the context of a Facebook advertising campaign. However, the data subject stated that they had never been registered on Facebook. Along with the fine, E.ON was ordered to implement measures to ensure future compliance with data protection regulations. | link link |
2520 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-17 | 1,000 | KUR KLINIKUM, S.L. | Health Care | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 1,000 on KUR KLINIKUM, S.L. for failing to prove compliance with an order issued by the DPA. | link |
2521 | BELGIUM | Belgian Data Protection Authority (APD) | 2024-12-17 | 200,000 | Hospital | Health Care | Art. 5 (1) f) GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 35 (3) GDPR | Insufficient technical and organisational measures to ensure information security | The Belgian DPA has fined a hospital EUR 200,000. The hospital had suffered a ransomware attack through a vulnerability in the server, which paralyzed parts of the computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment. In addition, the DPA found that it did not have an adequate information security policy in place and failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident, such as employee training and the implementation of a process for security updates of IT equipment. | link |
2522 | ITALY | Italian Data Protection Authority (Garante) | 2024-12-12 | 20,000 | Physician | Health Care | Art. 5 GDPR, Art. 9 GDPR, Art. 2-septies (8) Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has imposed a fine of EUR 20,000 on a physician who had published images of a patient who had undergone cosmetic surgery on a social network without their consent. | link |
2523 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-11-13 | 2,500 | COYARE SLU | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA fined COYARE SLU EUR 2,500 for sending emails to different recipients without including them in the blind carbon copy (BCC) list. This resulted in the unauthorized disclosure of email addresses to the other recipients. | link |
2524 | ITALY | Italian Data Protection Authority (Garante) | 2024-12-14 | 2,000 | Maddaloni municipality | Public Sector and Education | Art. 37 (7) GDPR | Insufficient involvement of data protection officer | The Italian DPA has imposed a fine of EUR 2,000 on Maddaloni municipality for failing to provide the DPA with the contact details of its data protection officer in good time. | link |
2525 | ITALY | Italian Data Protection Authority (Garante) | 2024-12-14 | 2,000 | Torre Annunziata municipality | Public Sector and Education | Art. 37 (7) GDPR | Insufficient involvement of data protection officer | The Italian DPA has imposed a fine of EUR 2,000 on Torre Annunziata municipality for failing to provide the DPA with the contact details of its data protection officer in good time. | link |
2526 | ITALY | Italian Data Protection Authority (Garante) | 2024-09-12 | 842,062 | Sky Italia S.r.l. | Media, Telecoms and Broadcasting | Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR, Art. 130 Codice della privacy | Insufficient legal basis for data processing | The Italian DPA has fined Sky Italia EUR 842,062 for unlawful telemarketing. The investigation revealed that Sky contacted individuals without proper consent, including those registered in advertising opt-out lists and those who had given consent before the GDPR came into force, without reassessing its validity under the updated legal framework. Additionally, the documentation of consents obtained from data providers was deemed inadequate, as Sky stored consent details in modifiable Excel files, failing to ensure clear and verifiable proof of user consent. | link |
2527 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-18 | 100,000 | ATRIUM LEX SFC | Real Estate | Art. 13 GDPR, Art. 32 (1) GDPR | Insufficient fulfilment of information obligations | The Spanish DPA has imposed a fine of EUR 100,000 on the real estate management company ATRIUM LEX SFC. An investor had filed a complaint with the DPA because the controller had requested a copy of the investor’s ID card to enable them to receive information about a project. The DPA found that the controller had not provided sufficient information about this data processing and that the sending of copies of ID cards by email was not sufficiently secure. The DPA assessed this as a violation of Art. 13 GDPR and Art. 32 (1) GDPR. | link |
2528 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-23 | 300,000 | LÍNEA DIRECTA ASEGURADORA, S.A. | Finance, Insurance and Consulting | Art. 6 (1) GDPR, Art. 28 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 300,000 on LÍNEA DIRECTA ASEGURADORA, S.A. A data subject had filed a complaint with the DPA stating that they had inquired about a car insurance quote with Línea Directa and were subsequently contacted by one of Línea Directa’s processors. Without their consent, the processor had accessed their driving license points via the website of a traffic authority. | link |
2529 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-11-11 | 200,000 | Correo Inteligente Postal, S.L. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA fined Correo Inteligente Postal, S.L. EUR 200,000 after several incidents of undelivered letters containing personal data were reported. These letters, which contained personal data, were found disposed of in unauthorized locations and should have been delivered to the recipients by the responsible employees. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such incidents. The DPA also ordered the controller to implement a system to verify the traceability of the letters sent and provide employees with specific instructions on how to properly deliver the letters. | link |
2530 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-11-22 | 220,000 | CARTONAJES BAÑERES, S.A. | Employment | Art. 15 GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA imposed a fine of EUR 220,000 on CARTONAJES BAÑERES, S.A. following a complaint filed by a former employee. The employee had submitted a request to the controller for access to their personal data, particularly inquiring about the purpose and categories of data held. However, they did not receive a proper response. The employee also stated that the controller used a biometric facial recognition system that allowed employees to clock in and out, but did not offer an alternative method of recording attendance. During its investigation, the DPA found that the controller had failed to properly comply with the data subject’s request for access to their personal data. Furthermore, the DPA found that the controller had failed to carry out a risk assessment of the biometric system, which would have been necessary considering the risks that the processing of biometric data poses to data subjects. | link |
2531 | ITALY | Italian Data Protection Authority (Garante) | 2024-11-13 | 5,000,000 | Foodinho Srl | Employment | Art. 5 (1) a), c), d), e) GDPR, Art. 6 GDPR, Art. 9 (2) b) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 22 (3) GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR, Art. 35 GDPR, Art. 88 GDPR, Art. 2-septies Codice della privacy, Art. 114 Codice della privacy, Art. 47-quinquies Decreto legislativo 81/2015 | Non-compliance with general data processing principles | The Italian DPA has fined the food delivery service Foodinho Srl EUR 5 million for unlawfully processing the data of approximately 35,000 drivers and for several violations of the GDPR. The DPA’s investigation revealed that the company collected drivers’ location data without their knowledge or consent—not only during working hours but also when the app was running in the background or inactive. Additionally, the DPA found that the company shared driver data with third parties without a valid legal basis. The investigation also uncovered that automated data processing was used for functions such as the evaluation system and task allocation during shifts, but the company had failed to implement necessary GDPR measures, such as allowing human intervention or enabling drivers to contest decisions made through the automated systems. Furthermore, biometric data, including facial recognition, was used without a valid legal basis. The investigation also revealed that drivers whose accounts were blocked received only standardized messages, with no information provided about their rights to appeal. | link link |
2532 | SPAIN | Spanish Data Protection Authority (aepd) | 2023-12-27 | 6,500,000 | THE PHONE HOUSE SPAIN, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 6.5 million on THE PHONE HOUSE SPAIN, S.L. The controller had suffered a ransomware attack affecting personal data of 13 million individuals (e.g. customers and employees), which was exfiltrated and published on the deep web. The DPA’s investigation revealed that the controller had failed to implement appropriate technical and organisational measures to protect personal data, in order to prevent such an incident. | link |
2533 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-23 | 15,000 | HSSERVICE LIZCON SOLUTIONS, S.L. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 15,000 on HSSERVICE LIZCON SOLUTIONS, S.L. for failing to prove compliance with an order issued by the DPA. | link |
