DATA BREACH FINES ISSUED
Today’s date is Tuesday, March 2, 2021.
| Country | Authority/Source | Date | Currency | Amount | Against | Legal Basis | Industry | Details |
|---|---|---|---|---|---|---|---|---|
| Romania | Romanian National Supervisory Authority for Personal Data Processing | 27/06/2019 | EUR € | 130,000 | UNICREDIT BANK SA | Art. 25 (1) and Art. 5 (1) (c) GDPR | Banking/Mortgage | The fine was issued as a result of the failure to implement appropriate technical and organisational measures (related to (1) the determination of the processing means/operations, and (2) the integration the necessary safeguards) resulting in the online-disclosure of IDs and addresses (internal/external transactions) of 337,042 data subjects to their respective beneficiary (between 25.05.2018 -10.12.2018). |
| France | French Data Protection Authority | 13/06/2019 | EUR € | 20,000 | UNIONTRAD COMPANY | Art. 5 (1) (c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR | Business/Company/Employer | Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstation. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, that employees should not be filmed continuously and that information about the data processing has to be provided. |
| Denmark | Danish Data Protection Authority (Datatilsynet) | 03/06/2019 | EUR € | 200,850 | IDdesign A / S | Art. 5 (1) (e) and (2) GDPR | Retail | The fine was imposed as a result of an inspection carried out in atom of 2018. IDdesign had processed personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the deadline for the information had been reached. Also, the controller had not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts. |
| Belgium | Belgian Data Protection Authority | 28/05/2019 | EUR € | 2,000 | Mayor | Art. 5 (1) (b) GDPR, Art. 6 GDPR | Public Authority | The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes. |
| France | French Data Protection Authority | 28/05/2019 | EUR € | 400,000 | SERGIC, a company specialized in real estate development, purchase, sale, rental and property management | Art. 32 and 5 (1) e) GDPR | Real Estate | The CNIL based the penalty on two grounds: Lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing. |
| Lithuania | Lithuanian Data Protection Authority | 16/05/2019 | EUR € | 61,500 | Payment service provider UAB MisterTango | Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR | Financial Services | During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller. In addition, it became known that from 09 - 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 DSGVO would have been necessary. The controller did not report the Data Breach. |
| Czech Republic | Czech Data Protection Authority | 13/05/2019 | EUR € | 3,105 | Not disclosed | Art. 5 (1) a) and b) GDPR, Art. 32 (1) GDPR | Not disclosed | Not disclosed |
| Germany | Data Protection Authority of Baden-Wuerttemberg | 09/05/2019 | EUR € | 1,400 | Police Officer | Art. 6 GDPR | Public Authority | The police officer, using his official user ID but without reference to official duties, queried the owner data concerning the license plate of a person who he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, in which he asked not only for the personal data of the injured parties but also for the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone - without any official reason or consent given by the injured party. Through the ZEVIS and SARS enquiry for private purposes and the use of the mobile phone number obtained in this way for private contact, the police officer has processed personal data outside the scope of the law on his own authority. |
| Czech Republic | Czech Data Protection Authority | 06/05/2019 | EUR € | 194 | Not disclosed | Art. 15 GDPR | Not disclosed | Not disclosed |
| Poland | Polisch National Personal Data Protection Office | 25/04/2019 | EUR € | 12,950 | Sports association | Art. 6 GDPR | Sport/Recreation | One sports association published personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers. Meanwhile, there is no legal basis for such a wide range of data on judges to be available on the Internet. By making them public, the administrator posed a potential risk of their unauthorized use, e.g. to impersonate them for the purpose of borrowing or other obligations. Although the association itself noticed its own error, as evidenced by the notification of a personal data protection breach to the President of the PDPA, the fact that attempts to remove it were ineffective determined the imposition of a penalty. When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among others, the duration of the infringement and the fact that it concerned a large group of persons (585 judges). |
| Italy | Italian Data Protection Authority | 17/04/2019 | EUR € | 50,000 | Italian political party Movimento 5 Stelle | Art. 32 GDPR | Government/Military | A number of websites referral partnerd to the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer 2017 that led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed.While the update of the privacy information notice was timely completed, the Italian data protection authority, raised its concerns as to the lack of implementation on the Rousseau platform of some of GDPR related security measures. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information | 17/04/2019 | EUR € | 9,400 | Not disclosed | Art. 5 (1) a) GDPR, Art. 6 GDPR | Business/Company/Employer | A data controller used a, (in the point of view of NAIH), wrong legal basis for processing of personal data (Art. 6.1.b) for the assignment of claims. |
| Bulgaria | Data Protection Commission of Bulgaria | 08/04/2019 | EUR € | 510 | Medical centers | Art. 5 (1) (a) GDPR; Art. 9 (1) and Art. 9 (2) GDPR; Art. 6 (1) GDPR. | Healthcare | The sanction of 510 EUR was imposed on each medical center for unlawful processing of the personal data of data subject G.B. by a medical center for the purpose of changing his GP. The medical center used a software to generate a registration form for change of GP which was submitted to the Regional Health Insurance Fund and then to another medical center, which subsequently also unlawfully processed the personal data of G.B. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information | 05/04/2019 | EUR € | 34,375 | Hugarian political party | Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR | Government/Military | NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and relevant individuals about a data breach, and failing to document the breach according to GDPR Article 33.5. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65 % of its anticipated turnover for the coming year. The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation’s system – a database of more than 6,000 individuals – and the command used for the attack. The system was vulnerable to attack because of a redirection problem with the organisation's web-page. After the attacker published the command, even people with low IT knowledge were able to retrieve information from the database. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information | 05/04/2019 | EUR € | 1,900 | Not disclosed | Art. 15 GDPR | Business/Company/Employer | The data controller did not fulfill the data subject's access request. |
| Norway | Norwegian Supervisory Authority | 01/03/2019 | EUR € | 170,000 | Bergen Municipality | Art. 5 (1) f) GDPR, Art. 32 GDPR | Public Authority | The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality’s computer system. The user accounts related to both pupils in the municipality’s primary schools, and to the employees of the same schools. Due to insufficient security measures, these files have been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompasses personal data to over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and an internal whistle-blower, that the data security was inadequate. |
| Poland | Polisch National Personal Data Protection Office | 26/03/2019 | EUR € | 219,538 | Private company working with data from publicly available sources | Art. 14 GDPR | Business/Company/Employer | The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified noncompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient. |
| Bulgaria | Data Protection Commission of Bulgaria | 26/03/2019 | EUR € | 5,100 | A.P. EOOD | Art. 5 (1) a) GDPR, Art. 6 GDPR | Real Estate | The sanction was imposed on personal data administrator A.P. EOOD for unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD for preparing an Employment Contract, while he was in prison. |
| Czech Republic | Czech Data Protection Authority | 21/03/2019 | EUR € | 9,704 | Not disclosed | Art. 5 (1) (c) and (e) GDPR | Not disclosed | Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation") and not only kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ("storage limitation"). |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information | 04/03/2019 | EUR € | 3,200 | Financial Institution | Art. 5 (1) (b) and (c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDPR | Financial Services | The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasized that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue. |
| Czech Republic | Czech Data Protection Authority | 28/02/2019 | EUR € | 582 | Not disclosed | Art. 5 (1) (f) GDPR | Not disclosed | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). |
| Bulgaria | Bulgarian Commission for Personal Data Protection | 26/02/2019 | EUR € | 27,100 | Telecommunication service provider | Art. 6 GDPR, Art. 5 (1) (a) GDPR | Telecommunications | Repeated registration of prepaid services without the knowledge and consent of the data subject Employees of the telecommunications provider have used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature of the application and the complainant own genuine application were not identical and the persons personal identification number was indicated, but the identity card number was not the complainants one. |
| Czech Republic | Czech Data Protection Authority | 26/02/2019 | EUR € | 776 | Not disclosed | Art. 15 GDPR | Not disclosed | Not disclosed |
| Bulgaria | Bulgarian Commission for Personal Data Protection | 22/03/2019 | EUR € | 500 | Employer | Art 5 (1) (b) (c) GDPR, Art. 12 GDPR, Art. 15 (1) (GDPR), Art. 15 (1) (a), (b), (c), (g) GDPR, Art. 15 (3) GDPR | Business/Company/Employer | An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information | 20/02/2019 | EUR € | 1,560 | Debt collector | Art. 5 (1) a) and (c) GDPR - principles of transparency and data minimisation | Financial Services | A data subject requested information about and erasure of the data processed, which the debt collector refused stating that it could not identify the subject. For identification purposes he requested place of birth, mother’s maiden name and further details from the data subject. After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller. |
| Malta | Data Protection Commissioner of Malta | 18/02/2019 | EUR € | 5,000 | Lands Authority | Art. 5 GDPR, Art. 32 GDPR | Public Authority | As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple google search. The majority of the leaked data contained highly-sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to €25,000 for each violation and may additionally impose a daily fine of €25 for each day such violation persists. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information | 08/02/2019 | EUR € | 1,560 | Bank | Art. 5 (1) (d) GDPR - principle of accuracy | Banking/Mortgage | A bank mistakenly sent SMS messages about a subject's credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS message to the incorrect telephone number. The fine represents 0.0016% of the annual profit of the bank. |
| Germany | Data Protection Authority of Sachsen-Anhalt | 05/02/2019 | EUR € | 2,000 | Private person | Art. 6 GDPR, Art. 5 GDPR | Private Citizen | The fine was imposed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list. |
| Czech Republic | Czech Data Protection Authority | 04/02/2019 | EUR € | 1,165 | Car renting company | Art. 5 (1) (a) GDPR | Automotive | A person who rented a car found out that the car was tracked via GPS by the renting company even though there was no information provided on the fact that the car is being tracked. The Czech Data Protection Authority found that there was no information provided in terms of Art. 13 GDPR and that Art. 6 (1) f) GDPR could not be the legal basis under the concrete circumstances. Due to that the UOOU found that there was a violation of Art. 5 (1) a) GDPR for which it imposed the fine. |
