Romanian National Supervisory Authority for Personal Data Processing
27/06/2019
EUR €
130,000
UNICREDIT BANK SA
Art. 25 (1) and Art. 5 (1) (c) GDPR
Banking/Mortgage
The fine was issued as a result of the failure to implement appropriate technical and organisational measures (related to (1) the determination of the processing means/operations, and (2) the integration the necessary safeguards) resulting in the online-disclosure of IDs and addresses (internal/external transactions) of 337,042 data subjects to their respective beneficiary (between 25.05.2018 -10.12.2018).
Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstation. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, that employees should not be filmed continuously and that information about the data processing has to be provided.
326
Denmark
Danish Data Protection Authority (Datatilsynet)
03/06/2019
EUR €
200,850
IDdesign A / S
Art. 5 (1) (e) and (2) GDPR
Retail
The fine was imposed as a result of an inspection carried out in atom of 2018. IDdesign had processed personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the deadline for the information had been reached. Also, the controller had not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
327
Belgium
Belgian Data Protection Authority
28/05/2019
EUR €
2,000
Mayor
Art. 5 (1) (b) GDPR, Art. 6 GDPR
Public Authority
The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.
328
France
French Data Protection Authority
28/05/2019
EUR €
400,000
SERGIC, a company specialized in real estate development, purchase, sale, rental and property management
Art. 32 and 5 (1) e) GDPR
Real Estate
The CNIL based the penalty on two grounds: Lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.
329
Lithuania
Lithuanian Data Protection Authority
16/05/2019
EUR €
61,500
Payment service provider UAB MisterTango
Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR
Financial Services
During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller. In addition, it became known that from 09 - 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 DSGVO would have been necessary. The controller did not report the Data Breach.
330
Czech Republic
Czech Data Protection Authority
13/05/2019
EUR €
3,105
Not disclosed
Art. 5 (1) a) and b) GDPR, Art. 32 (1) GDPR
Not disclosed
Not disclosed
331
Germany
Data Protection Authority of Baden-Wuerttemberg
09/05/2019
EUR €
1,400
Police Officer
Art. 6 GDPR
Public Authority
The police officer, using his official user ID but without reference to official duties, queried the owner data concerning the license plate of a person who he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, in which he asked not only for the personal data of the injured parties but also for the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone - without any official reason or consent given by the injured party. Through the ZEVIS and SARS enquiry for private purposes and the use of the mobile phone number obtained in this way for private contact, the police officer has processed personal data outside the scope of the law on his own authority.
332
Czech Republic
Czech Data Protection Authority
06/05/2019
EUR €
194
Not disclosed
Art. 15 GDPR
Not disclosed
Not disclosed
333
Poland
Polisch National Personal Data Protection Office
25/04/2019
EUR €
12,950
Sports association
Art. 6 GDPR
Sport/Recreation
One sports association published personal data referring to judges who were granted judicial licenses online. However, not only their names were provided, but also their exact addresses and PESEL numbers. Meanwhile, there is no legal basis for such a wide range of data on judges to be available on the Internet. By making them public, the administrator posed a potential risk of their unauthorized use, e.g. to impersonate them for the purpose of borrowing or other obligations. Although the association itself noticed its own error, as evidenced by the notification of a personal data protection breach to the President of the PDPA, the fact that attempts to remove it were ineffective determined the imposition of a penalty. When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among others, the duration of the infringement and the fact that it concerned a large group of persons (585 judges).
334
Italy
Italian Data Protection Authority
17/04/2019
EUR €
50,000
Italian political party Movimento 5 Stelle
Art. 32 GDPR
Government/Military
A number of websites referral partnerd to the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer 2017 that led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to the obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed.While the update of the privacy information notice was timely completed, the Italian data protection authority, raised its concerns as to the lack of implementation on the Rousseau platform of some of GDPR related security measures.
335
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
17/04/2019
EUR €
9,400
Not disclosed
Art. 5 (1) a) GDPR, Art. 6 GDPR
Business/Company/Employer
A data controller used a, (in the point of view of NAIH), wrong legal basis for processing of personal data (Art. 6.1.b) for the assignment of claims.
The sanction of 510 EUR was imposed on each medical center for unlawful processing of the personal data of data subject G.B. by a medical center for the purpose of changing his GP. The medical center used a software to generate a registration form for change of GP which was submitted to the Regional Health Insurance Fund and then to another medical center, which subsequently also unlawfully processed the personal data of G.B.
337
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and relevant individuals about a data breach, and failing to document the breach according to GDPR Article 33.5. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65 % of its anticipated turnover for the coming year. The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation’s system – a database of more than 6,000 individuals – and the command used for the attack. The system was vulnerable to attack because of a redirection problem with the organisation's web-page. After the attacker published the command, even people with low IT knowledge were able to retrieve information from the database.
338
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
05/04/2019
EUR €
1,900
Not disclosed
Art. 15 GDPR
Business/Company/Employer
The data controller did not fulfill the data subject's access request.
339
Norway
Norwegian Supervisory Authority
01/03/2019
EUR €
170,000
Bergen Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Public Authority
The incident relates to computer files with usernames and passwords to over 35000 user accounts in the municipality’s computer system. The user accounts related to both pupils in the municipality’s primary schools, and to the employees of the same schools. Due to insufficient security measures, these files have been unprotected and openly accessible. The lack of security measures in the system made it possible for anyone to log in to the school’s various information systems, and thereby to access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompasses personal data to over 35 000 individuals, and that the majority of these are children, were considered to be aggravating factors. The municipality had also been warned several times, both by the authority and an internal whistle-blower, that the data security was inadequate.
340
Poland
Polisch National Personal Data Protection Office
26/03/2019
EUR €
219,538
Private company working with data from publicly available sources
Art. 14 GDPR
Business/Company/Employer
The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified noncompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.
341
Bulgaria
Data Protection Commission of Bulgaria
26/03/2019
EUR €
5,100
A.P. EOOD
Art. 5 (1) a) GDPR, Art. 6 GDPR
Real Estate
The sanction was imposed on personal data administrator A.P. EOOD for unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD for preparing an Employment Contract, while he was in prison.
342
Czech Republic
Czech Data Protection Authority
21/03/2019
EUR €
9,704
Not disclosed
Art. 5 (1) (c) and (e) GDPR
Not disclosed
Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation") and not only kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ("storage limitation").
343
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasized that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
344
Czech Republic
Czech Data Protection Authority
28/02/2019
EUR €
582
Not disclosed
Art. 5 (1) (f) GDPR
Not disclosed
Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
345
Bulgaria
Bulgarian Commission for Personal Data Protection
26/02/2019
EUR €
27,100
Telecommunication service provider
Art. 6 GDPR, Art. 5 (1) (a) GDPR
Telecommunications
Repeated registration of prepaid services without the knowledge and consent of the data subject Employees of the telecommunications provider have used personal data and registered the complainant with the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. There was also no other legal basis applicable. The signature of the application and the complainant own genuine application were not identical and the persons personal identification number was indicated, but the identity card number was not the complainants one.
An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way.
348
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
20/02/2019
EUR €
1,560
Debt collector
Art. 5 (1) a) and (c) GDPR - principles of transparency and data minimisation
Financial Services
A data subject requested information about and erasure of the data processed, which the debt collector refused stating that it could not identify the subject. For identification purposes he requested place of birth, mother’s maiden name and further details from the data subject. After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller.
349
Malta
Data Protection Commissioner of Malta
18/02/2019
EUR €
5,000
Lands Authority
Art. 5 GDPR, Art. 32 GDPR
Public Authority
As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple google search. The majority of the leaked data contained highly-sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to €25,000 for each violation and may additionally impose a daily fine of €25 for each day such violation persists.
350
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
08/02/2019
EUR €
1,560
Bank
Art. 5 (1) (d) GDPR - principle of accuracy
Banking/Mortgage
A bank mistakenly sent SMS messages about a subject's credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS message to the incorrect telephone number. The fine represents 0.0016% of the annual profit of the bank.
351
Germany
Data Protection Authority of Sachsen-Anhalt
05/02/2019
EUR €
2,000
Private person
Art. 6 GDPR, Art. 5 GDPR
Private Citizen
The fine was imposed against a private person who sent several e-mails between July and September 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list.
352
Czech Republic
Czech Data Protection Authority
04/02/2019
EUR €
1,165
Car renting company
Art. 5 (1) (a) GDPR
Automotive
A person who rented a car found out that the car was tracked via GPS by the renting company even though there was no information provided on the fact that the car is being tracked. The Czech Data Protection Authority found that there was no information provided in terms of Art. 13 GDPR and that Art. 6 (1) f) GDPR could not be the legal basis under the concrete circumstances. Due to that the UOOU found that there was a violation of Art. 5 (1) a) GDPR for which it imposed the fine.
353
Czech Republic
Czech Data Protection Authority
04/02/2019
EUR €
1,165
Credit brokerage
Art. 5 (1) (f) GDPR
Financial Services
Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
The fine was imposed on the basis of complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net". The complaints were filed on 25th and 28th of May 2018 - immediately after the DSGVO became applicable. The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The obtained consents had not been given "specific" and not "unambiguous" (Art. 4 nr. 11 GDPR).