2534 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-16 | 70,000 | INTERURBANA DE AUTOBUSES, S.A. | Employment | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined INTERURBANA DE AUTOBUSES, S.A. EUR 70,000 after an employee filed a complaint over the publication of personal data on the company’s bulletin boards. According to the data controller, an error in the HR department led to printing a full list of the employees, including details such as home addresses, instead of the electoral roll, which is meant to include only the information necessary for union elections. The DPA considered this to be a violation of the principle of data minimization: on the one hand, more personal data than necessary for the election was published, and on the other hand, by posting it on the bulletin boards, there was a risk that third parties could see the data from outside through a window. | link |
2535 | ITALY | Italian Data Protection Authority (Garante) | 2024-07-17 | 5,000,000 | Hera Comm S.p.A. | Transportation and Energy | Art. 5 (1) a), b), d), e), f) GDPR, Art. 5 (2) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR, Art. 24 GDPR, Art. 28 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 5 million on Hera Comm S.p.A. The investigation was launched following numerous complaints. The energy supplier had failed to take adequate protective measures, allowing door-to-door agents to unlawfully conclude electricity and gas contracts in the name of unsuspecting customers. Many data subjects only discovered the activation of new contracts when they received bills or notifications, despite never having given their consent. The door-to-door agents involved had collected customer information, for example by photographing ID documents, and unlawfully used it to conclude contracts with fake signatures. During its investigation, the DPA found that the company had failed to implement adequate technical and organizational measures to prevent the unlawful use of customer data by door-to-door agents. Additionally, the DPA found that the controller failed to respond to data subject rights requests in a timely manner. | link link |
2536 | ITALY | Italian Data Protection Authority (Garante) | 2024-06-06 | 1,000,000 | CA Autobank S.p.A. | Transportation and Energy | Art. 12 (3) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The Italian DPA has imposed a fine of EUR 1 million on CA Autobank S.p.A. A person had filed a complaint with the DPA because a rental car voucher had been refused due to their inclusion in a “blacklist”. The complainant had then submitted a request to CA Autobank S.p.A. asking for information on the data that had caused this decision, but did not receive a sufficient reply. | link |
2537 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 16,000 | CAJA RURAL DEL SUR, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 16,000 on CAJA RURAL DEL SUR, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment. | link |
2538 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 12,000 | CAJA RURAL DE ARAGÓN, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 12,000 on CAJA RURAL DE ARAGÓN, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 15,000 was reduced to EUR 12,000 due to voluntary payment. | link |
2539 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 88,000 | CAJA RURAL DE EXTREMADURA S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 88,000 on CAJA RURAL DE EXTREMADURA S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 110,000 was reduced to EUR 88,000 due to voluntary payment. | link |
2540 | ITALY | Italian Data Protection Authority (Garante) | 2024-06-20 | 1,000,000 | Fastweb S.p.A. | Media, Telecoms and Broadcasting | Art. 5 (1) a), c), e) GDPR, Art. 5 (2) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 12 (1), (3) GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 16 GDPR, Art. 17 GDPR, Art. 18 GDPR, Art. 19 GDPR, Art. 20 GDPR, Art. 21 GDPR, Art. 22 GDPR, Art. 24 (1) GDPR, Art. 25 GDPR, Art. 130 Codice della privacy | Non-compliance with general data processing principles | The Italian DPA has imposed a fine of EUR 1 million on Fastweb S.p.A. due to unauthorized telemarketing, the unlawful storage of customer data after contract termination, and inadequate responses to data deletion requests. Fastweb made marketing calls to individuals listed in the public objection register and used customer data for advertising purposes for up to 24 months after contract termination—without a legal basis. Additionally, affected customers often received delayed responses to their data protection inquiries. | link |
2541 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-02-05 | 1,200,000 | ORANGE ESPAGNE, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 25 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 1,200,000 on ORANGE ESPAGNE, S.A.U. An individual had filed a complaint with the DPA because the company had issued a duplicate of their SIM card to an unauthorized, fraudulent third party without their consent. During its investigation, the DPA found that the company had failed to verify the identity of the third party or to obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account. | link |
2542 | FRANCE | French Data Protection Authority (CNIL) | 2024-09-12 | 800,000 | CEGEDIM SANTÉ | Health Care | Art. 5 (1) a) GDPR, Art. 66 Loi n° 78-17 du 6 janvier 1978 | Non-compliance with general data processing principles | The French DPA has imposed a fine of EUR 800,000 on CEGEDIM SANTÉ. The company, which provides software for medical practices, had transferred customer data for research purposes. However, the DPA found that this data was not anonymous but only pseudonymized, making re-identification possible. | link link |
2543 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-06 | 5,000,000 | ENERGYA VM GESTIÓN DE ENERGÍA, S.L. | Transportation and Energy | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | The Spanish DPA (AEPD) has fined ENERGYA VM GESTIÓN DE ENERGÍA, S.L. EUR 5 million following an investigation into unlawful personal data processing by Nivalco, a company contracted by Energya VM to make sales calls to customers. During these calls, customers were misled into providing additional personal data to conclude a new energy supply contract. The AEPD determined that Energya VM acted as the ‘data controller’ for the processing of this personal data, as it provided Nivalco with a sales script, thereby influencing the data processing. However, Energya VM failed to comply with GDPR requirements, particularly by not conducting a risk assessment for Nivalco’s data processing activities. | link |
2544 | FINLAND | Deputy Data Protection Ombudsman | 2024-11-13 | 2,400,000 | Posti Jakelu Oy | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Finnish DPA imposed a fine of EUR 2.4 million on Posti Jakelu Oy following an investigation. It was found that Posti had automatically set up an electronic mailbox for customers without their explicit consent. This mailbox was connected to other services, and customers were unable to choose whether to use it, as the services were bundled together in a single contract. Canceling the mailbox would also have resulted in the termination of the other services. The DPA determined that the requested service could have been offered without the automatic creation of the electronic mailbox. Furthermore, Posti failed to properly inform customers about the activation of the mailbox. | link link |
2545 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-05-31 | 600,000 | GSMA Limited | Individuals and Private Associations | Art. 6 (1) GDPR, Art. 9 (2) GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 600,000 on GSMA Limited. In 2022, GSMA Limited required employees of its suppliers to register on an online platform and upload proof of vaccination against COVID-19. One of the data subjects filed a complaint with the DPA as they considered the data processing to be unlawful. GSMA referred to a legal obligation and public interest, but could not provide a specific legal basis. The DPA found that less invasive safeguards would have been possible and that the affected workers were not sufficiently informed about the data processing. | link |
2546 | ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2025-02-20 | 2,000 | Medstar S.R.L. | Health Care | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian DPA imposed a fine of EUR 2,000 on Medstar S.R.L. The controller had mistakenly sent a patient’s health data via unsecured email to another patient. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data and prevent such an incident. | link |
2547 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-23 | 9,000 | CRIDOLMA BARCELONA S.L. | Not assigned | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 9,000 on CRIDOLMA BARCELONA S.L. for failing to prove compliance with an order issued by the DPA. | link |
2548 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-23 | 600 | ENERGY WINNER, S.L. | Transportation and Energy | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 600 on ENERGY WINNER, S.L. for failing to provide information to the DPA within the required timeframe. | link |
2549 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-23 | 2,000 | AUTOMOCIÓN 1972, S.L. | Industry and Commerce | Art. 58 (2) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 2,000 on AUTOMOCIÓN 1972, S.L. for failing to prove compliance with an order issued by the DPA. | link |
2550 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-16 | 400,000 | CAJA RURAL DE JAEN, BARCELONA Y MADRID, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL DE JAEN, BARCELONA Y MADRID, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 500,000 was reduced to EUR 400,000 due to voluntary payment. | link |