| Czech Republic | Czech Data Protection Authority | 04/02/2019 | EUR € | 1,165 | Credit brokerage | Art. 5 (1) (f) GDPR | Financial Services | Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). |
| France | French Data Protection Authority | 21/01/2019 | EUR € | 50,000,000 | Google Inc. | Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 nr. 11 GDPR, Art. 5 GDPR | Internet | The fine was imposed on the basis of complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net". The complaints were filed on 25th and 28th of May 2018 - immediately after the DSGVO became applicable. The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The obtained consents had not been given "specific" and not "unambiguous" (Art. 4 nr. 11 GDPR). |
| Bulgaria | Bulgarian Commission for Personal Data Protection | 17/01/2019 | EUR € | 500 | Bank | Art.6 GDPR, Art. 5 (1) (a) GDPR | Banking/Mortgage | A bank gained personal data concerning a student without a legal basis. |
| Czech Republic | Czech Data Protection Auhtority | 10/01/2019 | EUR € | 388 | Employer | Art. 6 GDPR | Business/Company/Employer | A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook website of the employer and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee. |
| Austria | Austrian Data Protection Authority | 20/12/2018 | EUR € | 2,200 | Private person | Art. 5 (1) (a) and c GDPR, Art. 6 (1) GDPR, Art. 13 GDPR | Private Citizen | The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, the video surveillance covered garden areas of an adjacent property. The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without the consent to record their image data. The video surveillance was not properly indicated. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information | 18/12/2018 | EUR € | 3,200 | Not disclosed | Art. 12 (4) GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 13 GDPR | Not disclosed | The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority. |
| Germany | Data Protection Authority of Hamburg | 17/12/2018 | EUR € | 5,000 | Kolibri Image Regina und Dirk Maass GbR | Art. 28 (3) GDPR | Professional Services | Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor. |
| Austria | Austrian Data Protection Authority | 09/12/2018 | EUR € | 4,800 | Betting place | Art. 13 GDPR | Casino/Gambling | Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted. |
| Germany | Data Protection Authority of Baden-Wuerttemberg | 21/11/2018 | EUR € | 20,000 | Social media network | Art. 32 (1) (a) GDPR | Internet | After a hacker attack in July personal data of approx. 330.000 users, including passwords and email addresses had been revealed. |
| Czech Republic | Czech Data Protection Authority | 25/10/2018 | EUR € | 388 | Not disclosed | Art. 15 GDPR | Not disclosed | Not disclosed |
| Portugal | Portuguese Data Protection Authority | 17/07/2018 | EUR € | 400,000 | Hospital | Art. 5 (1) f) GDPR, Art. 32 GDPR | Healthcare | Investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty. |
| Bulgaria | Bulgarian Commission for Personal Data Protection | 12/04/2018 | EUR € | 500 | Bank | Art. 5 (1) b) GDPR, Art. 6 GDPR | Banking/Mortgage | A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client for the unresolved bills of his neighbor. This provoked the client to evoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, for which the bank did take action in the statutory period. Nonetheless, the client filed a complaint to KZLD. The infringement for which the bank was fined was for the processing of the client’s personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the point of view of KZLD, to request additional consent from its client. |
| Austria | Austrian Data Protection Authority | 31/12/2018 | EUR € | 1,800 | Kebab restaurant | Not disclosed | Restaurant/Food Service | CCTV was unlawfully used. No further information available. |
| Austria | Austrian Data Protection Authority | 31/12/2018 | EUR € | 5,280 | Restaurant | Not disclosed | Restaurant/Food Service | CCTV was unlawfully used. No further information available. |
| Austria | Austrian Data Protection Authority | 31/12/2018 | EUR € | 300 | Private car owner | Not disclosed | Private Citizen | CCTV was unlawfully used. No further information available. |
| Cyprus | Cyprian Data Protection Commissioner | 05/07/2019 | EUR € | 5,000 | State Hospital | Art. 15 GDPR | Healthcare | A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital. |
| Cyprus | Cyprian Data Protection Commissioner | 05/07/2019 | EUR € | 10,000 | Newspaper | Art. 6 GDPR | News/Media | The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance so that it was impossible to identify the persons, and these actions would not bring any change in the nature of the case. |
| Denmark | Danish Data Protection Authority | 05/07/2019 | EUR € | 160,000 | Taxa 4x35 | Art. 5(1) e) GDPR | Transportation/Logistics | The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data-minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold onto individual's phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts. |
| Germany | Data Protection Authority of Baden-Wuerttemberg | 05/07/2019 | EUR € | 80,000 | Not disclosed | Not disclosed | Not disclosed | There is no further information available. This fine should not be mixed up with the one fine dealing with health data and which was also issued by the same authority, since the one dealing with health data was issued under the old German Data Protection Act. The existences of a second fine worth the same amount of money is only known due to a tweet of the Data Protection Commissioner of Baden-Wuerttemberg. |
| Germany | Data Protection Authority of Hamburg | 31/12/2018 | EUR € | 20,000 | Not disclosed | Art. 83 (4) a) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR | Not disclosed | Late notification of a data breach and failure to notify the data subjects. |
| Germany | Data Protection Authority of Saarland | 31/12/2018 | EUR € | 118 | Not disclosed | Art. 6 GDPR | Not disclosed | Illegal disclosure of personal data relating to a third party. |
| Germany | Data Protection Authority of Berlin | 31/12/2018 | EUR € | 50,000 | German Bank | Art. 6 GDPR | Banking/Mortgage | The fine was imposed against against a bank (according to a newspaper N26) that had processed "personal data of all former customers" without permission.The Bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not make a new account available to these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that in order to prevent a new bank account from being opened, only those affected may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had "not yet been legally concluded". |
| Spain | Spanish Data Protection Authority | 31/12/2018 | EUR € | 5,000 | VODAFONE ESPANA, S.A.U. | Art. 5 (1) (d) GDPR | Telecommunications | The Spanish telecommunications and information agency (SETSI) decided Vodafone had to reimburse a customer for costs he was wrongfully charged for. Nevertheless, Vodafone reported personal data of this respective customer to a solvency registry (BADEXCUG). The AEPD found this behavior violated the principle of accuracy. |
| Spain | Spanish Data Protection Authority | 31/12/2018 | EUR € | 250,000 | Professional Football League (LaLiga) | Art. 5 (1) a), 7 (3) GDPR | Sport/Recreation | The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent. |
| Spain | Spanish Data Protection Authority | 31/12/2018 | EUR € | 60,000 | Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL) | Art. 5 (1) (f) GDPR | Professional Services | After the claimant did allegedly not pay back a micro-credit to an online credit agency, the claim was assigned to the debt collecting agency. Subsequently, the latter started sending emails not only to email addresses provided by the claimant but also to an institutional email address of his workplace accessible by any co-worker which was never provided by the claimant. |
| Spain | Spanish Data Protection Authority | 31/12/2018 | EUR € | 27,000 | VODAFONE ESPANA, S.A.U. | Art. 5 (1) (d) GDPR | Telecommunications | Although the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and this request had been confirmed by the company, he received more than 200 SMS from the company from 2018 onwards. Following Vodafone's statement, this happened because the complainant's mobile phone number was erroneously used for testing purposes and accidentally appeared in various customer files belonging to other customers than the complainant. Since the company agreed to both payment and admission of responsibility the fine was reduced in accordance with Spanish administrative law to EUR 27k. |
| Spain | Spanish Data Protection Authority | 31/12/2018 | EUR € | 60,000 | ENDESA | Art. 5 (1) (f) GDPR | Energy/Utilities | Not disclosed |
| Greece | Hellenic Data Protection Authority | 17/04/2019 | EUR € | 30,000 | Hellenic Petroleum | Not disclosed | Oil/Gas/Petroleum | Greece’s Hellenic Data Protection Authority fined Hellenic Petroleum €20,000 for unlawful processing of personal data and €10,000 for failing to adopt appropriate data security measures totaling €30,000 for Data Protection violations.Hellenic Petroleum S.A. had engaged a vendor to conduct a study on its behalf. The study was exposed online and its results, which included sensitive data such as political opinions, trade union membership and participation in associations were publicly accessible on the Internet in violation of GDPR stipulations. |
| United Kingdom | Information Commissioners Office UK | 08/07/2019 | GBP £ | 183,000,000 | British Airways | Not disclosed | Aerospace/Aviation | British Airways is facing a record fine of £183m for last year's breach of its security systems.The airline, owned by IAG, says it was "surprised and disappointed" by the penalty from the Information Commissioner's Office (ICO).At the time, BA said hackers had carried out a "sophisticated, malicious criminal attack" on its website.The ICO said it was the biggest penalty it had ever handed out and the first to be made public under new rules.The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers, the ICO said. |
| United States | Federal Trade Commission | 12/07/2019 | USD $ | 5,000,000,000 | Failing to give users very clear notifications when their data was being shared with third parties. | Technology | The Federal Trade Commission approved an approximately $5 billion settlement with Facebook over the company’s 2018 Cambridge Analytica scandal, a person familiar with the matter told The Wall Street Journal. The fine represents the largest ever imposed by the FTC against a tech company. Previously, the agency’s largest fine against a tech company came in 2012 when Google agreed to pay a $22.5 million penalty due to its privacy practices. The fine would represent approximately 9% of Facebook’s 2018 revenues. Facebook took a one-time charge of $3 billion in anticipation of the FTC fine in April during the company’s first-quarter results. | |
| United Kingdom | ICO | 19/07/2019 | GBP £ | 80,000 | estate agency | The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017. | Real Estate | The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers’ personal data exposed for almost two years. The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017. The exposed details included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords. |
| Greece | Hellenic Data Protection Authority (HDPA) | 01/07/2019 | EUR € | 150,000 | PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA | The DPA considered that PWC BS as the controller: i. has unlawfully processed the personal data of its employees contrary to the provisions of Article 5(1)(a) indent (a) of the GDPR since it used an inappropriate legal basis..... | Business/Company/Employer | The Hellenic Data Protection Authority, in response to a complaint, conducted an ex officio investigation of the lawfulness of the processing of personal data of the employees of the company ‘PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA’ (PWC BS). According to the above complaint the employees were required to provide consent to the processing of their personal data. |
| Greece | Hellenic Data Protection Authority (HDPA) | 07/10/2019 | EUR € | 200,000 | Telecommunication Service Provider | Articles 21(3) and 25 GDPR | Telecommunications | Non-compliance with general data processing principles. Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request. |