355
Bulgaria
Bulgarian Commission for Personal Data Protection
17/01/2019
EUR €
500
Bank
Art.6 GDPR, Art. 5 (1) (a) GDPR
Banking/Mortgage
A bank gained personal data concerning a student without a legal basis.
356
Czech Republic
Czech Data Protection Auhtority
10/01/2019
EUR €
388
Employer
Art. 6 GDPR
Business/Company/Employer
A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook website of the employer and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee.
357
Austria
Austrian Data Protection Authority
20/12/2018
EUR €
2,200
Private person
Art. 5 (1) (a) and c GDPR, Art. 6 (1) GDPR, Art. 13 GDPR
Private Citizen
The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, the video surveillance covered garden areas of an adjacent property. The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without the consent to record their image data. The video surveillance was not properly indicated.
358
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information
The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority.
359
Germany
Data Protection Authority of Hamburg
17/12/2018
EUR €
5,000
Kolibri Image Regina und Dirk Maass GbR
Art. 28 (3) GDPR
Professional Services
Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that they will challenge the decision in front of court since they are of the opinion that the service provider does not act as a processor.
360
Austria
Austrian Data Protection Authority
09/12/2018
EUR €
4,800
Betting place
Art. 13 GDPR
Casino/Gambling
Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted.
361
Germany
Data Protection Authority of Baden-Wuerttemberg
21/11/2018
EUR €
20,000
Social media network
Art. 32 (1) (a) GDPR
Internet
After a hacker attack in July personal data of approx. 330.000 users, including passwords and email addresses had been revealed.
362
Czech Republic
Czech Data Protection Authority
25/10/2018
EUR €
388
Not disclosed
Art. 15 GDPR
Not disclosed
Not disclosed
363
Portugal
Portuguese Data Protection Authority
17/07/2018
EUR €
400,000
Hospital
Art. 5 (1) f) GDPR, Art. 32 GDPR
Healthcare
Investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty.
364
Bulgaria
Bulgarian Commission for Personal Data Protection
12/04/2018
EUR €
500
Bank
Art. 5 (1) b) GDPR, Art. 6 GDPR
Banking/Mortgage
A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client for the unresolved bills of his neighbor. This provoked the client to evoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, for which the bank did take action in the statutory period. Nonetheless, the client filed a complaint to KZLD. The infringement for which the bank was fined was for the processing of the client’s personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the point of view of KZLD, to request additional consent from its client.
365
Austria
Austrian Data Protection Authority
31/12/2018
EUR €
1,800
Kebab restaurant
Not disclosed
Restaurant/Food Service
CCTV was unlawfully used. No further information available.
366
Austria
Austrian Data Protection Authority
31/12/2018
EUR €
5,280
Restaurant
Not disclosed
Restaurant/Food Service
CCTV was unlawfully used. No further information available.
367
Austria
Austrian Data Protection Authority
31/12/2018
EUR €
300
Private car owner
Not disclosed
Private Citizen
CCTV was unlawfully used. No further information available.
368
Cyprus
Cyprian Data Protection Commissioner
05/07/2019
EUR €
5,000
State Hospital
Art. 15 GDPR
Healthcare
A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.
369
Cyprus
Cyprian Data Protection Commissioner
05/07/2019
EUR €
10,000
Newspaper
Art. 6 GDPR
News/Media
The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance so that it was impossible to identify the persons, and these actions would not bring any change in the nature of the case.
370
Denmark
Danish Data Protection Authority
05/07/2019
EUR €
160,000
Taxa 4x35
Art. 5(1) e) GDPR
Transportation/Logistics
The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data-minimization principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold onto individual's phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
371
Germany
Data Protection Authority of Baden-Wuerttemberg
05/07/2019
EUR €
80,000
Not disclosed
Not disclosed
Not disclosed
There is no further information available. This fine should not be mixed up with the one fine dealing with health data and which was also issued by the same authority, since the one dealing with health data was issued under the old German Data Protection Act. The existences of a second fine worth the same amount of money is only known due to a tweet of the Data Protection Commissioner of Baden-Wuerttemberg.
Late notification of a data breach and failure to notify the data subjects.
373
Germany
Data Protection Authority of Saarland
31/12/2018
EUR €
118
Not disclosed
Art. 6 GDPR
Not disclosed
Illegal disclosure of personal data relating to a third party.
374
Germany
Data Protection Authority of Berlin
31/12/2018
EUR €
50,000
German Bank
Art. 6 GDPR
Banking/Mortgage
The fine was imposed against against a bank (according to a newspaper N26) that had processed "personal data of all former customers" without permission.The Bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not make a new account available to these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that in order to prevent a new bank account from being opened, only those affected may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had "not yet been legally concluded".
376
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
5,000
VODAFONE ESPANA, S.A.U.
Art. 5 (1) (d) GDPR
Telecommunications
The Spanish telecommunications and information agency (SETSI) decided Vodafone had to reimburse a customer for costs he was wrongfully charged for. Nevertheless, Vodafone reported personal data of this respective customer to a solvency registry (BADEXCUG). The AEPD found this behavior violated the principle of accuracy.
377
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
250,000
Professional Football League (LaLiga)
Art. 5 (1) a), 7 (3) GDPR
Sport/Recreation
The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
378
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
60,000
Debt collecting agancy (GESTIÓN DE COBROS, YO COBRO SL)
Art. 5 (1) (f) GDPR
Professional Services
After the claimant did allegedly not pay back a micro-credit to an online credit agency, the claim was assigned to the debt collecting agency. Subsequently, the latter started sending emails not only to email addresses provided by the claimant but also to an institutional email address of his workplace accessible by any co-worker which was never provided by the claimant.
379
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
27,000
VODAFONE ESPANA, S.A.U.
Art. 5 (1) (d) GDPR
Telecommunications
Although the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and this request had been confirmed by the company, he received more than 200 SMS from the company from 2018 onwards. Following Vodafone's statement, this happened because the complainant's mobile phone number was erroneously used for testing purposes and accidentally appeared in various customer files belonging to other customers than the complainant. Since the company agreed to both payment and admission of responsibility the fine was reduced in accordance with Spanish administrative law to EUR 27k.
380
Spain
Spanish Data Protection Authority
31/12/2018
EUR €
60,000
ENDESA
Art. 5 (1) (f) GDPR
Energy/Utilities
Not disclosed
381
Greece
Hellenic Data Protection Authority (HDPA)
17/04/2019
EUR €
30,000
Hellenic Petroleum
Not disclosed
Oil/Gas/Petroleum
Greece’s Hellenic Data Protection Authority fined Hellenic Petroleum €20,000 for unlawful processing of personal data and €10,000 for failing to adopt appropriate data security measures totaling €30,000 for Data Protection violations.Hellenic Petroleum S.A. had engaged a vendor to conduct a study on its behalf. The study was exposed online and its results, which included sensitive data such as political opinions, trade union membership and participation in associations were publicly accessible on the Internet in violation of GDPR stipulations.
382
United Kingdom
Information Commissioners Office UK
08/07/2019
GBP £
183,000,000
British Airways
Not disclosed
Aerospace/Aviation
British Airways is facing a record fine of £183m for last year's breach of its security systems.The airline, owned by IAG, says it was "surprised and disappointed" by the penalty from the Information Commissioner's Office (ICO).At the time, BA said hackers had carried out a "sophisticated, malicious criminal attack" on its website.The ICO said it was the biggest penalty it had ever handed out and the first to be made public under new rules.The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers, the ICO said.
383
United States
Federal Trade Commission
12/07/2019
USD $
5,000,000,000
Facebook
Failing to give users very clear notifications when their data was being shared with third parties.
Technology
The Federal Trade Commission approved an approximately $5 billion settlement with Facebook over the company’s 2018 Cambridge Analytica scandal, a person familiar with the matter told The Wall Street Journal. The fine represents the largest ever imposed by the FTC against a tech company. Previously, the agency’s largest fine against a tech company came in 2012 when Google agreed to pay a $22.5 million penalty due to its privacy practices. The fine would represent approximately 9% of Facebook’s 2018 revenues. Facebook took a one-time charge of $3 billion in anticipation of the FTC fine in April during the company’s first-quarter results.
457
United Kingdom
ICO
19/07/2019
GBP £
80,000
estate agency
The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017.
Real Estate
The Information Commissioner’s Office (ICO) has fined a London estate agency £80,000 for leaving 18,610 customers’ personal data exposed for almost two years. The security breach happened when Life at Parliament View Ltd (LPVL) transferred personal data from its server to a partner organisation and failed to switch off an ‘Anonymous Authentication’ function. This failure meant access restrictions were not implemented and allowed anyone going online to have full access to all the data stored between March 2015 and February 2017. The exposed details included personal data such as bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.
459
Greece
Hellenic Data Protection Authority (HDPA)
01/07/2019
EUR €
150,000
PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA
Article 5(1)(a)
Business/Company/Employer
The Hellenic Data Protection Authority, in response to a complaint, conducted an ex officio investigation of the lawfulness of the processing of personal data of the employees of the company ‘PRICEWATERHOUSECOOPERS BUSINESS SOLUTIONS SA’ (PWC BS). According to the above complaint the employees were required to provide consent to the processing of their personal data.