2551 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 8,000 | CAJA RURAL NTRA. SRA. DEL ROSARIO | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL NTRA. SRA. DEL ROSARIO. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 10,000 was reduced to EUR 8,000 due to voluntary payment. | link |
2552 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 80,000 | CAJA RURAL DE ALBACETE, CIUDAD REAL Y CUENCA, S.C.T | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL DE ALBACETE, CIUDAD REAL Y CUENCA, S.C.T. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 100,000 was reduced to EUR 80,000 due to voluntary payment. | link |
2553 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 200,000 | CAJA RURAL DE SALAMANCA, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL DE SALAMANCA, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 250,000 was reduced to EUR 200,000 due to voluntary payment. | link |
2554 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 76,000 | CAJA RURAL DE GIJÓN, S.C.A.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL DE GIJÓN, S.C.A.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 95,000 was reduced to EUR 76,000 due to voluntary payment. | link |
2555 | UNITED KINGDOM | Information Commissioner (ICO) | 2024-09-26 | 904,000 | Police Service of Northern Ireland | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The ICO fined the Police Service of Northern Ireland £750,000 (EUR 904,000) after accidentally publishing personal data of 9,483 police officers and staff on the internet. The breach caused significant distress for PSNI officers and staff, as their personal information, including names, ranks, roles, and location of post, was exposed. Many feared for their safety, with concerns that dissident groups could use the data to intimidate or target them, creating fear and uncertainty. | link link |
2556 | GREECE | Hellenic Data Protection Authority (HDPA) | 2024-05-27 | 400,000 | Ministry of Interior (Greece) | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 25 (1) GDPR, Art. 33 (3), (4), (5) GDPR | Insufficient technical and organisational measures to ensure information security | The Hellenic DPA imposed a fine of EUR 400,000 on the Ministry of Interior for leaking email addresses from the voter registry of Greek expatriates. These personal data, which were intended for electoral purposes, were subsequently misused by a Member of the European Parliament (MEP) to send unsolicited political communications. | link |
2557 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-07 | 3,000,000 | IBERDROLA, S.A. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has fined IBERDROLA, S.A. EUR 3 million following a cyberattack on I-DE Redes, which led to the compromise of customer data from millions of individuals. Although the cyberattack targeted the GEA web application of I-DE Redes, Iberdrola, as the entity responsible for managing the group’s IT systems and security infrastructure, was found to have failed in implementing sufficient security measures to prevent the incident. | link |
2558 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-02-05 | 3,500,000 | I-DE REDES ELÉCTRICAS INTELIGENTES, S.A.U. | Transportation and Energy | Art. 5 (1) f) GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 3.5 million on I-DE REDES ELÉCTRICAS INTELIGENTES, S.A.U. The controller had suffered a cyber attack on its GEA web application resulting in the compromise of personal data of millions of customers. During its investigation, the DPA found that Iberdrola had not taken sufficient security measures to prevent the attack. | link |
2559 | GREECE | Hellenic Data Protection Authority (HDPA) | 2024-05-27 | 40,000 | Member of the European Parliament | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | The Hellenic DPA has imposed a fine of EUR 40,000 on a Member of the European Parliament. The fine was imposed due to their misuse of email addresses, leaked from the voter registry of Greek expatriates by the Ministry of the Interior, to send unsolicited political communications. | link |
2560 | FRANCE | French Data Protection Authority (CNIL) | 2024-04-04 | 525,000 | HUBSIDE.STORE | Industry and Commerce | Art. 6 GDPR, Art. 14 GDPR, Art. L.34-5 CPCE | Insufficient legal basis for data processing | The French DPA has imposed a fine of EUR 525,000 on HUBSIDE.STORE. The company had used data from data brokers for commercial acquisition campaigns without ensuring that the data subjects had given their valid consent. The investigations revealed that the data brokers’ forms were designed in a misleading way, which prevented valid consent. Furthermore, HUBSIDE.STORE did not provide the contacted individuals with sufficient information about the use of their data. | link link |
2561 | UNITED KINGDOM | Information Commissioner (ICO) | 2025-03-26 | 3,500,000 | Advanced Computer Software Group Ltd | Health Care | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The UK DPA (ICO) has fined Advanced Computer Software Group Ltd £3.07 million (EUR 3.5 million) for insufficient IT security (infringement of Art. 32 (1) UK GDPR). The controller failed to implement appropriate technical and organisational measures to protect personal data. A ransomware attack in August 2022 allowed hackers to access systems of a health subsidiary via a customer account that lacked multi-factor authentication. As a result, the personal data of 79,404 individuals was put at risk. | link link |
2562 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-12 | 3,500,000 | CAIXABANK, S.A. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 25 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 3.5 million on CAIXABANK, S.A. Following a complaint from customers, it was found that the mother of an account holder had access to a joint account via the bank’s online platform, even though she was neither the account holder nor an authorized user. The DPA found that CaixaBank had not taken adequate technical and organizational measures to protect personal data. In addition, the principle of data protection by design and by default had been violated. | link |
2563 | POLAND | Polish National Personal Data Protection Office (UODO) | 2025-03-17 | 6,300,000 | Poczta Polska SA (Polish Post) | Transportation and Energy | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Polish DPA has imposed a fine of EUR 6.3 million on Poczta Polska SA (Polish Post) for the unlawful disclosure of personal data of over 30 million citizens from the PESEL database, in connection with the planned postal vote during the Covid-19 pandemic. Although the law amending the electoral regulations had not yet come into effect, the Ministry of Digital Affairs transferred sensitive data such as names, addresses, and PESEL numbers to the postal company. The data was only deleted weeks later, which the DPA found to be too late and in violation of data protection regulations. | link link |
2564 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-02-25 | 200,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
2565 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-02-14 | 200,000 | Vodafone España, S.A.U. | Media, Telecoms and Broadcasting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine of EUR 200,000 on Vodafone España, S.A.U. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject’s consent to share their data. This allowed the fraudsters to gain access to the data subject’s bank account and make unauthorized transactions. | link |
2566 | UNITED KINGDOM | Information Commissioner (ICO) | 2025-04-14 | 70,300 | DPP Law Ltd. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR, Art. 33 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The UK DPA (ICO) has imposed a fine of £60,000 (EUR 70,300) on the law firm DPP Law Ltd. The controller had suffered a cyber attack during which personal data of 791 clients and expert witnesses were exfiltrated and published on the dark web. The DPA found that the controller failed to implement adequate technical and organisational measures to prevent such an attack, including the failure to regularly audit administrative accounts on its network, thereby infringing Art. 5 (1) f), 32 (1), and 32 (2) UK GDPR. The controller also breached Art. 33 (1) UK GDPR by failing to notify the DPA within 72 hours, reporting the incident only 43 days later. | link |
2567 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-04 | 120,000 | BANCO BILBAO VIZCAYA ARGENTARIA, S.A. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA has imposed a fine on BANCO BILBAO VIZCAYA ARGENTARIA, S.A. A customer of the bank had lodged a complaint with the DPA because the controller had signed a data protection form for them and their spouse without their consent. The original fine of EUR 200,000 was reduced to EUR 120,000 due to voluntary payment and admission of responsibility. | link |
2568 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-02-05 | 500,000 | MARINA SALUD, S.A. | Health Care | Art. 28 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 500,000 on MARINA SALUD, S.A. Marina Salud, acting as a processor for a health authority, engaged sub-processors without obtaining the health authority’s prior consent. | link |
2569 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-03-28 | 120,000 | SERVICIOS ESPECIALES, S.A. | Employment | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA imposed a fine on SERVICIOS ESPECIALES, S.A. The case concerned a GDPR breach during an internal workplace conflict investigation: the company shared a report via email that included the full names, roles, and complaint details of the individuals involved, to the Works Committee and 15 additional employees. The DPA found this disclosure violated Article 5 (1) f) GDPR, as it failed to ensure the confidentiality of personal data. The original fine of EUR 200,000 was reduced to EUR 120,000 due to voluntary payment and acknowledgment of responsibility. | link |