| Greece | Hellenic Data Protection Authority (HDPA) | 07/10/2019 | EUR € | 200,000 | Telecommunication Service Provider | Articles 5(1)(c), 25 GDPR | Telecommunications | Non-compliance with general data processing principles. A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors. |
| Austria | Austrian Data Protection Authority (dsb) | 01/07/2019 | EUR € | 11,000 | Private person (soccer coach) | Art. 6 GDPR | Sport/Recreation | Insufficient legal basis for data processing. The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years. |
| Germany | Data Protection Authority of Berlin | 01/08/2019 | EUR € | 195,407 | Delivery Hero | Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR | Customer Service | Insufficient fulfilment of data subjects rights. According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years - in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received further 15 advertising e-mails from the delivery service. In further five cases, the company did not provide the data subjects with the required information or only after the Berlin data protection officer had intervened. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 18/12/2018 | EUR € | 3,200 | Unknown | Art. 12 (4) GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 13 GDPR | Not disclosed | The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 01/01/2019 | EUR € | 92,146 | Organizer of SZIGET festival and VOLT festival | Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR | Other | The NAIH found that there were inappropriate legal bases is use and that the controller did not comply with the principle of purpose limitation. Also, information on the data processing was not fully provided to data subjects. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 01/01/2019 | EUR € | 15,150 | Unknown | Art. 33 GDPR | Not disclosed | The data controller did not fulfil its data breach obligations when a flash memory with personal data was lost. |
| Belgium | Belgian Data Protection Authority (APD) | 19/09/2019 | EUR € | 10,000 | Merchant | Art. 5 (1) c) GDPR | Other | The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject's identification number. |
| Poland | Polish National Personal Data Protection Office (UODO) | 10/09/2019 | EUR € | 644,780 | Morele.net | Art. 32 GDPR | Telecommunications | The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people. |
| Austria | Austrian Data Protection Authority (dsb) | 01/08/2019 | EUR € | 50,000 | Company in the medical sector | Art. 13 GDPR, Art. 37 GDPR | Pharmaceutical/Biotech | The (none-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer. |
| France | French Data Protection Authority (CNIL) | 25/07/2019 | EUR € | 180,000 | ACTIVE ASSURANCES (car insurer) | Art. 32 GDPR | Insurance | Large amount of customer accounts, clients' documents (including copies of driver's licences, vehicle registration, bank statements and documents to determine whether a person had been the subject of a licence withdrawal) and data were easily accesible online. The CNIL, between others, critizised the password management (unauthorized access was possible without any authentication). |
| Bulgaria | Data Protection Commision of Bulgaria (KZLD) | 28/08/2019 | EUR € | 511,000 | DSK Bank | Art. 32 GDPR | Banking/Mortgage | Leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23000 credit records relating to over 33000 bank customers including personal data such as names, citizenships, identification numbers, adresses, copies of identity cards and biometric data. |
| Bulgaria | Data Protection Commision of Bulgaria (KZLD) | 28/08/2019 | EUR € | 2,600,000 | National Revenue Agency | Art. 32 GDPR | Other | Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. It was found that personal data concerning about 6 million persons was illegally accessible. |
| Latvia | Data State Inspectorate (DSI) | 26/08/2019 | EUR € | 7,000 | Online Services | Art. 17 GDPR | Customer Service | A merchant who provides services in an online store has infringed the "right to be forgotten" pursuant to Art. 17 GDPR when he was repeatedly requested by a data subject to delete all his personal data, in particular his/her mobile phone number, which the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subjects mobile phone number. |
| Sweden | Data Protection Authority of Sweden | 20/08/2019 | EUR € | 18,630 | School in Skellefteå | Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR | Education/Training | A school in Skellefteå made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible doing so with facial recognition is disproportioned to the goal to monitor attendance. The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent can not be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and that the school board was required to consult the authority in accordance with Art. 36 (1) GDPR. |
| Spain | Spanish Data Protection Authority (aepd) | 01/01/2018 | EUR € | 12,000 | Restaurant | Art. 5 (1) a), Art. 6 GDPR | Restaurant/Food Service | A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes |
| Spain | Spanish Data Protection Authority (aepd) | 16/08/2019 | EUR € | 60,000 | AVON COSMETICS | Art. 6 GDPR | Pharmaceutical/Biotech | A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third party fraudulently used the consumers personal data. |
| United Kingdom | Information Commissioner (ICO) | 09/07/2019 | EUR € | 110,390,200 | Marriott International, Inc | Art. 32 GDPR | Hospitality/Travel | Please note: This fine is not final but will be decided on when the company and other involved supervisory authorities of other member states have made their representations. The ICO issued a notice of its intention to fine Marriott International Inc which relates to a cyber incident which was notified to the ICO by Marriott in November 2018.GDPR infringements are likely to involve a breach of Art. 32 GDPR. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 02/07/2019 | EUR € | 15,056 | WORLD TRADE CENTER BUCHAREST SA | Art. 32 GDPR | Business/Company/Employer | The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel's WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 05/07/2019 | EUR € | 3,000 | LEGAL COMPANY & TAX HUB SRL | Art. 32 GDPR | Accounting/Finance | The fine was imposed because adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing were not implemented. This has led to unauthorized disclosure and unauthorized access to the personal data of people who have made transactions received by the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), due to publicly accessible documents between 10th of December 2018 and 1st of February 2019. The National Supervisory Authority applied the sanction following a notification dated 12th of October 2018 indicating that a set of files regarding the details of the transactions received by the avocatoo.ro website which contained the name, surname, address correspondence, email, telephone, job and details of transactions made, was publicly accessible through two links. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 01/07/2019 | EUR € | 2,500 | UTTIS INDUSTRIES SRL | Art. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPR | Other | The sanctions were applied to the controller because he could not prove that the data subjects were informed about the processing of personal data / images through the video surveillance system, which they have been operating since 2016. And because he made the disclosure of the CNP of the employees, by displaying the Report for the training of the authorized ISCIR personnel for the year 2018 to the company notifier and could not prove the legality of the processing of the CNP, by disclosure, according to Art. 6 GDPR. |
| Portugal | Portuguese Data Protection Authority (CNPD) | 05/02/2019 | EUR € | 20,000 | Unknown | Art. 15 GDPR | Not disclosed | Insufficient fulfilment of data subjects rights |
| Portugal | Portuguese Data Protection Authority (CNPD) | 25/03/2019 | EUR € | 2,000 | Unknown | Art. 15 GDPR | Not disclosed | Insufficient fulfilment of data subjects rights |
| Norway | Norwegian Supervisory Authority (Datatilsynet) | 29/04/2019 | EUR € | 203,000 | Oslo Municipal Education Department | Art. 32 GDPR | Education/Training | Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information security, unauthorized persons were able to log in as authorized users and gain access to personal data about students, legal representatives and employees. |
| Netherlands | Dutch Supervisory Authority for Data Protection (AP) | 18/06/2019 | EUR € | 460,000 | Haga Hospital | Art. 32 GDPR | Healthcare | The Haga Hospital does not have a proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. This investigation followed when it appeared that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before 2nd of October 2019, the hospital must pay 100,000 EUR every two weeks, with a maximum of 300,000 EUR. The Haga Hospital has meanwhile indicated to take measures. |
| Austria | Austrian Data Protection Authority | 23/10/2019 | EUR € | 18,000,000 | Austrian Post | Art. 5 (1) a) GDPR, Art. 6 GDPR | Public Authority | The Austrian Post had sold detailed personal profiles of approximately three million Austrians to various companies and political parties. The profiles contained names, addresses, political predilections, and even intimate details. |
| Germany | Data Protection Authority of Rheinland-Pfalz | 03/12/2019 | EUR € | 105,000 | Rheinland-Pfalz Hospital | Art. 5 GDPR | Healthcare | The Data Protection Authority of Rheinland-Pfalz issued a fine of €105,000 after a hospital after a mixup of patients. As a consequence of this, wrong invoices were issues to the patients that released sensitive personal data. |
| Spain | Spanish Data Protection Authority | 02/12/2019 | EUR € | 10,000 | Ikea Ibérica | Art. 6 GDPR | Consumer Goods | Ikea Ibérica was found to have installed cookies on a customer’s device without asking for permission. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing | 29/11/2019 | EUR € | 2,500 | Royal President S.R.L. | Art. 12 GDPR, Art. 15 GDPR | Other | The pension Royal President near Bucharest was fined €2,500 after it refused to process a request for the exercise of the right of access. The Romanian Data Processing Authority also determined that customers’ personal data was not processed in accordance with GDPR principles. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing | 29/11/2019 | EUR € | 80,000 | ING Bank N.V. Amsterdam | Art. 25 GDPR | Banking/Mortgage | The Romanian branch of ING Bank N.V. Amsterdam was fined with €80,000 due to not respecting data protection principles (privacy by design și privacy by default) by not implementing adequate technical measures to ensure the protection of personal data. As a consequence of this, a total of 225,525 had their transactions doubled on debit card payments during the period of 8-10 October 2018. This is one of the bigger fines in Romania, but it’s interesting to note that for similar offenses in other countries fines of over several millions of Euros are usually awarded. This denotes again the fact that different countries have different approaches to GDPR enforcement. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing | 29/11/2019 | EUR € | 20,000 | SC CNTAR TAROM SA | Art. 32 GDPR | Aerospace/Aviation | A fine of €20,000 was issued to the Romanian national airline Tarom because it failed to implement the necessary technical measures to ensure the security of personal information. As a consequence of these inadequate measures, a Tarom employee was able to access the flight booking application without authorization and see the personal data of 22 passengers, after which the employee took a photo of the list and made it public online. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing | 22/11/2019 | CNY ¥ | 2,000 | BNP Paribas SA | Art. 12 GDPR, Art. 17 GDPR | Other | BNP Paribas Personal Finance was requested to erase personal data of a client and it did not do so during the timeframe required by GDPR legislation. |
| France | French Data Protection Authority | 21/11/2019 | EUR € | 500,000 | Futura Internationale | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR | Other | Futura Internationale was fined because after several individuals have complained that they were cold-called by the company even after they have expressly requested not to be called again. The reason why the fine was so high relative to similar cases and fines was that the CNIL determined that the company had received a large number of letters requesting to be taken off from the call lists but decided to ignore them. More so, Futura Internationale was found to store excessive information about customers and their health data. The company did also not inform their customers about the processing of their personal data and that all telephone conversations were recorded. |