460
Greece
Hellenic Data Protection Authority (HDPA)
07/10/2019
EUR €
200,000
Telecommunication Service Provider
Articles 21(3) and 25 GDPR
Telecommunications
Non-compliance with general data processing principles.
Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request.
575
Greece
Hellenic Data Protection Authority (HDPA)
07/10/2019
EUR €
200,000
Telecommunication Service Provider
Articles 5(1)(c), 25 GDPR
Telecommunications
Non-compliance with general data processing principles.
A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors.
576
Austria
Austrian Data Protection Authority (dsb)
01/07/2019
EUR €
11,000
Private person (soccer coach)
Art. 6 GDPR
Sport/Recreation
Insufficient legal basis for data processing.
The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years.
577
Germany
Data Protection Authority of Berlin
01/08/2019
EUR €
195,407
Delivery Hero
Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR
Customer Service
Insufficient fulfilment of data subjects rights.
According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years - in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received further 15 advertising e-mails from the delivery service. In further five cases, the company did not provide the data subjects with the required information or only after the Berlin data protection officer had intervened.
578
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority.
579
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
01/01/2019
EUR €
92,146
Organizer of SZIGET festival and VOLT festival
Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR
Other
The NAIH found that there were inappropriate legal bases is use and that the controller did not comply with the principle of purpose limitation. Also, information on the data processing was not fully provided to data subjects.
580
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
01/01/2019
EUR €
15,150
Unknown
Art. 33 GDPR
Not disclosed
The data controller did not fulfil its data breach obligations when a flash memory with personal data was lost.
581
Belgium
Belgian Data Protection Authority (APD)
19/09/2019
EUR €
10,000
Merchant
Art. 5 (1) c) GDPR
Other
The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject's identification number.
582
Poland
Polish National Personal Data Protection Office (UODO)
10/09/2019
EUR €
644,780
Morele.net
Art. 32 GDPR
Telecommunications
The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people.
583
Austria
Austrian Data Protection Authority (dsb)
01/08/2019
EUR €
50,000
Company in the medical sector
Art. 13 GDPR, Art. 37 GDPR
Pharmaceutical/Biotech
The (none-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer.
584
France
French Data Protection Authority (CNIL)
25/07/2019
EUR €
180,000
ACTIVE ASSURANCES (car insurer)
Art. 32 GDPR
Insurance
Large amount of customer accounts, clients' documents (including copies of driver's licences, vehicle registration, bank statements and documents to determine whether a person had been the subject of a licence withdrawal) and data were easily accesible online. The CNIL, between others, critizised the password management (unauthorized access was possible without any authentication).
585
Bulgaria
Data Protection Commision of Bulgaria (KZLD)
28/08/2019
EUR €
511,000
DSK Bank
Art. 32 GDPR
Banking/Mortgage
Leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23000 credit records relating to over 33000 bank customers including personal data such as names, citizenships, identification numbers, adresses, copies of identity cards and biometric data.
586
Bulgaria
Data Protection Commision of Bulgaria (KZLD)
28/08/2019
EUR €
2,600,000
National Revenue Agency
Art. 32 GDPR
Other
Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. It was found that personal data concerning about 6 million persons was illegally accessible.
587
Latvia
Data State Inspectorate (DSI)
26/08/2019
EUR €
7,000
Online Services
Art. 17 GDPR
Customer Service
A merchant who provides services in an online store has infringed the "right to be forgotten" pursuant to Art. 17 GDPR when he was repeatedly requested by a data subject to delete all his personal data, in particular his/her mobile phone number, which the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subjects mobile phone number.
A school in Skellefteå made a trial to use facial recognition technology. The fine was imposed against the school which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible doing so with facial recognition is disproportioned to the goal to monitor attendance. The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent can not be applied since students and their guardians cannot freely decide if they/their children want to be monitored for attendance purposes. When examining if the school board can rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that there was a case of a processing activity with high risks since new technology was used to process sensitive personal data concerning children who are in a dependency position to the high school board and due to camera surveillance being used in the students everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR and that the school board was required to consult the authority in accordance with Art. 36 (1) GDPR.
589
Spain
Spanish Data Protection Authority (aepd)
01/01/2018
EUR €
12,000
Restaurant
Art. 5 (1) a), Art. 6 GDPR
Restaurant/Food Service
A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes
590
Spain
Spanish Data Protection Authority (aepd)
16/08/2019
EUR €
60,000
AVON COSMETICS
Art. 6 GDPR
Pharmaceutical/Biotech
A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third party fraudulently used the consumers personal data.
592
United Kingdom
Information Commissioner (ICO)
09/07/2019
EUR €
110,390,200
Marriott International, Inc
Art. 32 GDPR
Hospitality/Travel
Please note: This fine is not final but will be decided on when the company and other involved supervisory authorities of other member states have made their representations. The ICO issued a notice of its intention to fine Marriott International Inc which relates to a cyber incident which was notified to the ICO by Marriott in November 2018.GDPR infringements are likely to involve a breach of Art. 32 GDPR. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
593
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
02/07/2019
EUR €
15,056
WORLD TRADE CENTER BUCHAREST SA
Art. 32 GDPR
Business/Company/Employer
The breach of data security was that a printed paper list used to check breakfast customers and containing personal data of 46 clients who stayed at the hotel's WORLD TRADE CENTER BUCHAREST SA was photographed by unauthorized people outside the company, which led to the disclosure of the personal data of some clients through online publication. The operator of WORLD TRADE CENTER BUCHAREST SA has been sanctioned because it has not taken steps to ensure that data is not disclosed to unauthorized parties.
594
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
05/07/2019
EUR €
3,000
LEGAL COMPANY & TAX HUB SRL
Art. 32 GDPR
Accounting/Finance
The fine was imposed because adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing were not implemented. This has led to unauthorized disclosure and unauthorized access to the personal data of people who have made transactions received by the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), due to publicly accessible documents between 10th of December 2018 and 1st of February 2019. The National Supervisory Authority applied the sanction following a notification dated 12th of October 2018 indicating that a set of files regarding the details of the transactions received by the avocatoo.ro website which contained the name, surname, address correspondence, email, telephone, job and details of transactions made, was publicly accessible through two links.
595
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The sanctions were applied to the controller because he could not prove that the data subjects were informed about the processing of personal data / images through the video surveillance system, which they have been operating since 2016. And because he made the disclosure of the CNP of the employees, by displaying the Report for the training of the authorized ISCIR personnel for the year 2018 to the company notifier and could not prove the legality of the processing of the CNP, by disclosure, according to Art. 6 GDPR.
596
Portugal
Portuguese Data Protection Authority (CNPD)
05/02/2019
EUR €
20,000
Unknown
Art. 15 GDPR
Not disclosed
Insufficient fulfilment of data subjects rights
597
Portugal
Portuguese Data Protection Authority (CNPD)
25/03/2019
EUR €
2,000
Unknown
Art. 15 GDPR
Not disclosed
Insufficient fulfilment of data subjects rights
598
Norway
Norwegian Supervisory Authority (Datatilsynet)
29/04/2019
EUR €
203,000
Oslo Municipal Education Department
Art. 32 GDPR
Education/Training
Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information security, unauthorized persons were able to log in as authorized users and gain access to personal data about students, legal representatives and employees.
599
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
18/06/2019
EUR €
460,000
Haga Hospital
Art. 32 GDPR
Healthcare
The Haga Hospital does not have a proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. This investigation followed when it appeared that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before 2nd of October 2019, the hospital must pay 100,000 EUR every two weeks, with a maximum of 300,000 EUR. The Haga Hospital has meanwhile indicated to take measures.
600
Austria
Austrian Data Protection Authority
23/10/2019
EUR €
18,000,000
Austrian Post
Art. 5 (1) a) GDPR, Art. 6 GDPR
Public Authority
The Austrian Post had sold detailed personal profiles of approximately three million Austrians to various companies and political parties. The profiles contained names, addresses, political predilections, and even intimate details.
675
Germany
Data Protection Authority of Rheinland-Pfalz
03/12/2019
EUR €
105,000
Rheinland-Pfalz Hospital
Art. 5 GDPR
Healthcare
The Data Protection Authority of Rheinland-Pfalz issued a fine of €105,000 after a hospital after a mixup of patients. As a consequence of this, wrong invoices were issues to the patients that released sensitive personal data.
676
Spain
Spanish Data Protection Authority
02/12/2019
EUR €
10,000
Ikea Ibérica
Art. 6 GDPR
Consumer Goods
Ikea Ibérica was found to have installed cookies on a customer’s device without asking for permission.
677
Romania
Romanian National Supervisory Authority for Personal Data Processing
29/11/2019
EUR €
2,500
Royal President S.R.L.
Art. 12 GDPR, Art. 15 GDPR
Other
The pension Royal President near Bucharest was fined €2,500 after it refused to process a request for the exercise of the right of access. The Romanian Data Processing Authority also determined that customers’ personal data was not processed in accordance with GDPR principles.