2570 | GERMANY | Data Protection Authority of Saxony | 2024 | 120,000 | Company | Not assigned | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The DPA from Saxony has fined a company EUR 120,000 for failing to provide information requested by the DPA during an investigation. | link |
2571 | GERMANY | Data Protection Authority of Saxony | 2024 | 22,080 | Company | Not assigned | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The DPA from Saxony has fined a company EUR 22,080 for failing to sufficiently cooperate with the DPA during an investigation. | link |
2572 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-02-11 | 120,000 | BEEDIGITAL AI, S.A. | Industry and Commerce | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine against BEEDIGITAL AI, S.A. An individual had lodged a complaint with the DPA against the controller because they had received advertising from the controller even though they were registered in the advertising objection register. In the course of its investigation, the DPA found that the controller had violated the principle of confidentiality. The original fine of EUR 150,000 was reduced to EUR 120,000 due to voluntary payment. | link |
2573 | NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2025-03-10 | 338,000 | Telenor ASA | Media, Telecoms and Broadcasting | Art. 24 (1), (2) GDPR, Art. 37 (7) GDPR, Art. 38 (2), (3) GDPR | Non-compliance with general data processing principles | The Norwegian DPA has imposed a fine of EUR 333,800 on Telenor ASA. During its investigation, the DPA found that the company had not conducted sufficient assessments and documentation regarding the role of the Data Protection Officer (DPO). Additionally, no direct and documented reporting line from the DPO to the highest management level had been established. The company also lacked adequate internal controls. The DPA further criticized the absence of appropriate organizational measures and guidelines for the DPO’s role. | link link |
2574 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-02-25 | 600,000 | IBERMUTUA, MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL NUM.274. | Individuals and Private Associations | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on IBERMUTUA, MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL NUM.274. Due to a technical error in its online platform, personal data, including health information, of 3,395 individuals was unlawfully transferred to 354 recipients. The DPA found that the controller had failed to implement appropriate technical and organisational measures to protect personal data that could have prevented such an incident. The original fine of EUR 1 million was reduced to EUR 600,000 due to voluntary payment and admission of responsibility. | link |
2575 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-12-20 | 1,000,000 | LIGA NACIONAL DE FÚTBOL PROFESIONAL | Individuals and Private Associations | Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA has imposed a fine of EUR 1 million on LIGA NACIONAL DE FÚTBOL PROFESIONAL. The controller had introduced access controls for visitors to football stadiums using biometric systems without first carrying out the necessary data protection impact assessment. | link |
2576 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 12,000 | CAJA RURAL DE ARAGÓN, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL DE ARAGÓN, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 15,000 was reduced to EUR 12,000 due to voluntary payment. | link |
2577 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 10,000 | CAJA RURAL NTRA. SRA. DEL ROSARIO | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL NTRA. SRA. DEL ROSARIO. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 12,000 was reduced to EUR 10,000 due to voluntary payment. | link |
2578 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 8,000 | CAJA RURAL NTRA MADRE DEL SOL S.C.A.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL NTRA MADRE DEL SOL S.C.A.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 10,000 was reduced to EUR 8,000 due to voluntary payment. | link |
2579 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 12,000 | CAJA RURAL DE ONDA, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL DE ONDA, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 15,000 was reduced to EUR 12,000 due to voluntary payment. | link |
2580 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 12,000 | CAJA RURAL GRANADA, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL GRANADA, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 15,000 was reduced to EUR 12,000 due to voluntary payment. | link |
2581 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 8,000 | CAJA RURAL DE BAENA NTRA. SRA. DE GUADALUPE, S.C.C.A. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL DE BAENA NTRA. SRA. DE GUADALUPE, S.C.C.A. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 10,000 was reduced to EUR 8,000 due to voluntary payment. | link |
2582 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-16 | 72,000 | CAJA RURAL CENTRAL, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL CENTRAL, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 90,000 was reduced to EUR 72,000 due to voluntary payment. | link |
2583 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-01-17 | 12,000 | CAJA RURAL DE ASTURIAS, S.C.C. | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on CAJA RURAL DE ASTURIAS, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 15,000 was reduced to EUR 12,000 due to voluntary payment. | link |
2584 | IRELAND | Data Protection Authority of Ireland | 2025-05-02 | 530,000,000 | TikTok Technology Limited | Media, Telecoms and Broadcasting | Art. 13 (1) f) GDPR, Art. 46 (1) GDPR | Insufficient legal basis for data processing | The Irish DPA (DPC) has fined TikTok EUR 530 million. In its decision, the DPC found that TikTok infringed Art. 13 (1) f) GDPR and Art. 46 (1) GDPR due to the unlawful transfer and storage of personal data from users in the EEA on Chinese servers. TikTok was unable to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses were effective in guaranteeing the data a level of protection equivalent to that guaranteed in the EU. TikTok also failed to inform the data subjects that their personal data is transferred to a third country. The fine consists of EUR 45 million for the failure to inform the data subjects and EUR 485 million for the infringement of Art. 46 (1) GDPR. The DPC also ordered TikTok to bring its processing into compliance with the GDPR within 6 months after the period allowed for an appeal against the DPC’s final decision. | link |
2585 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-02-14 | 200,000 | ORANGE BANK, S.A. SUCURSAL EN ESPAÑA | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine of EUR 200,000 on ORANGE BANK, S.A. SUCURSAL EN ESPAÑA. The AEPD reacted to multiple complaints from private individuals regarding a data leak. ORANGE BANK (the controller) used a data processor for the processing of personal data. ORANGE BANK was unable to ensure that the necessary technical and organizational measures had been taken, resulting in an infringement of Art. 5 (1) f) GDPR. Additionally, the AEPD found the infringement particularly serious because ORANGE BANK processes large amounts of data, which places higher demands on its internal data protection and security processes. Lastly, the AEPD ordered ORANGE BANK to bring its processing into compliance with the GDPR within 6 months after the decision becomes final and enforceable. | link |
2586 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-03-14 | 1,600,000 | ING BANK N.V., SUCURSAL EN ESPAÑA | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish data protection authority (AEPD) has imposed a fine on ING BANK N.V., SUCURSAL EN ESPAÑA. As part of the verification process for new banking customers, ING carries out measures to identify the person. This process involves the processing of personal data and therefore requires a legal basis. The AEPD decided that there was no sufficient legal basis for a particular data matching. The original fine of EUR 2 million was reduced to EUR 1.6 million due to immediate payment. | link |
2587 | POLAND | Polish National Personal Data Protection Office (UODO) | 2025-03-17 | 23,500 | Minister of Digital Affairs | Public Sector and Education | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Polish DPA has imposed a fine of EUR 23,500 on the Polish Minister for Digital Affairs. The Minister unlawfully processed personal data of Polish citizens in the PESEL database and disclosed those to Poczta Polska SA (Polish Post), in connection with the planned postal vote during the 2020 presidential election in Poland. | link link |
2588 | POLAND | Polish National Personal Data Protection Office (UODO) | 2025-03-24 | 17,600 | Chief Commander of the Police | Public Sector and Education | Art. 6 (1) GDPR, Art. 9 (1) GDPR | Insufficient legal basis for data processing | The Polish DPA has fined the Chief Commander of the Polish Police EUR 17,600. During a press conference, the Chief Commander of the Police disclosed the personal and medical data of an individual who had had an abortion which had been the subject of an investigation by the Polish police. The disclosure was specific enough to allow a third party to identify the person. This resulted in the specific danger of discrimination, loss of reputation and loss of control over their own data. Therefore, the Polish DPA decided to classify the violation as one of significant importance and serious nature. | link link |