| Spain | Spanish Data Protection Authority | 21/11/2019 | EUR € | 60,000 | Viaqua Xestión SA | Art. 6 GDPR | Other | A third party had access to and modified the personal data of a customer that was included in a contract. The third party had no legal basis to access the data. |
| Spain | Spanish Data Protection Authority | 19/11/2019 | EUR € | 60,000 | Xfera Moviles S.A. | Art. 32 GDPR | Other | A private individual received an SMS from Xfera Móviles which was actually addressed to a different person and which included personal details of that third party person. The information included personal details as well as login details to the Xfera Móviles website for the third party person. |
| Spain | Spanish Data Protection Authority | 19/11/2019 | EUR € | 60,000 | Corporacion RTVE | Art. 32 GDPR | Other | Corporacion de Radio y Television Espanola lost 6 USB sticks with unencrypted personal information and data. |
| Spain | Spanish Data Protection Authority | 14/11/2019 | EUR € | 30,000 | Telefónica SA | Art. 5 GDPR | Telecommunications | A person was charged by the phone operator Telefónica for a telephone service that they never requested and owned. This happened because the bank account of the affected person was linked to the Telefónica profile of another person and as such the fees for the service were deduced from the affected person’s account. The AEDP ruled that this was against the principles described by article 5 of GDPR. |
| Slovakia | Slovak Data Protection | 13/11/2019 | EUR € | 50,000 | Social Insurance Agency | Art. 32 GDPR | Not disclosed | Applications that were received from Slovak citizens requesting social benefits were sent to foreign authorities by post. These were lost, which resulted in all the personal details of the affected people to become public, including their physical addresses. |
| Spain | Spanish Data Protection Authority | 13/11/2019 | EUR € | 3,000 | General Confederation of Labour | Art. 6 GDPR | Other | The General Confederation of Labour emailed personal data of a complainant with the aim of organizing a meeting. This included the name, home address, relationship status, pregnancy status and the date of an ongoing harassment case. The email was sent to around 400 members of the organization with the affected individual’s consent. |
| Spain | Spanish Data Protection Authority | 07/11/2019 | EUR € | 900 | TODOTECNICOS24H S.L. | Art. 13 GDPR | Other | The company TODOTECNICOS24H collected personal data without accurate information regarding the collection of this data. |
| Spain | Spanish Data Protection Authority | 06/11/2019 | EUR € | 1,500 | Cerrajero Online | Art. 13 GDPR | Other | The company collected personal data without accurate information regarding the collection of this data |
| Latvia | Data State Inspectorate | 01/11/2019 | EUR € | 150,000 | Unknown | Art. 6 GDPR | Not disclosed | No concrete details have been released at this point other than a fine of €150,000 was imposed in November 2019. We will update this card once further information emerges. |
| Spain | Spanish Data Protection Authority | 31/10/2019 | EUR € | 6,000 | Jocker Premium Invex | Art. 6 GDPR | Other | Postal advertisements and commercial offers were sent by Jocker Premium Invex to a registrant to a local census, even though the registrant did not consent to receive such advertisements and offers. |
| Netherlands | Not disclosed | 31/10/2019 | EUR € | 900,000 | UWV - Insurance provider | Art. 32 GDPR | Insurance | The Dutch employee insurance service provider – “Uitvoeringsinstituut Werknemersverzekeringen – UWV did not use multi-factor authentication for accessing the employer web portal. Health and safety services, as well as employers, were able to view and collect data from employees, data to which normally they should not have had access to. |
| Germany | Data Protection Authority of Baden-Wuerttemberg | 30/10/2019 | EUR € | 14,500,000 | Deutsche Wohnen SE | Art. 5 GDPR, Art. 25 GDPR | Real Estate | The company collected data from multiple tenants without providing the option to remove that data once it was no longer required. This led to the company retaining personal data of tenants for years (salary statements, social security insurances, health insurances, tax insurances, bank statements). The Berlin Data Commissioner issued a fine of €14,500,000. |
| Poland | Polisch National Personal Data Protection Office | 18/10/2019 | EUR € | 9,380 | Polish Mayor | Art. 28 GDPR | Public Authority | No data processing agreement has been concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed on the mayor of the city. |
| Poland | Polisch National Personal Data Protection Office | 16/10/2019 | EUR € | 47,000 | ClickQuickNow | Art. 5 GDPR | Other | The Company did not have the appropriate organizational measures in place that would allow data subjects to withdraw their consent to the processing of personal data. Moreover, the data subjects also couldn’t easily request the deletion of their personal data. |
| Spain | Spanish Data Protection Authority | 16/10/2019 | EUR € | 8,000 | Iberdrola Clientes | Art. 31 GDPR | Transportation/Logistics | Iberdrola Clientes violated Article 13 of the GDPR when it showed a complete lack of cooperation with the AEPD. The latter had requested Iberdrola Clientes to provide the necessary information needed to add a person to the solvency list. |
| Spain | Spanish Data Protection Authority | 16/10/2019 | EUR € | 60,000 | Xfera Moviles S.A. | Art. 5 GDPR, Art. 6 GDPR | Other | The company had unlawfully processed the personal data despite the subject’s request to stop doing so. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing | 09/10/2019 | EUR € | 20,000 | Vreau Credit SRL | Art. 32 GDPR Art. 33 GDPR | Other | The Company sent personal information through the WhatsApp platform to Raiffeisen Bank in order to facilitate the assessment of personal scores. The results were returned on the same platform. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing | 09/10/2019 | EUR € | 150,000 | Raiffeisen Bank SA | Art. 32 GDPR | Banking/Mortgage | Raiffeisen Bank Romania did not observe the necessary security measures required by the GDPR when it assessed the scores of individuals on the WhatsApp platform. The personal data was exchanged via WhatsApp. |
| Slovakia | Slovak Data Protection | 27/09/2019 | EUR € | 40,000 | Slovak Telekom | Art. 32 GDPR | Telecommunications | The data controller did not take the necessary technical measures to prevent a data breach. No further details have been disclosed. |
| Spain | Spanish Data Protection Authority | 01/10/2019 | EUR € | 30,000 | Vueling Airlines | Art. 5 GDPR, Art. 6 GDPR | Hospitality/Travel | Vueling Airlines made it impossible for users to access their website without accepting the cookies. Therefore, one couldn’t browse the website unless they accepted the cookies. The AEPD sanctioned the company with 30.000 euros |
| Germany | German Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 01/12/2019 | EUR € | 9,550,000 | 1&1 Telecom | Not disclosed | Telecommunications | Personal information was available to anyone who provided the name and data of birth of a customer. The fine would have been much higher, but the company cooperated closely with regulators to quickly address the issue. |
| Netherlands | Dutch Data Protection Authority (Dutch DPA) | 01/11/2019 | EUR € | 600,000 | Uber | Not disclosed | Customer Service | The Dutch Data Protection Authority (Dutch DPA) imposes a fine of €600.000 upon Uber B.V. and Uber Technologies, Inc (UTI) for violating the Dutch data breach regulation. In 2016 a data breach occurred at the Uber concern in the form of unauthorised access to personal data of customers and drivers. The Uber concern is fined because it did not report the data breach to the Dutch DPA and the data subjects within 72 hours after the discovery of the breach. |
| Germany | Labour Court (ArbG) of Lübeck | 14/01/2020 | EUR € | 1,000 | Not disclosed | Art. 6 GDPR | Not disclosed | Lübeck Labour Court estimates a fine of €1,000 for the illegal use of an employee photo on Facebook |
| United Kingdom | Information Commissioner’s Office (ICO) | 09/01/2019 | GBP £ | 500,000 | DSG Retail Limited (DSG) | Not disclosed | Retail | Not disclosedThe Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people. An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine month period before the attack was detected. |
| United Kingdom | Information Commissioner (ICO) | 20/12/2019 | EUR € | 320,000 | Doorstep Dispensaree | Art. 32 GDPR | Pharmaceutical/Biotech | The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents. The company stored around 500,000 documents that contained the names, addresses, birth fates, and NHS identification numbers as well as medical information and prescriptions in unsealed containers at the back of a building. As a result of this, the documents were exposed to the elements which resulted in water damage and potentially to the loss of some data. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 18/12/2019 | EUR € | 2,000 | Telekom Romania | Art. 32 GDPR | Telecommunications | The company did not ensure the accuracy of the processing of personal data. This resulted in the disclosure of a client’s personal data to a different client. |
| Belgium | Belgian Data Protection Authority (APD) | 17/12/2019 | EUR € | 15,000 | Legal information wesbite | Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR | Not disclosed | A website that provided legal information and news only had its privacy policy page available in English, even though it was also addressing the French and Dutch-speaking markets. Also, the privacy policy page was not easily accessible and did not mention the legal basis for the processing of data, as required by the GDPR. The website also used Google Analytics without effective consent. |
| Sweden | Data Protection Authority of Sweden | 16/12/2019 | EUR € | 35,000 | Nusvar AB | Art. 6 GDPR | Not disclosed | Nusvar AB, which operates the website Mrkoll.se, a site that provides information on all Swedes over the age of 16, published information on people with overdue payments. |
| Belgium | Belgian Data Protection Authority (APD) | 16/12/2019 | EUR € | 2,000 | Nursing Care Organization | Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR | Not disclosed | A nursing care organization failed to act on a request by a data subject to receive access to their data with the scope of erasing it. |
| Spain | Spanish Data Protection Authority (AEPD) | 10/12/2019 | EUR € | 5,000 | Shop Macoyn, S.L. | Art. 32 GDPR | Not disclosed | The company sent advertising emails to multiple recipients where every one of the recipients was able to see the email address of all other recipients. This was because the sender sent all the email addresses as CC instead of BCC. |
| Spain | Spanish Data Protection Authority (AEPD) | 10/12/2019 | EUR € | 1,600 | Megastar SL | Art. 5 (1) c) GDPR, Art. 13 GDPR | Not disclosed | The company was fined because it operated a video surveillance system that had an observation angle that extended too far into the public traffic area. The video surveillance system was also not accompanied by any data protection notices. |
| Germany | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 09/12/2019 | EUR € | 10,000 | Rapidata GmbH | Art. 37 GDPR | Not disclosed | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) ha repeatedly requested the company to appoint a data protection officer in accordance with Article 37 GDPR but even so, Rapidata GmbH refused to do so. The company was fined with €10,000. |
| Spain | Spanish Data Protection Authority (AEPD) | 03/12/2019 | EUR € | 5,000 | Linea Directa Aseguradora | Art. 6 GDPR | Not disclosed | An insurance company sent advertising emails to clients without the necessary consent. |
| Germany | Data Protection Authority of Niedersachsen | 02/12/2019 | EUR € | 294,000 | Unknown | Art. 5 GDPR | Not disclosed | A company was fined with €294,000 because of the “unnecessarily long” storage and retention of personal data in the selection of personnel. During the selection process, even health data was requested, which was excessive according to the DPA. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 02/12/2019 | EUR € | 2,000 | Nicola Medical Team 17 SRL | Art. 58 GDPR | Not disclosed | The company did not comply with measures imposed by the Data Protection Authority. |