678
Romania
Romanian National Supervisory Authority for Personal Data Processing
29/11/2019
EUR €
80,000
ING Bank N.V. Amsterdam
Art. 25 GDPR
Banking/Mortgage
The Romanian branch of ING Bank N.V. Amsterdam was fined with €80,000 due to not respecting data protection principles (privacy by design și privacy by default) by not implementing adequate technical measures to ensure the protection of personal data. As a consequence of this, a total of 225,525 had their transactions doubled on debit card payments during the period of 8-10 October 2018. This is one of the bigger fines in Romania, but it’s interesting to note that for similar offenses in other countries fines of over several millions of Euros are usually awarded. This denotes again the fact that different countries have different approaches to GDPR enforcement.
679
Romania
Romanian National Supervisory Authority for Personal Data Processing
29/11/2019
EUR €
20,000
SC CNTAR TAROM SA
Art. 32 GDPR
Aerospace/Aviation
A fine of €20,000 was issued to the Romanian national airline Tarom because it failed to implement the necessary technical measures to ensure the security of personal information. As a consequence of these inadequate measures, a Tarom employee was able to access the flight booking application without authorization and see the personal data of 22 passengers, after which the employee took a photo of the list and made it public online.
680
Romania
Romanian National Supervisory Authority for Personal Data Processing
22/11/2019
CNY ¥
2,000
BNP Paribas SA
Art. 12 GDPR, Art. 17 GDPR
Other
BNP Paribas Personal Finance was requested to erase personal data of a client and it did not do so during the timeframe required by GDPR legislation.
Futura Internationale was fined because after several individuals have complained that they were cold-called by the company even after they have expressly requested not to be called again. The reason why the fine was so high relative to similar cases and fines was that the CNIL determined that the company had received a large number of letters requesting to be taken off from the call lists but decided to ignore them. More so, Futura Internationale was found to store excessive information about customers and their health data. The company did also not inform their customers about the processing of their personal data and that all telephone conversations were recorded.
682
Spain
Spanish Data Protection Authority
21/11/2019
EUR €
60,000
Viaqua Xestión SA
Art. 6 GDPR
Other
A third party had access to and modified the personal data of a customer that was included in a contract. The third party had no legal basis to access the data.
683
Spain
Spanish Data Protection Authority
19/11/2019
EUR €
60,000
Xfera Moviles S.A.
Art. 32 GDPR
Other
A private individual received an SMS from Xfera Móviles which was actually addressed to a different person and which included personal details of that third party person. The information included personal details as well as login details to the Xfera Móviles website for the third party person.
684
Spain
Spanish Data Protection Authority
19/11/2019
EUR €
60,000
Corporacion RTVE
Art. 32 GDPR
Other
Corporacion de Radio y Television Espanola lost 6 USB sticks with unencrypted personal information and data.
685
Spain
Spanish Data Protection Authority
14/11/2019
EUR €
30,000
Telefónica SA
Art. 5 GDPR
Telecommunications
A person was charged by the phone operator Telefónica for a telephone service that they never requested and owned. This happened because the bank account of the affected person was linked to the Telefónica profile of another person and as such the fees for the service were deduced from the affected person’s account. The AEDP ruled that this was against the principles described by article 5 of GDPR.
686
Slovakia
Slovak Data Protection
13/11/2019
EUR €
50,000
Social Insurance Agency
Art. 32 GDPR
Not disclosed
Applications that were received from Slovak citizens requesting social benefits were sent to foreign authorities by post. These were lost, which resulted in all the personal details of the affected people to become public, including their physical addresses.
687
Spain
Spanish Data Protection Authority
13/11/2019
EUR €
3,000
General Confederation of Labour
Art. 6 GDPR
Other
The General Confederation of Labour emailed personal data of a complainant with the aim of organizing a meeting. This included the name, home address, relationship status, pregnancy status and the date of an ongoing harassment case. The email was sent to around 400 members of the organization with the affected individual’s consent.
688
Spain
Spanish Data Protection Authority
07/11/2019
EUR €
900
TODOTECNICOS24H S.L.
Art. 13 GDPR
Other
The company TODOTECNICOS24H collected personal data without accurate information regarding the collection of this data.
689
Spain
Spanish Data Protection Authority
06/11/2019
EUR €
1,500
Cerrajero Online
Art. 13 GDPR
Other
The company collected personal data without accurate information regarding the collection of this data
690
Latvia
Data State Inspectorate
01/11/2019
EUR €
150,000
Unknown
Art. 6 GDPR
Not disclosed
No concrete details have been released at this point other than a fine of €150,000 was imposed in November 2019. We will update this card once further information emerges.
691
Spain
Spanish Data Protection Authority
31/10/2019
EUR €
6,000
Jocker Premium Invex
Art. 6 GDPR
Other
Postal advertisements and commercial offers were sent by Jocker Premium Invex to a registrant to a local census, even though the registrant did not consent to receive such advertisements and offers.
692
Netherlands
Not disclosed
31/10/2019
EUR €
900,000
UWV - Insurance provider
Art. 32 GDPR
Insurance
The Dutch employee insurance service provider – “Uitvoeringsinstituut Werknemersverzekeringen – UWV did not use multi-factor authentication for accessing the employer web portal. Health and safety services, as well as employers, were able to view and collect data from employees, data to which normally they should not have had access to.
693
Germany
Data Protection Authority of Baden-Wuerttemberg
30/10/2019
EUR €
14,500,000
Deutsche Wohnen SE
Art. 5 GDPR, Art. 25 GDPR
Real Estate
The company collected data from multiple tenants without providing the option to remove that data once it was no longer required. This led to the company retaining personal data of tenants for years (salary statements, social security insurances, health insurances, tax insurances, bank statements). The Berlin Data Commissioner issued a fine of €14,500,000.
694
Poland
Polisch National Personal Data Protection Office
18/10/2019
EUR €
9,380
Polish Mayor
Art. 28 GDPR
Public Authority
No data processing agreement has been concluded with the company whose servers contained the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed on the mayor of the city.
695
Poland
Polisch National Personal Data Protection Office
16/10/2019
EUR €
47,000
ClickQuickNow
Art. 5 GDPR
Other
The Company did not have the appropriate organizational measures in place that would allow data subjects to withdraw their consent to the processing of personal data. Moreover, the data subjects also couldn’t easily request the deletion of their personal data.
696
Spain
Spanish Data Protection Authority
16/10/2019
EUR €
8,000
Iberdrola Clientes
Art. 31 GDPR
Transportation/Logistics
Iberdrola Clientes violated Article 13 of the GDPR when it showed a complete lack of cooperation with the AEPD. The latter had requested Iberdrola Clientes to provide the necessary information needed to add a person to the solvency list.
697
Spain
Spanish Data Protection Authority
16/10/2019
EUR €
60,000
Xfera Moviles S.A.
Art. 5 GDPR, Art. 6 GDPR
Other
The company had unlawfully processed the personal data despite the subject’s request to stop doing so.
698
Romania
Romanian National Supervisory Authority for Personal Data Processing
09/10/2019
EUR €
20,000
Vreau Credit SRL
Art. 32 GDPR Art. 33 GDPR
Other
The Company sent personal information through the WhatsApp platform to Raiffeisen Bank in order to facilitate the assessment of personal scores. The results were returned on the same platform.
699
Romania
Romanian National Supervisory Authority for Personal Data Processing
09/10/2019
EUR €
150,000
Raiffeisen Bank SA
Art. 32 GDPR
Banking/Mortgage
Raiffeisen Bank Romania did not observe the necessary security measures required by the GDPR when it assessed the scores of individuals on the WhatsApp platform. The personal data was exchanged via WhatsApp.
700
Slovakia
Slovak Data Protection
27/09/2019
EUR €
40,000
Slovak Telekom
Art. 32 GDPR
Telecommunications
The data controller did not take the necessary technical measures to prevent a data breach. No further details have been disclosed.
701
Spain
Spanish Data Protection Authority
01/10/2019
EUR €
30,000
Vueling Airlines
Art. 5 GDPR, Art. 6 GDPR
Hospitality/Travel
Vueling Airlines made it impossible for users to access their website without accepting the cookies. Therefore, one couldn’t browse the website unless they accepted the cookies. The AEPD sanctioned the company with 30.000 euros
702
Germany
German Federal Commissioner for Data Protection and Freedom of Information (BfDI)
01/12/2019
EUR €
9,550,000
1&1 Telecom
Not disclosed
Telecommunications
Personal information was available to anyone who provided the name and data of birth of a customer. The fine would have been much higher, but the company cooperated closely with regulators to quickly address the issue.
760
Netherlands
Dutch Data Protection Authority (Dutch DPA)
01/11/2019
EUR €
600,000
Uber
Not disclosed
Customer Service
The Dutch Data Protection Authority (Dutch DPA) imposes a fine of €600.000 upon Uber B.V. and Uber Technologies, Inc (UTI) for violating the Dutch data breach regulation. In 2016 a data breach occurred at the Uber concern in the form of unauthorised access to personal data of customers and drivers. The Uber concern is fined because it did not report the data breach to the Dutch DPA and the data subjects within 72 hours after the discovery of the breach.