2589 | POLAND | Polish National Personal Data Protection Office (UODO) | 2025-04-15 | 7,800 | Funeral Home | Health Care | Art. 5 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA has fined a funeral home EUR 7,800. The funeral home failed to implement sufficient technical and organisational measures to prevent a data breach. The funeral home had stored documents containing personal data in unlocked boxes. The company also transported those boxes in an open truck, which resulted in 10 boxes falling out of the truck and landing on the side of a road, where the boxes were found by the police. The driver did not notice the loss because the boxes had not been counted. As a result, the funeral home did not report the incident to the DPA. During the investigation, the DPA found that the controller had failed to carry out a sufficient risk analysis and had failed to demonstrate sufficient supervision over the data processing. | link |
2590 | POLAND | Polish National Personal Data Protection Office (UODO) | 2025-03-11 | 13,400 | Polskie Radio Szczecin | Media, Telecoms and Broadcasting | Art. 24 (1) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA fined Polskie Radio Szczecin (Polish Radio Szczecin) EUR 13,400. Due to the lack of sufficient technical measures, Polskie Radio Szczecin failed to protect the rights of individuals featured in its publications. As a result, there was a risk that information concerning the private life of individuals would be published without their consent. As an example, the DPA cited a case in which a journalist from Polskie Radio Szczecin disclosed that the minor child of an MP (who does not participate in public life) was a victim of sexual abuse. The report was specific enough to allow third parties to identify the victim, which led to the victim’s suicide. During an inspection, the DPA found several shortcomings in data processing and that the deficiencies were systemic. The DPA ordered Polskie Radio Szczecin to rectify the organisational and technical shortcomings within 60 days. | link link |
2591 | POLAND | Polish National Personal Data Protection Office (UODO) | 2024-12-18 | 135,600 | Company | Finance, Insurance and Consulting | Art. 38 (3) GDPR, Art. 30 (1) GDPR, Art. 35 (1), (7) GDPR | Insufficient technical and organisational measures to ensure information security | The Polish DPA fined a company in the banking sector EUR 135,600. The DPA inspected the fined company and found several violations of the GDPR. First, the company failed to ensure that the DPO could report directly to top management and that the DPO did not receive instructions on the performance of the tasks given to the DPO. Second, the company failed to include profiling in the list of data processing operations. Third, the company failed to conduct a privacy impact assessment regarding the use of profiling. The violation regarding the DPO resulted in a fine of EUR 61,600. The violation regarding the unlawful use of profiling resulted in a fine of EUR 74,000. | link |
2592 | CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | 2023-08-02 | Multiple fines totaling EUR 178,000 | Multiple website operators | Not assigned | Unknown | Unknown | In the period from January 2023 to July 2023, the Czech DPA imposed fines totaling EUR 178,000, with the highest fine being EUR 36,000. These fines were imposed due to unlawful processing of personal data in relation to cookies. The types of violations vary. Given examples are: insufficient legal basis, insufficient compliance with information obligations, or design issues. The DPA emphasizes that it will not publish individual fines due to the non-public nature of administrative proceedings. | link |
2593 | ESTONIA | Estonian Data Protection Authority (AKI) | 2024-07-15 | 30,000 | Pere Sihtkapital SA | Not assigned | Unknown | Insufficient technical and organisational measures to ensure information security | The Estonian DPA imposed a fine of EUR 30,000 on Pere Sihtkapital SA. The controller conducted a survey on childless families. In the process, the controller failed to take all the necessary technical and organizational measures to ensure the required level of data protection. Pere Sihtkapital SA appealed against the decision. The outcome and status of the appeal are unknown. | link |
2594 | ESTONIA | Estonian Data Protection Authority (AKI) | 2025-01-10 | 85,000 | Asper Biogene OÜ | Health Care | Unknown | Insufficient technical and organisational measures to ensure information security | The Estonian DPA imposed a fine of EUR 85,000 on Asper Biogene OÜ. Asper Biogene OÜ suffered a data leak due to a lack of adequate security measures. The leak affected approximately 100,000 files containing personal, health and genetic data. Asper Biogene OÜ also appointed a member of the board of directors as DPO, resulting in a conflict of interest. A fine of EUR 80,000 was imposed for the inadequate security measures. The unlawful appointment of the DPO was fined EUR 5,000. | link |
2595 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2025-01-21 | 9,000 | Employment Service under the Ministry of Social Security and Labor of the Republic of Lithuania | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 24 (1) GDPR, Art. 32 (1) b), d) GDPR | Insufficient technical and organisational measures to ensure information security | The Lithuanian DPA has imposed a fine of EUR 9,000 against the Employment Service under the Ministry of Social Security and Labor of the Republic of Lithuania. Following a data leak involving the data of 292 clients, the DPA found that the controller had failed to implement sufficient technical and organizational measures to prevent such incidents. | link |
2596 | LITHUANIA | Lithuanian Data Protection Authority (VDAI) | 2024-10-18 | 9,000 | Vilnius District Municipality Administration | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 (1) b), c), d) GDPR, Art. 34 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Lithuanian DPA has imposed a fine of EUR 1,000 on the Vilnius District Municipality Administration. The Municipality Administration had been hacked. The attack resulted in issues and delays regarding public services, and personal data was affected. In addition, the notification to data subjects lacked information on how to protect personal data. | link |
2597 | SPAIN | Spanish Data Protection Authority (aepd) | 2024-10-04 | 5,000 | ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P. | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P. The controller, a law firm, published the names and photos of its employees on its website without a sufficient legal basis. | link |
2598 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2025-04-23 | 9,200 | Diskrimineringsombudsmannen | Public Sector and Education | Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Swedish DPA has imposed a fine of EUR 9,200 on the Swedish Discrimination Ombudsman. The controller was unable to implement sufficient data security measures, resulting in the unauthorized disclosure of sensitive data. | link |
2599 | SWEDEN | Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) | 2024-12-11 | 18,400 | Granit Bostad Beritsholm AB | Industry and Commerce | Art. 6 (1) GDPR, Art. 13 GDPR | Insufficient legal basis for data processing | The Swedish DPA has imposed a fine of EUR 18,400 on Granit Bostad Beritsholm AB. The controller, a property management company, installed CCTV cameras in an apartment complex without sufficient legal basis. Additionally, the controller failed to inform data subjects about the video surveillance. | link |
2600 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2024-11-12 | 6,700 | Uptime-IT ApS | Health Care | Unknown | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine of EUR 9,700 on Uptime-IT ApS. Uptime-IT ApS, the data processor for a chiropractic clinic, failed to install sufficient security measures, resulting in a data breach. | link |
2601 | DENMARK | Danish Data Protection Authority (Datatilsynet) | 2024-11-27 | Fine amount between 46,900 and 53,600 | Lyngby-Taarbæk Municipality | Public Sector and Education | Unknown | Insufficient technical and organisational measures to ensure information security | The Danish DPA has imposed a fine between EUR 46,900 and EUR 53,600 on the Lyngby-Taarbæk Municipality. The controller failed to implement sufficient security measures, resulting in a data breach. | link |
2602 | ICELAND | Icelandic data protection authority (‘Persónuvernd’) | 2025-02-17 | 34,300 | Primary Health Care in the Capital Area | Health Care | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 9 (2) GDPR | Insufficient legal basis for data processing | The Icelandic DPA has imposed a fine of EUR 34,300 on the Primary Health Care in the Capital Area. The controller processed personal and health data in shared medical record systems by merging its medical records with those of other parties and granting them access to its patients’ records. | link |
