Romanian National Supervisory Authority for Personal Data Processing
27/06/2019
EUR €
130,000
UNICREDIT BANK SA
Art. 25 (1) and Art. 5 (1) (c) GDPR
Banking/Mortgage
The fine was issued as a result of the failure to implement appropriate technical and organisational measures (related to (1) the determination of the processing means/operations, and (2) the integration of the necessary safeguards), resulting in the online disclosure of IDs and addresses (internal/external transactions) of 337,042 data subjects to their respective beneficiaries (between 25.05.2018 and 10.12.2018).
Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstation. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, that employees should not be filmed continuously and that information about the data processing has to be provided.
326
Denmark
Danish Data Protection Authority (Datatilsynet)
03/06/2019
EUR €
200,850
IDdesign A / S
Art. 5 (1) (e) and (2) GDPR
Retail
The fine was imposed as a result of an inspection carried out in autumn 2018. IDdesign had processed personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not enforced, and the data was not deleted after the deadline for the information had been reached. Also, the controller had not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
327
Belgium
Belgian Data Protection Authority
28/05/2019
EUR €
2,000
Mayor
Art. 5 (1) (b) GDPR, Art. 6 GDPR
Public Authority
The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.
328
France
French Data Protection Authority
28/05/2019
EUR €
400,000
SERGIC, a company specialized in real estate development, purchase, sale, rental and property management
Art. 32 and 5 (1) e) GDPR
Real Estate
The CNIL based the penalty on two grounds: lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability had been known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account, inter alia, the seriousness of the breach (lack of due care in addressing the vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.
329
Lithuania
Lithuanian Data Protection Authority
16/05/2019
EUR €
61,500
Payment service provider UAB MisterTango
Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR
Financial Services
During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which it was a controller. In addition, it became known that from 9 to 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary. The controller did not report the data breach.
330
Czech Republic
Czech Data Protection Authority
13/05/2019
EUR €
3,105
Not disclosed
Art. 5 (1) a) and b) GDPR, Art. 32 (1) GDPR
Not disclosed
Not disclosed
331
Germany
Data Protection Authority of Baden-Wuerttemberg
09/05/2019
EUR €
1,400
Police Officer
Art. 6 GDPR
Public Authority
The police officer, using his official user ID but without reference to official duties, queried the owner data concerning the license plate of a person who he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, in which he asked not only for the personal data of the injured parties but also for the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone - without any official reason or consent given by the injured party. Through the ZEVIS and SARS enquiry for private purposes and the use of the mobile phone number obtained in this way for private contact, the police officer has processed personal data outside the scope of the law on his own authority.
332
Czech Republic
Czech Data Protection Authority
06/05/2019
EUR €
194
Not disclosed
Art. 15 GDPR
Not disclosed
Not disclosed
333
Poland
Polish National Personal Data Protection Office
25/04/2019
EUR €
12,950
Sports association
Art. 6 GDPR
Sport/Recreation
One sports association published personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers. Meanwhile, there is no legal basis for such a wide range of data on judges to be available on the Internet. By making them public, the administrator posed a potential risk of their unauthorized use, e.g. to impersonate them for the purpose of borrowing or other obligations. Although the association itself noticed its own error, as evidenced by the notification of a personal data protection breach to the President of the PDPA, the fact that attempts to remove it were ineffective determined the imposition of a penalty. When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among others, the duration of the infringement and the fact that it concerned a large group of persons (585 judges).
334
Italy
Italian Data Protection Authority
17/04/2019
EUR €
50,000
Italian political party Movimento 5 Stelle
Art. 32 GDPR
Government/Military
A number of websites attributable to the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer of 2017 that led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed. While the update of the privacy information notice was completed in a timely manner, the Italian data protection authority raised its concerns as to the lack of implementation on the Rousseau platform of some of the GDPR-related security measures.
335
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
17/04/2019
EUR €
9,400
Not disclosed
Art. 5 (1) a) GDPR, Art. 6 GDPR
Business/Company/Employer
A data controller used a legal basis (Art. 6 (1) (b) GDPR) for the processing of personal data for the assignment of claims which, in the view of the NAIH, was the wrong one.
The sanction of 510 EUR was imposed on each medical center for unlawful processing of the personal data of data subject G.B. by a medical center for the purpose of changing his GP. The medical center used software to generate a registration form for a change of GP, which was submitted to the Regional Health Insurance Fund and then to another medical center, which subsequently also unlawfully processed the personal data of G.B.
337
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and relevant individuals about a data breach, and failing to document the breach according to GDPR Article 33.5. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65 % of its anticipated turnover for the coming year. The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation’s system – a database of more than 6,000 individuals – and the command used for the attack. The system was vulnerable to attack because of a redirection problem with the organisation's web-page. After the attacker published the command, even people with low IT knowledge were able to retrieve information from the database.
338
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
05/04/2019
EUR €
1,900
Not disclosed
Art. 15 GDPR
Business/Company/Employer
The data controller did not fulfill the data subject's access request.
339
Norway
Norwegian Supervisory Authority
01/03/2019
EUR €
170,000
Bergen Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Public Authority
The incident relates to computer files with usernames and passwords to over 35,000 user accounts in the municipality’s computer system. The user accounts related to both pupils in the municipality’s primary schools and to the employees of the same schools. Due to insufficient security measures, these files had been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompassed personal data of over 35,000 individuals, and that the majority of these were children, was considered an aggravating factor. The municipality had also been warned several times, both by the authority and by an internal whistle-blower, that the data security was inadequate.
340
Poland
Polish National Personal Data Protection Office
26/03/2019
EUR €
219,538
Private company working with data from publicly available sources
Art. 14 GDPR
Business/Company/Employer
The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified noncompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.
341
Bulgaria
Data Protection Commission of Bulgaria
26/03/2019
EUR €
5,100
A.P. EOOD
Art. 5 (1) a) GDPR, Art. 6 GDPR
Real Estate
The sanction was imposed on personal data administrator A.P. EOOD for unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD for preparing an Employment Contract, while he was in prison.
342
Czech Republic
Czech Data Protection Authority
21/03/2019
EUR €
9,704
Not disclosed
Art. 5 (1) (c) and (e) GDPR
Not disclosed
Data was not processed in a way that was adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed ("data minimisation"), and was kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed ("storage limitation").
343
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasized that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
344
Czech Republic
Czech Data Protection Authority
28/02/2019
EUR €
582
Not disclosed
Art. 5 (1) (f) GDPR
Not disclosed
Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
345
Bulgaria
Bulgarian Commission for Personal Data Protection
26/02/2019
EUR €
27,100
Telecommunication service provider
Art. 6 GDPR, Art. 5 (1) (a) GDPR
Telecommunications
Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider had used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature on the application and the complainant's own genuine signature were not identical; the person's personal identification number was indicated, but the identity card number was not the complainant's.
An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way.
348
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
20/02/2019
EUR €
1,560
Debt collector
Art. 5 (1) a) and (c) GDPR - principles of transparency and data minimisation
Financial Services
A data subject requested information about and erasure of the data processed, which the debt collector refused, stating that it could not identify the subject. For identification purposes it requested place of birth, mother’s maiden name and further details from the data subject. After the controller succeeded in identifying the data subject, it refused to comply with the deletion request, arguing that it is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since it had not properly informed the data subject about these policies, the NAIH held that the controller breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller.
349
Malta
Data Protection Commissioner of Malta
18/02/2019
EUR €
5,000
Lands Authority
Art. 5 GDPR, Art. 32 GDPR
Public Authority
As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple Google search. The majority of the leaked data contained highly sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to €25,000 for each violation and may additionally impose a daily fine of €25 for each day such violation persists.
350
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
08/02/2019
EUR €
1,560
Bank
Art. 5 (1) (d) GDPR - principle of accuracy
Banking/Mortgage
A bank mistakenly sent SMS messages about a data subject's credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS messages to the incorrect telephone number. The fine represents 0.0016% of the annual profit of the bank.
351
Germany
Data Protection Authority of Sachsen-Anhalt
05/02/2019
EUR €
2,000
Private person
Art. 6 GDPR, Art. 5 GDPR
Private Citizen
The fine was imposed against a private person who sent several e-mails between July and September 2018 in which the personal e-mail addresses of all recipients were visible to everyone, so that each recipient could read countless other recipients' addresses. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal e-mail addresses were identifiable in his mailing list.
352
Czech Republic
Czech Data Protection Authority
04/02/2019
EUR €
1,165
Car renting company
Art. 5 (1) (a) GDPR
Automotive
A person who rented a car found out that the car was tracked via GPS by the renting company even though there was no information provided on the fact that the car is being tracked. The Czech Data Protection Authority found that there was no information provided in terms of Art. 13 GDPR and that Art. 6 (1) f) GDPR could not be the legal basis under the concrete circumstances. Due to that the UOOU found that there was a violation of Art. 5 (1) a) GDPR for which it imposed the fine.
353
Czech Republic
Czech Data Protection Authority
04/02/2019
EUR €
1,165
Credit brokerage
Art. 5 (1) (f) GDPR
Financial Services
Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
The fine was imposed on the basis of complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net". The complaints were filed on 25 and 28 May 2018, immediately after the GDPR became applicable. The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were neither "specific" nor "unambiguous" (Art. 4 (11) GDPR).
355
Bulgaria
Bulgarian Commission for Personal Data Protection
17/01/2019
EUR €
500
Bank
Art.6 GDPR, Art. 5 (1) (a) GDPR
Banking/Mortgage
A bank gained personal data concerning a student without a legal basis.
356
Czech Republic
Czech Data Protection Authority
10/01/2019
EUR €
388
Employer
Art. 6 GDPR
Business/Company/Employer
A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook website of the employer and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee.
357
Austria
Austrian Data Protection Authority
20/12/2018
EUR €
2,200
Private person
Art. 5 (1) (a) and c GDPR, Art. 6 (1) GDPR, Art. 13 GDPR
Private Citizen
The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, the video surveillance covered garden areas of an adjacent property. The video surveillance that was the subject of the proceedings is therefore not limited to areas which are under the exclusive control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without their consent to the recording of their image data. The video surveillance was not properly indicated.
358
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority.
359
Germany
Data Protection Authority of Hamburg
17/12/2018
EUR €
5,000
Kolibri Image Regina und Dirk Maass GbR
Art. 28 (3) GDPR
Professional Services
Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. That authority did not answer Kolibri Image in more detail, and the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in court since they are of the opinion that the service provider does not act as a processor.
360
Austria
Austrian Data Protection Authority
09/12/2018
EUR €
4,800
Betting place
Art. 13 GDPR
Casino/Gambling
Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted.
361
Germany
Data Protection Authority of Baden-Wuerttemberg
21/11/2018
EUR €
20,000
Social media network
Art. 32 (1) (a) GDPR
Internet
After a hacker attack in July, personal data of approx. 330,000 users, including passwords and email addresses, had been revealed.
362
Czech Republic
Czech Data Protection Authority
25/10/2018
EUR €
388
Not disclosed
Art. 15 GDPR
Not disclosed
Not disclosed
363
Portugal
Portuguese Data Protection Authority
17/07/2018
EUR €
400,000
Hospital
Art. 5 (1) f) GDPR, Art. 32 GDPR
Healthcare
Investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty.
364
Bulgaria
Bulgarian Commission for Personal Data Protection
12/04/2018
EUR €
500
Bank
Art. 5 (1) b) GDPR, Art. 6 GDPR
Banking/Mortgage
A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client about the unresolved bills of his neighbor. This provoked the client to invoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, on which the bank did take action within the statutory period. Nonetheless, the client filed a complaint with the KZLD. The infringement for which the bank was fined was that the processing of the client’s personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the view of the KZLD, to request additional consent from its client.
365
Austria
Austrian Data Protection Authority
31/12/2018
EUR €
1,800
Kebab restaurant
Not disclosed
Restaurant/Food Service
CCTV was unlawfully used. No further information available.
366
Austria
Austrian Data Protection Authority
31/12/2018
EUR €
5,280
Restaurant
Not disclosed
Restaurant/Food Service
CCTV was unlawfully used. No further information available.
367
Austria
Austrian Data Protection Authority
31/12/2018
EUR €
300
Private car owner
Not disclosed
Private Citizen
CCTV was unlawfully used. No further information available.
368
Cyprus
Cypriot Data Protection Commissioner
05/07/2019
EUR €
5,000
State Hospital
Art. 15 GDPR
Healthcare
A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.
369
Cyprus
Cypriot Data Protection Commissioner
05/07/2019
EUR €
10,000
Newspaper
Art. 6 GDPR
News/Media
The newspaper's publication, both in hard copy and in electronic form, concerned the alleged harassment and unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could have been achieved by referring only to the initials of their names and/or blurring their faces and/or publishing photographs taken from a distance so that it was impossible to identify the persons, and that these measures would not have changed the nature of the case.
370
Denmark
Danish Data Protection Authority
05/07/2019
EUR €
160,000
Taxa 4x35
Art. 5(1) e) GDPR
Transportation/Logistics
The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data minimisation principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold on to individuals' phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
371
Germany
Data Protection Authority of Baden-Wuerttemberg
05/07/2019
EUR €
80,000
Not disclosed
Not disclosed
Not disclosed
There is no further information available. This fine should not be confused with the fine dealing with health data that was also issued by the same authority, since the one dealing with health data was issued under the old German Data Protection Act. The existence of a second fine of the same amount is only known due to a tweet by the Data Protection Commissioner of Baden-Wuerttemberg.
Late notification of a data breach and failure to notify the data subjects.
373
Germany
Data Protection Authority of Saarland
31/12/2018
EUR €
118
Not disclosed
Art. 6 GDPR
Not disclosed
Illegal disclosure of personal data relating to a third party.
374
Germany
Data Protection Authority of Berlin
31/12/2018
EUR €
50,000
German Bank
Art. 6 GDPR
Banking/Mortgage
The fine was imposed against a bank (according to a newspaper, N26) that had processed "personal data of all former customers" without permission. The bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not make a new account available to these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that, in order to prevent a new bank account from being opened, only those persons may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had "not yet been legally concluded".
376
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
5,000
VODAFONE ESPANA, S.A.U.
Art. 5 (1) (d) GDPR
Telecommunications
The Spanish telecommunications and information agency (SETSI) decided Vodafone had to reimburse a customer for costs he was wrongfully charged for. Nevertheless, Vodafone reported personal data of this respective customer to a solvency registry (BADEXCUG). The AEPD found this behavior violated the principle of accuracy.
377
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
250,000
Professional Football League (LaLiga)
Art. 5 (1) a), 7 (3) GDPR
Sport/Recreation
The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
378
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
60,000
Debt collecting agency (GESTIÓN DE COBROS, YO COBRO SL)
Art. 5 (1) (f) GDPR
Professional Services
After the claimant did allegedly not pay back a micro-credit to an online credit agency, the claim was assigned to the debt collecting agency. Subsequently, the latter started sending emails not only to email addresses provided by the claimant but also to an institutional email address of his workplace accessible by any co-worker which was never provided by the claimant.
379
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
27,000
VODAFONE ESPANA, S.A.U.
Art. 5 (1) (d) GDPR
Telecommunications
Although the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and this request had been confirmed by the company, he received more than 200 SMS messages from the company from 2018 onwards. According to Vodafone's statement, this happened because the complainant's mobile phone number was erroneously used for testing purposes and accidentally appeared in various customer files belonging to customers other than the complainant. Since the company agreed to both payment and admission of responsibility, the fine was reduced in accordance with Spanish administrative law to EUR 27k.
380
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
60,000
ENDESA
Art. 5 (1) (f) GDPR
Energy/Utilities
Not disclosed
381
Greece
Hellenic Data Protection Authority (HDPA)
17/04/2019
EUR €
30,000
Hellenic Petroleum
Not disclosed
Oil/Gas/Petroleum
Greece’s Hellenic Data Protection Authority fined Hellenic Petroleum €20,000 for unlawful processing of personal data and €10,000 for failing to adopt appropriate data security measures, totalling €30,000 for data protection violations. Hellenic Petroleum S.A. had engaged a vendor to conduct a study on its behalf. The study was exposed online and its results, which included sensitive data such as political opinions, trade union membership and participation in associations, were publicly accessible on the Internet in violation of GDPR stipulations.
382
United Kingdom
Information Commissioner's Office UK
08/07/2019
GBP £
183,000,000
British Airways
Not disclosed
Aerospace/Aviation
British Airways is facing a record fine of £183m for last year's breach of its security systems. The airline, owned by IAG, says it was "surprised and disappointed" by the penalty from the Information Commissioner's Office (ICO). At the time, BA said hackers had carried out a "sophisticated, malicious criminal attack" on its website. The ICO said it was the biggest penalty it had ever handed out and the first to be made public under the new rules. The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers, the ICO said.
383
United States
Federal Trade Commission
12/07/2019
USD $
5,000,000,000
Facebook
Failing to give users very clear notifications when their data was being shared with third parties.
Technology
The Federal Trade Commission approved an approximately $5 billion settlement with Facebook over the company’s 2018 Cambridge Analytica scandal, a person familiar with the matter told The Wall Street Journal. The fine represents the largest ever imposed by the FTC against a tech company. Previously, the agency’s largest fine against a tech company came in 2012 when Google agreed to pay a $22.5 million penalty due to its privacy practices. The fine would represent approximately 9% of Facebook’s 2018 revenues. Facebook took a one-time charge of $3 billion in anticipation of the FTC fine in April during the company’s first-quarter results.
457
United Kingdom
ICO
19/07/2019
GBP £
80,000
estate agency
Not disclosed
Real Estate
The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers’ personal data exposed for almost two years. The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017. The exposed details included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.
459
Greece
Hellenic Data Protection Authority (HDPA)
01/07/2019
EUR €
150,000
PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA
Article 5(1)(a)
Business/Company/Employer
The Hellenic Data Protection Authority, in response to a complaint, conducted an ex officio investigation of the lawfulness of the processing of personal data of the employees of the company 'PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA' (PWC BS). According to the complaint, the employees were required to consent to the processing of their personal data.
460
Greece
Hellenic Data Protection Authority (HDPA)
07/10/2019
EUR €
200,000
Telecommunication Service Provider
Articles 21(3) and 25 GDPR
Telecommunications
Non-compliance with general data processing principles.
Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request.
575
Greece
Hellenic Data Protection Authority (HDPA)
07/10/2019
EUR €
200,000
Telecommunication Service Provider
Articles 5(1)(c), 25 GDPR
Telecommunications
Non-compliance with general data processing principles.
A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors.
576
Austria
Austrian Data Protection Authority (dsb)
01/07/2019
EUR €
11,000
Private person (soccer coach)
Art. 6 GDPR
Sport/Recreation
Insufficient legal basis for data processing.
The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years.
577
Germany
Data Protection Authority of Berlin
01/08/2019
EUR €
195,407
Delivery Hero
Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR
Customer Service
Insufficient fulfilment of data subjects' rights.
According to the findings of the Berlin Commissioner for Data Protection, Delivery Hero Germany GmbH had not deleted the accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years, in one case since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising e-mails from the delivery service. In five further cases, the company did not provide the data subjects with the required information, or did so only after the Berlin Commissioner had intervened.
578
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority.
579
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
01/01/2019
EUR €
92,146
Organizer of SZIGET festival and VOLT festival
Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR
Other
The NAIH found that inappropriate legal bases were in use and that the controller did not comply with the principle of purpose limitation. Also, information on the data processing was not fully provided to data subjects.
580
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
01/01/2019
EUR €
15,150
Unknown
Art. 33 GDPR
Not disclosed
The data controller did not fulfil its data breach notification obligations when a flash memory device containing personal data was lost.
581
Belgium
Belgian Data Protection Authority (APD)
19/09/2019
EUR €
10,000
Merchant
Art. 5 (1) c) GDPR
Other
The Belgian data protection authority imposed a fine of €10,000 on a merchant who wanted to use the electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data stored on the eID, including the photo and the barcode, which is linked to the data subject's national identification number.
582
Poland
Polish National Personal Data Protection Office (UODO)
10/09/2019
EUR €
644,780
Morele.net
Art. 32 GDPR
Telecommunications
The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people.
583
Austria
Austrian Data Protection Authority (dsb)
01/08/2019
EUR €
50,000
Company in the medical sector
Art. 13 GDPR, Art. 37 GDPR
Pharmaceutical/Biotech
The (non-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer.
584
France
French Data Protection Authority (CNIL)
25/07/2019
EUR €
180,000
ACTIVE ASSURANCES (car insurer)
Art. 32 GDPR
Insurance
A large number of customer accounts and client documents (including copies of driving licences, vehicle registrations, bank statements and documents used to determine whether a person had been subject to a licence withdrawal) were easily accessible online. Among other things, the CNIL criticised the password management: unauthorised access was possible without any authentication.
585
Bulgaria
Data Protection Commission of Bulgaria (KZLD)
28/08/2019
EUR €
511,000
DSK Bank
Art. 32 GDPR
Banking/Mortgage
Leakage of personal data due to inadequate technical and organisational measures to ensure information security. Third parties had access to over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenship, identification numbers, addresses, copies of identity cards and biometric data.
586
Bulgaria
Data Protection Commission of Bulgaria (KZLD)
28/08/2019
EUR €
2,600,000
National Revenue Agency
Art. 32 GDPR
Other
Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. It was found that personal data concerning about 6 million persons was illegally accessible.
587
Latvia
Data State Inspectorate (DSI)
26/08/2019
EUR €
7,000
Online Services
Art. 17 GDPR
Customer Service
A merchant operating an online store infringed the "right to be forgotten" under Art. 17 GDPR: a data subject repeatedly requested the deletion of all of their personal data, in particular their mobile phone number, which the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subject's mobile phone number.
A school in Skellefteå ran a trial of facial recognition technology. The fine was imposed on the school, which had used facial recognition to monitor the attendance of students. Even though data processing for the purpose of monitoring attendance is possible in general, doing so with facial recognition is disproportionate to the goal of monitoring attendance. The supervisory authority is of the opinion that biometric data of students was processed, which is why Art. 9 GDPR applies. Additionally, the authority argued that consent cannot serve as a legal basis, since students and their guardians cannot freely decide whether they or their children are monitored for attendance purposes. When examining whether the school board could rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that the processing was high-risk, since new technology was used to process sensitive personal data concerning children who are in a position of dependency on the high school board, and since camera surveillance was used in the students' everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR, and the school board was required to consult the authority in accordance with Art. 36 (1) GDPR.
589
Spain
Spanish Data Protection Authority (aepd)
01/01/2018
EUR €
12,000
Restaurant
Art. 5 (1) a), Art. 6 GDPR
Restaurant/Food Service
A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video that had been recorded by another employee in the restaurant for evidence purposes.
590
Spain
Spanish Data Protection Authority (aepd)
16/08/2019
EUR €
60,000
AVON COSMETICS
Art. 6 GDPR
Pharmaceutical/Biotech
A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims and prevented him from working with his bank. As a result, a third party fraudulently used the consumer's personal data.
592
United Kingdom
Information Commissioner (ICO)
09/07/2019
EUR €
110,390,200
Marriott International, Inc
Art. 32 GDPR
Hospitality/Travel
Please note: This fine is not final but will be decided on once the company and the involved supervisory authorities of other member states have made their representations. The ICO issued a notice of its intention to fine Marriott International Inc in relation to a cyber incident which was notified to the ICO by Marriott in November 2018. The GDPR infringements are likely to involve a breach of Art. 32 GDPR. A variety of personal data contained in approximately 339 million guest records globally was exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
593
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
02/07/2019
EUR €
15,056
WORLD TRADE CENTER BUCHAREST SA
Art. 32 GDPR
Business/Company/Employer
The data security breach consisted of a printed paper list, used to check in breakfast customers and containing the personal data of 46 clients staying at the hotel operated by WORLD TRADE CENTER BUCHAREST SA, being photographed by unauthorised persons outside the company, which led to the disclosure of the personal data of some clients through online publication. WORLD TRADE CENTER BUCHAREST SA was sanctioned because it had not taken steps to ensure that data is not disclosed to unauthorised parties.
594
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
05/07/2019
EUR €
3,000
LEGAL COMPANY & TAX HUB SRL
Art. 32 GDPR
Accounting/Finance
The fine was imposed because adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing were not implemented. This has led to unauthorized disclosure and unauthorized access to the personal data of people who have made transactions received by the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), due to publicly accessible documents between 10th of December 2018 and 1st of February 2019. The National Supervisory Authority applied the sanction following a notification dated 12th of October 2018 indicating that a set of files regarding the details of the transactions received by the avocatoo.ro website which contained the name, surname, address correspondence, email, telephone, job and details of transactions made, was publicly accessible through two links.
595
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The sanctions were applied to the controller because it could not prove that the data subjects had been informed about the processing of their personal data/images through the video surveillance system it had been operating since 2016, and because it disclosed the CNP (personal numeric code) of employees by displaying the report on the training of authorised ISCIR personnel for the year 2018 to the complainant, and could not prove the lawfulness of processing the CNP by disclosure under Art. 6 GDPR.
596
Portugal
Portuguese Data Protection Authority (CNPD)
05/02/2019
EUR €
20,000
Unknown
Art. 15 GDPR
Not disclosed
Insufficient fulfilment of data subjects' rights
597
Portugal
Portuguese Data Protection Authority (CNPD)
25/03/2019
EUR €
2,000
Unknown
Art. 15 GDPR
Not disclosed
Insufficient fulfilment of data subjects' rights
598
Norway
Norwegian Supervisory Authority (Datatilsynet)
29/04/2019
EUR €
203,000
Oslo Municipal Education Department
Art. 32 GDPR
Education/Training
Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information security, unauthorized persons were able to log in as authorized users and gain access to personal data about students, legal representatives and employees.
599
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
18/06/2019
EUR €
460,000
Haga Hospital
Art. 32 GDPR
Healthcare
The Haga Hospital did not have proper internal security for patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. The investigation followed reports that dozens of hospital staff had unnecessarily accessed the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposed an order subject to a penalty: if the Haga Hospital has not improved security by 2 October 2019, the hospital must pay €100,000 every two weeks, up to a maximum of €300,000. The Haga Hospital has since indicated that it will take measures.
600
Austria
Austrian Data Protection Authority
23/10/2019
EUR €
18,000,000
Austrian Post
Art. 5 (1) a) GDPR, Art. 6 GDPR
Public Authority
The Austrian Post had sold detailed personal profiles of approximately three million Austrians to various companies and political parties. The profiles contained names, addresses, political predilections, and even intimate details.
675
Germany
Data Protection Authority of Rheinland-Pfalz
03/12/2019
EUR €
105,000
Rheinland-Pfalz Hospital
Art. 5 GDPR
Healthcare
The Data Protection Authority of Rheinland-Pfalz fined a hospital €105,000 after a mix-up of patients. As a consequence, incorrect invoices were issued to patients, disclosing sensitive personal data.
676
Spain
Spanish Data Protection Authority
02/12/2019
EUR €
10,000
Ikea Ibérica
Art. 6 GDPR
Consumer Goods
Ikea Ibérica was found to have installed cookies on a customer’s device without asking for permission.
677
Romania
Romanian National Supervisory Authority for Personal Data Processing
29/11/2019
EUR €
2,500
Royal President S.R.L.
Art. 12 GDPR, Art. 15 GDPR
Other
The Royal President guest house near Bucharest was fined €2,500 after it refused to process a request to exercise the right of access. The Romanian supervisory authority also determined that customers' personal data was not processed in accordance with GDPR principles.
678
Romania
Romanian National Supervisory Authority for Personal Data Processing
29/11/2019
EUR €
80,000
ING Bank N.V. Amsterdam
Art. 25 GDPR
Banking/Mortgage
The Romanian branch of ING Bank N.V. Amsterdam was fined €80,000 for not respecting the principles of privacy by design and privacy by default, by not implementing adequate technical measures to ensure the protection of personal data. As a consequence, a total of 225,525 customers had their debit card transactions processed twice during the period of 8-10 October 2018. This is one of the larger fines in Romania, but it is worth noting that for similar offences in other countries fines of several million euros are common. This again shows that different countries take different approaches to GDPR enforcement.
679
Romania
Romanian National Supervisory Authority for Personal Data Processing
29/11/2019
EUR €
20,000
SC CNTAR TAROM SA
Art. 32 GDPR
Aerospace/Aviation
A fine of €20,000 was issued to the Romanian national airline Tarom because it failed to implement the necessary technical measures to ensure the security of personal information. As a consequence of these inadequate measures, a Tarom employee was able to access the flight booking application without authorization and see the personal data of 22 passengers, after which the employee took a photo of the list and made it public online.
680
Romania
Romanian National Supervisory Authority for Personal Data Processing
22/11/2019
EUR €
2,000
BNP Paribas SA
Art. 12 GDPR, Art. 17 GDPR
Other
BNP Paribas Personal Finance was requested to erase personal data of a client and it did not do so during the timeframe required by GDPR legislation.
Futura Internationale was fined after several individuals complained that they had been cold-called by the company even after expressly requesting not to be called again. The fine was high relative to similar cases because the CNIL determined that the company had received a large number of letters requesting removal from its call lists but had chosen to ignore them. Moreover, Futura Internationale was found to store excessive information about customers, including health data. The company also did not inform customers about the processing of their personal data or that all telephone conversations were recorded.
682
Spain
Spanish Data Protection Authority
21/11/2019
EUR €
60,000
Viaqua Xestión SA
Art. 6 GDPR
Other
A third party had access to and modified the personal data of a customer that was included in a contract. The third party had no legal basis to access the data.
683
Spain
Spanish Data Protection Authority
19/11/2019
EUR €
60,000
Xfera Moviles S.A.
Art. 32 GDPR
Other
A private individual received an SMS from Xfera Móviles that was actually addressed to a different person and included that third party's personal details, as well as their login details for the Xfera Móviles website.
684
Spain
Spanish Data Protection Authority
19/11/2019
EUR €
60,000
Corporacion RTVE
Art. 32 GDPR
Other
Corporación de Radio y Televisión Española lost six USB sticks containing unencrypted personal data.
685
Spain
Spanish Data Protection Authority
14/11/2019
EUR €
30,000
Telefónica SA
Art. 5 GDPR
Telecommunications
A person was charged by the phone operator Telefónica for a telephone service that they had never requested or held. This happened because the affected person's bank account was linked to the Telefónica profile of another person, so the fees for the service were deducted from the affected person's account. The AEPD ruled that this violated the principles set out in Article 5 GDPR.
686
Slovakia
Slovak Data Protection
13/11/2019
EUR €
50,000
Social Insurance Agency
Art. 32 GDPR
Not disclosed
Applications received from Slovak citizens requesting social benefits were sent to foreign authorities by post. These were lost, with the result that all the personal details of the affected people, including their home addresses, became public.
687
Spain
Spanish Data Protection Authority
13/11/2019
EUR €
3,000
General Confederation of Labour
Art. 6 GDPR
Other
The General Confederation of Labour emailed personal data of a complainant with the aim of organising a meeting. This included the name, home address, relationship status, pregnancy status and the date of an ongoing harassment case. The email was sent to around 400 members of the organisation without the affected individual's consent.
688
Spain
Spanish Data Protection Authority
07/11/2019
EUR €
900
TODOTECNICOS24H S.L.
Art. 13 GDPR
Other
The company TODOTECNICOS24H collected personal data without accurate information regarding the collection of this data.
689
Spain
Spanish Data Protection Authority
06/11/2019
EUR €
1,500
Cerrajero Online
Art. 13 GDPR
Other
The company collected personal data without providing accurate information about the collection of this data.
690
Latvia
Data State Inspectorate
01/11/2019
EUR €
150,000
Unknown
Art. 6 GDPR
Not disclosed
No concrete details have been released at this point other than a fine of €150,000 was imposed in November 2019. We will update this card once further information emerges.
691
Spain
Spanish Data Protection Authority
31/10/2019
EUR €
6,000
Jocker Premium Invex
Art. 6 GDPR
Other
Postal advertisements and commercial offers were sent by Jocker Premium Invex to a registrant to a local census, even though the registrant did not consent to receive such advertisements and offers.
692
Netherlands
Not disclosed
31/10/2019
EUR €
900,000
UWV - Insurance provider
Art. 32 GDPR
Insurance
The Dutch employee insurance agency "Uitvoeringsinstituut Werknemersverzekeringen" (UWV) did not use multi-factor authentication for access to its employer web portal. As a result, occupational health and safety services, as well as employers, were able to view and collect data on employees to which they should not normally have had access.
693
Germany
Data Protection Authority of Berlin
30/10/2019
EUR €
14,500,000
Deutsche Wohnen SE
Art. 5 GDPR, Art. 25 GDPR
Real Estate
The company collected data from tenants without providing for the removal of that data once it was no longer required. This led to the company retaining tenants' personal data for years (salary statements, social security and health insurance details, tax records, bank statements). The Berlin Data Protection Commissioner issued a fine of €14,500,000.
694
Poland
Polish National Personal Data Protection Office (UODO)
18/10/2019
EUR €
9,380
Polish Mayor
Art. 28 GDPR
Public Authority
No data processing agreement had been concluded with the company whose servers hosted the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of PLN 40,000 (approx. €9,400) was imposed on the mayor of the city.
695
Poland
Polish National Personal Data Protection Office (UODO)
16/10/2019
EUR €
47,000
ClickQuickNow
Art. 5 GDPR
Other
The Company did not have the appropriate organizational measures in place that would allow data subjects to withdraw their consent to the processing of personal data. Moreover, the data subjects also couldn’t easily request the deletion of their personal data.
696
Spain
Spanish Data Protection Authority
16/10/2019
EUR €
8,000
Iberdrola Clientes
Art. 31 GDPR
Energy/Utilities
Iberdrola Clientes violated Article 31 GDPR by showing a complete lack of cooperation with the AEPD, which had requested information from the company concerning the inclusion of a person in a solvency (credit default) register; the company failed to provide it.
697
Spain
Spanish Data Protection Authority
16/10/2019
EUR €
60,000
Xfera Moviles S.A.
Art. 5 GDPR, Art. 6 GDPR
Other
The company had unlawfully processed the data subject's personal data despite the data subject's request to stop doing so.
698
Romania
Romanian National Supervisory Authority for Personal Data Processing
09/10/2019
EUR €
20,000
Vreau Credit SRL
Art. 32 GDPR Art. 33 GDPR
Other
The company sent customers' personal data to Raiffeisen Bank via the WhatsApp platform in order to obtain credit score assessments. The results were returned via the same platform.
699
Romania
Romanian National Supervisory Authority for Personal Data Processing
09/10/2019
EUR €
150,000
Raiffeisen Bank SA
Art. 32 GDPR
Banking/Mortgage
Raiffeisen Bank Romania did not observe the security measures required by the GDPR when it assessed the credit scores of individuals on the basis of personal data exchanged via WhatsApp.
700
Slovakia
Slovak Data Protection
27/09/2019
EUR €
40,000
Slovak Telekom
Art. 32 GDPR
Telecommunications
The data controller did not take the necessary technical measures to prevent a data breach. No further details have been disclosed.
701
Spain
Spanish Data Protection Authority
01/10/2019
EUR €
30,000
Vueling Airlines
Art. 5 GDPR, Art. 6 GDPR
Hospitality/Travel
Vueling Airlines made it impossible for users to access its website without accepting cookies: one could not browse the website unless all cookies were accepted. The AEPD sanctioned the company with €30,000.
702
Germany
German Federal Commissioner for Data Protection and Freedom of Information (BfDI)
01/12/2019
EUR €
9,550,000
1&1 Telecom
Not disclosed
Telecommunications
Customer personal information was available to anyone who provided the name and date of birth of a customer. The fine would have been much higher, but the company cooperated closely with the regulator to address the issue quickly.
760
Netherlands
Dutch Data Protection Authority (Dutch DPA)
01/11/2019
EUR €
600,000
Uber
Not disclosed
Customer Service
The Dutch Data Protection Authority (Dutch DPA) imposed a fine of €600,000 on Uber B.V. and Uber Technologies, Inc (UTI) for violating the Dutch data breach notification rules. In 2016 a data breach occurred within the Uber group in the form of unauthorised access to the personal data of customers and drivers. The Uber group was fined because it did not report the data breach to the Dutch DPA and to the data subjects within 72 hours of discovering the breach.
762
Germany
Labour Court (ArbG) of Lübeck
14/01/2020
EUR €
1,000
Not disclosed
Art. 6 GDPR
Not disclosed
The Lübeck Labour Court assessed a fine of €1,000 for the unlawful use of an employee's photo on Facebook.
763
United Kingdom
Information Commissioner’s Office (ICO)
09/01/2020
GBP £
500,000
DSG Retail Limited (DSG)
Not disclosed
Retail
The Information Commissioner's Office (ICO) fined DSG Retail Limited (DSG) £500,000 after a 'point of sale' computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine month period before the attack was detected.
764
United Kingdom
Information Commissioner (ICO)
20/12/2019
EUR €
320,000
Doorstep Dispensaree
Art. 32 GDPR
Pharmaceutical/Biotech
The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers, medical information and prescriptions in unsealed containers at the back of its building and failed to protect these documents from the elements, resulting in water damage to the documents and potentially the loss of some data.
765
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
18/12/2019
EUR €
2,000
Telekom Romania
Art. 32 GDPR
Telecommunications
The company did not ensure the accuracy of the processing of personal data. This resulted in the disclosure of a client’s personal data to a different client.
766
Belgium
Belgian Data Protection Authority (APD)
17/12/2019
EUR €
15,000
Legal information website
Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR
Not disclosed
A website that provided legal information and news only had its privacy policy page available in English, even though it was also addressing the French and Dutch-speaking markets. Also, the privacy policy page was not easily accessible and did not mention the legal basis for the processing of data, as required by the GDPR. The website also used Google Analytics without effective consent.
767
Sweden
Data Protection Authority of Sweden
16/12/2019
EUR €
35,000
Nusvar AB
Art. 6 GDPR
Not disclosed
Nusvar AB, which operates the website Mrkoll.se, a site that provides information on all Swedes over the age of 16, published information on people with overdue payments.
768
Belgium
Belgian Data Protection Authority (APD)
16/12/2019
EUR €
2,000
Nursing Care Organization
Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR
Not disclosed
A nursing care organisation failed to act on a data subject's request for access to their data with a view to having it erased.
769
Spain
Spanish Data Protection Authority (AEPD)
10/12/2019
EUR €
5,000
Shop Macoyn, S.L.
Art. 32 GDPR
Not disclosed
The company sent advertising emails to multiple recipients in such a way that every recipient could see the email addresses of all the others, because the sender placed all addresses in the CC field instead of BCC.
770
Spain
Spanish Data Protection Authority (AEPD)
10/12/2019
EUR €
1,600
Megastar SL
Art. 5 (1) c) GDPR, Art. 13 GDPR
Not disclosed
The company was fined because it operated a video surveillance system that had an observation angle that extended too far into the public traffic area. The video surveillance system was also not accompanied by any data protection notices.
771
Germany
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
09/12/2019
EUR €
10,000
Rapidata GmbH
Art. 37 GDPR
Not disclosed
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) had repeatedly requested the company to appoint a data protection officer in accordance with Article 37 GDPR, but Rapidata GmbH refused to do so. The company was fined €10,000.
772
Spain
Spanish Data Protection Authority (AEPD)
03/12/2019
EUR €
5,000
Linea Directa Aseguradora
Art. 6 GDPR
Not disclosed
An insurance company sent advertising emails to clients without the necessary consent.
773
Germany
Data Protection Authority of Niedersachsen
02/12/2019
EUR €
294,000
Unknown
Art. 5 GDPR
Not disclosed
A company was fined €294,000 because of the “unnecessarily long” storage and retention of personal data in the selection of personnel. During the selection process, even health data was requested, which was excessive according to the DPA.
774
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
02/12/2019
EUR €
2,000
Nicola Medical Team 17 SRL
Art. 58 GDPR
Not disclosed
The company did not comply with measures imposed by the Data Protection Authority.
775
United Kingdom
Information Commissioner's Office UK
15/01/2019
GBP £
895
Leo Kirk
Breach of s55 of the Data Protection Act 1998
Social Care
A former social worker has been prosecuted for passing the personal information of service users to a third party provider for Local Authority young person placements.
Leo Kirk unlawfully disclosed referrals for residential or foster placements of vulnerable young people aged 16-18 years old. The referrals contained sensitive personal data including potential identifier information and vulnerability risks of the service user.
Mr Kirk of Audenshaw, Manchester appeared before Stockport Magistrates’ Court and admitted two offences of unlawfully disclosing personal data, in breach of s55 of the Data Protection Act 1998. He was fined £483 for the first offence with no separate penalty for offence two; he was ordered to pay costs of £364.08 and a victim surcharge of £48.
2386
United Kingdom
Information Commissioner's Office UK
05/12/2019
GBP £
859
Dannyelle Shaw
Breach of s55 of the Data Protection Act 1998
Government/Military
A former Reablement Officer at Walsall Metropolitan Borough Council has been prosecuted for accessing social care records without authorisation.
An internal investigation by the Council found that Ms Shaw had inappropriately accessed the social care records of 7 adults and 9 children without any business need to do so.
Dannyelle Shaw of Bloxwich, Walsall, appeared before Wolverhampton Magistrates’ Court and admitted one offence of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was sentenced to a fine of £450, ordered to pay costs of £364 and a victim surcharge of £45.
2387
United Kingdom
Information Commissioner's Office UK
02/12/2019
GBP £
720
Michelle Shipsey
Breach of s170 of the Data Protection Act 2018
Government/Military
A former Social Services Support Officer at Dorset County Council has been prosecuted for accessing Social Care records without authorisation.
An internal investigation found that Ms Shipsey had inappropriately accessed the Social Care records without any business need to do so. The records related to four individuals known to Ms Shipsey.
Michelle Shipsey of Verwood, Dorset, appeared before Poole Magistrates’ Court and admitted one offence of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. She was sentenced to a 6 month conditional discharge, ordered to pay costs of £700 and a victim surcharge of £20.
2388
United Kingdom
Information Commissioner's Office UK
17/09/2019
GBP £
150,000
Superior Style Home Improvements Ltd
Not disclosed
Marketing
Superior Style Home Improvements Ltd was issued with a monetary penalty notice after making unsolicited marketing calls to individuals registered with the TPS to try and generate UPVC installation leads.
The Information Commissioner’s Office (ICO) has fined a Swansea double-glazing company £150,000 for making nuisance calls.
Superior Style Home Improvements Ltd called people over an 11 month period whose numbers were registered with the Telephone Preference Service (TPS) and who had not given their consent to receive them. The ICO has also issued an Enforcement Notice warning them to stop making the calls.
Dave Clancy, of the ICO’s investigations team said: “Companies engaged in this illegal activity should take note, we will take action against those that continue to disregard the law around electronic marketing via phone calls, emails and text messages. These cause a real nuisance - and often distress - to people who don’t want to receive them. Company directors should also be aware that they can now be made personally liable for fines that we issue.”
2389
United Kingdom
Information Commissioner's Office UK
12/08/2019
GBP £
Hudson Bay Finance Ltd
Section 4(4) of the DPA Subject to Section 27(1)
Financial Services
Hudson Bay Finance Ltd was issued with an enforcement notice for failing to respond to a subject access request.
2390
Greece
Hellenic Data Protection Authority (HDPA)
19/12/2019
EUR €
150,000
Aegean Marine Petroleum Network Inc.
Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR
Oil/Gas/Petroleum
Insufficient technical and organisational measures to ensure information security
2423
Spain
Spanish Data Protection Authority (AEPD)
07/01/2020
EUR €
10,000
Asociación de Médicos Demócratas
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The Asociación de Médicos Demócratas has processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects.
2424
Spain
Spanish Data Protection Authority (AEPD)
07/01/2020
EUR €
75,000
EDP Comercializadora, S.A.U.
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora and that the processing of data is therefore justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier.
2425
Spain
Spanish Data Protection Authority
07/01/2020
EUR €
75,000
EDP España S.A.U.
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject
2426
Spain
Spanish Data Protection Authority (AEPD)
09/01/2020
EUR €
44,000
Vodafone España, S.A.U.
Art. 58 GDPR
Telecommunications
Insufficient cooperation with supervisory authority
Failure to provide information to the AEPD within the required timeframe in violation of Article 58
2427
Greece
Hellenic Data Protection Authority (HDPA)
13/01/2020
EUR €
15,000
Allseas Marine S.A.
Art. 5 (1) a), (2) GDPR
Not disclosed
Non-compliance with general data processing principles.
The data protection supervisory authority fined the company for the extent to which employee data were processed by a video surveillance system in the workplace, for the unlawful introduction of that video surveillance system, and for the fact that the company did not sufficiently inform its employees about it.
2428
Cyprus
Cyprian Data Protection Commissioner
13/01/2020
EUR €
1,000
eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD)
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for telephone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages.
2429
Cyprus
Cyprian Data Protection Commissioner
13/01/2020
EUR €
9,000
Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance
Art. 32 GDPR
Not disclosed
Insufficient technical and organisational measures to ensure information security
Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GDPR.
2430
Spain
Spanish Data Protection Authority (AEPD)
14/01/2020
EUR €
3,600
Zhang Bordeta 2006, S.L. (Store and Restaurant)
Art. 5 GDPR
Restaurant/Food Service
Non-compliance with general data processing principles
The store and restaurant owner installed a video surveillance system which, among other things, also captured the sidewalk and thus the public space, which violates the fundamental principle of data minimization.
2431
Italy
Italian Data Protection Authority (Garante)
15/01/2020
EUR €
50,000
Community of Francavilla Fontana
Art. 5 GDPR, Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The community published on its website information about a court trial, including personal data such as health data about a data subject.
Insufficient legal basis for data processing
Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Irregularities in data processing in connection with competitions were also the subject of complaints. In addition, incorrect and non-transparent information on data processing was provided in apps offered by the company, and invalid methods of obtaining consent were used. In some cases, paper forms requesting one single consent were used for various purposes, including marketing. Furthermore, data was kept longer than necessary, in violation of deletion periods. For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who had asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), and lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use of personal data for marketing purposes from those who had refused to receive promotional calls from the call centres.
2433
Italy
Italian Data Protection Authority (Garante)
23/01/2020
EUR €
30,000
Sapienza Università di Roma
Art. 5 (1) f) GDPR, Art. 32 GDPR
Education/Training
Insufficient technical and organisational measures to ensure information security
The fine is based on the fact that, according to the data protection authority, the Sapienza Università made identification data of two people who had reported possible illegal behaviour to the university available online. This was due to the lack of adequate technical access control measures within the whistleblowing management system, which had not limited access to such data to authorized personnel only.
2434
Italy
Italian Data Protection Authority (Garante)
23/01/2020
EUR €
30,000
Azienda Ospedaliero Universitaria Integrata di Verona (Hospital)
Art. 5 (1) f) GDPR, Art. 32 GDPR
Healthcare
Insufficient technical and organisational measures to ensure information security
The fine followed unauthorised access to health data: a trainee and a radiologist were able to gain access to the health data of their colleagues. The investigations revealed that the technical and organisational measures taken by the hospital to protect health data had proved insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines for health records issued by the data protection authority in 2015, which stipulate that access to health records must be restricted to the health personnel involved in patient care.
2435
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
800
Automoción
Art. 5 GDPR, Art. 6 GDPR
Automotive
Insufficient legal basis for data processing
An employee created a fake profile about a female colleague on an erotic portal, which contained, among other things, her contact details, a photo of her and information about her sexual nature. Based on the profile, the data subject received several phone calls from people who wanted to contact her regarding the information provided on the website. As the private person was found to have a personality disorder, the fine was reduced from an initial EUR 1,000 to EUR 800.
2436
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
5,000
Queseria Artesenal Ameco S.L.
Art. 5 GDPR, Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The company processed personal data of customers without required consent.
2437
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
6,670
Banco Bilbao Vizcaya Argentaria S.L.
Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR
Banking/Mortgage
Insufficient legal basis for data processing
The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data.
2438
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
75,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship. Vodafone attributed the incorrect mailings to a technical error.
2439
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
20,000
Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal
Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR
Not disclosed
Insufficient legal basis for data processing
Iberia continued to send e-mails to the data subject, although the data subject had requested the withdrawal of his consent and the erasure of his personal data, and the execution of these measures had already been confirmed to him.
2440
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
50,000
Vodafone España, S.A.U.
Art. 5 GDPR
Telecommunications
Non-compliance with general data processing principles
The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to its neighbour.
2441
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
60,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España, which contained the billing of a telephone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject's personal data were incorporated into the information systems of Vodafone España without Vodafone being able to show that the data subject had consented to the collection and subsequent processing of his personal data. The fine of 100,000 EUR was reduced to 60,000 EUR due to a voluntary payment.
2442
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
75,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The fine was preceded by a complaint from the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscription with a third party without the data subject's knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him.
2443
Spain
Spanish Data Protection Authority (AEPD)
03/02/2020
EUR €
60,000
Xfera Moviles S.A.
Art. 5 GDPR, Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
According to the data protection authority, XFERA MOVILES has violated Article 6(1) of the GDPR, as the company has unlawfully processed data, including bank details, customer address and name of the data subjects.
2444
Spain
Spanish Data Protection Authority (AEPD)
04/02/2020
EUR €
1,500
Cafetería Nagasaki
Art. 5 GDPR, Art. 6 GDPR
Restaurant/Food Service
Insufficient legal basis for data processing
The AEPD found that the Nagasaki Cafetería did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians.
2445
Spain
Spanish Data Protection Authority (AEPD)
14/02/2020
EUR €
30,000
Xfera Moviles S.A.
Art. 5 (1) f) GDPR, Art. 32 GDPR
Not disclosed
Insufficient technical and organisational measures to ensure information security
The AEPD found that a third party had access to the name, telephone number and address of another customer.
2446
Spain
Spanish Data Protection Authority (AEPD)
14/02/2020
EUR €
42,000
Vodafone España, S.A.U.
Art. 5 (1) f) GDPR, Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The complainant had access to third party data in his personal Vodafone profile.
2447
Spain
Spanish Data Protection Authority (AEPD)
14/02/2020
EUR €
50,000
Iberdrola Clientes
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
Iberdrola Clientes, an electricity company, terminated the data subject's contract without his consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff's personal data to a third party without legal basis.
2448
Spain
Spanish Data Protection Authority (AEPD)
14/02/2020
EUR €
3,000
Colegio Arenales Carabanchel (School)
Art. 6 GDPR
Education/Training
Insufficient legal basis for data processing
The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis.
2449
Spain
Spanish Data Protection Authority (AEPD)
14/02/2020
EUR €
2,500
Grupo Valsor Y Losan, S.L.
Art. 5 (1) f) GDPR
Not disclosed
Insufficient technical and organisational measures to ensure information security
The controller had disclosed personal data to a third party in a property purchase agreement (breach of the principles of integrity and confidentiality of personal data).
2450
Spain
Spanish Data Protection Authority (AEPD)
18/02/2020
EUR €
1,500
Mymoviles Europa 2000, S.L.
Art. 13 GDPR
Not disclosed
Insufficient fulfilment of information obligations.
The AEPD found that the company did not publish a privacy statement on its website and that its legal notice did not sufficiently identify the company.
2451
Bulgaria
Data Protection Commission of Bulgaria (KZLD)
20/02/2020
EUR €
2,560
L.E. EOOD
Art. 25 (1) GDPR, Art. 32 GDPR, Art. 6 GDPR
Other
Insufficient technical and organisational measures to ensure information security
The fine of ca. EUR 2,557 was imposed on L.E. EOOD for unlawful processing of personal data of data subject I.S. without the knowledge and consent of the data subject and without a valid contractual relationship between L.E. EOOD and I.S. The enterprise processed the personal data of I.S. unlawfully seven times over a period of three months by failing to adopt technical and organizational measures to ensure information security. In addition to the fine, the Commission for Personal Data Protection (“KZLD”) instructed L.E. EOOD to carry out regular inspections of its data processing activities, to perform risk analyses regarding customers and employees, and to conduct periodic training of employees. The KZLD also ordered L.E. EOOD to archive and keep the documents containing the personal data only for limited purposes and for the timeframe required by law.
5619
Bulgaria
Data Protection Commission of Bulgaria (KZLD)
20/02/2020
EUR €
2,560
T.K. EOOD
Art. 25 (1) GDPR, Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
The fine of ca. EUR 2,557 was imposed on T.K. EOOD for unlawful processing of personal data of data subject I.S. by failing to adopt technical and organizational measures to ensure information security. T.K. EOOD processed the personal data of I.S. unlawfully nine times over a period of five months. The breaches caused damages to the data subject.
5620
Greece
Hellenic Data Protection Authority (HDPA)
21/02/2020
EUR €
5,000
Public Power Corporation S.A.
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects' rights
The Decision clarified that data subjects have a right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request.
5621
Spain
Spanish Data Protection Authority (AEPD)
25/02/2020
EUR €
6,000
Casa Gracio Operation
Art. 5 (1) c) GDPR
Other
Non-compliance with general data processing principles
The company used CCTV cameras in the premises of a hotel which also captured the public roads outside the hotel, resulting in a violation of the so-called principle of data minimisation.
5622
Spain
Spanish Data Protection Authority (AEPD)
25/02/2020
EUR €
48,000
HM Hospitales
Art. 5 GDPR, Art. 6 GDPR
Healthcare
Insufficient legal basis for data processing
The data subject stated that at the time of his admission to hospital he had to fill in a form containing a checkbox indicating that, if he did not tick it, he agreed to the transfer of his data to third parties. This form, provided by HM, was not compatible with the GDPR, since consent was to be obtained through the inactivity of the data subject.
5623
Norway
Norwegian Supervisory Authority (Datatilsynet)
26/02/2020
EUR €
73,600
Rælingen Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
Health information on 15 children with physical and mental disabilities was processed in the Showbie digital learning platform, for the transfer of health-related personal information between schools and their homes. Datatilsynet found that no necessary risk assessments, privacy impact assessments or tests had been carried out before using the application and that a lack of security when logging into the application allowed access to the information of other students in the group.
5624
Spain
Spanish Data Protection Authority (AEPD)
27/02/2020
EUR €
120,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Furthermore, the decision of the data protection authority emphasises that Vodafone España also unlawfully disclosed the personal data of the data subject to various credit agencies.
5625
Norway
Norwegian Supervisory Authority (Datatilsynet)
28/02/2020
EUR €
36,800
Coop Finnmark SA
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company had distributed video surveillance footage of children under 16 who had allegedly stolen from a store. There was no sufficient legal basis for this data processing.
5626
Spain
Spanish Data Protection Authority (AEPD)
28/02/2020
EUR €
3,600
AEMA Hispánica
Art. 5 (1) f) GDPR
Other
Non-compliance with general data processing principles
The company had sent the payroll of an employee to another employee and therefore disclosed personal data to an unauthorised party.
5627
Spain
Spanish Data Protection Authority (AEPD)
28/02/2020
EUR €
48,000
Vodafone ONO, S.A.U.
Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The decision was taken due to several deficiencies in information security. For example, two people were given the same security access key.
5628
Spain
Spanish Data Protection Authority (AEPD)
03/03/2020
EUR €
24,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
According to the AEPD, the company sent two SMS to a client's mobile number informing about a rate change in its contract and confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subject's consent or any other legitimate interest of the company.
5629
Spain
Spanish Data Protection Authority (AEPD)
03/03/2020
EUR €
40,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
According to the AEPD, the company sent an SMS to a client's mobile number confirming that a telephone contract with that number had been signed even though the client was not a Vodafone client, resulting in the processing of personal data without the data subject's consent or any other legitimate interest of the company.
5630
Spain
Spanish Data Protection Authority (AEPD)
03/03/2020
EUR €
42,000
Vodafone España, S.A.U.
Art. 5 (1) f) GDPR, Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorized access to personal data of a client.
5631
Spain
Spanish Data Protection Authority (AEPD)
03/03/2020
EUR €
1,800
Solo Embrague
Art. 13 GDPR
Other
Insufficient fulfilment of information obligations
The corporate website did not present a privacy policy or a cookie banner on its main page.
5632
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
03/03/2020
EUR €
525,000
Royal Dutch Tennis Association ("KNLTB")
Art. 5 GDPR, Art. 6 GDPR
Sport/Recreation
Insufficient legal basis for data processing
The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association ("KNLTB") EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors, who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors.
5633
Spain
Spanish Data Protection Authority (AEPD)
04/03/2020
EUR €
60,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
According to the AEPD, the data subject had received several SMS from a separate operator indicating the activation of a new contract. The reason for this was that an employee of Vodafone España had activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or sufficient legitimate interests for this processing of personal data.
5635
Poland
Polish National Personal Data Protection Office (UODO)
03/04/2020
EUR €
4,600
School in Gdansk (Danzig) (fine imposed against town of Gdansk)
Art. 5 GDPR, Art. 9 GDPR
Education/Training
Insufficient legal basis for data processing
A school in Gdansk used biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Although the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, as the consent to data processing was not given voluntarily.
5636
Italy
Italian Data Protection Authority (Garante)
05/03/2020
EUR €
3,000
San Giorgio Jonico
Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR
Other
Insufficient legal basis for data processing
Publication of a citizen's personal data on a website and failure to comply with requests for deletion.
5637
Spain
Spanish Data Protection Authority (AEPD)
06/03/2020
EUR €
3,200
Retailer
Art. 13 GDPR, Art. 14 GDPR
Retail
Insufficient fulfilment of information obligations
Insufficient declaration of video surveillance.
5638
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Insufficient legal basis for data processing
A local representative took a photo of the director of a company fully owned by the local government, depicting the director allegedly tearing off an election poster of the opposition in the company of his child. The local representative uploaded the photo to his Facebook page. The child’s image was blurred, yet the post hinted that she was the daughter of the director. The director told the local representative at the scene that he did not consent to the taking of the photo. NAIH determined that the act of the director was not public information and that the photo does not prove that the director tore off an election poster. NAIH also pointed out that only the name of the director of the company fully owned by the local government was public information.
5639
Spain
Spanish Data Protection Authority (AEPD)
06/03/2020
EUR €
4,000
Private person
Art. 5 GDPR
Private Citizen
Non-compliance with general data processing principles
Unlawful usage of video surveillance cameras which also monitored parts of the public space (violation of principle of data minimization).
5640
Italy
Italian Data Protection Authority (Garante)
06/03/2020
EUR €
4,000
Liceo Scientifico Nobel di Torre del Greco
Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR
Other
Insufficient legal basis for data processing
The data protection authority's decision reveals that the high school unlawfully published health data and other information of more than 2,000 teachers in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.
5641
Italy
Italian Data Protection Authority (Garante)
06/03/2020
EUR €
4,000
Liceo Artistico Statale di Napoli
Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR
Other
Insufficient legal basis for data processing
The data protection authority's decision reveals that the high school unlawfully published health data and other information in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.
5642
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
09/03/2020
EUR €
870
Creditor
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Sending of SMS to a data subject as a reminder for a debt, even though the debt had already been paid.
5643
Poland
Polish National Personal Data Protection Office (UODO)
09/03/2020
EUR €
4,400
Vis Consulting Sp. z o.o.
Art. 31 GDPR, Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The company prevented an inspection by the data protection authority. As a result, the company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of the GDPR.
5644
Spain
Spanish Data Protection Authority (AEPD)
09/03/2020
EUR €
15,000
Gesthotel Activos Balagares
Art. 5 (1) f) GDPR
Hospitality/Travel
Non-compliance with general data processing principles
The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read the contents of this letter in a meeting with other employees.
5645
Iceland
Icelandic data protection authority ('Persónuvernd')
10/03/2020
EUR €
9,000
Breiðholt Upper Secondary School
Art. 5 (1) f) GDPR, Art. 32 GDPR
Education/Training
Insufficient technical and organisational measures to ensure information security
In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions.
5646
Iceland
Icelandic data protection authority ('Persónuvernd')
10/03/2020
EUR €
20,600
National Center of Addiction Medicine ('SAA')
Art. 5 (1) f) GDPR, Art. 32 GDPR
Healthcare
Insufficient technical and organisational measures to ensure information security
Persónuvernd noted that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse.
5647
Denmark
Danish Data Protection Authority (Datatilsynet)
10/03/2020
EUR €
14,000
Gladsaxe Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Government/Military
Insufficient technical and organisational measures to ensure information security
A computer containing unencrypted personal data, including sensitive information and the personal identification numbers of 20,620 city residents, was stolen.
5648
Denmark
Danish Data Protection Authority (Datatilsynet)
10/03/2020
EUR €
7,000
Hørsholm Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Government/Military
Insufficient technical and organisational measures to ensure information security
A city government employee had his work computer stolen, which contained the personal data of about 1,600 city government employees, including sensitive information and information about social security numbers.
5649
Sweden
Data Protection Authority of Sweden
11/03/2020
EUR €
7,000,000
Google LLC
Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR
Technology
Insufficient fulfilment of data subjects rights
The Swedish data protection authority has fined Google LLC €7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Datainspektionen had already completed a review in 2017 of the way in which Google deals with the right of individuals to have search results removed from Google's search engine, and had instructed Google to remove a number of search results. In addition, Datainspektionen stated that it had initiated a further review of Google's practices in 2018 after it received indications that several of the results that should have been removed still appeared in search results. Datainspektionen also objected to Google's current practice of informing website owners about which results Google is removing from search results, specifically which link has been removed and who is behind the request for removal from the list, as this is without legal basis.
5650
Spain
Spanish Data Protection Authority (aepd)
12/03/2020
EUR €
2,000
Homeowners Association
Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR
Real Estate
Non-compliance with general data processing principles
Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance.
5651
Spain
Spanish Data Protection Authority (aepd)
16/03/2020
EUR €
6,000
Amalfi Servicios de Restauracion S.L.
Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR
Restaurant/Food Service
Non-compliance with general data processing principles
Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance.
5652
Spain
Spanish Data Protection Authority (aepd)
16/03/2020
EUR €
4,000
Private Person
Art. 5 GDPR, Art. 6 GDPR
Private Citizen
Insufficient legal basis for data processing
On a beach, a private person secretly photographed female bathers. The incident was reported to the AEPD by the local police.
5653
Spain
Spanish Data Protection Authority (aepd)
16/03/2020
EUR €
5,000
Centro De Estudio Dirigidos Delta, S.L.
Art. 5 (1) f) GDPR
Other
Non-compliance with general data processing principles
Centro De Estudio Dirigidos Delta sent a message containing personal data such as first and last name and ID numbers to a third party via WhatsApp without the consent of the data subjects. This constitutes a violation of the principles of integrity and confidentiality under Article 5(1)(f) GDPR.
5654
Spain
Spanish Data Protection Authority (aepd)
18/03/2020
EUR €
30,000
Telefónica
Art. 58 GDPR
Telecommunications
Insufficient cooperation with supervisory authority
Telefónica had failed to comply with decision TD / 00127/2019 of the Director of the AEPD, which states that it had to reply to data subjects' requests for access to and erasure of their data.
5655
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
19/03/2020
EUR €
5,800
Unknown Company
Art. 6 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The data controller has not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that his data processing activities had been in compliance with data protection laws.
5656
Spain
Spanish Data Protection Authority (aepd)
19/03/2020
EUR €
6,000
Oliveros Ustrell, S.L.
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company forwarded an unsigned porting contract to the operator Vodafone. However, the data controller was unable to provide evidence of the order. For this reason, the personal data of the data subject has been processed without sufficient legal basis.
5657
Greece
Hellenic Data Protection Authority (HDPA)
20/03/2020
EUR €
8,000
Speech and Special Education Centre - Mihou Dimitra
Art. 15 GDPR, Art. 58 GDPR
Education/Training
Insufficient fulfilment of data subjects rights
The complainant had requested access to his child's data and to tax information. This request was rejected by the data controller. In addition, the data controller had violated an order of the data protection authority regarding access to the data. For this, a fine of EUR 8000 was imposed: EUR 3000 for not granting access to the data and EUR 5000 for violating orders of the data protection authority.
5658
Spain
Spanish Data Protection Authority (aepd)
25/03/2020
EUR €
5,000
Xfera Moviles S.A.
Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The company did not provide the data protection authority with the requested information in a timely manner. The AEPD's request was preceded by a request from a data subject for access to its personal data.
5659
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2020
EUR €
3,000
Dante International
Art. 6 GDPR, Art. 21 GDPR
Other
Insufficient legal basis for data processing
The company has sent a commercial e-mail to a client even though the client had previously unsubscribed from commercial communications.
5660
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2020
EUR €
4,150
Vodafone Romania
Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The company has sent an email to a customer which contained personal data of another customer due to inadequate technical and organisational measures to ensure information security.
5661
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2020
EUR €
3,000
Enel Energie
Art. 32 GDPR
Energy/Utilities
Insufficient technical and organisational measures to ensure information security
The company has sent an email to a client which contained personal data of another client since the company failed to implement adequate technical and organisational measures to ensure an adequate level of information security.
5662
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2020
EUR €
2,000
SOS Infertility Association
Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The Association did not provide the data protection authority with the information requested by the latter after the Association had processed personal data without a sufficient legal basis.
5663
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
26/03/2020
EUR €
2,890
Bank
Art. 5 GDPR, Art. 6 GDPR
Banking/Mortgage
Insufficient legal basis for data processing
Due to an administrative error, the personal data of the data subject were registered and transferred to the Central Credit Information System (CCI) in connection with a loan agreement, without the data subject being a party to the agreement.
5664
Bulgaria
Data Protection Commission of Bulgaria (KZLD)
14/04/2020
EUR €
2,000
Political Party
Art. 6 GDPR
Other
Insufficient legal basis for data processing
Forging signatures on a voters' list.
5665
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
23/04/2020
EUR €
3,000
Telekom Romania Communications SA
Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The company had not taken sufficient technical and organisational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjects.
5666
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
23/04/2020
EUR €
3,000
Estee Lauder Romania
Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR
Other
Insufficient legal basis for data processing
Processing of personal data without sufficient legal basis including health data.
5667
Belgium
Belgian Data Protection Authority (APD)
28/04/2020
EUR €
50,000
Proximus SA
Art. 31 GDPR, Art. 58 GDPR, Art. 37 GDPR
Other
Lack of appointment of data protection officer
According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not able to work independently.
5668
Sweden
Data Protection Authority of Sweden
29/04/2020
EUR €
18,700
National Government Service Centre (NGSC)
Art. 33 GDPR, Art. 34 GDPR
Government/Military
Insufficient fulfilment of data breach notification obligations
The DPA's decision shows that it took almost five months for the company to notify the data subjects of a data breach, and almost three months for the DPA to receive a notification of the breach, which concerned a security deficiency in the company's IT systems.
5669
Estonia
Estonian Data Protection Authority (aepd)
30/04/2020
EUR €
500
Housing Association
Art. 6 GDPR
Other
Insufficient legal basis for data processing
Fine of EUR 500 against a housing association for publishing photos showing members of the association without their consent.
5670
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
30/04/2020
EUR €
725,000
Unknown Organisation
Art. 5 GDPR, Art. 9 GDPR
Other
Insufficient legal basis for data processing
The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing.
5671
Norway
Norwegian Supervisory Authority (Datatilsynet)
03/05/2020
EUR €
134,000
Telenor Norge AS
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
Fines for security breaches in a voice mailbox function.
5672
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
05/05/2020
EUR €
5,000
Banca Comercială Română SA
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
The data protection authority found that the company had not taken adequate technical and organisational measures to ensure an adequate level of information security. This applies in particular to the collection and transmission of copies of customers' identification documents via WhatsApp.
5673
Sweden
Data Protection Authority of Sweden
12/05/2020
EUR €
11,200
Health and Medical Board of the Region of Örebro County
Art. 5 GDPR, Art. 6 GDPR
Healthcare
Insufficient legal basis for data processing
Publication of personal data of a patient without sufficient legal basis.
5674
Belgium
Belgian Data Protection Authority (APD)
14/05/2020
EUR €
50,000
Social Media Provider
Art. 6 GDPR
Technology
Insufficient legal basis for data processing
The company has sent invitations to contacts uploaded by its users without their consent or any other legal basis.
5675
Denmark
Danish Data Protection Authority (Datatilsynet)
15/05/2020
EUR €
6,700
JobTeam A/S DKK
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The company has deleted personal data affected by a request for access without legal reason.
5676
Ireland
Data Protection Authority of Ireland
17/05/2020
EUR €
75,000
Tusla Child and Family Agency
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company has erroneously disclosed personal data, including information about children, to unauthorized persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged offender, and in two other cases, data about children in foster care were improperly disclosed to blood relatives, including in one case to a father in prison.
5677
Norway
Norwegian Supervisory Authority (Datatilsynet)
19/05/2020
EUR €
283,000
Bergen Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Government/Military
Insufficient technical and organisational measures to ensure information security
Fine due to several security shortcomings and non-compliance with general data processing principles in a module for communication between schools and parents.
5678
Finland
Deputy Data Protection Ombudsman
22/05/2020
EUR €
12,500
Unknown Company
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Processing of employee data without sufficient legal basis.
5679
Finland
Deputy Data Protection Ombudsman
22/05/2020
EUR €
16,000
Kymen Vesi Oy
Art. 35 GDPR
Other
Non-compliance with general data processing principles
Fine for failure to carry out a data protection impact assessment ("DPIA") for the processing of location data of employees with a vehicle information system.
5680
Finland
Deputy Data Protection Ombudsman
29/05/2020
EUR €
72,000
Taksi Helsinki
Art. 5 GDPR, Art. 6 GDPR, Art. 35 GDPR
Other
Non-compliance with general data processing principles
Among other things, the company had not assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in its taxis and had also failed to conduct data protection impact assessments of its processing activities, including the surveillance of security cameras, the processing of location data, automated decision making and profiling as part of its loyalty program. Furthermore, the processing of audio data was not in line with the GDPR principle of data minimization.
5681
Belgium
Belgian Data Protection Authority (APD)
29/05/2020
EUR €
1,000
Non-profit organisation
Art. 6 GDPR, Art. 21 GDPR
Non-Profit/Volunteer
Insufficient fulfilment of data subjects rights
The Belgian data protection authority has imposed a fine of EUR 1000 on a non-profit organisation for sending out direct marketing messages, despite the fact that data subjects had exercised their right to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the explicit consent of the data subjects. The data protection authority, however, denied the existence of any outweighing of legitimate interests.
5682
Spain
Spanish Data Protection Authority (aepd)
04/06/2020
EUR €
4,000
Iberdrola Clientes
Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The company was asked to provide the AEPD with specific information in relation to a complaint. However, the company had not replied to the data protection authority's request for information within the required time frame, in breach of Art. 58 of the GDPR.
5683
Belgium
Belgian Data Protection Authority (APD)
08/06/2020
EUR €
5,000
Municipal employee
Art. 5 GDPR, Art. 6 GDPR
Government/Military
Insufficient legal basis for data processing
In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access.
5684
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
2,000
Property Owner
Art. 5 (1) c) GDPR
Other
Non-compliance with general data processing principles
Use of a CCTV camera that also captured the public roads outside, in violation of the so-called principle of data minimisation.
5685
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
2,000
Attorney
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
In the course of proceedings, an attorney submitted documents whose backs contained personal data of other parties.
5686
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
3,000
Salad Market S.L. (Catering Company)
Art. 13 GDPR, Art. 14 GDPR
Restaurant/Food Service
Insufficient fulfilment of information obligations
Fines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website.
5687
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
40,000
TELEFONICA MOVILES ESPAÑA, S.A.U.
Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
A sales representative failed to carefully verify the identity of a person who was then able to impersonate the data subject and order a telephone connection for four telephone lines in the data subject's name.
5688
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
25,000
Glovoapp23
Art. 37 GDPR
Technology
Lack of appointment of data protection officer
The company had not appointed a Data Protection Officer ('DPO') to whom requests from data subjects could be addressed, and the company's website did not contain information about an appointed DPO.
5689
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
39,000
Xfera Moviles S.A.
Art. 5 (1) f) GDPR
Telecommunications
Insufficient legal basis for data processing
A customer claimed to have received an SMS from Xfera Móviles informing about the non-payment and the resulting suspension of the service in relation to the account of another data subject.
5690
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
75,000
Equifax Iberica, S.L.
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The data subject had requested by e-mail the deletion of his data from the file of the National Association of Financial Credit Institutions ("ASNEF"). Equifax Iberica had replied that the exercise of the complainant's right was excessive due to an earlier request and that therefore the deletion would not be carried out. This was seen as a breach of the data subject's right to erasure under the GDPR as well as a breach of blocking obligations under national data protection laws.
5691
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
1,000
Property Owner
Art. 5 (1) c) GDPR
Other
Non-compliance with general data processing principles
Use of a CCTV camera that also captured the public roads outside, in violation of the so-called principle of data minimisation.
5692
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
540
Chenming Ye (Bazar Real)
Art. 13 GDPR, Art. 14 GDPR
Other
Insufficient fulfilment of information obligations
Usage of CCTV camera in a shop without proper information.
5693
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
5,000
Consulting de Seguridad e Investigacion Mira Dp Madrid S.L.
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
A data subject has received marketing messages without having consented.
5694
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
11/06/2020
EUR €
3,000
Telekom Romania
Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
Inadequate security measures of the company had led to unlawful processing of personal data without verifying their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 of the GDPR, and the company was ordered to introduce effective mechanisms to identify and protect data from unauthorised disclosure and unlawful processing in order to ensure compliance with the GDPR.
5695
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
12/06/2020
EUR €
288,000
Digi Távközlési Szolgáltató Kft. ("Digi") (electronic communication service provider)
Art. 5 (1) b), (e) GDPR, Art. 32 (1), (2) GDPR
Other
Insufficient technical and organisational measures to ensure information security
The company had infringed the principles of purpose limitation and storage restriction because its database contained a large amount of customer data which were no longer relevant for the actual purpose of collection and for which no retention period had been set. Furthermore, the NAIH pointed out that the defendant had not taken proportionate measures to reduce the risks in the area of data management and data security, arguing, inter alia, that it had not used encryption mechanisms.
5696
Spain
Spanish Data Protection Authority (aepd)
15/06/2020
EUR €
75,000
Xfera Moviles S.A.
Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The data subject received a notice from a debt collection company demanding payments in connection with Xfera Móviles' services, even though the claimant had not been a customer of Xfera Móviles since September 2017. Furthermore, the resolution states that Xfera Móviles carried out the processing of the personal data of the plaintiff without his consent, which constitutes a violation of Article 6 of the GDPR.
5697
Belgium
Belgian Data Protection Authority (APD)
16/06/2020
EUR €
1,000
Unknown
Art. 17 GDPR, Art. 21 GDPR, Art. 31 GDPR
Other
Insufficient fulfilment of data subjects rights
The data subject repeatedly received e-mails with advertising content from a company, although the data subject had objected to the processing of his personal data and requested the deletion of his data. In addition, the company did not respond to any inquiries from the data protection authority in this regard.
5698
Sweden
Data Protection Authority of Sweden
16/06/2020
EUR €
1,900
Housing Association
Art. 5 GDPR, Art. 6 GDPR
Hospitality/Travel
Non-compliance with general data processing principles
Unlawful usage of surveillance cameras. In the decision, the data protection authority stressed that sound recordings have additional privacy implications, especially in a residential building, and that in this case there is nothing to justify sound recording. In addition, the decision orders the housing association to stop the cameras recording staircases and entrances, to stop sound recording and to improve the information on camera surveillance.
Non-compliance with general data processing principles
Illegal use of CCTV cameras (recording of third parties) and insufficient fulfilment of information obligations.
5700
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
18/06/2020
EUR €
4,000
Enel Energie
Art. 32 GDPR
Energy/Utilities
Insufficient technical and organisational measures to ensure information security
Failure to take adequate measures to prevent unauthorised disclosure of personal data. The fine was preceded by a complaint about the disclosure of personal data of the data subject to another customer by e-mail.
5701
Spain
Spanish Data Protection Authority (aepd)
19/06/2020
EUR €
6,000
National Police Brigade
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Making copies, in the context of investigations, of a company's business records that contained data of third parties, for which there was no legal basis for processing.
5702
Norway
Norwegian Supervisory Authority (Datatilsynet)
19/06/2020
EUR €
28,000
Aquateknikk AS
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Request for data from a credit agency without legal basis.
5703
Belgium
Belgian Data Protection Authority (APD)
19/06/2020
EUR €
10,000
Unknown
Art. 5 GDPR, Art. 6 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The company sent an e-mail to the person concerned without his consent. The person concerned then requested, within the required time, information about the entries in the database concerning him; the request remained unanswered.
5704
Norway
Norwegian Supervisory Authority (Datatilsynet)
22/06/2020
EUR €
112,000
Østfold HF Hospital
Art. 32 GDPR
Healthcare
Insufficient technical and organisational measures to ensure information security
It was found that Østfold HF Hospital had stored patient data, including sensitive data such as the reason for hospitalisation, during the period 2013-2019 without controlling access to the folders where the data was stored. Datatilsynet therefore decided that the hospital had not taken sufficient technical and organisational measures to protect personal data and was therefore in breach of the GDPR and the Patient Records Act.
Non-compliance with general data processing principles
Illegal use of CCTV cameras due to coverage of public space and recording of passing pedestrians. Furthermore, insufficient fulfilment of information obligations.
5706
Spain
Spanish Data Protection Authority (aepd)
23/06/2020
EUR €
7,500
Miraclia (telecommunications company)
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The recording of telephone jokes via an app constitutes processing of personal data in accordance with the applicable data protection law, as the voices of individuals may constitute personal data if they are associated with other information, such as the telephone number. The consent of the users at the end of the conversation was not sufficient in this case.
5707
Isle of Man
Information Commissioner of Isle of Man
25/06/2020
EUR €
13,500
Department of Home Affairs
Art. 12 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. Although it is not an EU state, the Isle of Man has declared the GDPR to be applicable.
5708
Greece
Hellenic Data Protection Authority (HDPA)
29/06/2020
EUR €
5,000
New York College S.A.
Art. 5 GDPR
Education/Training
Non-compliance with general data processing principles
The College had contacted the complainant directly by telephone with regard to an educational programme and had processed personal data in a non-transparent manner.
5709
Ireland
Data Protection Authority of Ireland
30/06/2020
EUR €
40,000
Tusla Child and Family Agency
Art. 33 GDPR
Other
Insufficient fulfilment of data breach notification obligations
The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks.
Non-compliance with general data processing principles
The data protection authority had found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings containing sensitive and particularly sensitive personal data, including on citizens under 18 years of age, to the Lejre Municipal Personnel Portal, which was accessible to employees of the Lejre Municipality regardless of whether the employees in question were working with these cases. In addition, the data protection authority took issue with the failure to comply with the obligation to inform the persons concerned of the data breach.
Insufficient technical and organisational measures to ensure information security
From 2015 to 2019, AOK Baden-Württemberg (insurance organization) organized competitions on various occasions and collected personal data of the participants, including their contact details and health insurance affiliation. The AOK also wanted to use this data for advertising purposes, provided the participants had given their consent. With the help of technical and organizational measures, including internal guidelines and data protection training, the AOK wanted to ensure that only data of those contest participants who had previously given their effective consent would be used for advertising purposes. However, the measures defined by the AOK did not meet the legal requirements. As a result, the personal data of more than 500 lottery participants were used for advertising purposes without their consent. Immediately after this became known, the AOK Baden-Württemberg stopped all marketing measures in order to thoroughly examine all processes.
Insufficient fulfilment of data subjects rights
Mapei failed to respond to the request for access to personal data of the data subject. In addition, Mapei had left the e-mail account of the person concerned active even after the termination of the contract.
5713
Spain
Spanish Data Protection Authority (aepd)
02/07/2020
EUR €
5,000
Xfera Moviles S.A.
Art. 31 GDPR, Art. 58 GDPR
Telecommunications
Insufficient cooperation with supervisory authority
The company had not cooperated sufficiently with the data protection authority.
5714
Spain
Spanish Data Protection Authority (aepd)
02/07/2020
EUR €
3,600
Saunier-Tec Mantenimientos de Calor y Frio, SL.
Art. 33 GDPR
Other
Insufficient fulfilment of data breach notification obligations
Although the company had taken steps to remedy a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment.
5715
Norway
Norwegian Supervisory Authority (Datatilsynet)
02/07/2020
EUR €
28,000
Odin Flissenter AS
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company assessed the credibility of another company and thereby, according to Datatilsynet, processed personal data relating to a natural person (the owner of the company assessed) without there being a sufficient legal basis for doing so.
5716
Spain
Spanish Data Protection Authority (aepd)
02/07/2020
EUR €
4,000
De Vere Spain S.L.
Art. 21 GDPR
Other
Insufficient fulfilment of data subjects rights
The company did not respond to the data subject's request to stop processing his or her data, and therefore the data subject continued to receive commercial calls.
5717
Spain
Spanish Data Protection Authority (aepd)
02/07/2020
EUR €
24,000
Iberdrola Clientes
Art. 5 GDPR
Other
Non-compliance with general data processing principles
A third person had received an electricity bill with personal details such as the name, address and bank account of another customer. The reason for this was that Iberdrola Clientes was not able to guarantee adequate security measures in the processing of the personal data of the data subject, in violation of the principles of data integrity and confidentiality. The fine of €40,000 was reduced to €24,000 due to voluntary payment.
5718
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
06/07/2020
EUR €
830,000
Bureau Krediet Registration ('BKR')
Art. 12 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
BKR had required the payment of a fee when individuals requested access to their personal data and only provided access to their data once a year free of charge by post.
5719
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
09/07/2020
EUR €
15,000
Proleasing Motors SRL
Art. 32 GDPR
Automotive
Insufficient technical and organisational measures to ensure information security
The company had failed to take adequate technical and organisational measures to ensure data security, which led to the publication on Facebook of a document containing a password for access to personal data of 436 customers.
5720
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
55,000
Xfera Moviles S.A.
Art. 5 GDPR, Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The company had changed a contract for a mobile phone connection to a new owner, whereby the personal data of a data subject such as his address and telephone numbers were freely accessible. This constituted a violation of the principles of confidentiality and integrity.
5721
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
5,000
School Fitness Holiday & Franchising S.L.
Art. 5 GDPR
Education/Training
Non-compliance with general data processing principles
Breach of transparency principle. No further information available at the moment.
5722
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
5,000
Global Business Travel Spain SLU
Art. 32 GDPR
Hospitality/Travel
Insufficient technical and organisational measures to ensure information security
The fine followed an employee's access to the health data of a data subject. In the course of its investigation, the Data Protection Authority found that Global Business Travel Spain, as data controller, had infringed Article 32(2) and (4) of the GDPR by failing to take adequate technical and organisational measures to protect the data from unauthorised disclosure.
5723
Spain
Spanish Data Protection Authority (aepd)
10/09/2020
EUR €
12,000
Vodafone España, SAU
Art. 5 GDPR
Telecommunications
Non-compliance with general data processing principles
Fine for violation of Art. 5 (1) (d) GDPR (accuracy principle) for changing the customer's master data into the name of a third party, the ex-spouse of the customer.
5724
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
1,000
Centro Internacional De Crecimiento Laboral Y Profesional S.L.
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Sending commercial messages without consent and without the possibility to object.
5725
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
1,500
Auto Desguaces Iglesias S.L.
Art. 5 GDPR
Other
Non-compliance with general data processing principles
The company had installed surveillance cameras that recorded the public road and therefore violated the principle of data minimization.
5726
Norway
Norwegian Supervisory Authority (Datatilsynet)
10/07/2020
EUR €
46,660
Municipality of Rælingen
Art. 32 GDPR, Art. 35 GDPR
Government/Military
Insufficient technical and organisational measures to ensure information security
Fine for the processing of children's health data in connection with disability through the digital learning platform "Showbie". The Municipality had failed to carry out a Data Protection Impact Assessment ("DPIA") in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") prior to the start of the processing and had not taken adequate technical and organisational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorised access to the personal data of the pupils.
5727
Poland
Polish National Personal Data Protection Office (UODO)
10/07/2020
EUR €
3,400
East Power Sp. z o.o.
Art. 31 GDPR, Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
After three subpoenas to East Power, in which the latter failed to provide sufficient explanations on a direct marketing complaint, the data protection authority found that East Power had deliberately obstructed the course of the procedure or at least failed to comply with its obligations to cooperate with the supervisory authority.
5728
Italy
Italian Data Protection Authority (Garante)
13/07/2020
EUR €
800,000
Iliad Italia S.p.A.
Art. 5 GDPR, Art. 25 GDPR
Other
Non-compliance with general data processing principles
The fine relates to data protection infringements concerning the processing of customer data for the activation of SIM cards and the manner in which payment data was recorded. In addition, the data protection authority stated that the company had violated the principles of lawfulness, fairness and transparency as well as the integrity and confidentiality with regard to the processing of personal data for direct marketing purposes and the storage of customer data in the personal area of its website.
Insufficient legal basis for data processing
Fine for several unlawful data processing activities relating to direct marketing. Hundreds of data subjects claimed to have received unsolicited communications sent without their prior consent by SMS, e-mail, telephone calls and automated calls. The data subjects were not able to exercise their right to withdraw their consent and to object to processing for direct marketing purposes because the information contained in the data protection policy was incomplete in relation to the contact details. Furthermore, the data protection authority stated that the data subjects' data were published in public telephone directories despite their objection. In addition, several apps distributed by the company were set up in such a way that the user had to give consent to various processing activities each time the app was accessed, with the possibility of withdrawing that consent only after 24 hours.
Insufficient legal basis for data processing
The company had carried out telemarketing activities on behalf of Wind Tre S.p.A. through a third-party provider acting as data processor, without a sufficient legal basis for the data processing (Art. 5-7 GDPR) and without sufficient contractual agreements (Art. 28, 29 GDPR) with the third-party provider.
5731
Belgium
Belgian Data Protection Authority (APD)
14/07/2020
EUR €
5,000
Operator of CCTV of a residential building
Art. 6 GDPR, Art. 7 GDPR
Other
Insufficient legal basis for data processing
The operator of video cameras on a residential property had installed cameras to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority rejected this argument after reviewing the contracts.
Insufficient fulfilment of data subjects rights
The Belgian data protection authority fined Google Belgium SA, a subsidiary of Google, EUR 600,000. The reasons for the fine were the rejection of a data subject's request to dereference outdated articles that the data subject considered damaging to their reputation, and a lack of transparency in Google's dereferencing request form. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences for data subjects, and that natural persons were therefore entitled to have such articles deleted/dereferenced. This also applies to persons who hold political office, even though such persons are generally less worthy of protection due to their public status, so that articles relating to political figures may be retained for a longer period of time. Google's rejection of the request was therefore in breach of Article 17 of the GDPR (fine for this breach: €500,000). In addition, a further €100,000 was imposed for breach of the principle of transparency, as Google's rejection of the erasure request was not sufficiently justified.
5733
Poland
Polish National Personal Data Protection Office (UODO)
17/07/2020
EUR €
22,300
Office for geodesy and cartography
Art. 31 GDPR, Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
Refusal of access to the premises by the supervisory authority in the course of an audit.
5734
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
70,000
Xfera Moviles S.A.
Art. 5 GDPR
Telecommunications
Non-compliance with general data processing principles
A data subject had received a call from another Xfera Móviles customer who stated that the company had charged his bank account with an invoice, disclosing the personal details of the other data subject. This was due to an error on the part of Xfera Móviles and was therefore a violation of the principles of integrity and confidentiality.
5735
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
80,000
Orange Espagne S.A.U
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company had unlawfully activated several telephone line contracts using the personal data of a data subject. This constituted an unlawful processing operation, since the data of the data subject was entered into the company's database and processed there without a legitimate legal basis.
5736
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
1,500
Comercial Vigobrandy, SL
Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR
Other
Insufficient fulfilment of information obligations
Installation of CCTV surveillance without providing adequate information to data subjects by means of an information sign.
5737
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
40,000
Iberia Lae SA Operadora Unipersonal
Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The company did not grant the data subject access to telephone records. The applicant's request for access did not receive a reply, despite the prior order of the AEPD.
5738
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
24,000
Banco Bilbao Vizcaya Argentaria, SA
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
BBVA had no legitimate basis for processing the data of the data subject and had therefore infringed Article 6(1) of the GDPR, since the company processed solvency and credit information files without a prior contractual relationship with the data subject.
5739
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
5,000
El Real Sporting de Gijón S.A.D.
Art. 6 GDPR, Art. 7 GDPR
Sport/Recreation
Insufficient legal basis for data processing
Fine for sending direct marketing communications without sufficient consent, as the form Real Sporting de Gijón submitted to club members did not comply with the GDPR (opt-out instead of opt-in).
5740
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
5,000
Xfera Moviles S.A.
Art. 58 GDPR
Telecommunications
Insufficient cooperation with supervisory authority
Following a complaint, Xfera Móviles was requested by the AEPD to submit certain information and documents, but did not do so within the provided time limit.
5741
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
75,000
Telefónica Móviles España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The company had ported the data subject's telephone line from his existing operator without his consent. Personal data was transferred from the former telephone operator to Telefónica Móviles España in order to change the ownership of the telephone line, without a sufficient legal basis.
5742
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
70,000
Telefónica Móviles España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The data subject's account was debited for two telephone lines that he had never ordered or approved. This constituted unlawful processing of personal data, since the data subject's information was stored in the information systems of Telefónica Móviles España without a legal basis for invoicing.
5743
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
55,000
Telefónica Móviles España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
Telefónica Móviles España processed the personal data of a data subject, such as first and last name and bank details, in order to activate three telephone lines that had never been requested. This constitutes a breach of the principle of lawfulness of processing.
5744
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
10,000
El Periódico de Catalunya, S.L.U.
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Following a request for erasure addressed to the company, the data subject received another newsletter from the newspaper, although El Periódico de Catalunya claimed to have granted the request. This was due to a failure of an external service provider of the company.
5745
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
27/07/2020
EUR €
5,000
SC Cntar Tarom SA
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
Unauthorised disclosure of the data of five Tarom passengers due to inadequate technical and organisational measures for secure data processing. Among other things, the company was required to take corrective action, including training its employees and conducting risk assessment procedures.
5746
Belgium
Belgian Data Protection Authority (APD)
28/07/2020
EUR €
3,000
Communal political association
Art. 5 GDPR, Art. 6 GDPR, Art. 14 GDPR
Other
Insufficient legal basis for data processing
A local political association has sent out election advertisements to the residents of the municipality for the local elections in 2018. For this purpose, the association used the electoral roll from 2012 and compared it with that of 2018, without a sufficient legal basis and without appropriate information in accordance with Art. 14 GDPR.
5747
Denmark
Danish Data Protection Authority (Datatilsynet)
28/07/2020
EUR €
147,800
Arp Hansen Hotel Group A/S
Art. 5 (1) e) GDPR
Hospitality/Travel
Non-compliance with general data processing principles
During an inspection, the supervisory authority reviewed a number of IT systems to examine whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not kept longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself.
5748
Italy
Italian Data Protection Authority (Garante)
29/07/2020
EUR €
4,000
Region of Campania
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Publication of an enforcement order in civil proceedings on the Region's website. The document listed the names and place of residence and the amount of the claim.
5749
Italy
Italian Data Protection Authority (Garante)
29/07/2020
EUR €
3,000
Community of San Giorgio Jonico
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Publication of personal data on the municipal website with regard to legal proceedings.
5750
Italy
Italian Data Protection Authority (Garante)
30/07/2020
EUR €
2,000
Community of Manduria
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The community transmitted personal data of a community employee to the press without sufficient legal basis.
5751
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
30/07/2020
EUR €
2,000
Romanian Post National Company
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
Processing of personal data, namely the telephone numbers and e-mail addresses of 81 data subjects, by the Romanian Post as data controller without appropriate technical and organisational measures, such as pseudonymisation.
5752
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
30/07/2020
EUR €
2,000
SC Viva Credit IFN SA
Art. 17 GDPR
Banking/Mortgage
Insufficient fulfilment of data subjects rights
The company had not informed the data subject within one month (or up to three months if a reason for the delay is given) of the measures taken following the request for deletion of data.
5753
Spain
Spanish Data Protection Authority (aepd)
31/07/2020
EUR €
1,500
Tour & People Max S.L.
Art. 21 GDPR
Other
Insufficient fulfilment of data subjects rights
Unsolicited marketing calls even though the data subject had objected to the data processing. In addition to the GDPR, this was also considered a violation of Article 48(1)(b) of General Law 9/2014 (Spanish national telecommunications law).
5754
Spain
Spanish Data Protection Authority (aepd)
31/07/2020
EUR €
45,000
Vodafone España SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
Unlawful processing of a telephone number for marketing purposes even after the data subject had exercised the right to erasure.
5755
Italy
Italian Data Protection Authority (Garante)
04/08/2020
EUR €
1,000
Supermarket
Art. 5 GDPR, Art. 6 GDPR
Customer Service
Insufficient legal basis for data processing
The operator of a supermarket posted the dismissal letter addressed to the personnel manager on the supermarket's publicly visible notice board.
5756
Italy
Italian Data Protection Authority (Garante)
04/08/2020
EUR €
5,000
National Institute for Social Security - Department of the Province of Brescia
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
Failure to grant access to the personal health data of a data subject in accordance with Art. 15 GDPR.
Insufficient legal basis for data processing
The company had left the data subject's e-mail account active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. In addition, the company did not respond to requests for access and erasure.
5758
Spain
Spanish Data Protection Authority (aepd)
04/08/2020
EUR €
60,000
Vodafone España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The data subject received confirmation from Vodafone of a number porting which the data subject had never requested.
5759
Denmark
Danish Data Protection Authority (Datatilsynet)
04/08/2020
EUR €
20,100
PrivatBo A.M.B.A.
Art. 5 GDPR, Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
The company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the real estate objects in question but also personal data of other persons such as lease agreements and other documents containing confidential personal data.
5760
Italy
Italian Data Protection Authority (Garante)
05/08/2020
EUR €
2,000
School
Art. 5 GDPR, Art. 6 GDPR
Education/Training
Insufficient legal basis for data processing
Placing personal data of pupils on a public notice board.
5761
Austria
Austrian Data Protection Authority (dsb)
05/08/2020
EUR €
100
Bank
Art. 5 GDPR, Art. 6 GDPR
Banking/Mortgage
Insufficient legal basis for data processing
A bank employee made a copy of the identity card of a bank customer who wanted to exchange EUR 100 in foreign currency and justified this by reference to anti-money-laundering obligations. However, those identification obligations only apply to amounts of EUR 1,000 and above.
5762
Spain
Spanish Data Protection Authority (aepd)
05/08/2020
EUR €
3,000
Restaurant
Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR
Restaurant/Food Service
Non-compliance with general data processing principles
Installation of CCTV surveillance cameras that were also monitoring the public space and without proper information.
5763
Finland
Deputy Data Protection Ombudsman
05/08/2020
EUR €
7,000
Acc Consulting Varsinais-Suomi
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Unsolicited marketing SMS without prior consent
5764
France
French Data Protection Authority (CNIL)
05/08/2020
EUR €
250,000
Spartoo
Art. 5 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR
Retail
Non-compliance with general data processing principles
A fine of EUR 250,000 was imposed on the online retailer Spartoo. The reason for this was that the company, which has its headquarters in France but supplies a large number of European countries, fully recorded all telephone hotline conversations (including personal data such as addresses and the bank details given for orders) and in addition stored bank details partially unencrypted. Among other things, this represents a violation of the principle of data minimisation. Furthermore, the supervisory authority also found a violation of the information obligations under Art. 13 GDPR, as the company's data protection information was partially incorrect.
5765
Spain
Spanish Data Protection Authority (aepd)
06/08/2020
EUR €
3,000
Just Landed S.L.
Art. 13 GDPR
Other
Insufficient fulfilment of information obligations
Just Landed was fined EUR 3,000 for insufficient cookie information under national data protection law and at the same time warned for insufficient fulfilment of its information obligations under Art. 13 GDPR (privacy policy available only in English).
5766
Italy
Italian Data Protection Authority (Garante)
06/08/2020
EUR €
3,000
GTL S.R.L.
Art. 12 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
Failure to grant access to the personal data of a data subject in accordance with Art. 15 GDPR.
5767
Spain
Spanish Data Protection Authority (aepd)
06/08/2020
EUR €
3,000
GROW BEATS SL
Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR
Other
Insufficient fulfilment of information obligations
The company had published a cookie policy on its website, which on the one hand contained no information about the purpose of the use of cookies and on the other hand no information about the properties of the installed cookies and the time period for which they remain active in the end user's terminal equipment.
5768
Italy
Italian Data Protection Authority (Garante)
10/08/2020
EUR €
10,000
Community of Baronissi
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The community published on its website personal data of data subjects including names, birth dates, place of birth, place of residence, etc.
5769
Italy
Italian Data Protection Authority (Garante)
10/08/2020
EUR €
10,000
Cavauto S.R.L.
Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR
Other
Insufficient legal basis for data processing
Access to a former employee's personal data, including his browser history, on his work computer.
5770
Estonia
Estonian Data Protection Authority (AKI)
17/08/2020
EUR €
48
Police Officer
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Access to personal data in a police database for private research activities.
5771
Spain
Spanish Data Protection Authority (aepd)
17/08/2020
EUR €
5,000
Party of the Socialists of Catalonia
Art. 5 (1) b) GDPR
Other
Non-compliance with general data processing principles
The Socialist Party of Catalonia used personal data provided by a medical professional to send a letter to the complainant's relative asking for political support. This constitutes a purpose different from the original purpose of collection and therefore violates the principle of purpose limitation.
5772
Spain
Spanish Data Protection Authority (aepd)
28/08/2020
EUR €
5,000
Basketball Federation of Castilla and Leon
Art. 5 GDPR, Art. 6 GDPR
Sport/Recreation
Insufficient legal basis for data processing
The Basketball Association transmitted personal data to third parties, which were subsequently published on the Internet without consent of the data subjects. In addition, the data protection authority found that the Basketball Federation also disclosed personal data to a newspaper, violating - in addition - the principle of integrity and confidentiality (Art. 5 (1) f) GDPR).
5773
Spain
Spanish Data Protection Authority (aepd)
28/08/2020
EUR €
50,000
Bankia S.A.
Art. 5 (1) b) GDPR
Banking/Mortgage
Non-compliance with general data processing principles
The bank kept personal data of a data subject for several years, even after the data subject was no longer a customer. The data was also accessible to bank employees during this time. This constituted a violation of the principle of purpose limitation.
5774
Poland
Polish National Personal Data Protection Office (UODO)
31/08/2020
EUR €
22,700
Surveyor General of Poland ('GKK')
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Processing of personal data on the GEOPORTAL2 platform in the form of land and mortgage registers (including names, surnames and other personal data) without sufficient legal basis.
5775
Spain
Spanish Data Protection Authority (aepd)
01/09/2020
EUR €
75,000
Telefónica Móviles España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
According to the supervisory authority, the company processed personal data without sufficient legal basis, with the result that the data subject received several hundred unsolicited calls and SMS messages.
5776
Spain
Spanish Data Protection Authority (aepd)
07/09/2020
EUR €
3,000
Barcelona Airport Security Guard Association ('AVSAB')
Art. 5 (1) f) GDPR
Other
Non-compliance with general data processing principles
A member of the AVSAB security committee used WhatsApp to send messages to private phone numbers containing personal information about employees. This was a violation of the confidentiality principle that, according to the AEPD, must be respected not only by the data controller, but also by any other subject involved in any phase of the processing.
5777
Sweden
Swedish Data Protection Authority
11/12/2020
EUR €
54,000
Umeå University
Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR
Education/Training
Insufficient technical and organisational measures to ensure information security
5789
Spain
Spanish Data Protection Authority (aepd)
11/12/2020
EUR €
5,000,000
Banco Bilbao Vizcaya Argentaria, S.A.
Art. 6 GDPR, Art. 13 GDPR
Banking/Mortgage
Insufficient fulfilment of information obligations
5790
Poland
Polish National Personal Data Protection Office (UODO)
Non-compliance with general data processing principles
6138
Norway
Norwegian Supervisory Authority (Datatilsynet)
18/10/2021
EUR €
412,000
Østre Toten municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
6139
United Kingdom
Information Commissioner (ICO)
18/10/2021
EUR €
11,800
HIV Scotland
Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR
Other
Insufficient technical and organisational measures to ensure information security
6140
Spain
Spanish Data Protection Authority (aepd)
19/10/2021
EUR €
70,000
Vodafone España, S.A.U.
Art. 21 GDPR, Art. 21 LSSI
Telecommunications
Insufficient fulfilment of data subjects rights
6141
Spain
Spanish Data Protection Authority (aepd)
19/10/2021
EUR €
40,000
Vodafone España, S.A.U.
Art. 6 (1) GDPR
Telecommunications
Insufficient legal basis for data processing
6142
Spain
Spanish Data Protection Authority (aepd)
19/10/2021
EUR €
2,000
BEEPING FULFILMENT S.L.
Art. 13 GDPR
Other
Insufficient fulfilment of information obligations
6143
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
21/10/2021
EUR €
5,000
Glove Technology SRL
Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR
Customer Service
Insufficient legal basis for data processing
6144
Spain
Spanish Data Protection Authority (aepd)
21/10/2021
EUR €
3,000,000
CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
Art. 6 (1) GDPR
Banking/Mortgage
Insufficient legal basis for data processing
6145
Spain
Spanish Data Protection Authority (aepd)
25/10/2021
EUR €
3,000
MERCEDES GERENCIA, S.L.
Art. 58 (1) GDPR
Automotive
Insufficient cooperation with supervisory authority
6146
Spain
Spanish Data Protection Authority (aepd)
26/10/2021
EUR €
64,000
Vodafone España, S.A.U.
Art. 6 (1) GDPR
Telecommunications
Insufficient legal basis for data processing
6147
Greece
Hellenic Data Protection Authority (HDPA)
12/10/2021
EUR €
20,000
National Bank Hellas
Articles 15(1), 12(1),(2), and (3) of the GDPR
Financial Services
Failure to properly evaluate a data subject's request exercising his right of access, in violation of Articles 15(1), 12(1), (2) and (3) of the GDPR.
6148
Greece
Hellenic Data Protection Authority (HDPA)
12/10/2021
EUR €
20,000
Dixons South East Europe
Articles 15(1), 12(1),(2), and (3) GDPR
Retail
Failure to satisfy a data subject's right of access: the data subject had requested internal correspondence relating to him, which the company refused to provide.
6149
Greece
Hellenic Data Protection Authority (HDPA)
11/10/2021
EUR €
8,000
Rhodes Municipal Transport Company (RODA)
Art. 5 (1) (c) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR
Transportation/Logistics
RODA violated Article 5(1)(c) of the GDPR by issuing the complainant, after his dismissal from the company, a certificate which stated, among other things, that he had been fired due to a criminal act. Furthermore, the HDPA found that RODA had also violated Articles 12(3) and 15 of the GDPR, since it had not responded to the complainant's request for a copy of the video recording of him on the day of a disputed incident and had dismissed it. The €8,000 fine is a combination of €5,000 for the violation of Articles 12(3) and 15 of the GDPR and €3,000 for the violation of Article 5(1)(c) of the GDPR.
6150
Greece
Hellenic Data Protection Authority (HDPA)
07/09/2021
EUR €
10,000
Thessaloniki Urban Transport Organisation ('OASTH')
Articles 12 and 13 of Law 2472/1997
Transportation/Logistics
On 7 September 2021 the Hellenic Data Protection Authority ('HDPA') announced that the Thessaloniki Urban Transport Organisation ('OASTH') was fined €10,000, following complaints by 12 former shareholders regarding the unlawful disclosure of the personal data of 29 former employees by the President of OASTH during a press conference, and OASTH's failure to satisfy the data subjects' right to information. In particular, the decision states that the HDPA, having considered all the claims received, found that the publication of the names of two former shareholders was not strictly necessary in order to inform the public about the operation and future of transport in Thessaloniki. For this violation a fine of €3,000 was imposed on OASTH. An additional fine of €7,000 was imposed on OASTH for its failure to satisfy the data subjects' right of access and/or objection pursuant to Articles 12 and 13 of Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data ('the Law').
Finally, it is worth noting that the Law, rather than the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), was applicable in this case, because all complaints against OASTH date back to the period before the GDPR became applicable. However, the decision further ordered OASTH to comply with the provisions of the GDPR and to adapt its processes to ensure that the rights of data subjects are adequately met.
6151
Greece
Hellenic Data Protection Authority (HDPA)
21/07/2021
EUR €
5,000
Legal Public Sector Individual
Articles 5(1)(a), 12, and 14 of the GDPR
Public Authority
A legal entity in the public sector is fined €5,000 for transferring the personal data of the complainant to third parties without a valid legal basis and without informing the complainant of such further data processing.
6152
Greece
Hellenic Data Protection Authority (HDPA)
12/05/2021
EUR €
5,000
IEK Institute of Professional Training
Art. 5 (1) (a), (b) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR, Art. 17 GDPR
Education/Training
A private Institute of Professional Training ('IEK') was fined €5,000 for unlawful data processing and an inadequate response to requests for access and erasure. In particular, the decision notes that, following receipt of a promotional e-mail, the complainant requested information on the lawfulness of the IEK company's action in question, as well as the deletion of their personal data, to which the IEK company did not respond.
6153
Greece
Hellenic Data Protection Authority (HDPA)
25/05/2021
EUR €
10,000
DOPAKA Municipal Organisation of Preschool Education and Social Solidarity
Articles 5 + 6(1)(c) + Articles 12(3) (4), + 17(1)(d) of the GDPR
Education/Training
The Municipal Organisation of Preschool Education and Social Solidarity ('DOPAKA') of the Moschato-Tavros municipality is fined €10,000 for processing personal data without a legal basis and for failing to delete personal data when requested to do so.
6154
Greece
Hellenic Data Protection Authority (HDPA)
05/01/2022
EUR €
1,000
Εγνατία Οδός Α.Ε.
Non-compliance with subjects' rights protection safeguards, Article 12 (3) GDPR
Transportation/Logistics
The Hellenic DPA has fined Εγνατία Οδός Α.Ε. EUR 1,000. The company operated a video surveillance system that monitored the payment of tolls. A car owner who had been fined for not paying a toll exercised his rights under the GDPR and requested the photographic material captured in connection with the fine, as well as a copy of the incident documentation. The company did not provide this information to the data subject. After the DPA intervened, the company supplied the documentation but still did not disclose any photographic material. The DPA therefore concluded that the company had violated Art. 12 (3) GDPR.
6162
Greece
Hellenic Data Protection Authority (HDPA)
31/12/2021
EUR €
30,000
INFO Communication Services
Information obligation non-compliance. Art. 13 GDPR, Art. 14 GDPR and Art. 11 Law 3471/2006
Telecommunications
The Hellenic DPA has fined INFO COMMUNICATION SERVICES EUR 30,000. The data controller had made several advertising calls without the data subjects' consent and, in addition, had not adequately informed the data subjects about the processing of their personal data, thereby violating its information obligations.
6163
Greece
Hellenic Data Protection Authority (HDPA)
31/12/2021
EUR €
25,000
Plus Real Advertising
Information obligation non-compliance. Art. 13 GDPR, Art. 14 GDPR and Art. 11 Law 3471/2006
Advertising/Public Relations
The Hellenic DPA has fined PLUS REAL Advertisement EUR 25,000. The data controller had made several advertising calls without the data subjects' consent and, in addition, had not adequately informed the data subjects about the processing of their personal data, thereby violating its information obligations.
6164
Greece
Hellenic Data Protection Authority (HDPA)
29/12/2021
EUR €
75,000
Greek Ministry of Tourism
Failure to implement sufficient measures to ensure protection of personal data. Art. 13 GDPR, Art. 32 GDPR, Art. 33 GDPR and Art. 37 GDPR
Government/Military
The Hellenic DPA has fined the Greek Ministry of Tourism EUR 75,000. The underlying data breach, according to the DPA, occurred when a citizen attempting to enter his or her credentials on the Ministry's online platform was shown another person's details: full name, social security number, tax number, phone number, postal address, email address, and other fields indicating a disability. The DPA found that the Ministry had not implemented the organisational and technical measures required to ensure the security of the personal data, and that it had not reported the incident to the DPA, in breach of Art. 33 GDPR. During the investigation it also emerged that the Ministry had not appointed a data protection officer, even though its platform listed an email address for a supposed data protection officer; that address turned out to be inactive.
6165
Greece
Hellenic Data Protection Authority (HDPA)
08/12/2021
EUR €
30,000
One Way Private Company
Failure to implement sufficient measures to ensure protection of personal data. Art. 28 (3) (c) GDPR, Art. 32 (2) (4) GDPR and Art. 11 (1) GDPR
Advertising/Public Relations
The Hellenic DPA has fined One Way Private Company EUR 30,000. The DPA received a total of 17 complaints about unlawful advertising calls made to data subjects. The DPA established that the calls were made to these subscribers because of an error in the application used for the calls; some of the subscribers were on the register of people who had opted out of unsolicited advertising calls. The DPA concluded that the data controller had failed to implement the organisational and technical measures needed to ensure a level of security appropriate to the risk to the data subjects.
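The failure described in this decision is a missing or broken suppression check between the calling list and the opt-out register. The following is an added illustration of such a check, not One Way's code; the Greek +30 country code, the 10-digit national number format, the sample register and the sample targets are assumptions made for the example. Whether the law requires an opt-out register check, a consent record, or both depends on the call type and jurisdiction; the example enforces both so that it fails closed.

```python
"""Pre-dial suppression check against an opt-out register.
Added example (not One Way's code). Country code, number format and
sample lists are assumptions for illustration."""
import re
from typing import Iterable, List, Set, Tuple

COUNTRY_CODE = "30"    # Greece (assumed)
NATIONAL_LEN = 10      # Greek national significant numbers are 10 digits (assumed)


def normalise(number: str) -> str:
    """Canonicalise to E.164 ('+30' + 10 digits) so that '210-1234567',
    '+30 210 1234567' and '0030 210 1234567' all compare equal. Anything
    else raises, and the caller treats it as not dialable."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        pass                                  # already international
    elif digits.startswith("00"):
        digits = digits[2:]                   # 00 international dialling prefix
    elif len(digits) == NATIONAL_LEN:
        digits = COUNTRY_CODE + digits        # bare national number
    if not digits.startswith(COUNTRY_CODE) or len(digits) != len(COUNTRY_CODE) + NATIONAL_LEN:
        raise ValueError(f"unrecognised number format: {number!r}")
    return "+" + digits


def load_set(entries: Iterable[str]) -> Set[str]:
    """Normalise every entry so lookups are not defeated by formatting differences."""
    return {normalise(e) for e in entries}


def plan_campaign(targets: Iterable[str], register: Set[str], consents: Set[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Decide per target whether to dial. The check fails closed: a number on
    the opt-out register, one without a consent record, or one that cannot be
    normalised is suppressed, with the reason recorded for audit."""
    to_call: List[str] = []
    suppressed: List[Tuple[str, str]] = []
    for raw in targets:
        try:
            num = normalise(raw)
        except ValueError as exc:
            suppressed.append((raw, str(exc)))
            continue
        if num in register:
            suppressed.append((raw, "on opt-out register"))
        elif num not in consents:
            suppressed.append((raw, "no consent on record"))
        else:
            to_call.append(num)
    return to_call, suppressed


# Constructed sample data (not real subscribers); formats deliberately vary.
SAMPLE_REGISTER = ["+30 210 1234567", "6912345678"]
SAMPLE_CONSENTS = ["0030 690 000 0001", "+306912345678"]
SAMPLE_TARGETS = ["210-1234567", "+30 691 234 5678", "0030 690 000 0001", "6900000002", "12345"]


def run_demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    return plan_campaign(SAMPLE_TARGETS, load_set(SAMPLE_REGISTER), load_set(SAMPLE_CONSENTS))


if __name__ == "__main__":
    calls, blocked = run_demo()
    print("dial:", calls)
    for raw, reason in blocked:
        print("suppress:", raw, "->", reason)
```

Note that the register check runs before the consent check: a registered opt-out overrides any consent record the campaign holds, and a number that cannot be canonicalised is never dialled rather than silently passed through.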
Art. 6 GDPR, Art. 12 (2) GDPR and Art. 21 GDPR. Non-compliance with lawful basis for data processing
Marketing
The Hellenic DPA fined ΚΑΠΑ ΛΑΜΔΑ ΩΜΕΓΑ ΔΙΑΦΗΜΙΣΤΙΚΗ ΕΜΠΟΡΙΚΗ ΜΟΝΟΠΡΟΣΩΠΗ ΕΤΑΙΡΕΙΑ ΠΕΡΙΟΡΙΣΜΕΝΗΣ ΕΥΘΥΝΗΣ EUR 20,000 because the company had on several occasions made marketing calls without the data subjects' consent. Even after the data subjects notified the controller that they did not want to receive further marketing calls, the company continued to contact them with advertising.
6167
Greece
Hellenic Data Protection Authority (HDPA)
04/10/2021
EUR €
5,000
PREMIUMMEDIA ΠΑΡΑΓΩΓΗ ΟΠΤΙΚΟ-ΑΚΟΥΣΤΙΚΩΝ ΕΡΓΩΝ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΙΑ
Art. 21 (3) GDPR and Art. 25 GDPR. Failure to honour the data subject's objection to direct marketing (unsubscribe request).
Marketing
The Hellenic DPA has fined PREMIUMMEDIA ΠΑΡΑΓΩΓΗ ΟΠΤΙΚΟ-ΑΚΟΥΣΤΙΚΩΝ ΕΡΓΩΝ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΙΑ EUR 5,000. A client of the company had tried to unsubscribe from the company's official newsletter mailing list but could not; the failure to unsubscribe was caused by an internal technical error at the company.
6168
Greece
Hellenic Data Protection Authority (HDPA)
31/01/2022
EUR €
6,000,000
Cosmote
Articles 5 and 6 of Law 3471/2006, Article 12 (1) of Law 3471/2006, Article 5 (1)(a) GDPR, Article 13 GDPR, Article 14 GDPR, Article 35 (7) GDPR, Article 25 (1) GDPR
Telecommunications
The mobile operator reported a data breach to the HDPA and supplied the requested documents. The HDPA's investigation found, however, that the parent company, Hellenic Telecommunications Organisation (OTE Group), should also have been included in the breach report, which Cosmote had failed to do.
Cosmote also mishandled the incident by failing to explain to the affected individuals the severity of the breach and by failing to implement appropriate data protection measures.
The HDPA's investigation established that Cosmote may lawfully keep call data for quality assurance purposes for up to 90 days, and for a further 12 months provided the data has been pseudonymised.
In some cases, however, the pseudonymisation process had not been completed, and the data was held longer than the law allowed.
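The retention rule in this decision has two clocks, and the failure mode is exactly the gap between them: raw data that was never pseudonymised but kept on the second, longer clock. The following is an added illustration of how such a rule can be enforced and audited; it is not Cosmote's or OTE's code. The record layout, the keyed-hash (HMAC) pseudonymisation, the reading of "12 months" as 365 days, the demo key and the sample records are all assumptions made for the example.

```python
"""Retention check for call records: raw data for up to 90 days, then a
further 12 months only in pseudonymised form, after which the record is deleted.
Added example (not the operator's code); layout, HMAC pseudonymisation,
365-day month count, key and sample records are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

RAW_RETENTION_DAYS = 90       # raw call data may be held this long
PSEUDO_RETENTION_DAYS = 365   # pseudonymised data: 12 further months (assumed 365 days)
DEMO_KEY = b"demo-only-key-keep-real-keys-outside-the-data-store"  # assumption for the example


@dataclass(frozen=True)
class CallRecord:
    record_id: str
    created: date
    subscriber: Optional[str]   # MSISDN in clear; None once pseudonymised
    pseudonym: Optional[str]    # keyed-hash replacement for the subscriber id


def pseudonymise(record: CallRecord, key: bytes) -> CallRecord:
    """Replace the subscriber id with an HMAC under a secret key. A plain hash of a
    phone number is reversible by brute force over the small number space, so the
    tag depends on a key that is stored separately from the records."""
    if record.subscriber is None:
        return record
    tag = hmac.new(key, record.subscriber.encode(), hashlib.sha256).hexdigest()[:16]
    return replace(record, subscriber=None, pseudonym=tag)


def verdict_for_age(days_old: int, pseudonymised: bool) -> str:
    """Deletion is checked first, so a raw record that was never pseudonymised and
    has outlived the whole 90 + 365 day window is deleted rather than pseudonymised
    late (the gap the decision describes)."""
    if days_old > RAW_RETENTION_DAYS + PSEUDO_RETENTION_DAYS:
        return "overdue_deletion"
    if not pseudonymised and days_old > RAW_RETENTION_DAYS:
        return "overdue_pseudonymisation"
    return "keep"


def classify(record: CallRecord, today: date) -> str:
    return verdict_for_age((today - record.created).days, record.pseudonym is not None)


def enforce(records: List[CallRecord], key: bytes, today: date) -> Tuple[List[CallRecord], Dict[str, List[str]]]:
    """Apply the rule; returns the records that may stay and an audit of what was done."""
    kept: List[CallRecord] = []
    actions: Dict[str, List[str]] = {"pseudonymised": [], "deleted": []}
    for rec in records:
        verdict = classify(rec, today)
        if verdict == "overdue_deletion":
            actions["deleted"].append(rec.record_id)
        elif verdict == "overdue_pseudonymisation":
            rec = pseudonymise(rec, key)
            actions["pseudonymised"].append(rec.record_id)
            kept.append(rec)
        else:
            kept.append(rec)
    return kept, actions


# Constructed sample records (not real data); "today" is fixed so the result is deterministic.
DEMO_TODAY = date(2022, 1, 31)
SAMPLE_RECORDS = [
    CallRecord("r1", date(2022, 1, 1), "+306900000001", None),    # 30 days old, raw: keep
    CallRecord("r2", date(2021, 9, 1), "+306900000002", None),    # 152 days old, raw: pseudonymise now
    CallRecord("r3", date(2020, 6, 1), "+306900000003", None),    # never pseudonymised, 609 days: delete
    CallRecord("r4", date(2021, 6, 1), None, "a1b2c3d4e5f60718"),  # 244 days old, pseudonymised: keep
    CallRecord("r5", date(2020, 11, 1), None, "0f1e2d3c4b5a6978"), # 456 days old, pseudonymised: delete
]


def run_demo() -> Tuple[List[CallRecord], Dict[str, List[str]]]:
    return enforce(SAMPLE_RECORDS, DEMO_KEY, DEMO_TODAY)


if __name__ == "__main__":
    kept, actions = run_demo()
    print("actions:", actions)
    for rec in kept:
        print(rec)
```

The audit dictionary returned by enforce is what a supervisory authority would ask for: evidence that pseudonymisation and deletion actually ran, per record, rather than a policy document saying they should.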
6169
Greece
Hellenic Data Protection Authority (HDPA)
31/01/2022
EUR €
3,200,000
OTE Group
Article 83 (2) GDPR
Telecommunications
The Hellenic DPA has fined OTE Group with EUR 3,200,000 for insufficient security measures resulting in a data breach.
6170
Greece
Hellenic Data Protection Authority (HDPA)
10/08/2013
EUR €
150,000
Greek Ministry of Finance
Not disclosed
Government/Military
The Hellenic Data Protection Authority found that the General Secretariat for Information Systems (GSIS), the public sector's largest data centre, which falls under the finance ministry, was guilty of breach of duty. A 35-year-old computer programmer had been accused of hacking into finance ministry servers the previous year and stealing the personal data of roughly two thirds of the country's population of 11 million. The programmer, arrested the previous November and awaiting trial, was suspected of attempting to sell 9 million files containing identification card data, addresses, tax ID numbers and licence plate numbers.
“Despite the volume of data it handles and how crucial it is, GSIS does still not have... the necessary safety measures to prevent unauthorised access and dissemination of the data,” said the HDPA.
6171
Spain
Spanish Data Protection Authority (aepd)
26/10/2021
EUR €
64,000
Vodafone España, S.A.U.
Art. 6 (1) GDPR
Telecommunications
Insufficient legal basis for data processing
6175
Spain
Spanish Data Protection Authority (aepd)
26/10/2020
EUR €
16,000
SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.
Art. 35 GDPR
Financial Services
Non-compliance with general data processing principles
6176
Spain
Spanish Data Protection Authority (aepd)
26/10/2021
EUR €
40,000
VODAFONE SERVICIOS, S.L.U.
Art. 6 (1) GDPR
Telecommunications
Insufficient legal basis for data processing
6177
Spain
Spanish Data Protection Authority (aepd)
26/10/2021
EUR €
40,000
VODAFONE SERVICIOS, S.L.U.
Art. 6 (1) GDPR
Telecommunications
Insufficient legal basis for data processing
6178
Bulgaria
Data Protection Commission of Bulgaria (KZLD)
26/10/2021
EUR €
380
Bank
Art. 5 (1) b) GDPR
Banking/Mortgage
Non-compliance with general data processing principles
6179
Luxembourg
National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD)
27/10/2021
EUR €
15,400
Unknown
Art. 38 (1), (3) GDPR, Art. 39 (1) a), b) GDPR
Not disclosed
Insufficient involvement of data protection officer
6180
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
22/02/2022
EUR €
3,000
IAMSAT Muntenia SA
Art. 12 GDPR, Art. 13 GDPR, Art. 21 GDPR
Consumer Goods
Insufficient fulfilment of data subjects rights
6325
Spain
Spanish Data Protection Authority (aepd)
22/02/2022
EUR €
1,000
MALAGATROM, S.L.U.
Art. 58 (2) GDPR
Other
Insufficient cooperation with supervisory authority
6326
Spain
Spanish Data Protection Authority (aepd)
22/02/2022
EUR €
3,000
Hotel operator
Art. 5 (1) c) GDPR, Art. 13 GDPR
Hospitality/Travel
Non-compliance with general data processing principles
6327
Spain
Spanish Data Protection Authority (aepd)
23/02/2022
EUR €
1,200
FRUTAS Y VERDURAS LOS CAMPEONES, S.L.
Art. 13 GDPR
Other
Insufficient fulfilment of information obligations
6328
Spain
Spanish Data Protection Authority (aepd)
23/02/2022
EUR €
1,500
WORLDWIDE CLASSIC CARS NETWORK S.L.
Art. 5 (1) c) GDPR, Art. 13 GDPR
Automotive
Non-compliance with general data processing principles
6329
Greece
Hellenic Data Protection Authority (HDPA)
15/02/2022
EUR €
30,000
HERAKLION PORT AUTHORITY SA
Insufficient fulfilment of data subjects rights. Art. 12 (1), (2) GDPR, Art. 15 (1) GDPR
Public Authority
A data subject who had been involved in a car accident on the organisation's premises filed a complaint against ΛΙΜΕΝΟΣ ΗΡΑΚΛΕΙΟΥ Α.Ε. (Heraklion Port Authority SA) with the DPA. The organisation operated a video surveillance system that had recorded the accident, and the data subject requested access to the recordings. The organisation did not comply with the request, which led to the €30,000 fine.
Insufficient fulfilment of data subjects rights. Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR
Education/Training
A teacher (employee) complained that the controller-owner of a foreign languages private school constantly monitored his/her online courses, taught via “Zoom” platform, despite his/her objections.
The Greek Supervisory Authority (SA) found that the complainant's right to object had not been satisfied by the controller and that the processing in question was carried out in breach of Articles 5(1)(a), 5(2) and 13 of the GDPR, and in any case without clearly specifying the legal basis on which it relied, as required by Article 6 of the GDPR.
The Greek Supervisory Authority (SA) imposed a fine of €2,000 on the controller-employer for failure to satisfy the complainant's right to object and for infringement of Articles 5(1)(a), 5(2) and 13 of the GDPR, in accordance with Articles 58(2)(i) and 83(5)(a) and (b) of the GDPR.
6344
United States
US Federal Trade Commission
01/07/2019
USD $
575,000,000
Equifax
Not disclosed
Financial Services
In 2017 Equifax lost the personal and financial information of nearly 150 million people through an unpatched Apache Struts vulnerability in one of its web applications. The company had failed to fix the critical vulnerability months after a patch had been issued, and then failed to inform the public of the breach for weeks after it had been discovered.
6346
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
24/02/2022
EUR €
565,000
Dutch Foreign Ministry
Art. 13 (1) e) GDPR, Art. 32 (1) GDPR. Insufficient technical and organisational measures to ensure information security
Government/Military
The Dutch Data Protection Authority (AP) has imposed a fine of 565,000 euros on the Ministry of Foreign Affairs, because the Ministry has violated the law on a large scale and in a serious way when granting visas for years.
The Ministry of Foreign Affairs has handled an average of 530,000 visa applications per year for the past three years. The personal data of citizens from all these applications is insufficiently secured.
This concerns sensitive information, such as fingerprints, name, address, place of residence, country of birth, purpose of the trip, nationality and photo. When applying for a visa, people are obliged to provide this personal data to the Ministry of Foreign Affairs.
Monique Verdier, vice-chairman of the AP: 'Inadequate physical and digital security increases the chance that unauthorized employees can view and change personal data, but also the risk that other errors or abuses can go unnoticed for too long. That can have major consequences for citizens.'
'For example, if their visa application is wrongly refused as a result. This can mean a serious infringement of their freedom of movement. Precisely because citizens are so dependent on the Ministry of Foreign Affairs for their visa, the inadequate security is very serious.'
Art. 32 GDPR, Art. 33 GDPR, Art. 34 GDPR. Insufficient technical and organisational measures to ensure information security.
Banking/Mortgage
Bank of Ireland has been fined €463,000 by the Data Protection Commission for data breaches affecting more than 50,000 customers.
It follows an inquiry into 22 personal data breach notifications that Bank of Ireland made to the Commission between 9 November 2018 and 27 June 2019.
One of the data breach notifications affected 47,000 customers.
The breaches related to the corruption of information in the bank's data feed to the Central Credit Register, a centralised system that collects and securely stores information about loans.
The incidents included unauthorised disclosures of customer personal data to the CCR and accidental alterations of customer personal data on the CCR.
The Commission found that 19 of the incidents reported met the definition of a "personal data breach" under the General Data Protection Regulation (GDPR).
It also found that in a number of cases, Bank of Ireland failed to report the personal data breaches without undue delay and also failed to notify the impacted customers without delay.
As well as the €463,000 in fines, the Data Protection Commission has issued Bank of Ireland with a reprimand and has ordered the bank to bring its processing into compliance with data protection regulations.
In a statement Bank of Ireland said it fully acknowledges and sincerely apologises for the breaches.
6349
Denmark
Danish Data Protection Authority (Datatilsynet)
05/04/2022
EUR €
1,300,000
Danske Bank
Art. 5 (2) GDPR. Non-compliance with general data processing principles
Banking/Mortgage
The Danish Data Protection Agency has reported Danske Bank to the police and recommended a fine of DKK 10 million. This follows a case the Agency opened of its own motion in November 2020, after the bank itself had stated that it had identified a problem with the deletion of personal data for which there was not necessarily a commercial justification for continued processing.
In connection with the Danish Data Protection Agency's investigation, it has emerged that the bank in more than 400 systems has not been able to document that rules have been laid down for deletion and storage of personal data, or that manual deletion of personal data has been carried out. These systems process personal data of millions of people.
"One of the basic principles of the GDPR is that you can only process information you need - and when you no longer need it, it must be deleted. When it comes to an organization the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place," says Kenni Elm Olsen, specialist consultant at the Danish Data Protection Agency.
6350
Sweden
Swedish Data Protection Authority
28/03/2022
EUR €
720,000
Klarna Bank AB
Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 12 (1) GDPR, Art. 13 (2) f) GDPR, Art. 14 (2) g) GDPR. Insufficient fulfilment of information obligations
Banking/Mortgage
The Swedish Authority for Privacy Protection (IMY) has issued an administrative fine of SEK 7,500,000 against Klarna Bank AB after an investigation showed that the company had not complied with several of the rules in the General Data Protection Regulation (GDPR).
IMY has completed an audit of Klarna Bank AB (Klarna). The authority examined how the company, on its website, informs data subjects about how it processes personal data under the GDPR.
"Klarna is a financial company that processes personal data about very many people and in many different ways. It is important that the information that Klarna provides about how the company processes personal data is correct and as complete as possible. Here we have seen shortcomings," says lawyer Hans Kärnlöf, who led the review.
During the review, Klarna has continuously changed the information provided on how the company handles personal data. IMY's decision concerns the information provided in the spring of 2020. In its decision, IMY states that Klarna did not then provide information on the purpose for which and on the basis of which legal basis personal data was processed in one of the company's services. The company also provided incomplete and misleading information about who were the recipients of different categories of personal data when data was shared with Swedish and foreign credit information companies.
Klarna also did not provide information on to which countries outside the EU / EEA personal data were transferred or on where and how the individual could obtain information on the protection measures that applied to the transfer to third countries. IMY also states that the company provided insufficient information about the data subjects' rights, including the right to delete data, the right to data portability and the right to object to how one's personal data is processed.
IMY issues an administrative sanction fee against Klarna of SEK 7,500,000 for the deficiencies discovered during the review.
The Italian Data Protection Authority (Garante) has imposed a fine of 20 million euros on the American company Clearview AI for carrying out genuine biometric surveillance, including of people located in Italian territory.
The company, which claims to hold a database of over 10 billion images of people's faces from around the world, extracted from public web sources by web scraping (news sites, social media and online videos), offers a highly sophisticated search service which, using artificial intelligence systems, builds profiles from biometric data extracted from the images, possibly enriched with related information such as the title and geolocation of the photo and the web page on which it was published.
The Garante's investigation, also prompted by complaints and reports, found that Clearview AI, contrary to what the company claimed, also enables the tracking of Italian citizens and of people located in Italy. The personal data held by the company, including biometric and geolocation data, was found to be processed unlawfully, without an adequate legal basis, which certainly cannot be the legitimate interest of the American company. The company also violated other basic principles of the GDPR: the transparency obligations, by not adequately informing data subjects; purpose limitation, by using data for purposes other than those for which it had been published online; and storage limitation, by not setting any data retention period. Clearview AI's activity therefore violates the freedoms of the data subjects, including the protection of confidentiality and the right not to be discriminated against.
6352
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
10/03/2022
EUR €
2,000
Operatorul Briza Land S.R.L.
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
6353
Ireland
Data Protection Authority of Ireland
15/03/2022
EUR €
17,000,000
Meta Platforms Ireland Limited
Art. 5 (2) GDPR, Art. 24 (1) GDPR
Internet
Insufficient technical and organisational measures to ensure information security
6354
Cyprus
Cyprian Data Protection Commissioner
21/03/2022
EUR €
5,000
English School staff union (ESSA)
Art. 32 GDPR
Education/Training
Insufficient technical and organisational measures to ensure information security
6355
Cyprus
Cyprian Data Protection Commissioner
22/03/2022
EUR €
4,000
English School Cyprus
Art. 32 GDPR
Education/Training
Insufficient technical and organisational measures to ensure information security
6356
Denmark
Danish Data Protection Authority (Datatilsynet)
25/03/2022
EUR €
6,700
Danish National Genome Center
Art. 36 GDPR
Other
Insufficient technical and organisational measures to ensure information security
6357
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2022
EUR €
2,000
Kaufland Romania SCS
Art. 15 (3) GDPR
Other
Insufficient fulfilment of data subjects rights
6358
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
28/03/2022
EUR €
2,000
Condor SA
Art. 32 (1), (2), (4) GDPR
Aerospace/Aviation
Insufficient technical and organisational measures to ensure information security
The Dutch DPA has imposed a fine of EUR 3.7 million on the Dutch Tax and Customs Administration, the highest fine the Dutch DPA has ever imposed. In its investigation, the DPA found a number of violations of the GDPR. For several years the Tax and Customs Administration had kept a list on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors, and maintaining it involved processing personal data such as health, citizenship and criminal data. The DPA first found that the administration had no valid legal basis for processing the data on the list, so the data was processed unlawfully. It further found that the information on the list was often incorrect, so that a large number of individuals were wrongly registered as possible fraudsters. The investigation also revealed that maintaining the list led to discrimination against some individuals, since the risk of fraud was determined on the basis of, among other factors, the nationality and appearance of the data subjects; donations to mosques, for example, were treated as a risk factor for fraud. The DPA also found that the administration had breached its obligation under the GDPR to implement appropriate technical and organisational measures to protect the personal data it collects: the data was inadequately secured. The administration had further violated the principle of storage limitation by keeping the data beyond the retention period set for the personal data on the list, and the processing had not been necessary for the administration to perform its tasks properly, making it disproportionate.
The administration had also not sufficiently defined the purposes of the processing and thus violated the principle of purpose limitation. The fine is composed as follows: EUR 1 million for a breach of Art. 5 (1) a) GDPR and Art. 6 (1) GDPR; EUR 750,000 for a breach of Art. 5 (1) b) GDPR; EUR 750,000 for a breach of Art. 5 (1) d) GDPR; EUR 250,000 for a breach of Art. 5 (1) e) GDPR; EUR 500,000 for a breach of Art. 32 (1) GDPR; and EUR 450,000 for a breach of Art. 35 (2) GDPR.
6368
Greece
Hellenic Data Protection Authority (HDPA)
04/04/2022
EUR €
5,000
Mayor
Art. 5 (1) a) GDPR
Government/Military
The Hellenic DPA has fined a mayor EUR 5,000. The mayor had sent documents of an employee of the municipality to third parties without the employee's consent. The DPA considered this to be a violation of Art. 5 (1) a) GDPR.
6369
Greece
Hellenic Data Protection Authority (HDPA)
04/04/2022
EUR €
10,000
Piraeus Bank
Art. 5 (1) f) GDPR, Art. 33 GDPR, Art. 34 GDPR
Banking/Mortgage
The Hellenic DPA has imposed a fine of EUR 10,000 on Piraeus Bank. The bank had mistakenly sent a document containing the data subject's data to a third party; the error stemmed from an incorrect e-mail address provided by a co-owner of the account. Although the bank became aware of the error, it did not stop sending communications to the third party but instead instructed the data subject to exercise their right to rectify the inaccurate data. The DPA found that the bank had violated the principle of confidentiality by failing to stop the communications, and that it had failed to report the data breach to the DPA and to the data subject in a timely manner.
6370
Greece
Hellenic Data Protection Authority (HDPA)
09/03/2022
EUR €
2,000
Private Company Employer
Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR
Not disclosed
The Hellenic DPA has imposed a fine of EUR 2,000 on an employer. An employee had filed a complaint because the employer had not complied with the employee's right to object: the employee had objected to continuous monitoring of the online courses he taught via Zoom, but the employer had continued the monitoring. The DPA also found that the employer could not provide a sufficient legal basis for the processing.
6371
Spain
Spanish Data Protection Authority (aepd)
11/04/2022
EUR €
150,000
BASER COMERCIALIZADORA DE REFERENCIA, S.A.
Art. 6 GDPR, Art. 32 GDPR
Other
Insufficient legal basis for data processing
6372
Spain
Spanish Data Protection Authority (aepd)
12/04/2022
EUR €
500
Homeowners Association
Art. 5 (1) f) GDPR
Other
Non-compliance with general data processing principles
6373
Spain
Spanish Data Protection Authority (aepd)
13/04/2022
EUR €
8,000
RAMONA FILMS, S.L.
Art. 13 GDPR, Art. 22 (2) LSSI
Arts/Entertainment/Publishing
Insufficient fulfilment of information obligations
6374
France
French Data Protection Authority (CNIL)
15/04/2022
EUR €
1,500,000
DEDALUS BIOLOGIE
Art. 28 GDPR, Art. 29 GDPR, Art. 32 GDPR
Science/Research
Insufficient technical and organisational measures to ensure information security
6375
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
18/04/2022
EUR €
1,000
IKEA România S.R.L.
Art. 12 (3) GDPR
Consumer Goods
Insufficient fulfilment of data subjects rights
6376
Spain
Spanish Data Protection Authority (aepd)
18/04/2022
EUR €
1,800
FLORAQUEEN FLOWERING THE WORLD S.L.
Art. 58 (1) GDPR
Consumer Goods
Insufficient cooperation with supervisory authority
6377
Spain
Spanish Data Protection Authority (aepd)
18/04/2022
EUR €
9,000
JIMBO NETWORKS, S.L.
Art. 6 (1) GDPR, Art. 13 GDPR, Art. 22 (2) LSSI
Sales
Insufficient fulfilment of information obligations
6378
Spain
Spanish Data Protection Authority (aepd)
18/04/2022
EUR €
1,800
Website operator
Art. 6 (1) GDPR, Art. 13 GDPR, Art. 22 (2) LSSI
Internet
Insufficient fulfilment of information obligations
6379
Spain
Spanish Data Protection Authority (aepd)
19/04/2022
EUR €
600
DOOR2DOOR SPAIN, S.L.
Art. 58 (2) GDPR
Customer Service
Insufficient cooperation with supervisory authority
6380
Spain
Spanish Data Protection Authority (aepd)
22/04/2022
EUR €
5,600
Physician
Art. 6 (1) GDPR
Science/Research
Insufficient legal basis for data processing
6381
Spain
Spanish Data Protection Authority (aepd)
23/04/2022
EUR €
1,200
MOVALIA TRASLADOS, S.L.U.
Art. 6 (1) GDPR, Art. 13 GDPR
Customer Service
Insufficient legal basis for data processing
6382
Spain
Spanish Data Protection Authority (aepd)
29/04/2022
EUR €
4,200
CLÍNICA DENTAL SAN FRANCISCO, S.L.
Art. 17 GDPR, Art. 21 LSSI
Healthcare
Insufficient fulfilment of data subjects rights
6384
Spain
Spanish Data Protection Authority (aepd)
29/04/2022
EUR €
16,000
LABORATORIOS GONZÁLEZ, S.L.
Art. 5 (1) f) GDPR
Healthcare
Non-compliance with general data processing principles
6385
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
03/05/2022
EUR €
4,000
Megareduceri TV S.R.L.
Art. 58 (1) GDPR
News/Media
Insufficient cooperation with supervisory authority
6386
Spain
Spanish Data Protection Authority (aepd)
03/05/2022
EUR €
5,000
MISTORE CANARIAS, S.L.
Art. 6 (1) GDPR
Other
Insufficient legal basis for data processing
6387
Iceland
Icelandic Data Protection Authority (Persónuvernd)
03/05/2022
EUR €
36,000
City of Reykjavík
Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR
Public Authority
Insufficient legal basis for data processing
6388
Spain
Spanish Data Protection Authority (aepd)
09/05/2022
EUR €
1,200
CONTIMAG INVEST, S.L.
Art. 13 GDPR
Sales
Insufficient fulfilment of information obligations
6391
Spain
Spanish Data Protection Authority (aepd)
10/05/2022
EUR €
300
Store owner
Art. 13 GDPR
Restaurant/Food Service
Insufficient fulfilment of information obligations
6392
Spain
Spanish Data Protection Authority (aepd)
11/05/2022
EUR €
600
Bar owner
Art. 5 (1) c) GDPR
Restaurant/Food Service
Non-compliance with general data processing principles
6393
Denmark
Danish Data Protection Authority (Datatilsynet)
12/05/2022
EUR €
13,400
Civilstyrelsen
Art. 32 GDPR, Art. 33 GDPR
Other
Insufficient technical and organisational measures to ensure information security
6395
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
12/05/2022
EUR €
1,000
LORIS FUEL SHOP SRL
Art. 29 GDPR, Art. 32 (4) GDPR
Oil/Gas/Petroleum
Insufficient technical and organisational measures to ensure information security
6396
Spain
Spanish Data Protection Authority (aepd)
12/05/2022
EUR €
500
Private individual
Art. 5 (1) c) GDPR
Private Citizen
Non-compliance with general data processing principles
6397
Spain
Spanish Data Protection Authority (aepd)
13/05/2022
EUR €
130,000
Mercadona S.A.
Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR
Consumer Goods
Insufficient legal basis for data processing
6399
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
17/05/2022
EUR €
1,500
Private individual
Art. 5 (1) c) GDPR
Private Citizen
Non-compliance with general data processing principles