762
Germany
Labour Court (ArbG) of Lübeck
14/01/2020
EUR €
1,000
Not disclosed
Art. 6 GDPR
Not disclosed
Lübeck Labour Court estimates a fine of €1,000 for the illegal use of an employee photo on Facebook
763
United Kingdom
Information Commissioner’s Office (ICO)
09/01/2019
GBP £
500,000
DSG Retail Limited (DSG)
Not disclosed
Retail
Not disclosedThe Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine month period before the attack was detected.
764
United Kingdom
Information Commissioner (ICO)
20/12/2019
EUR €
320,000
Doorstep Dispensaree
Art. 32 GDPR
Pharmaceutical/Biotech
The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.
The company stored around 500,000 documents that contained the names, addresses, birth fates, and NHS identification numbers as well as medical information and prescriptions in unsealed containers at the back of a building. As a result of this, the documents were exposed to the elements which resulted in water damage and potentially to the loss of some data.
765
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
18/12/2019
EUR €
2,000
Telekom Romania
Art. 32 GDPR
Telecommunications
The company did not ensure the accuracy of the processing of personal data. This resulted in the disclosure of a client’s personal data to a different client.
766
Belgium
Belgian Data Protection Authority (APD)
17/12/2019
EUR €
15,000
Legal information wesbite
Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR
Not disclosed
A website that provided legal information and news only had its privacy policy page available in English, even though it was also addressing the French and Dutch-speaking markets. Also, the privacy policy page was not easily accessible and did not mention the legal basis for the processing of data, as required by the GDPR. The website also used Google Analytics without effective consent.
767
Sweden
Data Protection Authority of Sweden
16/12/2019
EUR €
35,000
Nusvar AB
Art. 6 GDPR
Not disclosed
Nusvar AB, which operates the website Mrkoll.se, a site that provides information on all Swedes over the age of 16, published information on people with overdue payments.
768
Belgium
Belgian Data Protection Authority (APD)
16/12/2019
EUR €
2,000
Nursing Care Organization
Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR
Not disclosed
A nursing care organization failed to act on a request by a data subject to receive access to their data with the scope of erasing it.
769
Spain
Spanish Data Protection Authority (AEPD)
10/12/2019
EUR €
5,000
Shop Macoyn, S.L.
Art. 32 GDPR
Not disclosed
The company sent advertising emails to multiple recipients where every one of the recipients was able to see the email address of all other recipients. This was because the sender sent all the email addresses as CC instead of BCC.
770
Spain
Spanish Data Protection Authority (AEPD)
10/12/2019
EUR €
1,600
Megastar SL
Art. 5 (1) c) GDPR, Art. 13 GDPR
Not disclosed
The company was fined because it operated a video surveillance system that had an observation angle that extended too far into the public traffic area. The video surveillance system was also not accompanied by any data protection notices.
771
Germany
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
09/12/2019
EUR €
10,000
Rapidata GmbH
Art. 37 GDPR
Not disclosed
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) ha repeatedly requested the company to appoint a data protection officer in accordance with Article 37 GDPR but even so, Rapidata GmbH refused to do so. The company was fined with €10,000.
772
Spain
Spanish Data Protection Authority (AEPD)
03/12/2019
EUR €
5,000
Linea Directa Aseguradora
Art. 6 GDPR
Not disclosed
An insurance company sent advertising emails to clients without the necessary consent.
773
Germany
Data Protection Authority of Niedersachsen
02/12/2019
EUR €
294,000
Unknown
Art. 5 GDPR
Not disclosed
A company was fined with €294,000 because of the “unnecessarily long” storage and retention of personal data in the selection of personnel. During the selection process, even health data was requested, which was excessive according to the DPA.
774
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
02/12/2019
EUR €
2,000
Nicola Medical Team 17 SRL
Art. 58 GDPR
Not disclosed
The company did not comply with measures imposed by the Data Protection Authority.
775
United Kingdom
Information Commissioners Office UK
15/01/2019
GBP £
895
Leo Kirk
Breach of s55 of the Data Protection Act 1998
Social Care
A former social worker has been prosecuted for passing the personal information of service users to a third party provider for Local Authority young person placements.
Leo Kirk unlawfully disclosed referrals for residential or foster placements of vulnerable young people aged 16-18 years old. The referrals contained sensitive personal data including potential identifier information and vulnerability risks of the service user.
Mr Kirk of Audenshaw, Manchester appeared before Stockport Magistrates’ Court and admitted two offences of unlawfully disclosing personal data, in breach of s55 of the Data Protection Act 1998. He was fined £483 for the first offence with no separate penalty for offence two, he was ordered to pay costs of £364.08 and a victim surcharge of £48.
2386
United Kingdom
Information Commissioners Office UK
05/12/2019
GBP £
859
Dannyelle Shaw
Breach of s55 of the Data Protection Act 1998
Government/Military
A former Reablement Officer at Walsall Metropolitan Borough Council has been prosecuted for accessing social care records without authorisation.
An internal investigation by the Council found that Ms Shaw had inappropriately accessed the social care records of 7 adults and 9 children without any business need to do so.
Dannyelle Shaw of Bloxwich, Walsall, appeared before Wolverhampton Magistrates’ Court and admitted one offence of unlawfully obtaining personal data, in breach of s55 of the Data Protection Act 1998. She was sentenced to a fine of £450, ordered to pay costs of £364 and a victim surcharge of £45.
2387
United Kingdom
Information Commissioners Office UK
02/12/2019
GBP £
720
Michelle Shipsey
Breach of s170 of the Data Protection Act 2018
Government/Military
A former Social Services Support Officer at Dorset County Council has been prosecuted for accessing Social Care records without authorisation.
An internal investigation found that Ms Shipsey had inappropriately accessed the Social Care records without any business need to do so. The records related to four individuals known to Ms Shipsey.
Michelle Shipsey of Verwood, Dorset, appeared before Poole Magistrates’ Court and admitted one offence of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. She was sentenced to a 6 month conditional discharge, ordered to pay costs of £700 and a victim surcharge of £20.
2388
United Kingdom
Information Commissioners Office UK
17/09/2019
GBP £
150,000
Superior Style Home Improvements Ltd
Not disclosed
Marketing
Superior Style Home Improvements Ltd issued with monetary penalty notice after making unsolicited marketing calls to individuals registered with the TPS to try and generate UPVC installation leads.
The Information Commissioner’s Office (ICO) has fined a Swansea double-glazing company £150,000 for making nuisance calls.
Superior Style Home Improvements Ltd called people over an 11 month period whose numbers were registered with the Telephone Preference Service (TPS) and who had not given their consent to receive them. The ICO has also issued an Enforcement Notice warning them to stop making the calls.
Dave Clancy, of the ICO’s investigations team said: ”Companies engaged in this illegal activity should take note, we will take action against those that continue to disregard the law around electronic marketing via phone calls, emails and text messages. These cause a real nuisance - and often distress - to people who don’t want to receive them. Company directors should also be aware that they can now be made personally liable for fines that we issue.”
2389
United Kingdom
Information Commissioners Office UK
12/08/2019
GBP £
Hudson Bay Finance Ltd
Section 4(4) of the DPA Subject to Section 27(1)
Financial Services
Hudson Bay Finance Ltd issued with an enforcement notice for failing to respond to a subject access request.
2390
Greece
Hellenic Data Protection Authority (HDPA)
19/12/2019
EUR €
150,000
Aegean Marine Petroleum Network Inc.
Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR
Oil/Gas/Petroleum
Insufficient technical and organisational measures to ensure information security
2423
Spain
Spanish Data Protection Authority (aepd)
07/01/2020
EUR €
10,000
Asociación de Médicos Demócratas
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The Asociación de Médicos Demócratas has processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects.
2424
Spain
Spanish Data Protection Authority (aepd)
07/01/2020
EUR €
75,000
EDP Comercializadora, S.A.U.
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora and that the processing of data is therefore justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier.
2425
Spain
Spanish Data Protection Authority
07/01/2020
EUR €
75,000
EDP España S.A.U.
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject
2426
Spain
Spanish Data Protection Authority (aepd)
09/01/2020
EUR €
44,000
Vodafone España, S.A.U.
Art. 58 GDPR
Telecommunications
Insufficient cooperation with supervisory authority
Failure to provide information to the AEPD within the required timeframe in violation of Article 58
2427
Greece
Hellenic Data Protection Authority (HDPA)
13/01/2020
EUR €
15,000
Allseas Marine S.A.
Art. 5 (1) a), (2) GDPR
Not disclosed
Non-compliance with general data processing principles.
The data protection supervisory authority has fined the extent to which employee data are processed by a video surveillance system in the workplace, the fact that the introduction of the video surveillance system was unlawful and the fact that the company did not sufficiently inform its employees about it.
2428
Cyprus
Cyprian Data Protection Commissioner
13/01/2020
EUR €
1,000
eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD)
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for telephone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages.
2429
Cyprus
Cyprian Data Protection Commissioner
13/01/2020
EUR €
9,000
Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance
Art. 32 GDPR
Not disclosed
Insufficient technical and organisational measures to ensure information security
Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GPPR.