2603 | CROATIA | Croatian Data Protection Authority (azop) | 2025-03-24 | 80,000 | Company | Transportation and Energy | Art. 5 (1) b) GDPR, Art. 6 (1) GDPR, Art. 32 (2), (4) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 80,000 on a company. The company was responsible for monitoring parking lots at several supermarkets and a hospital. However, it accessed personal data – in particular license plate numbers and owner information – from the Croatian Ministry of the Interior’s (MUP) vehicle registry without a valid legal basis. Access was gained via a web service that the company had secured the right to use in certain areas on the basis of a concession. However, the actual use went beyond the scope of this concession. In addition, a data processing agreement with the hospital was missing, the system was operated without appropriate technical and organizational protective measures, and there was no legal basis for processing the data. Thus, the company was fined for breaching Art. 5 (1) (b), Art. 6 (1), and Art. 32 (2) and (4) GDPR. | link |
2604 | CROATIA | Croatian Data Protection Authority (azop) | 2025-03-24 | 40,000 | Company | Media, Telecoms and Broadcasting | Art. 5 (1) a), e) GDPR, Art. 6 (1) f) GDPR, Art. 12 GDPR, Art. 14 GDPR, Art. 30 GDPR, Art. 38 (3), (6) GDPR | Insufficient legal basis for data processing | The Croatian DPA (AZOP) has imposed a fine of EUR 40,000 on a company that published personal data of sole traders on its website. The data originated from public sources and from the financial agency FINA. Although publicly accessible, the authority found that there was no valid legal basis for the publication. Furthermore, the company did not inform the data subjects about the processing of their data and did not properly document its processing activities. Another point of concern was that the data protection officer was also the managing director of the company, which constitutes a conflict of interest under the GDPR. Therefore, the company was fined for breaching Art. 5 (1) (a) and (e), Art. 6 (1) (f), Art. 12, Art. 14, Art. 30, and Art. 38 (3) and (6) GDPR. | link |
2605 | CROATIA | Croatian Data Protection Authority (azop) | 2025-03-24 | 20,000 | Hospital | Health Care | Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR | Insufficient technical and organisational measures to ensure information security | The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system, and obtained domain administrator rights. In addition to the data breach, numerous servers were locked, backups were deleted, and unauthorized executable files were launched. AZOP found that key security measures such as access restrictions, monitoring, incident response, and corrective actions were either missing or insufficient, which significantly contributed to the success of the attack. | link |
2606 | CROATIA | Croatian Data Protection Authority (azop) | 2025-03-24 | 4,000 | Hospital | Health Care | Art. 13 GDPR, Art. 14 (2) f) GDPR, Art. 25 (1) GDPR, Art. 28 (3) GDPR | Non-compliance with general data processing principles | The Croatian DPA (AZOP) has imposed a fine of EUR 4,000 on a hospital. The AZOP found that the hospital used a company which automatically retrieved personal data of vehicle owners via the Ministry of the Interior’s web service without a legal basis, in order to issue parking fines to vehicle owners. Additionally, the hospital failed to inform parking users transparently and in accordance with legal requirements about the processing of their personal data related to parking fees. Furthermore, the hospital did not implement appropriate organizational measures to protect the data and lacked a contractual agreement with the external commercial company processing the data. The hospital was fined for breaching Art. 13, Art. 14 (2) (f), Art. 25 (1) and Art. 28 (3) GDPR. | link |
2607 | CROATIA | Croatian Data Protection Authority (azop) | 2025-03-24 | 3,000 | Hospital | Health Care | Art. 13 GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 34 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Croatian DPA (AZOP) has imposed a fine of EUR 3,000 on a hospital. Despite the extensive and high-risk processing of health data, the hospital had not implemented sufficient organizational measures to ensure the security of data processing. Specifically, measures to ensure the confidentiality of health information were lacking, which undermined trust in medical services and patient privacy. The hospital was fined for breaching Art. 13, Art. 32, Art. 33, and Art. 34 (1) GDPR. | link |
2608 | CROATIA | Croatian Data Protection Authority (azop) | 2025-03-24 | 12,000 | Casino | Industry and Commerce | Art. 37 GDPR | Lack of appointment of data protection officer | The Croatian DPA (AZOP) has imposed a fine of EUR 12,000 on a casino for failing to appoint and designate a data protection officer. | link |
2609 | CROATIA | Croatian Data Protection Authority (azop) | 2025-03-24 | 10,000 | Oil and fat manufacturer | Industry and Commerce | Art. 37 GDPR | Lack of appointment of data protection officer | The Croatian DPA (AZOP) has imposed a fine of EUR 10,000 on an oil and fat manufacturer for failing to appoint and designate a data protection officer. | link |
2610 | FRANCE | French Data Protection Authority (CNIL) | 2025-05-15 | 900,000 | SOLOCAL MARKETING SERVICES | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | The French DPA imposed a fine of EUR 900,000 on SOLOCAL MARKETING SERVICES. The controller, a company that also engages in direct marketing activities for its clients, is using direct messages to contact potential customers for its clients. The company also transfers data of potential customers to its clients. The controller obtained the data through data brokers and was unable to prove that the potential customers (data subjects) had given consent for the described use of their data. In addition to the fine, the French DPA ordered the controller to cease its electronic commercial prospecting activities in the absence of valid consent by the data subjects and to pay EUR 10,000 for every day of delay in proving compliance after the end of a grace period of nine months. | link link |
2611 | ITALY | Italian Data Protection Authority (Garante) | 2025-04-10 | 5,000,000 | Luka Inc. | Media, Telecoms and Broadcasting | Art. 5 (1) a), c) GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 (1) GDPR | Non-compliance with general data processing principles | The Italian DPA imposed a fine of EUR 5,000,000 on Luka Inc. The developer created a chatbot called Replika with a written and voice interface. It is based on a generative AI system, specifically an LLM model that is constantly fed and improved by user interactions. Replika is intended to be a ‘virtual companion’ that improves users’ moods and emotional well-being by helping them understand their own psyche. Replika can be set up as a friend, therapist, romantic partner, or mentor. The controller failed to demonstrate a valid legal basis for its data processing and failed to provide sufficient information on data processing in its privacy policy. Additionally, the controller failed to adopt appropriate measures to protect personal data collected from children and to implement an age verification mechanism. The total sum of the fine can be reduced by 50% if paid within sixty days. | link |
2612 | ITALY | Italian Data Protection Authority (Garante) | 2025-03-13 | 50,000 | Azienda regionale per lo sviluppo e per i servizi in agricoltura (ARSAC) | Public Sector and Education | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 35 GDPR, Art. 88 GDPR | Non-compliance with general data processing principles | The Italian DPA imposed a fine of EUR 50,000 on the Regional agency for development and services in agriculture (ARSAC). The controller processed geographic data of its employees without sufficient legal basis. The controller also failed to provide sufficient information in its internal documents regarding the data processing, breached the basic principles of lawfulness, fairness, transparency and purpose limitation, and failed to conduct a data protection impact assessment. The total sum of the fine can be reduced by 50% if paid within sixty days. | link |
2613 | BELGIUM | Belgian Data Protection Authority (APD) | 2025-04-22 | 20,000 | Company | Industry and Commerce | Art. 5 (1) a), (2) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 14 (1), (2) GDPR, Art. 15 (1) c), d), g) GDPR, Art. 24 (1) GDPR, Art. 25 (1) GDPR | Non-compliance with general data processing principles | The Belgian DPA imposed a fine of EUR 20,000 on a company. The controller is a company engaging in direct marketing activities. During those activities, the company failed to comply with multiple data processing principles. In particular, the company had no sufficient legal basis for the data processing, failed to inform the data subjects, and failed to provide data subjects with lawfully requested information. | link |
2614 | BELGIUM | Belgian Data Protection Authority (APD) | 2025-04-24 | 6,000 | Real Estate Agency | Real Estate | Art. 5 (1) a), c), f) GDPR, Art. 6 (1) GDPR, Art. 17 (1) GDPR, Art. 21 (2) GDPR | Insufficient cooperation with supervisory authority | The Belgian DPA imposed a fine of EUR 6,000 on a real estate agency. The Belgian DPA had previously issued a remedy to the controller in an earlier case due to the controller processing data without a sufficient legal basis and failing to comply with the data subject’s right to erasure. The Belgian DPA determined that the controller had failed to comply with the issued remedy, resulting in the fine being issued. | link |
2615 | LUXEMBOURG | National Commission for Data Protection (CNPD) | 2025-01-06 | 175,000 | Credit Institution | Finance, Insurance and Consulting | Art. 12 (3), (4) GDPR | Insufficient fulfilment of data subjects rights | The DPA of Luxembourg has issued a fine of EUR 175,000 on a Credit Institution. The controller failed to respond to information requests within the timeframe specified in Art. 12 (3) of the GDPR. | link |