| United Kingdom | Information Commissioners Office UK | 15/01/2019 | GBP £ | 895 | Leo Kirk | Breach of s55 of the Data Protection Act 1998 | Social Care | A former social worker has been prosecuted for passing the personal information of service users to a third party provider for Local Authority young person placements. Leo Kirk unlawfully disclosed referrals for residential or foster placements of vulnerable young people aged 16-18 years old. The referrals contained sensitive personal data including potential identifier information and vulnerability risks of the service user. Mr Kirk of Audenshaw, Manchester appeared before Stockport Magistrates’ Court and admitted two offences of unlawfully disclosing personal data, in breach of s55 of the Data Protection Act 1998. He was fined £483 for the first offence with no separate penalty for offence two, he was ordered to pay costs of £364.08 and a victim surcharge of £48. |
| United Kingdom | Information Commissioners Office UK | 05/12/2019 | GBP £ | 859 | Dannyelle Shaw | Breach of s55 of the Data Protection Act 1998 | Government/Military | A former Reablement Officer at Walsall Metropolitan Borough Council has been prosecuted for accessing social care records without authorisation. An internal investigation by the Council found that Ms Shaw had inappropriately accessed the social care records of 7 adults and 9 children without any business need to do so. Dannyelle Shaw of Bloxwich, Walsall, appeared before Wolverhampton Magistrates’ Court and admitted one offence of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was sentenced to a fine of £450, ordered to pay costs of £364 and a victim surcharge of £45. |
| United Kingdom | Information Commissioners Office UK | 02/12/2019 | GBP £ | 720 | Michelle Shipsey | Breach of s170 of the Data Protection Act 2018 | Government/Military | A former Social Services Support Officer at Dorset County Council has been prosecuted for accessing Social Care records without authorisation. An internal investigation found that Ms Shipsey had inappropriately accessed the Social Care records without any business need to do so. The records related to four individuals known to Ms Shipsey. Michelle Shipsey of Verwood, Dorset, appeared before Poole Magistrates’ Court and admitted one offence of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. She was sentenced to a 6 month conditional discharge, ordered to pay costs of £700 and a victim surcharge of £20. |
| United Kingdom | Information Commissioners Office UK | 17/09/2019 | GBP £ | 150,000 | Superior Style Home Improvements Ltd | Not disclosed | Marketing | Superior Style Home Improvements Ltd issued with monetary penalty notice after making unsolicited marketing calls to individuals registered with the TPS to try and generate UPVC installation leads. The Information Commissioner’s Office (ICO) has fined a Swansea double-glazing company £150,000 for making nuisance calls. Superior Style Home Improvements Ltd called people over an 11 month period whose numbers were registered with the Telephone Preference Service (TPS) and who had not given their consent to receive them. The ICO has also issued an Enforcement Notice warning them to stop making the calls. Dave Clancy, of the ICO’s investigations team said: ”Companies engaged in this illegal activity should take note, we will take action against those that continue to disregard the law around electronic marketing via phone calls, emails and text messages. These cause a real nuisance - and often distress - to people who don’t want to receive them. Company directors should also be aware that they can now be made personally liable for fines that we issue.” |
| United Kingdom | Information Commissioners Office UK | 12/08/2019 | GBP £ | Hudson Bay Finance Ltd | Section 4(4) of the DPA Subject to Section 27(1) | Financial Services | Hudson Bay Finance Ltd issued with an enforcement notice for failing to respond to a subject access request. | |
| Greece | Hellenic Data Protection Authority (HDPA) | 19/12/2019 | EUR € | 150,000 | Aegean Marine Petroleum Network Inc. | Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR | Oil/Gas/Petroleum | Insufficient technical and organisational measures to ensure information security |
| Spain | Spanish Data Protection Authority (aepd) | 07/01/2020 | EUR € | 10,000 | Asociación de Médicos Demócratas | Art. 6 GDPR | Not disclosed | Insufficient legal basis for data processing The Asociación de Médicos Demócratas has processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects. |
| Spain | Spanish Data Protection Authority (aepd) | 07/01/2020 | EUR € | 75,000 | EDP Comercializadora, S.A.U. | Art. 6 GDPR | Not disclosed | Insufficient legal basis for data processing The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora and that the processing of data is therefore justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier. |
| Spain | Spanish Data Protection Authority | 07/01/2020 | EUR € | 75,000 | EDP España S.A.U. | Art. 6 GDPR | Not disclosed | Insufficient legal basis for data processing The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject |
| Spain | Spanish Data Protection Authority (aepd) | 09/01/2020 | EUR € | 44,000 | Vodafone España, S.A.U. | Art. 58 GDPR | Telecommunications | Insufficient cooperation with supervisory authority Failure to provide information to the AEPD within the required timeframe in violation of Article 58 |
| Greece | Hellenic Data Protection Authority (HDPA) | 13/01/2020 | EUR € | 15,000 | Allseas Marine S.A. | Art. 5 (1) a), (2) GDPR | Not disclosed | Non-compliance with general data processing principles. The data protection supervisory authority has fined the extent to which employee data are processed by a video surveillance system in the workplace, the fact that the introduction of the video surveillance system was unlawful and the fact that the company did not sufficiently inform its employees about it. |
| Cyprus | Cyprian Data Protection Commissioner | 13/01/2020 | EUR € | 1,000 | eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD) | Art. 6 GDPR | Not disclosed | Insufficient legal basis for data processing Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for telephone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages. |
| Cyprus | Cyprian Data Protection Commissioner | 13/01/2020 | EUR € | 9,000 | Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance | Art. 32 GDPR | Not disclosed | Insufficient technical and organisational measures to ensure information security Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GPPR. |
| Spain | Spanish Data Protection Authority (aepd) | 14/01/2020 | EUR € | 3,600 | Zhang Bordeta 2006, S.L. (Store and Restaurant) | Art. 5 GDPR | Restaurant/Food Service | Non-compliance with general data processing principles The store and restaurant owner installed a video surveillance system which, among others, also took pictures of the sidewalk and thus of the public space, which violates the fundamental principle of data minimization. |
| Italy | Italian Data Protection Authority (Garante) | 15/01/2020 | EUR € | 50,000 | Community of Francavilla Fontana | Art. 5 GDPR, Art. 6 GDPR | Not disclosed | Insufficient legal basis for data processing The community published on its website information about a court trial, including personal data such as health data about a data subject. |
| Italy | Italian Data Protection Authority (Garante) | 15/01/2020 | EUR € | 27,800,000 | TIM (telecommunications operator) | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 32 GDPR | Telecommunications | Insufficient legal basis for data processing Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Furthermore, irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in Apps provided by the Company and invalid methods of consent were used. In some cases, paper forms requesting one single consent were used for various purposes, including marketing. Furthermore, data was kept longer than necessary and thus violated deletion periods. For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use of personal data for marketing purposes from those who had refused to receive promotional calls from the call centres. |
| Italy | Italian Data Protection Authority (Garante) | 23/01/2020 | EUR € | 30,000 | Sapienza Università di Roma | Art. 5 (1) f) GDPR, Art. 32 GDPR | Education/Training | Insufficient technical and organisational measures to ensure information security The fine is based on the fact that, according to the data protection authority, the Sapienza Università made available online identification data of two people who had reported possible illegal behaviour to the university. This was due to the lack of adequate technical access control measures within the whisleblowing management system, which had not limited access to such data to authorized personnel only. |
| Italy | Italian Data Protection Authority (Garante) | 23/01/2020 | EUR € | 30,000 | Azienda Ospedaliero Universitaria Integrata di Verona (Hospital) | Art. 5 (1) f) GDPR, Art. 32 GDPR | Healthcare | Insufficient technical and organisational measures to ensure information security The fine was preceded by access to health data by unauthorised persons, allowing a trainee and a radiologist to gain access to the health data of their colleagues. The investigations revealed that the technical and organisational measures taken by the hospital to protect health data had proved to be insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines for health records issued by the data protection authority in 2015, which stipulate that access to health records must be restricted only to health personnel involved in patient care. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 800 | Automoción | Art. 5 GDPR, Art. 6 GDPR | Automotive | Insufficient legal basis for data processing An employee created a fake profile about a female colleague on an erotic portal, which contained, among other things, her contact details, a photo of her and information about her sexual nature. Based on the profile, the data subject received several phone calls from people who wanted to contact her regarding the information provided on the website. As the private person was found to have a personality disorder, the fine was reduced from initial EUR 1000 to EUR 800. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 5,000 | Queseria Artesenal Ameco S.L. | Art. 5 GDPR, Art. 6 GDPR | Not disclosed | Insufficient legal basis for data processing The company processed personal data of customers without required consent. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 6,670 | Banco Bilbao Vizcaya Argentaria S.L. | Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR | Banking/Mortgage | Insufficient legal basis for data processing The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 75,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship. As a reason for the incorrect mailings Vodafone indicated a technical error. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 20,000 | Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal | Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR | Not disclosed | Insufficient legal basis for data processing Iberia continued to send e-mails to the data subject, despite the data subject had requested the withdrawal of his consent and the erasure of his personal data and that the execution of these measures had already been confirmed to him. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 50,000 | Vodafone España, S.A.U. | Art. 5 GDPR | Telecommunications | Non-compliance with general data processing principles The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to its neighbour. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 60,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España, which contained the billing of a telephone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject's personal data were incorporated into the information systems of Vodafone España without Vodafone being able to show that the data subject had consented to the collection and subsequent processing of his personal data. The fine of 100,000 EUR was reduced to 60,000 EUR due to a voluntary payment. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 75,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing The fine preceded the complaint by the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscription with a third party without the data subject's knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him. |