2430
Spain
Spanish Data Protection Authority (aepd)
14/01/2020
EUR €
3,600
Zhang Bordeta 2006, S.L. (Store and Restaurant)
Art. 5 GDPR
Restaurant/Food Service
Non-compliance with general data processing principles
The store and restaurant owner installed a video surveillance system which, among others, also took pictures of the sidewalk and thus of the public space, which violates the fundamental principle of data minimization.
2431
Italy
Italian Data Protection Authority (Garante)
15/01/2020
EUR €
50,000
Community of Francavilla Fontana
Art. 5 GDPR, Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The community published on its website information about a court trial, including personal data such as health data about a data subject.
Insufficient legal basis for data processing
Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Furthermore, irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in Apps provided by the Company and invalid methods of consent were used. In some cases, paper forms requesting one single consent were used for various purposes, including marketing. Furthermore, data was kept longer than necessary and thus violated deletion periods. For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use of personal data for marketing purposes from those who had refused to receive promotional calls from the call centres.
2433
Italy
Italian Data Protection Authority (Garante)
23/01/2020
EUR €
30,000
Sapienza Università di Roma
Art. 5 (1) f) GDPR, Art. 32 GDPR
Education/Training
Insufficient technical and organisational measures to ensure information security
The fine is based on the fact that, according to the data protection authority, the Sapienza Università made available online identification data of two people who had reported possible illegal behaviour to the university. This was due to the lack of adequate technical access control measures within the whisleblowing management system, which had not limited access to such data to authorized personnel only.
2434
Italy
Italian Data Protection Authority (Garante)
23/01/2020
EUR €
30,000
Azienda Ospedaliero Universitaria Integrata di Verona (Hospital)
Art. 5 (1) f) GDPR, Art. 32 GDPR
Healthcare
Insufficient technical and organisational measures to ensure information security
The fine was preceded by access to health data by unauthorised persons, allowing a trainee and a radiologist to gain access to the health data of their colleagues. The investigations revealed that the technical and organisational measures taken by the hospital to protect health data had proved to be insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines for health records issued by the data protection authority in 2015, which stipulate that access to health records must be restricted only to health personnel involved in patient care.
2435
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
800
Automoción
Art. 5 GDPR, Art. 6 GDPR
Automotive
Insufficient legal basis for data processing
An employee created a fake profile about a female colleague on an erotic portal, which contained, among other things, her contact details, a photo of her and information about her sexual nature. Based on the profile, the data subject received several phone calls from people who wanted to contact her regarding the information provided on the website. As the private person was found to have a personality disorder, the fine was reduced from initial EUR 1000 to EUR 800.
2436
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
5,000
Queseria Artesenal Ameco S.L.
Art. 5 GDPR, Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
The company processed personal data of customers without required consent.
2437
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
6,670
Banco Bilbao Vizcaya Argentaria S.L.
Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR
Banking/Mortgage
Insufficient legal basis for data processing
The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data.
2438
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
75,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship. As a reason for the incorrect mailings Vodafone indicated a technical error.
2439
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
20,000
Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal
Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR
Not disclosed
Insufficient legal basis for data processing
Iberia continued to send e-mails to the data subject, despite the data subject had requested the withdrawal of his consent and the erasure of his personal data and that the execution of these measures had already been confirmed to him.
2440
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
50,000
Vodafone España, S.A.U.
Art. 5 GDPR
Telecommunications
Non-compliance with general data processing principles
The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to its neighbour.
2441
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
60,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España, which contained the billing of a telephone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject's personal data were incorporated into the information systems of Vodafone España without Vodafone being able to show that the data subject had consented to the collection and subsequent processing of his personal data. The fine of 100,000 EUR was reduced to 60,000 EUR due to a voluntary payment.
2442
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
75,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The fine preceded the complaint by the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscription with a third party without the data subject's knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him.
2443
Spain
Spanish Data Protection Authority (aepd)
03/02/2020
EUR €
60,000
Xfera Moviles S.A.
Art. 5 GDPR, Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
According to the data protection authority, XFERA MOVILES has violated Article 6(1) of the GDPR, as the company has unlawfully processed data, including bank details, customer address and name of the data subjects.
2444
Spain
Spanish Data Protection Authority (aepd)
04/02/2020
EUR €
1,500
Cafetería Nagasaki
Art. 5 GDPR, Art. 6 GDPR
Restaurant/Food Service
Insufficient legal basis for data processing
The AEPD found that the Nagasaki Cafetería did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians.
2445
Spain
Spanish Data Protection Authority (aepd)
14/02/2020
EUR €
30,000
Xfera Moviles S.A.
Art. 5 (1) f) GDPR, Art. 32 GDPR
Not disclosed
Insufficient technical and organisational measures to ensure information security
The AEPD found that a third party had access to the name, telephone number and address of another customer.
2446
Spain
Spanish Data Protection Authority (aepd)
14/02/2020
EUR €
42,000
Vodafone España, S.A.U.
Art. 5 (1) f) GDPR, Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The complainant had access to third party data in his personal Vodafone profile.
2447
Spain
Spanish Data Protection Authority (aepd)
14/02/2020
EUR €
50,000
Iberdrola Clientes
Art. 6 GDPR
Not disclosed
Insufficient legal basis for data processing
Iberdola Clientes, an electricity company, terminated the data subject's contract without its consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff's personal data to a third party without legal basis.
2448
Spain
Spanish Data Protection Authority (aepd)
14/02/2020
EUR €
3,000
Colegio Arenales Carabanchel (School)
Art. 6 GDPR
Education/Training
Insufficient legal basis for data processing
The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis.
2449
Spain
Spanish Data Protection Authority (aepd)
14/02/2020
EUR €
2,500
Grupo Valsor Y Losan, S.L.
Art. 5 (1) f) GDPR
Not disclosed
Insufficient technical and organisational measures to ensure information security
The controller had disclosed personal data to a third party in a property purchase agreement (breach of principles of integrity and confidentiality of personal data)
2450
Spain
Spanish Data Protection Authority (aepd)
18/02/2020
EUR €
1,500
Mymoviles Europa 2000, S.L.
Art. 13 GDPR
Not disclosed
Insufficient fulfilment of information obligations.
The AEPD found that the company did not publish a privacy statement on its website and that its legal notice did not sufficiently identify itself.
2451
Bulgaria
Data Protection Commision of Bulgaria (KZLD)
20/02/2020
EUR €
2,560
L.E. EOOD
Art. 25 (1) GDPR, Art. 32 GDPR, Art. 6 GDPR
Other
Insufficient technical and organisational measures to ensure information security
The fine of ca EUR 2,557 was imposed on L.E. EOOD for unlawful processing of personal data of data subject I.S. without the knowing and the consent of the data subject and also without a valid contractual relationship between L.E. EOOD and I.S. The enterprise processed the personal data of I.S. unlawfully seven times in duration of 3 months by failure to adopt technical and organizational measures to ensure the information security. In addition to the fine, the Commission for Personal Data Protection (“KZLD”) instructed L.E. EOOD to do regular inspections of its data processing activities, to do risk analysis regarding customers and employees and to conduct periodic trainings of the employees. The KZLD also ordered L.E. EOOD to archive and keep the documents containing the personal data only for limited purposes and the timeframe as required by law.
5619
Bulgaria
Data Protection Commision of Bulgaria (KZLD)
20/02/2020
EUR €
2,560
T.K. EOOD
Art. 25 (1) GDPR, Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
The fine of ca. EUR 2,557 was imposed on T.K. EOOD for unlawful processing of personal data of data subject I.S. by failure to adopt technical and organizational measures to ensure the information security. T.K. EOOD processed the personal data of I.S. unlawfully nine times in duration of five months. The breaches caused damages to the data subject.
5620
Greece
Hellenic Data Protection Authority (HDPA)
21/02/2020
EUR €
5,000
Public Power Corporation S.A.
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The Decision clarified that data subjects have a right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request.
5621
Spain
Spanish Data Protection Authority (aepd)
25/02/2020
EUR €
6,000
Casa Gracio Operation
Art. 5 (1) c) GDPR
Other
Non-compliance with general data processing principles
The company used CCTV cameras in the premises of a hotel which also captured the public roads outside the hotel resulting in a violation of the so called principle of data minimisation.
5622
Spain
Spanish Data Protection Authority (aepd)
25/02/2020
EUR €
48,000
HM Hospitales
Art. 5 GDPR, Art. 6 GDPR
Healthcare
Insufficient legal basis for data processing
The data subject stated that at the time of his admission to hospital he had to fill in a form containing a checkbox indicating that, if he did not tick it, he agreed to the transfer of his data to third parties. This form, provided by HM, was not compatible with the GDPR, since consent was to be obtained through the inactivity of the data subject.
5623
Norway
Norwegian Supervisory Authority (Datatilsynet
26/02/2020
EUR €
73,600
Rælingen Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
Health information on 15 children with physical and mental disabilities was processed in the Showbie digital learning platform, for the transfer of health-related personal information between schools and their homes. Datatilsynet found that no necessary risk assessments, privacy impact assessments or tests had been carried out before using the application and that a lack of security when logging into the application allowed access to the information of other students in the group.