2616 | FRANCE | French Data Protection Authority (CNIL) | 2024-09-26 | 250,000 | COSMOSPACE | Media, Telecoms and Broadcasting | Art. 5 (1) c), e) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The French DPA imposed a fine of EUR 250,000 on COSMOSPACE. The controller is a company that offers personalized clairvoyance consultations by telephone. As part of its services, the controller regularly processed multiple categories of sensitive data (Art. 9 GDPR) without obtaining prior consent. The controller also stored customer data for six years after the end of the business relationship for marketing purposes. According to the French DPA, a maximum of three years would have been admissible. This resulted in a fine of EUR 200,000. The fine was increased by EUR 50,000 because the processor also infringed the French Post and Electronic Communications Code. | link link |
2617 | FRANCE | French Data Protection Authority (CNIL) | 2024-09-26 | 150,000 | TELEMAQUE | Media, Telecoms and Broadcasting | Art. 5 (1) e) GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The French DPA imposed a fine of EUR 150,000 on TELEMAQUE. The controller is a company that offers digital services in the field of divinatory arts, including fortune telling by SMS, VAS or online chat. As part of its services, the controller regularly processed multiple categories of sensitive data (Art. 9 GDPR) without obtaining prior consent. The controller also stored customer data for six years after the end of the business relationship for marketing purposes. According to the French DPA, three years would have been admissible. This resulted in a fine of EUR 100,000. The fine increased by EUR 50,000 because the processor also infringed the French Post and Electronic Communications Code. | link link |
2618 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-03-30 | 3,500 | MAD COOL FESTIVAL S.L. | Industry and Commerce | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA (AEPD) has imposed a fine of EUR 3,500 on MAD COOL FESTIVAL S.L. The controller suffered a data breach due to insufficient technical and organizational measures. The total fine consists of a fine of EUR 2,000 for infringing on Art. 5(1)(f) GDPR, and EUR 1,500 for the violation of Art. 32 GDPR. The total sum can be reduced by 20% (resulting in a fine of EUR 2,800) with timely payment. | link |
2619 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-04 | 360 | SINDICAT CATAC-CTSC | Not assigned | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA imposed a fine on SINDICAT CATAC-CTSC. The controller failed to react to a communication attempt by the AEPD. The original fine of EUR 600 was reduced to EUR 360 due to immediate payment and admission of responsibility by the controller. | link |
2620 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-09 | 600 | FEDERACION DE COLUMBICULTURA DE CASTILLA-LA MANCHA | Individuals and Private Associations | Art. 5 (1) f) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA imposed a fine on FEDERACION DE COLUMBICULTURA DE CASTILLA-LA MANCHA. The controller was unable to ensure the confidentiality of personal data, which resulted in a leak. The original fine of EUR 1,000 was reduced to EUR 600 due to immediate payment and admission of responsibility by the controller. | link |
2621 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-14 | 3,000 | EDA TV CONSULTING, S.L. | Media, Telecoms and Broadcasting | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA imposed a fine on EDA TV CONSULTING, S.L. The controller had stored copies of personal IDs to verify the identity of data subjects. According to the DPA, the controller infringed the principle of data minimization, because not all information visible on the ID was needed for the specific verification process. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of responsibility by the controller. | link |
2622 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-14 | 6,000 | LÁSER METALPRINT 3D, S.L. | Industry and Commerce | Art. 28 GDPR | Insufficient data processing agreement | The Spanish DPA imposed a fine on LÁSER METALPRINT 3D, S.L. The controller hired a third company to install and maintain a surveillance system. The controller and the hired company had a data processing agreement. However, the data was processed not by the hired company but by another company. The controller and this (third) company did not have a data processing agreement, even though one was needed. The original fine of EUR 6,000 was reduced to EUR 10,000 due to immediate payment and admission of responsibility by the controller. | link |
2623 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-15 | 600 | Unknown | Not assigned | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA imposed a fine on an unknown data controller. The controller stored full copies of personal IDs for verification purposes. In this case, storing all the information found on an ID was unnecessary and infringed upon the principle of data minimization. The original fine of EUR 1,000 was reduced to EUR 600 due to immediate payment and admission of responsibility by the controller. | link |
2624 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-05-22 | 1,200 | Attorney | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA imposed a fine on an attorney. The controller processed data of a data subject without sufficient legal basis. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of responsibility by the controller. | link |
2625 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-22 | 1,200 | SERVICIOS DE INTEGRACIÓN DE ANDALUCÍA | Employment | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA imposed a fine on SERVICIOS DE INTEGRACIÓN DE ANDALUCÍA. The controller hired an employee and processed the mobile phone number of the new employee without consent or another legal basis. The number was used to add the employee to a WhatsApp group for work purposes, which resulted in the employee receiving an excessive number of notifications, causing the employee to become ill. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of responsibility by the controller. | link |
2626 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-22 | 12,000 | NOVATES ALIMENTACIÓN MADRID, S.L. | Industry and Commerce | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA imposed a fine on NOVATES ALIMENTACIÓN MADRID, S.L. The controller used surveillance cameras without implementing the necessary technical and organizational measures to ensure data security. The original fine of EUR 20,000 was reduced to EUR 12,000 due to immediate payment and admission of responsibility by the controller. | link |
2627 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-22 | 1,200 | FUNDACIÓ PRIVADA DE SERVEIS PER ALS USUARIS DEL HABITATGE SOCIAL DE CATALUNYA | Real Estate | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA imposed a fine on FUNDACIÓ PRIVADA DE SERVEIS PER ALS USUARIS DEL HABITATGE SOCIAL DE CATALUNYA. The controller processed personal data without a sufficient legal basis, resulting in an incorrect bank transaction at the expense of the data subject. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of responsibility by the controller. | link |
2628 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-04-03 | 600 | Owner of a Law Firm | Finance, Insurance and Consulting | Art. 5 (1) f) GDPR | Insufficient technical and organisational measures to ensure information security | The Spanish DPA imposed a fine on the owner of a law firm. The controller disclosed personal information in an external email because they did not implement sufficient technical and organizational measures. The original fine of EUR 1,000 was reduced to EUR 600 due to immediate payment and admission of responsibility by the controller. | link |
2629 | GERMANY | Data Protection Authority of Berlin | 2024 | 60,000 | Company | Health Care | Unknown | Insufficient technical and organisational measures to ensure information security | The DPA of Berlin imposed a fine of EUR 60,000 on a healthcare company. The company offers practice management software that includes a patient communication portal with insufficient technical and organizational measures to ensure data protection. The total amount of the fine was reduced because no data breach was found and the company cooperated with the DPA. | link |
2630 | FRANCE | French Data Protection Authority (CNIL) | 2025-05-15 | 80,000 | CALOGA | Media, Telecoms and Broadcasting | Art. 5 (1) e) GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | The French DPA imposed a fine of EUR 80,000 on CALOGA. The controller is a company that obtains data from data brokers in order to use it for marketing purposes. The DPA found multiple infringements of the GDPR and the French Post and Electronic Communications Code. The controller lacked a sufficient legal basis for transferring data to third parties for advertising purposes. Additionally, the controller retained data longer than necessary. | link link |
2631 | GERMANY | Data Protection Authority of Berlin | 2024 | Unknown | Multiple Police Officers | Public Sector and Education | Unknown | Unknown | The DPA of Berlin fined 23 police officers. The police officers misused their access to the police information system for private purposes. | link |