| Spain | Spanish Data Protection Authority (aepd) | 03/02/2020 | EUR € | 60,000 | Xfera Moviles S.A. | Art. 5 GDPR, Art. 6 GDPR | Not disclosed | Insufficient legal basis for data processing According to the data protection authority, XFERA MOVILES has violated Article 6(1) of the GDPR, as the company has unlawfully processed data, including bank details, customer address and name of the data subjects. |
| Spain | Spanish Data Protection Authority (aepd) | 04/02/2020 | EUR € | 1,500 | Cafetería Nagasaki | Art. 5 GDPR, Art. 6 GDPR | Restaurant/Food Service | Insufficient legal basis for data processing The AEPD found that the Nagasaki Cafetería did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians. |
| Spain | Spanish Data Protection Authority (aepd) | 14/02/2020 | EUR € | 30,000 | Xfera Moviles S.A. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Not disclosed | Insufficient technical and organisational measures to ensure information security The AEPD found that a third party had access to the name, telephone number and address of another customer. |
| Spain | Spanish Data Protection Authority (aepd) | 14/02/2020 | EUR € | 42,000 | Vodafone España, S.A.U. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Telecommunications | Insufficient technical and organisational measures to ensure information security The complainant had access to third party data in his personal Vodafone profile. |
| Spain | Spanish Data Protection Authority (aepd) | 14/02/2020 | EUR € | 50,000 | Iberdrola Clientes | Art. 6 GDPR | Not disclosed | Insufficient legal basis for data processing Iberdola Clientes, an electricity company, terminated the data subject's contract without its consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff's personal data to a third party without legal basis. |
| Spain | Spanish Data Protection Authority (aepd) | 14/02/2020 | EUR € | 3,000 | Colegio Arenales Carabanchel (School) | Art. 6 GDPR | Education/Training | Insufficient legal basis for data processing The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis. |
| Spain | Spanish Data Protection Authority (aepd) | 14/02/2020 | EUR € | 2,500 | Grupo Valsor Y Losan, S.L. | Art. 5 (1) f) GDPR | Not disclosed | Insufficient technical and organisational measures to ensure information security The controller had disclosed personal data to a third party in a property purchase agreement (breach of principles of integrity and confidentiality of personal data) |
| Spain | Spanish Data Protection Authority (aepd) | 18/02/2020 | EUR € | 1,500 | Mymoviles Europa 2000, S.L. | Art. 13 GDPR | Not disclosed | Insufficient fulfilment of information obligations. The AEPD found that the company did not publish a privacy statement on its website and that its legal notice did not sufficiently identify itself. |
| Bulgaria | Data Protection Commision of Bulgaria (KZLD) | 20/02/2020 | EUR € | 2,560 | L.E. EOOD | Art. 25 (1) GDPR, Art. 32 GDPR, Art. 6 GDPR | Other | Insufficient technical and organisational measures to ensure information security The fine of ca EUR 2,557 was imposed on L.E. EOOD for unlawful processing of personal data of data subject I.S. without the knowing and the consent of the data subject and also without a valid contractual relationship between L.E. EOOD and I.S. The enterprise processed the personal data of I.S. unlawfully seven times in duration of 3 months by failure to adopt technical and organizational measures to ensure the information security. In addition to the fine, the Commission for Personal Data Protection (“KZLD”) instructed L.E. EOOD to do regular inspections of its data processing activities, to do risk analysis regarding customers and employees and to conduct periodic trainings of the employees. The KZLD also ordered L.E. EOOD to archive and keep the documents containing the personal data only for limited purposes and the timeframe as required by law. |
| Bulgaria | Data Protection Commision of Bulgaria (KZLD) | 20/02/2020 | EUR € | 2,560 | T.K. EOOD | Art. 25 (1) GDPR, Art. 32 GDPR | Other | Insufficient technical and organisational measures to ensure information security The fine of ca. EUR 2,557 was imposed on T.K. EOOD for unlawful processing of personal data of data subject I.S. by failure to adopt technical and organizational measures to ensure the information security. T.K. EOOD processed the personal data of I.S. unlawfully nine times in duration of five months. The breaches caused damages to the data subject. |
| Greece | Hellenic Data Protection Authority (HDPA) | 21/02/2020 | EUR € | 5,000 | Public Power Corporation S.A. | Art. 15 GDPR | Other | Insufficient fulfilment of data subjects rights The Decision clarified that data subjects have a right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request. |
| Spain | Spanish Data Protection Authority (aepd) | 25/02/2020 | EUR € | 6,000 | Casa Gracio Operation | Art. 5 (1) c) GDPR | Other | Non-compliance with general data processing principles The company used CCTV cameras in the premises of a hotel which also captured the public roads outside the hotel resulting in a violation of the so called principle of data minimisation. |
| Spain | Spanish Data Protection Authority (aepd) | 25/02/2020 | EUR € | 48,000 | HM Hospitales | Art. 5 GDPR, Art. 6 GDPR | Healthcare | Insufficient legal basis for data processing The data subject stated that at the time of his admission to hospital he had to fill in a form containing a checkbox indicating that, if he did not tick it, he agreed to the transfer of his data to third parties. This form, provided by HM, was not compatible with the GDPR, since consent was to be obtained through the inactivity of the data subject. |
| Norway | Norwegian Supervisory Authority (Datatilsynet | 26/02/2020 | EUR € | 73,600 | Rælingen Municipality | Art. 5 (1) f) GDPR, Art. 32 GDPR | Other | Insufficient technical and organisational measures to ensure information security Health information on 15 children with physical and mental disabilities was processed in the Showbie digital learning platform, for the transfer of health-related personal information between schools and their homes. Datatilsynet found that no necessary risk assessments, privacy impact assessments or tests had been carried out before using the application and that a lack of security when logging into the application allowed access to the information of other students in the group. |
| Spain | Spanish Data Protection Authority (aepd) | 27/02/2020 | EUR € | 120,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Furthermore, the decision of the data protection authority emphasises that Vodafone España also unlawfully disclosed the personal data of the data subject to various credit agencies. |
| Norway | Norwegian Supervisory Authority (Datatilsynet) | 28/02/2020 | EUR € | 36,800 | Coop Finnmark SA | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing The company had distributed video surveillance footage of children under 16 who had allegedly stolen from a store. There was no sufficient legal basis for this data processing. |
| Spain | Spanish Data Protection Authority (aepd) | 28/02/2020 | EUR € | 3,600 | AEMA Hispánica | Art. 5 (1) f) GDPR | Other | Non-compliance with general data processing principles The company had sent the payroll of an employee to another employee and therefore disclosed personal data to an unauthorised party. |
| Spain | Spanish Data Protection Authority (aepd) | 28/02/2020 | EUR € | 48,000 | Vodafone ONO, S.A.U. | Art. 32 GDPR | Telecommunications | Insufficient technical and organisational measures to ensure information security The decision was taken due to several deficiencies in information security. For example, two people were given the same security access key. |
| Spain | Spanish Data Protection Authority (aepd) | 03/03/2020 | EUR € | 24,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing According to the AEPD, the company sent two SMS to an clients mobile number informing about a rate change in its contract and confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subjects consent or other legitimate interests of the company. |
| Spain | Spanish Data Protection Authority (aepd) | 03/03/2020 | EUR € | 40,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing According to the AEPD, the company sent an SMS to an clients mobile number confirming that a telephone contract with that number had been signed even though the client was not a Vodafone client, resulting in the processing of personal data without the data subjects consent or other legitimate interests of the company. |
| Spain | Spanish Data Protection Authority (aepd) | 03/03/2020 | EUR € | 42,000 | Vodafone España, S.A.U. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Telecommunications | Insufficient technical and organisational measures to ensure information security According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorized access to personal data of a client. |
| Spain | Spanish Data Protection Authority (aepd) | 03/03/2020 | EUR € | 1,800 | Solo Embrague | Art. 13 GDPR | Other | Insufficient fulfilment of information obligations The corporate website did not present a privacy policy or a cookie banner on its main page. |
| Netherlands | Dutch Supervisory Authority for Data Protection (AP) | 03/03/2020 | EUR € | 525,000 | Royal Dutch Tennis Association ("KNLTB") | Art. 5 GDPR, Art. 6 GDPR | Sport/Recreation | Insufficient legal basis for data processing The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association ("KNLTB") with EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors. |
| Spain | Spanish Data Protection Authority (aepd) | 04/03/2020 | EUR € | 60,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing According to the AEPD, the data subject has received several SMS from a separate operator indicating the activation of a new contract. The reason for this was that an employee of Vodafone España activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or sufficient legitimate interests for this processing of personal data. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 09/03/2020 | EUR € | 870 | Creditor | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing Sending of SMS to a data subject as a reminder for a debt, even when the debt has already been paid. |
| Poland | Polish National Personal Data Protection Office (UODO) | 09/03/2020 | EUR € | 4,400 | Vis Consulting Sp. z o.o. | Art. 31 GDPR, Art. 58 GDPR | Other | Insufficient cooperation with supervisory authority The company prevented an inspection by the data protection authority. As a result, the company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of the GDPR. |
| Spain | Spanish Data Protection Authority (aepd) | 09/03/2020 | EUR € | 15,000 | Gesthotel Activos Balagares | Art. 5 (1) f) GDPR | Hospitality/Travel | Non-compliance with general data processing principles The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read the contents of this letter in a meeting with other employees. |
| Sweden | Data Protection Authority of Sweden | 11/03/2020 | EUR € | 7,000,000 | Google LLC | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR | Technology | Insufficient fulfilment of data subjects rights The Swedish data protection authority has fined Google LLC €7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Datainspektionen had already completed a review in 2017 of the way in which Google deals with the right of individuals to have search results removed from Google's search engine and that Datainspektionen had instructed Google to remove a number of search results. In addition, data inspections stated that it had initiated a further review of Google's practices in 2018 after it received indications that several of the results that should have been removed still appeared in search results. Datainspektionen also objected to Google's current practice of informing web site owners about which results Google is removing from search results, specifically which link has been removed and who is behind the request for removal from the list, as this is without legal basis. |
| Spain | Spanish Data Protection Authority (aepd) | 12/03/2020 | EUR € | 2,000 | Homeowners Association | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Real Estate | Non-compliance with general data processing principles Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance. |