5624
Spain
Spanish Data Protection Authority (aepd)
27/02/2020
EUR €
120,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Furthermore, the decision of the data protection authority emphasises that Vodafone España also unlawfully disclosed the personal data of the data subject to various credit agencies.
5625
Norway
Norwegian Supervisory Authority (Datatilsynet)
28/02/2020
EUR €
36,800
Coop Finnmark SA
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company had distributed video surveillance footage of children under 16 who had allegedly stolen from a store. There was no sufficient legal basis for this data processing.
5626
Spain
Spanish Data Protection Authority (aepd)
28/02/2020
EUR €
3,600
AEMA Hispánica
Art. 5 (1) f) GDPR
Other
Non-compliance with general data processing principles
The company had sent the payroll of an employee to another employee and therefore disclosed personal data to an unauthorised party.
5627
Spain
Spanish Data Protection Authority (aepd)
28/02/2020
EUR €
48,000
Vodafone ONO, S.A.U.
Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The decision was taken due to several deficiencies in information security. For example, two people were given the same security access key.
5628
Spain
Spanish Data Protection Authority (aepd)
03/03/2020
EUR €
24,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
According to the AEPD, the company sent two SMS to an clients mobile number informing about a rate change in its contract and confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subjects consent or other legitimate interests of the company.
5629
Spain
Spanish Data Protection Authority (aepd)
03/03/2020
EUR €
40,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
According to the AEPD, the company sent an SMS to an clients mobile number confirming that a telephone contract with that number had been signed even though the client was not a Vodafone client, resulting in the processing of personal data without the data subjects consent or other legitimate interests of the company.
5630
Spain
Spanish Data Protection Authority (aepd)
03/03/2020
EUR €
42,000
Vodafone España, S.A.U.
Art. 5 (1) f) GDPR, Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorized access to personal data of a client.
5631
Spain
Spanish Data Protection Authority (aepd)
03/03/2020
EUR €
1,800
Solo Embrague
Art. 13 GDPR
Other
Insufficient fulfilment of information obligations
The corporate website did not present a privacy policy or a cookie banner on its main page.
5632
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
03/03/2020
EUR €
525,000
Royal Dutch Tennis Association ("KNLTB")
Art. 5 GDPR, Art. 6 GDPR
Sport/Recreation
Insufficient legal basis for data processing
The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association ("KNLTB") with EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors.
5633
Spain
Spanish Data Protection Authority (aepd)
04/03/2020
EUR €
60,000
Vodafone España, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
According to the AEPD, the data subject has received several SMS from a separate operator indicating the activation of a new contract. The reason for this was that an employee of Vodafone España activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or sufficient legitimate interests for this processing of personal data.
5635
Poland
Polish National Personal Data Protection Office (UODO)
03/04/2020
EUR €
4,600
School in Gdansk (Danzig) (fine imposed against town of Gdansk)
Art. 5 GDPR, Art. 9 GDPR
Education/Training
Insufficient legal basis for data processing
A school in Gdansk used biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Although the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, as the consent to data processing was not given voluntarily.
5636
Italy
Italian Data Protection Authority (Garante)
05/03/2020
EUR €
3,000
San Giorgio Jonico
Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR
Other
Insufficient legal basis for data processing
Publication of a citizen's personal data on a website and failure to comply with requests for deletion.
5637
Spain
Spanish Data Protection Authority (aepd)
06/03/2020
EUR €
3,200
Retailer
Art. 13 GDPR, Art. 14 GDPR
Retail
Insufficient fulfilment of information obligations
Insufficient declaration of video surveillance.
5638
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Insufficient legal basis for data processing
A local representative took a photo of the director of a company fully owned by the local government depicting the director allegedly tearing off an election poster of the opposition in the company of his child. The local representative uploaded the photo to his Facebook page. The child’s image was blurred, yet it was hinted in the post that she was the daughter of the director. The director told the local representative at the scene that he does not consent to the taking of the photo. NAIH determined that the act of the director was not public information and the photo does not prove that the director torn off an election poster. NAIH also underpinned that only the name of the director of the company fully owned by the local government was public information.
5639
Spain
Spanish Data Protection Authority (aepd)
06/03/2020
EUR €
4,000
Private person
Art. 5 GDPR
Private Citizen
Non-compliance with general data processing principles
Unlawful usage of video surveillance cameras which also monitored parts of the public space (violation of principle of data minimization).
5640
Italy
Italian Data Protection Authority (Garante)
06/03/2020
EUR €
4,000
Liceo Scientifico Nobel di Torre del Greco
Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR
Other
Insufficient legal basis for data processing
The AEPD's decision reveals that the high school unlawfully published health data and other information of more than 2000 teachers in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.
5641
Italy
Italian Data Protection Authority (Garante)
06/03/2020
EUR €
4,000
Liceo Artistico Statale di Napoli
Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR
Other
Insufficient legal basis for data processing
The AEPD's decision reveals that the high school unlawfully published health data and other information in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.
5642
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
09/03/2020
EUR €
870
Creditor
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Sending of SMS to a data subject as a reminder for a debt, even when the debt has already been paid.
5643
Poland
Polish National Personal Data Protection Office (UODO)
09/03/2020
EUR €
4,400
Vis Consulting Sp. z o.o.
Art. 31 GDPR, Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The company prevented an inspection by the data protection authority. As a result, the company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of the GDPR.
5644
Spain
Spanish Data Protection Authority (aepd)
09/03/2020
EUR €
15,000
Gesthotel Activos Balagares
Art. 5 (1) f) GDPR
Hospitality/Travel
Non-compliance with general data processing principles
The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read the contents of this letter in a meeting with other employees.
5645
Iceland
Icelandic data protection authority ('Persónuvernd')
10/03/2020
EUR €
9,000
Breiðholt Upper Secondary School
Art. 5 (1) f) GDPR, Art. 32 GDPR
Education/Training
Insufficient technical and organisational measures to ensure information security
In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions.
5646
Iceland
Icelandic data protection authority ('Persónuvernd')
10/03/2020
EUR €
20,600
National Center of Addiction Medicine ('SAA')
Art. 5 (1) f) GDPR, Art. 32 GDPR
Healthcare
Insufficient technical and organisational measures to ensure information security
Persónuvernd noted that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse.
5647
Denmark
Danish Data Protection Authority (Datatilsynet)
10/03/2020
EUR €
14,000
Gladsaxe Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Government/Military
Insufficient technical and organisational measures to ensure information security
A computer, containing personal data that was not protected by encryption, has been stolen, including sensitive information and personal identification numbers of 20,620 city residents.
5648
Denmark
Danish Data Protection Authority (Datatilsynet)
10/03/2020
EUR €
7,000
Hørsholm Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Government/Military
Insufficient technical and organisational measures to ensure information security
A city government employee had his work computer stolen, which contained the personal data of about 1,600 city government employees, including sensitive information and information about social security numbers.
5649
Sweden
Data Protection Authority of Sweden
11/03/2020
EUR €
7,000,000
Google LLC
Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR
Technology
Insufficient fulfilment of data subjects rights
The Swedish data protection authority has fined Google LLC €7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Datainspektionen had already completed a review in 2017 of the way in which Google deals with the right of individuals to have search results removed from Google's search engine and that Datainspektionen had instructed Google to remove a number of search results. In addition, data inspections stated that it had initiated a further review of Google's practices in 2018 after it received indications that several of the results that should have been removed still appeared in search results. Datainspektionen also objected to Google's current practice of informing web site owners about which results Google is removing from search results, specifically which link has been removed and who is behind the request for removal from the list, as this is without legal basis.
5650
Spain
Spanish Data Protection Authority (aepd)
12/03/2020
EUR €
2,000
Homeowners Association
Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR
Real Estate
Non-compliance with general data processing principles
Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance.
5651
Spain
Spanish Data Protection Authority (aepd)
16/03/2020
EUR €
6,000
Amalfi Servicios de Restauracion S.L.
Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR
Restaurant/Food Service
Non-compliance with general data processing principles
Video surveillance of public space and thus violation of the principle of data minimization. Furthermore: Violation of information obligations, as insufficient information has been provided about video surveillance.
5652
Spain
Spanish Data Protection Authority (aepd)
16/03/2020
EUR €
4,000
Private Person
Art. 5 GDPR, Art. 6 GDPR
Private Citizen
Insufficient legal basis for data processing
On a beach, a private person secretly photographed female bathers. The incident was reported to the AEPD by the local police.
5653
Spain
Spanish Data Protection Authority (aepd)
16/03/2020
EUR €
5,000
Centro De Estudio Dirigidos Delta, S.L.
Art. 5 (1) f) GDPR
Other
Non-compliance with general data processing principles
Centro De Estudio Dirigidos Delta sent a message containing personal data such as first and last name and ID numbers to a third party via WhatsApp without the consent of the data subjects. This constitutes a violation of the principles of integrity and confidentiality under Article 5(1)(f) GDPR.
