GDPR Enforcement Tracker
The CMS.Law GDPR Enforcement Tracker is an overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties. Please note that we do not list any fines imposed under national / non-European laws (with the exception of fines under the UK GDPR), under non-data protection laws (e.g. competition laws / electronic communication laws) and under “old” pre-GDPR-laws. We have, however, included a limited number of essential ePrivacy fines under national member state laws.
ETid | Country | Authority | Date | Fine | Controller/ Processor | Sector | Quoted Article | Type | Summary | Link |
---|---|---|---|---|---|---|---|---|---|---|
ETid-1 | Austria | Austrian Data Protection Authority (dsb) | 2018-12-09 | 4,800 | Betting place | Industry and Commerce | Art. 13 GDPR | Insufficient fulfilment of information obligations | Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted. | |
ETid-2 | Austria | Austrian Data Protection Authority (dsb) | 2018 | 1,800 | Kebab restaurant | Accommodation and Hospitality | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore contrary to the principle of data minimisation. Addendum: the fine was reduced to EUR 1,500 by the court, see link. | |
ETid-3 | Austria | Austrian Data Protection Authority (dsb) | 2018-09-27 | 300 | Private car owner | Individuals and Private Associations | Art. 5 (1) a) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A Dashcam was unlawfully used. | |
ETid-4 | Belgium | Belgian Data Protection Authority (APD) | 2019-05-28 | 2,000 | Mayor | Public Sector and Education | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes. | |
ETid-5 | Belgium | Belgian Data Protection Authority (APD) | 2019-05-28 | 2,000 | Mayor | Public Sector and Education | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes. | |
ETid-6 | Bulgaria | Bulgarian Commission for Personal Data Protection (KZLD) | 2018-12-04 | 500 | Bank | Finance, Insurance and Consulting | Art. 5 (1) b) GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A fine of 1,000 BGN (roughly 500 EUR) was imposed on a bank for calling a client about the unresolved bills of his neighbour. This prompted the client to invoke his right to be forgotten. After receiving no answer from the bank he filed a further request, on which the bank did take action within the statutory period. Nonetheless, the client lodged a complaint with the KZLD. The infringement for which the bank was fined was that the processing of the client's personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed differed from the one communicated when the contract was concluded, the bank, in the view of the KZLD, had to obtain additional consent from its client. | |
ETid-7 | Bulgaria | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-02-26 | 27,100 | Telecommunication service provider | Media, Telecoms and Broadcasting | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider had used the complainant's personal data to register him for the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose, and no other legal basis applied. The signature on the application did not match the complainant's genuine signature; the application stated his personal identification number, but the identity card number given was not the complainant's. | |
ETid-8 | Bulgaria | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-01-17 | 500 | Bank | Finance, Insurance and Consulting | Art. 6 GDPR, Art. 5 (1) a) GDPR | Insufficient legal basis for data processing | A bank obtained personal data concerning a student without a legal basis. | |
ETid-9 | Bulgaria | Bulgarian Commission for Personal Data Protection (KZLD) | 2019-02-22 | 500 | Employer | Employment | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way. | |
ETid-10 | Cyprus | Cypriot Data Protection Commissioner | 2019 | 5,000 | State Hospital | Health Care | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital. | |
ETid-11 | Cyprus | Cypriot Data Protection Commissioner | 2019 | 10,000 | Newspaper | Media, Telecoms and Broadcasting | Art. 6 GDPR | Insufficient legal basis for data processing | The newspaper's report, published both in print and in electronic form, on the alleged harassment and unnecessary and unlawful detention of a citizen revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could have been achieved by referring only to the initials of their names and/or blurring their faces and/or publishing photographs taken from a sufficient distance that the persons could not be identified; these measures would not have changed the nature of the story. | |
ETid-12 | Czech Republic | Czech Data Protection Authority (UOOU) | 2019-01-10 | 388 | Employer | Employment | Art. 6 GDPR | Insufficient legal basis for data processing | A former employee of a company requested the deletion of information relating to him/her which was published on the employer's Facebook page and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee. | |
ETid-13 | Czech Republic | Czech Data Protection Authority (UOOU) | 2019-02-04 | 1,165 | Car renting company | Industry and Commerce | Art. 5 (1) a) GDPR | Insufficient fulfilment of information obligations | A person who rented a car found out that the car was tracked via GPS by the rental company even though no information had been provided that the car was being tracked. The Czech Data Protection Authority found that no information within the meaning of Art. 13 GDPR had been provided and that Art. 6 (1) f) GDPR could not serve as the legal basis in the concrete circumstances. The UOOU therefore found a violation of Art. 5 (1) a) GDPR, for which it imposed the fine. | |
ETid-14 | Czech Republic | Czech Data Protection Authority (UOOU) | 2019-02-28 | 582 | Unknown | Not assigned | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). | |
ETid-15 | Czech Republic | Czech Data Protection Authority (UOOU) | 2019-02-04 | 1,165 | Credit brokerage | Finance, Insurance and Consulting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). | |
ETid-16 | Czech Republic | Czech Data Protection Authority (UOOU) | 2018-10-25 | 388 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | |
ETid-17 | Czech Republic | Czech Data Protection Authority (UOOU) | 2019-02-26 | 776 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | |
ETid-18 | Czech Republic | Czech Data Protection Authority (UOOU) | 2019-03-21 | 10,000 | Unknown | Not assigned | Art. 5 (1) GDPR | Non-compliance with general data processing principles | Personal data were processed that were not adequate, relevant and limited to what is necessary in relation to the purposes of the processing (‘data minimisation’), and were kept in a form permitting identification of data subjects for longer than necessary for those purposes (‘storage limitation’). | |
ETid-19 | Czech Republic | Czech Data Protection Authority (UOOU) | 2019-03-21 | 3,140 | UniCredit Bank Czech Republic and Slovakia, a.s. | Finance, Insurance and Consulting | Art. 6 GDPR | Insufficient legal basis for data processing | The bank opened a personal bank account for a data subject without his consent or knowledge. The bank presumably had his personal data because the data subject had the right of disposal over his employer's company account. The bank was not able to provide the Office for Personal Data Protection with the documentation needed to prove that a contract had been concluded with the data subject. | |
ETid-20 | Czech Republic | Czech Data Protection Authority (UOOU) | 2019-05-06 | 194 | Unknown | Not assigned | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Information was not provided. | |
ETid-21 | Denmark | Danish Data Protection Authority (Datatilsynet) | 2019 | 160,000 | Taxa 4×35 | Transportation and Energy | Art. 5 (1) e) GDPR | Non-compliance with general data processing principles | The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data minimisation principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not cover the rest of the ride records (about 8,873,333 taxi trips), so the company continued to hold individuals' phone numbers and the trips remained linked to identifiable persons. Please note: since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused consents), fines are imposed by courts. | |
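The Taxa 4×35 entry illustrates a retention failure that is easy to reproduce in code: deleting one identifier (the name) while leaving another (the phone number) in place does not anonymise a record. The following is an added example, not code from the tracker or from the DPA's decision; the record layout, field names, two-year period and the two sample rides are constructed assumptions. It contrasts the "names only" deletion with a retention job that removes every direct identifier, and adds the audit check a practitioner would run to catch the gap.

```python
from datetime import date, timedelta

# Retention period after which ride records must no longer identify a passenger
# (the two-year period mentioned in the Taxa 4x35 entry, used here as an assumption).
RETENTION = timedelta(days=2 * 365)

# Fields that directly identify a passenger. The deletion described in the entry
# covered only "name"; "phone" was left in place, which is the failure shown below.
DIRECT_IDENTIFIERS = ("name", "phone")

# Constructed sample records (hypothetical layout, not data from the case).
SAMPLE_RIDES = [
    {"ride_id": 1, "date": date(2016, 6, 1), "name": "A. Passenger",
     "phone": "+4512345678", "pickup": "Zone 3", "fare_dkk": 180},
    {"ride_id": 2, "date": date(2018, 12, 1), "name": "B. Passenger",
     "phone": "+4587654321", "pickup": "Zone 1", "fare_dkk": 95},
]

TODAY = date(2019, 1, 1)


def expired(ride, today):
    """True once the ride is older than the retention period."""
    return today - ride["date"] > RETENTION


def strip_names_only(rides, today):
    """The approach the DPA objected to: only the name is removed from expired
    records, so the phone number still ties the trip to a person."""
    out = []
    for ride in rides:
        ride = dict(ride)
        if expired(ride, today):
            ride.pop("name", None)
        out.append(ride)
    return out


def apply_retention(rides, today):
    """Remove every direct identifier from expired records, keeping only the
    fields needed for statistics (pickup zone, fare, date)."""
    out = []
    for ride in rides:
        ride = dict(ride)
        if expired(ride, today):
            for field in DIRECT_IDENTIFIERS:
                ride.pop(field, None)
        out.append(ride)
    return out


def identifiable_expired(rides, today):
    """Audit check: ids of expired records that still carry a direct identifier.
    An empty list means the retention policy is actually being applied."""
    return [
        ride["ride_id"] for ride in rides
        if expired(ride, today) and any(f in ride for f in DIRECT_IDENTIFIERS)
    ]


if __name__ == "__main__":
    print("names only:", identifiable_expired(strip_names_only(SAMPLE_RIDES, TODAY), TODAY))
    print("full policy:", identifiable_expired(apply_retention(SAMPLE_RIDES, TODAY), TODAY))
```

Run as a script it reports ride 1 as still identifiable under the names-only deletion and nothing under the full policy. The audit function is the part worth keeping: scheduled against the production table, it turns "we delete after two years" from a claim into a measurable property.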
ETid-22 | Denmark | Danish Data Protection Authority (Datatilsynet) | 2021-02-12 | 13,450 | IDdesign A/S | Industry and Commerce | Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles | Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded a fine of EUR 200,850 for processing the personal data of approximately 385,000 customers for longer than necessary for the purposes for which they were processed. In addition, the company had not established and documented deletion deadlines for personal data in its new CRM system, data in the old system had not been deleted once the deadlines set for it had passed, and the controller had not adequately documented its deletion procedures. Please note: since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused consents), fines are imposed by courts. Update: On February 12, 2021 the Aarhus District Court imposed a fine of EUR 13,450 on IDdesign. The court disagreed with the proposed amount: it concluded that the fine should be calculated on the basis of the company's own turnover rather than that of the entire group, and that the mitigating circumstances under Art. 83 (2) GDPR had to be taken into account, namely that the company had not previously breached the GDPR, that the breach concerned only general (non-sensitive) personal data, that no data subject suffered damage as a result, and that the breach was negligent rather than intentional. | |
ETid-23 | France | French Data Protection Authority (CNIL) | 2019-01-21 | 50,000,000 | Google LLC | Media, Telecoms and Broadcasting | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR | Insufficient legal basis for data processing | The fine was imposed on the basis of complaints from the Austrian organisation ‘None Of Your Business’ (noyb) and the French NGO ‘La Quadrature du Net’. The complaints were filed on 25 and 28 May 2018, immediately after the GDPR became applicable, and concerned the creation of a Google account during the configuration of a mobile phone running the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of a legal basis (Art. 6 GDPR): the consents obtained were neither ‘specific’ nor ‘unambiguous’ (Art. 4 no. 11 GDPR). | |
ETid-24 | France | French Data Protection Authority (CNIL) | 2019-05-28 | 400,000 | SERGIC | Real Estate | Art. 5 (1) e) GDPR | Insufficient technical and organisational measures to ensure information security | The CNIL based the penalty on two grounds: lack of basic security measures and excessive data storage. As to the first, sensitive documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability had been known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account, inter alia, the seriousness of the breach (the lack of due care in addressing the vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing. | |
ETid-25 | Germany | Data Protection Authority of Baden-Wuerttemberg | 2018-11-21 | 20,000 | Knuddels.de | Media, Telecoms and Broadcasting | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | After a hacker attack in July 2018, personal data of approx. 330,000 users, including passwords and email addresses, had been exposed. | |