| Spain | Spanish Data Protection Authority (aepd) | 16/03/2020 | EUR € | 6,000 | Amalfi Servicios de Restauracion S.L. | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Restaurant/Food Service | Non-compliance with general data processing principles Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 19/03/2020 | EUR € | 5,800 | Unknown Company | Art. 6 GDPR, Art. 15 GDPR | Other | Insufficient fulfilment of data subjects rights The data controller has not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that his data processing activities had been in compliance with data protection laws. |
| Spain | Spanish Data Protection Authority (aepd) | 19/03/2020 | EUR € | 6,000 | Oliveros Ustrell, S.L. | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing The company forwarded an unsigned porting contract to the operator Vodafone. However, the data controller was unable to provide evidence of the order. For this reason, the personal data of the data subject has been processed without sufficient legal basis. |
| Greece | Hellenic Data Protection Authority (HDPA) | 20/03/2020 | EUR € | 8,000 | Speech and Special Education Centre - Mihou Dimitra | Art. 15 GDPR, Art. 58 GDPR | Education/Training | Insufficient fulfilment of data subjects rights The complainant had requested access to his child's data and to tax information. This request was rejected by the data controller. In addition, the data controller had violated an order of the data protection authority regarding access to the data. For this, a fine of EUR 8000 was imposed: EUR 3000 for not granting access to the data and EUR 5000 for violating orders of the data protection authority. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 25/03/2020 | EUR € | 4,150 | Vodafone Romania | Art. 32 GDPR | Telecommunications | Insufficient technical and organisational measures to ensure information security The company has sent an email to a customer which contained personal data of another customer due to inadequate technical and organisational measures to ensure information security. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 25/03/2020 | EUR € | 3,000 | Enel Energie | Art. 32 GDPR | Energy/Utilities | Insufficient technical and organisational measures to ensure information security The company has sent an email to a client which contained personal data of another client since the company failed to implement adequate technical and organisational measures to ensure an adequate level of information security. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 25/03/2020 | EUR € | 2,000 | SOS Infertility Association | Art. 58 GDPR | Other | Insufficient cooperation with supervisory authority The Association did not provide the data protection authority with the information requested by the latter after the Association had processed personal data without a sufficient legal basis. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 23/04/2020 | EUR € | 3,000 | Telekom Romania Communications SA | Art. 32 GDPR | Telecommunications | Insufficient technical and organisational measures to ensure information security The company had not taken sufficient technical and organizational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjects |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 23/04/2020 | EUR € | 3,000 | Estee Lauder Romania | Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR | Other | Insufficient legal basis for data processing Processing of personal data without sufficient legal basis including health data. |
| Belgium | Belgian Data Protection Authority (APD) | 28/04/2020 | EUR € | 50,000 | Proximus SA | Art. 31 GDPR, Art. 58 GDPR, Art. 37 GDPR | Other | Lack of appointment of data protection officer According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not able to work independently. |
| Belgium | Belgian Data Protection Authority (APD) | 14/05/2020 | EUR € | 50,000 | Social Media Provider | Art. 6 GDPR | Technology | Insufficient legal basis for data processing The company has sent invitations to contacts uploaded by its users without their consent or any other legal basis. |
| Denmark | Danish Data Protection Authority (Datatilsynet) | 15/05/2020 | EUR € | 6,700 | JobTeam A/S DKK | Art. 15 GDPR | Other | Insufficient fulfilment of data subjects rights The company has deleted personal data affected by a request for access without legal reason. |
| Ireland | Data Protection Authority of Ireland | 17/05/2020 | EUR € | 75,000 | Tusla Child and Family Agency | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing The company has erroneously disclosed personal data, including information about children, to unauthorized persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged offender, and in two other cases, data about children in foster care were improperly disclosed to blood relatives, including in one case to a father in prison. |
| Finland | Deputy Data Protection Ombudsman | 29/05/2020 | EUR € | 72,000 | Taksi Helsinki | Art. 5 GDPR, Art. 6 GDPR, Art. 35 GDPR | Other | Non-compliance with general data processing principles Among other things, the company had not assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in its taxis and had also failed to conduct data protection impact assessments of its processing activities, including the surveillance of security cameras, the processing of location data, automated decision making and profiling as part of its loyalty program. Furthermore, the processing of audio data was not in line with the GDPR principle of data minimization. |
| Belgium | Belgian Data Protection Authority (APD) | 29/05/2020 | EUR € | 1,000 | Non-profit organisation | Art. 6 GDPR, Art. 21 GDPR | Non-Profit/Volunteer | Insufficient fulfilment of data subjects rights The Belgian data protection authority has imposed a fine of EUR 1000 on a non-profit organisation for sending out direct marketing messages, despite the fact that data subjects had exercised their right to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the explicit consent of the data subjects. The data protection authority, however, denied the existence of any outweighing of legitimate interests. |
| Spain | Spanish Data Protection Authority (aepd) | 04/06/2020 | EUR € | 4,000 | Iberdrola Clientes | Art. 58 GDPR | Other | Insufficient cooperation with supervisory authority The company was asked to provide the AEPD with specific information in relation to a complaint. However, the company had not replied to the data protection authorities request for information within a certain time frame, in breach of Art. 58 of the GDPR. |
| Belgium | Belgian Data Protection Authority (APD) | 08/06/2020 | EUR € | 5,000 | Municipal employee | Art. 5 GDPR, Art. 6 GDPR | Government/Military | Insufficient legal basis for data processing In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access. |
| Spain | Spanish Data Protection Authority (aepd) | 09/06/2020 | EUR € | 2,000 | Attorney | Art. 32 GDPR | Other | Insufficient technical and organisational measures to ensure information security In the course of proceedings, an attorney submitted documents whose backs contained personal data of other parties. |
| Spain | Spanish Data Protection Authority (aepd) | 09/06/2020 | EUR € | 3,000 | Salad Market S.L. (Catering Company) | Art. 13 GDPR, Art. 14 GDPR | Restaurant/Food Service | Insufficient fulfilment of information obligations Fines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website. |
| Spain | Spanish Data Protection Authority (aepd) | 09/06/2020 | EUR € | 40,000 | TELEFONICA MOVILES ESPAÑA, S.A.U. | Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing A sales representative failed to carefully check the identity of a claimant so that he could appear in the name of the data subject and order a telephone connection for four telephone lines in his name. |
| Spain | Spanish Data Protection Authority (aepd) | 09/06/2020 | EUR € | 5,000 | Consulting de Seguridad e Investigacion Mira Dp Madrid S.L. | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing A data subject has received marketing messages without having consented. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 11/06/2020 | EUR € | 3,000 | Telekom Romania | Art. 32 GDPR | Telecommunications | Insufficient technical and organisational measures to ensure information security Inadequate security measures of the company had led to unlawful processing of personal data without verifying their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 of the GDPR, and the introduction of effective mechanisms to identify and protect data from unauthorised disclosure and unlawful processing is ordered to ensure compliance with the GDPR. |
| Hungary | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 12/06/2020 | EUR € | 288,000 | Digi Távközlési Szolgáltató Kft. ("Digi") (electronic communication service provider) | Art. 5 (1) b), (e) GDPR, Art. 32 (1), (2) GDPR | Other | Insufficient technical and organisational measures to ensure information security The company had infringed the principles of purpose limitation and storage restriction because its database contained a large amount of customer data which were no longer relevant for the actual purpose of collection and for which no retention period had been set. Furthermore, the NAIH pointed out that the defendant had not taken proportionate measures to reduce the risks in the area of data management and data security, arguing, inter alia, that it had not used encryption mechanisms. |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 18/06/2020 | EUR € | 4,000 | Enel Energie | Art. 32 GDPR | Energy/Utilities | Insufficient technical and organisational measures to ensure information security Failure to take adequate measures to prevent unauthorised disclosure of personal data. The fine was preceded by a complaint about the disclosure of personal data of the data subject to another customer by e-mail. |
| Spain | Spanish Data Protection Authority (aepd) | 19/06/2020 | EUR € | 6,000 | National Police Brigade | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing Making copies of a company's business records in the context of investigations which contained data from third parties and for which there was no legal basis for processing. |
| Norway | Norwegian Supervisory Authority (Datatilsynet) | 19/06/2020 | EUR € | 28,000 | Aquateknikk AS | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing Request for data from a credit agency without legal basis. |
| Isle of Man | Information Commissioner of Isle of Man | 25/06/2020 | EUR € | 13,500 | Department of Home Affairs | Art. 12 GDPR, Art. 15 GDPR | Other | Insufficient fulfilment of data subjects rights Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man has declared the GDPR - although it is not an EU state - to be applicable. |
| Greece | Hellenic Data Protection Authority (HDPA) | 29/06/2020 | EUR € | 5,000 | New York College S.A. | Art. 5 GDPR | Education/Training | Non-compliance with general data processing principles The College had contacted the complainant directly by telephone with regard to an educational programme and had processed personal data in a non-transparent manner. |
| Ireland | Data Protection Authority of Ireland | 30/06/2020 | EUR € | 40,000 | Tusla Child and Family Agency | Art. 33 GDPR | Other | Insufficient fulfilment of data breach notification obligations The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks. |
| Spain | Spanish Data Protection Authority (aepd) | 02/07/2020 | EUR € | 4,000 | De Vere Spain S.L. | Art. 21 GDPR | Other | Insufficient fulfilment of data subjects rights The company did not respond to the data subject's request to stop processing his or her data, and therefore data subject continued to receive commercial calls. |
| Spain | Spanish Data Protection Authority (aepd) | 02/07/2020 | EUR € | 24,000 | Iberdrola Clientes | Art. 5 GDPR | Other | Non-compliance with general data processing principles A third person had received an electricity bill with personal details such as name, address and bank account of another customer. The reason for this was that Iberdola Clientes was not able to guarantee adequate security measures in the processing of the personal data of the data subject, in violation of the principles of data integrity and confidentiality. The fine of €40,000 has been reduced to €24,000 due to voluntary payment. |
| Netherlands | Dutch Supervisory Authority for Data Protection (AP) | 06/07/2020 | EUR € | 830,000 | Bureau Krediet Registration ('BKR') | Art. 12 GDPR, Art. 15 GDPR | Other | Insufficient fulfilment of data subjects rights BKR had required the payment of a fee when individuals requested access to their personal data and only provided access to their data once a year free of charge by post. |