2632 | GERMANY | Data Protection Authority of Hessen | 2024 | 3,700 | Doctor's Office | Health Care | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 9 (1) GDPR | Insufficient legal basis for data processing | The DPA of Hessen has imposed a fine of EUR 3,700 on a doctor's office. While responding to negative Google reviews, the controller revealed health data about the reviewers. | link |
2633 | GERMANY | Data Protection Authority of Hessen | 2024 | 3,300 | Doctor's Office | Health Care | Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 9 (1) GDPR | Insufficient legal basis for data processing | The DPA of Hessen has imposed a fine of EUR 3,300 on a doctor's office. While responding to negative Google reviews, the controller revealed health data about the reviewers. | link |
2634 | GERMANY | Data Protection Authority of Hessen | 2024 | 2,500 | Doctor's Office | Health Care | Art. 5 (1) f) GDPR, Art. 6 (1) GDPR, Art. 9 (1) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The DPA of Hessen has imposed a fine of EUR 2,500 on a doctor's office. The controller hired an office manager who worked partly from home. The manager worked with patient files, which he stored at home. However, he did not lock or otherwise secure the files, which resulted in guests and family members having access to them. On one occasion, the manager asked his wife to send him photos of some files via a private messaging service because he had left them in his car, which his wife was using for a long trip. | link |
2635 | GERMANY | Data Protection Authority of Hessen | 2024 | 16,000 | Freelancer | Unknown | Art. 13 GDPR, Art. 31 GDPR, Art. 58 (2) d) GDPR | Insufficient cooperation with supervisory authority | The DPA of Hessen has imposed a fine of EUR 16,000 on a freelancer. The controller operates a website without a privacy policy. The DPA contacted the controller, ordering him to include a privacy policy on his website, and announced that he would be fined EUR 2,000 if he did not comply. The controller ignored the order, resulting in the DPA ordering him a second and third time to include a privacy policy on his website. The controller continued to ignore the DPA’s orders. Therefore, the DPA imposed a total fine of EUR 16,000. This fine consists of EUR 10,000 for ignoring the DPA’s orders and EUR 2,000 for each of the three ignored orders to include a privacy policy on the controller’s website. | link |
2636 | GERMANY | Data Protection Authority of Hessen | 2024 | 496,000 | Company | Finance, Insurance and Consulting | Art. 5 GDPR, Art. 6 GDPR, Art. 12 (3) GDPR, Art. 15 GDPR | Non-compliance with general data processing principles | The DPA of Hessen has imposed a fine of EUR 496,000 on a company. The DPA identified several GDPR violations, including transmitting customer data to the incorrect recipient and making marketing phone calls without a legal basis. The company was cooperative, a factor that the DPA considered when determining the total fine amount. | link |
2637 | GERMANY | Data Protection Authority of Hessen | 2024 | 10,000 | Company | Industry and Commerce | Art. 6 (1) GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | The DPA of Hessen has imposed a fine of EUR 10,000 on a company. The controller used data for marketing purposes without a legal basis. The company obtained the data through internet research. | link |
2638 | GERMANY | Data Protection Authority of Hessen | 2024 | 41 fines totaling EUR 13,486 | Unknown | Unknown | Unknown | Unknown | The DPA of Hessen has imposed fines totaling EUR 13,486 on 41 data controllers. In its 2024 activity report, the DPA of Hessen reported a total of 47 fines that year. Six of these fines were presented in more detail and can be found in the Enforcement Tracker under ETid numbers 2636–2641. The remaining 41 fines amount to a total sum of EUR 13,486. According to the report, the issued fines cover a broad range of sectors and types, with a focus on healthcare, marketing activities, and violations of data subjects’ rights. | link |
2639 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-05-08 | 6,600 | Owner of a Pharmacy Office | Health Care | Art. 6 (1) GDPR, Art. 14 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on the owner of a pharmacy office. The controller processed data of residents of geriatric centers without a sufficient legal basis. The controller also failed to inform the data subjects that it processed their data and that it had obtained the data from a third party. Lastly, the controller failed to use encrypted email services. The original fine of EUR 11,000 was reduced to EUR 6,600 due to immediate payment and admission of responsibility by the controller. | link |
2640 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-05-09 | 6,600 | Owner of a Pharmacy Office | Health Care | Art. 6 (1) GDPR, Art. 14 GDPR, Art. 32 GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine on the owner of a pharmacy office. The controller processed data of residents of two geriatric centers without a sufficient legal basis. The controller also failed to inform the data subjects that it processed their data and that it had obtained the data from a third party. Lastly, the controller failed to use encrypted email services. The original fine of EUR 11,000 was reduced to EUR 6,600 due to immediate payment and admission of responsibility by the controller. | link |
2641 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-05-09 | 120,000 | UNIÓN DE CRÉDITO PARA LA FINANCIACIÓN MOBILIARIA E INMOBILIARIA EFC | Finance, Insurance and Consulting | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Spanish DPA imposed a fine on UNIÓN DE CRÉDITO PARA LA FINANCIACIÓN MOBILIARIA E INMOBILIARIA EFC. The controller forwarded customer data to a credit information system without a sufficient legal basis. The original fine of EUR 200,000 was reduced to EUR 120,000 due to immediate payment and admission of responsibility by the controller. | link |
2642 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-05-19 | 1,000 | Home Owner Association | Individuals and Private Associations | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The Spanish DPA imposed a fine of EUR 1,000 on a home owner association. The HOA displayed the personal data of debtors in the entrance hall of a building, which infringed on the duty of confidentiality. The HOA appealed the decision, but the AEPD dismissed it. | link |
2643 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-03-20 | 4,800 | TECNOCRÁTICA CENTRO DE DATOS S.L. | Media, Telecoms and Broadcasting | Art. 58 (1) GDPR | Insufficient cooperation with supervisory authority | The Spanish DPA has imposed a fine of EUR 4,800 on TECNOCRÁTICA CENTRO DE DATOS S.L. The controller failed to reply to an information request by the AEPD within the given deadline. The original fine of EUR 6,000 was reduced to EUR 4,800 due to immediate payment and admission of responsibility by the controller. | link |
2644 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-03-20 | 500 | GALENICUM HEALTH, S.L.U | Health Care | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 500 on GALENICUM HEALTH, S.L.U. The controller operated video surveillance that partially captured images of a public road, which infringes the principle of data minimization. | link |
2645 | SPAIN | Spanish Data Protection Authority (aepd) | 2025-03-24 | 2,000 | INDEPENDENTS DE VALLROMANES | Public Sector and Education | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The Spanish DPA has imposed a fine of EUR 2,000 on INDEPENDENTS DE VALLROMANES. The controller, a political party, posted a court decision on its social media which included personal data that was not necessary for the purpose of the post, infringing the principle of data minimization. | link |
2646 | GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 2025 | 45,000,000 | Vodafone GmbH | Media, Telecoms and Broadcasting | Art. 28 (1) GDPR | Non-compliance with general data processing principles | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of EUR 45,000,000 on Vodafone GmbH. The controller failed to adequately supervise a third-party agency that it used as a data processor. This resulted in employees of the agency defrauding the controller’s customers. The controller also failed to implement sufficient technical and organisational measures in an authentication process, which created the risk of third parties gaining access to customers’ personal data. The BfDI emphasised the good cooperation with the controller throughout the proceedings. | link |
2647 | FINLAND | Deputy Data Protection Ombudsman | 2025-05-27 | 1,100,000 | Yliopiston Apteekin | Health Care | Art. 5 (1) c), f) GDPR, Art. 32 (1), (2) GDPR | Non-compliance with general data processing principles | The Finnish DPA has imposed a fine of EUR 1,100,000 on Yliopiston Apteekin. The controller, which runs an online pharmacy, used various web analytics and monitoring tools. These tools were implemented in a way that allowed their providers, who are based outside the EU, to access personal data. The controller also failed to ensure that the tools complied with the principle of data minimization. | link link |
2648 | ITALY | Italian Data Protection Authority (Garante) | 2025-04-29 | 30,000 | Ordine degli psicologi della Lombardia | Public Sector and Education | Art. 5 (1) f) GDPR, Art. 32 (1) GDPR | Insufficient technical and organisational measures to ensure information security | The Italian DPA imposed a fine of EUR 30,000 on Ordine degli psicologi della Lombardia. The controller suffered a data breach due to insufficient technical and organisational measures. | link link |