| Spain | Spanish Data Protection Authority (aepd) | 10/09/2020 | EUR € | 12,000 | Vodafone España, SAU | Art. 5 GDPR | Telecommunications | Non-compliance with general data processing principles Fines for violation of Art. 5 (1) d) GDPR for changing the customer's master data into the name of a third party, the ex-spouse of the customer. |
| Spain | Spanish Data Protection Authority (aepd) | 10/07/2020 | EUR € | 1,000 | Centro Internacional De Crecimiento Laboral Y Profesional S.L. | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing Sending commercial messages without consent and without the possibility to object. |
| Spain | Spanish Data Protection Authority (aepd) | 10/07/2020 | EUR € | 1,500 | Auto Desguaces Iglesias S.L. | Art. 5 GDPR | Other | Non-compliance with general data processing principles The company had installed surveillance cameras that recorded the public road and therefore violated the principle of data minimization. |
| Belgium | Belgian Data Protection Authority (APD) | 14/07/2020 | EUR € | 5,000 | Operator of CCTV of a residential building | Art. 6 GDPR, Art. 7 GDPR | Other | Insufficient legal basis for data processing The operator of video cameras on a residential property had installed cameras there to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts. |
| Belgium | Belgian Data Protection Authority (APD) | 14/07/2020 | EUR € | 600,000 | Google Belgium SA | Art. 5 GDPR, Art. 6 GDPR, Art. 17 (1) a) GDPR, Art. 12 GDPR | Technology | Insufficient fulfilment of data subjects rights The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, 600,000 euros. The reasons for the fine were the rejection of an application by a data subject for dereferencing outdated articles that the data subject had considered to be damaging to its reputation, and lack of transparency in Google's form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences for the data subjects, and natural persons were therefore entitled to have articles deleted/dereferenced. This also applies to persons who hold political office, even though these offices are generally less worthy of protection due to their public status and articles relating to political persons may therefore be stored for a longer period of time. Google's rejection of the application was therefore in breach of Article 17 of the GDPR (fine for this breach: €500,000). In addition, a further €100,000 was imposed for breach of the principle of transparency, as Google's rejection of the request for deletion was not sufficiently justified |
| Poland | Polish National Personal Data Protection Office (UODO) | 17/07/2020 | EUR € | 22,300 | Office for geodesy and cartography | Art. 31 GDPR, Art. 58 GDPR | Other | Insufficient cooperation with supervisory authority Refusal of access to the premises by the supervisory authority in the course of an audit. |
| Spain | El Real Sporting de Gijón S.A.D. | 23/07/2020 | EUR € | 5,000 | El Real Sporting de Gijón S.A.D. | Art. 6 GDPR, Art. 7 GDPR | Sport/Recreation | Insufficient legal basis for data processing Fines for sending direct marketing communications without sufficient consent, as the form Real Sporting de Gijón submitted to club members did not comply with the GDPR (opt-out instead of opt-in). |
| Spain | Spanish Data Protection Authority (aepd) | 23/07/2020 | EUR € | 5,000 | Xfera Moviles S.A. | Art. 58 GDPR | Telecommunications | Insufficient cooperation with supervisory authority Following a complaint, Xfera Móviles was requested by the AEPD to submit certain information and documents, but did not do so within the provided time limit. |
| Spain | Spanish Data Protection Authority (aepd) | 23/07/2020 | EUR € | 75,000 | Telefónica Móviles España, SAU | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing The company had carried out the number porting of his telephone line from his current company without his consent. Personal data was transferred from the former telephone operator to Telefónica Móviles España in order to change the ownership of the telephone line without sufficient legal basis. |
| Denmark | Danish Data Protection Authority (Datatilsynet) | 28/07/2020 | EUR € | 147,800 | Arp Hansen Hotel Group A/S | Art. 5 (1) e) GDPR | Hospitality/Travel | Non-compliance with general data processing principles During an inspection, the supervisory authority reviewed a number of IT systems to examine whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not kept longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself. |
| Italy | Italian Data Protection Authority (Garante) | 29/07/2020 | EUR € | 4,000 | Region of Campania | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing Publication of an enforcement order in civil proceedings on the Region's website. The document listed the names and place of residence and the amount of the claim. |
| Italy | Italian Data Protection Authority (Garante) | 29/07/2020 | EUR € | 3,000 | Community of San Giorgio Jonico | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing Publication of personal data on the municipal website with regard to legal proceedings. |
| Spain | Spanish Data Protection Authority (aepd) | 31/07/2020 | EUR € | 45,000 | Vodafone España SAU | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing Unlawfull processing of a telephone number for marketing purposes even after the data subject had exercised its right to erasure |
| Italy | Italian Data Protection Authority (Garante) | 04/08/2020 | EUR € | 1,000 | Supermarket | Art. 5 GDPR, Art. 6 GDPR | Customer Service | Insufficient legal basis for data processing The operator of a supermarket displayed the letter of dismissal to the personnel manager on the publicly visible notice board of the supermarket. |
| Italy | Italian Data Protection Authority (Garante) | 04/08/2020 | EUR € | 5,000 | National Institute for Social Security - Department of the Province of Brescia | Art. 15 GDPR | Other | Insufficient fulfilment of data subjects rights Failure to graint access to personal health data of a data subject according to Art. 15 GDPR. |
| Denmark | Danish Data Protection Authority (Datatilsynet) | 04/08/2020 | EUR € | 20,100 | PrivatBo A.M.B.A. | Art. 5 GDPR, Art. 32 GDPR | Other | Insufficient technical and organisational measures to ensure information security The company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the real estate objects in question but also personal data of other persons such as lease agreements and other documents containing confidential personal data. |
| Italy | Italian Data Protection Authority (Garante) | 05/08/2020 | EUR € | 2,000 | School | Art. 5 GDPR, Art. 6 GDPR | Education/Training | Insufficient legal basis for data processing Placing personal data of pupils on a public notice board. |
| Austria | Austrian Data Protection Authority (dsb) | 05/08/2020 | EUR € | 100 | Bank | Art. 5 GDPR, Art. 6 GDPR | Banking/Mortgage | Insufficient legal basis for data processing A bank employee made a copy of the identity card of a bank client who wanted to exchange EUR 100 in foreign currency and justified this with money laundering charges. However, these only apply to a sum of EUR 1000 and above. |
| Spain | Spanish Data Protection Authority (aepd) | 06/08/2020 | EUR € | 3,000 | GROW BEATS SL | Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR | Other | Insufficient fulfilment of information obligations The company had published a cookie policy on its website, which on the one hand contained no information about the purpose of the use of cookies and on the other hand no information about the properties of the installed cookies and the time period for which they remain active in the end user's terminal equipment. |
| Italy | Italian Data Protection Authority (Garante) | 10/08/2020 | EUR € | 10,000 | Community of Baronissi | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing The community published on its website personal data of data subjects including names, birth dates, place of birth, place of residence, etc. |
| Italy | Italian Data Protection Authority (Garante) | 10/08/2020 | EUR € | 10,000 | Cavauto S.R.L. | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR | Other | Insufficient legal basis for data processing Access to personal data of a former employee (containing his browser history) on his work computer. |
| Poland | Polish National Personal Data Protection Office (UODO) | 31/08/2020 | EUR € | 22,700 | Surveyor General of Poland ('GKK') | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing Processing of personal data on the GEOPORTAL2 platform in the form of land and mortgage registers (including names, surnames and other personal data) without sufficient legal basis. |
| Spain | Spanish Data Protection Authority (aepd) | 01/09/2020 | EUR € | 75,000 | Telefónica Móviles España, SAU | Art. 5 GDPR, Art. 6 GDPR | Telecommunications | Insufficient legal basis for data processing According to the supervisory authority, the company processed personal data without sufficient legal basis, with the result that the data subject received several hundred unsolicited calls and SMS messages. |
| Spain | Spanish Data Protection Authority (aepd) | 07/09/2020 | EUR € | 3,000 | Barcelona Airport Security Guard Association ('AVSAB') | Art. 5 (1) f) GDPR | Other | Non-compliance with general data processing principles A member of the AVSAB security committee used WhatsApp to send messages to private phone numbers containing personal information about employees. This was a violation of the confidentiality principle that, according to the AEPD, must be respected not only by the data controller, but also by any other subject involved in any phase of the processing. |
| Sweden | Swedish Data Protection Authority | 11/12/2020 | EUR € | 54,000 | Umeå University | Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR | Education/Training | Insufficient technical and organisational measures to ensure information security |
| Spain | Spanish Data Protection Authority (aepd) | 11/12/2020 | EUR € | 5,000,000 | Banco Bilbao Vizcaya Argentaria, S.A. | Art. 6 GDPR, Art. 13 GDPR | Banking/Mortgage | Insufficient fulfilment of information obligations |
| Poland | Polish National Personal Data Protection Office (UODO) | 14/01/2021 | EUR € | 443,000 | Virgin Mobile Polska | Art. 5 (1) f), (2) GDPR, Art. 25 (1) GDPR, Art. 32 (1) b), d), (2) GDPR | Telecommunications | Insufficient technical and organisational measures to ensure information security |
| Latvia | Latvia Data Protection Authority | 15/12/2020 | EUR € | 6,250 | Unknown | Art. 5 GDPR, Art. 6 GDPR | Other | Insufficient legal basis for data processing |
| Latvia | Latvia Data Protection Authority | 15/12/2020 | EUR € | 15,000 | HH Invest SIA | Art. 13 GDPR | Other | Insufficient fulfilment of information obligations |
| Sweden | Swedish Data Protection Authority | 15/12/2020 | EUR € | 29,500 | Uppsalahem AB | Art. 5 GDPR, Art. 6 (1) f) GDPR | Other | Insufficient legal basis for data processing |
| Spain | Spanish Data Protection Authority (aepd) | 21/12/2020 | EUR € | 36,000 | Banco Bilbao Vizcaya Argentaria, S.A. | Art. 5 (1) d) GDPR | Banking/Mortgage | Non-compliance with general data processing principles |
| Romania | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 22/12/2020 | EUR € | 2,000 | S.C. C&V Water Control S.A. | Art. 58 (1) a), e) GDPR, Art. 58 (2) i) GDPR | Other | Insufficient cooperation with supervisory authority |
| Spain | Spanish Data Protection Authority (aepd) | 22/12/2020 | EUR € | 6,000 | Iberdrola Clientes, SAU | Art. 48 (1) b) LGT, Art. 21 GDPR, Art. 23 (4) LOPDGDD | Other | Insufficient fulfilment of data subjects rights |
| Belgium | Belgian Data Protection Authority (APD) | 23/12/2020 | EUR € | 15,000 | Unknown | Art. 14 (1), (2) GDPR, Art. 12 (3) GDPR, Art. 6 GDPR, Art. 5 (1) c), (2) GDPR, Art. 24 (1), (2) GDPR | Not disclosed | Insufficient fulfilment of data subjects rights |
| Belgium | Belgian Data Protection Authority (APD) | 23/12/2020 | EUR € | 50,000 | Unknown | Art. 14 (1), (2) GDPR, Art. 12 (1), (2), (3) GDPR, Art. 15 (1) GDPR, Art. 5 (1) c), (2) GDPR, Art. 24 (1), (2) GDPR | Not disclosed | Insufficient fulfilment of data subjects rights |
| Spain | Spanish Data Protection Authority (aepd) | 04/01/2021 | EUR € | 54,000 | Vodafone España, S.A.U. | Art. 5 (1) d), f) GDPR | Telecommunications | Non-compliance with general data processing principles |
| France | French Data Protection Authority (CNIL) | 05/01/2021 | EUR € | 20,000 | Nestor SAS | Art. 12 GDPR, Art. 13 GDPR | Other | Insufficient fulfilment of information obligations |
| Country | Authority/Source | Date | Currency | Amount | Against | Legal Basis | Industry | Details |