5654
Spain
Spanish Data Protection Authority (aepd)
18/03/2020
EUR €
30,000
Telefónica
Art. 58 GDPR
Telecommunications
Insufficient cooperation with supervisory authority
Telefonica had failed to comply with decision TD / 00127/2019 of the Director of the AEPD, which states that it had to reply to data subjects' request for right of access and erasure of data.
5655
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
19/03/2020
EUR €
5,800
Unknown Company
Art. 6 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The data controller has not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that his data processing activities had been in compliance with data protection laws.
5656
Spain
Spanish Data Protection Authority (aepd)
19/03/2020
EUR €
6,000
Oliveros Ustrell, S.L.
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company forwarded an unsigned porting contract to the operator Vodafone. However, the data controller was unable to provide evidence of the order. For this reason, the personal data of the data subject has been processed without sufficient legal basis.
5657
Greece
Hellenic Data Protection Authority (HDPA)
20/03/2020
EUR €
8,000
Speech and Special Education Centre - Mihou Dimitra
Art. 15 GDPR, Art. 58 GDPR
Education/Training
Insufficient fulfilment of data subjects rights
The complainant had requested access to his child's data and to tax information. This request was rejected by the data controller. In addition, the data controller had violated an order of the data protection authority regarding access to the data. For this, a fine of EUR 8000 was imposed: EUR 3000 for not granting access to the data and EUR 5000 for violating orders of the data protection authority.
5658
Spain
Spanish Data Protection Authority (aepd)
25/03/2020
EUR €
5,000
Xfera Moviles S.A.
Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The company did not provide the data protection authority with the requested information in a timely manner. The AEPD's request was preceded by a request from a data subject for access to its personal data.
5659
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2020
EUR €
3,000
Dante International
Art. 6 GDPR, Art. 21 GDPR
Other
Insufficient legal basis for data processing
The company has sent a commercial e-mail to a client though the client had previously unsubscribed from commercial communications.
5660
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2020
EUR €
4,150
Vodafone Romania
Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The company has sent an email to a customer which contained personal data of another customer due to inadequate technical and organisational measures to ensure information security.
5661
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2020
EUR €
3,000
Enel Energie
Art. 32 GDPR
Energy/Utilities
Insufficient technical and organisational measures to ensure information security
The company has sent an email to a client which contained personal data of another client since the company failed to implement adequate technical and organisational measures to ensure an adequate level of information security.
5662
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
25/03/2020
EUR €
2,000
SOS Infertility Association
Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The Association did not provide the data protection authority with the information requested by the latter after the Association had processed personal data without a sufficient legal basis.
5663
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
26/03/2020
EUR €
2,890
Bank
Art. 5 GDPR, Art. 6 GDPR
Banking/Mortgage
Insufficient legal basis for data processing
Due to an administrative error, the personal data of the data subject were registered and transferred to the Central Credit Information System (CCI) in connection with a loan agreement, without the data subject being a party to the agreement.
5664
Bulgaria
Data Protection Commision of Bulgaria (KZLD)
14/04/2020
EUR €
2,000
Political Party
Art. 6 GDPR
Other
Insufficient legal basis for data processing
Forging signatures on a voters' list.
5665
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
23/04/2020
EUR €
3,000
Telekom Romania Communications SA
Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The company had not taken sufficient technical and organizational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjects
5666
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
23/04/2020
EUR €
3,000
Estee Lauder Romania
Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR
Other
Insufficient legal basis for data processing
Processing of personal data without sufficient legal basis including health data.
5667
Belgium
Belgian Data Protection Authority (APD)
28/04/2020
EUR €
50,000
Proximus SA
Art. 31 GDPR, Art. 58 GDPR, Art. 37 GDPR
Other
Lack of appointment of data protection officer
According to the data protection authority, the company's data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not able to work independently.
5668
Sweden
Data Protection Authority of Sweden
29/04/2020
EUR €
18,700
National Government Service Centre (NGSC)
Art. 33 GDPR, Art. 34 GDPR
Government/Military
Insufficient fulfilment of data breach notification obligations
The DPA's decision shows that it took almost five months for the company to notify the data subjects of a data breach and almost three months for the DPA to receive a notification of a data breach concerning an security lack of IT systems of the company.
5669
Estonia
Estonian Data Protection Authority (aepd)
30/04/2020
EUR €
500
Housing Association
Art. 6 GDPR
Other
Insufficient legal basis for data processing
Fine of EUR 500 against a housing association for publishing photos showing members of the association without their consent.
5670
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
30/04/2020
EUR €
725,000
Unknown Organisation
Art. 5 GDPR, Art. 9 GDPR
Other
Insufficient legal basis for data processing
The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing.
5671
Norway
Norwegian Supervisory Authority (Datatilsynet)
03/05/2020
EUR €
134,000
Telenor Norge AS
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
Fines for security breaches in a voice mailbox function.
5672
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
05/05/2020
EUR €
5,000
Banca Comercială Română SA
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
The data protection authority finds that the company has not taken adequate technical and organisational measures to ensure an adequate level of information security. This applies in particular to the collection and transmission of copies of customers' identification documents via WhatsApp.
5673
Sweden
Data Protection Authority of Sweden
12/05/2020
EUR €
11,200
Health and Medical Board of the Region of Örebro County
Art. 5 GDPR, Art. 6 GDPR
Healthcare
Insufficient legal basis for data processing
Publication of personal data of a patient without sufficient legal basis.
5674
Belgium
Belgian Data Protection Authority (APD)
14/05/2020
EUR €
50,000
Social Media Provider
Art. 6 GDPR
Technology
Insufficient legal basis for data processing
The company has sent invitations to contacts uploaded by its users without their consent or any other legal basis.
5675
Denmark
Danish Data Protection Authority (Datatilsynet)
15/05/2020
EUR €
6,700
JobTeam A/S DKK
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The company has deleted personal data affected by a request for access without legal reason.
5676
Ireland
Data Protection Authority of Ireland
17/05/2020
EUR €
75,000
Tusla Child and Family Agency
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company has erroneously disclosed personal data, including information about children, to unauthorized persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged offender, and in two other cases, data about children in foster care were improperly disclosed to blood relatives, including in one case to a father in prison.
5677
Norway
Norwegian Supervisory Authority (Datatilsynet)
19/05/2020
EUR €
283,000
Bergen Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Government/Military
Insufficient technical and organisational measures to ensure information security
Fine due to several security shortcomings and non-compliance with general data processing principles in a module for communication between schools and parents.
5678
Finland
Deputy Data Protection Ombudsman
22/05/2020
EUR €
12,500
Unknown Company
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Processing of employee data without sufficient legal basis.
5679
Finland
Deputy Data Protection Ombudsman
22/05/2020
EUR €
16,000
Kymen Vesi Oy
Art. 35 GDPR
Other
Non-compliance with general data processing principles
Fine for failure to carry out a data protection impact assessment ("DPIA") for the processing of location data of employees with a vehicle information system
5680
Finland
Deputy Data Protection Ombudsman
29/05/2020
EUR €
72,000
Taksi Helsinki
Art. 5 GDPR, Art. 6 GDPR, Art. 35 GDPR
Other
Non-compliance with general data processing principles
Among other things, the company had not assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in its taxis and had also failed to conduct data protection impact assessments of its processing activities, including the surveillance of security cameras, the processing of location data, automated decision making and profiling as part of its loyalty program. Furthermore, the processing of audio data was not in line with the GDPR principle of data minimization.
5681
Belgium
Belgian Data Protection Authority (APD)
29/05/2020
EUR €
1,000
Non-profit organisation
Art. 6 GDPR, Art. 21 GDPR
Non-Profit/Volunteer
Insufficient fulfilment of data subjects rights
The Belgian data protection authority has imposed a fine of EUR 1000 on a non-profit organisation for sending out direct marketing messages, despite the fact that data subjects had exercised their right to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the explicit consent of the data subjects. The data protection authority, however, denied the existence of any outweighing of legitimate interests.
5682
Spain
Spanish Data Protection Authority (aepd)
04/06/2020
EUR €
4,000
Iberdrola Clientes
Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The company was asked to provide the AEPD with specific information in relation to a complaint. However, the company had not replied to the data protection authorities request for information within a certain time frame, in breach of Art. 58 of the GDPR.
5683
Belgium
Belgian Data Protection Authority (APD)
08/06/2020
EUR €
5,000
Municipal employee
Art. 5 GDPR, Art. 6 GDPR
Government/Military
Insufficient legal basis for data processing
In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access.
5684
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
2,000
Property Owner
Art. 5 (1) c) GDPR
Other
Non-compliance with general data processing principles
Usage of CCTV camera which also captured the public roads outside in a violation of the so called principle of data minimisation.
5685
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
2,000
Attorney
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
In the course of proceedings, an attorney submitted documents whose backs contained personal data of other parties.
5686
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
3,000
Salad Market S.L. (Catering Company)
Art. 13 GDPR, Art. 14 GDPR
Restaurant/Food Service
Insufficient fulfilment of information obligations
Fines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website.
5687
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
40,000
TELEFONICA MOVILES ESPAÑA, S.A.U.
Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
A sales representative failed to carefully check the identity of a claimant so that he could appear in the name of the data subject and order a telephone connection for four telephone lines in his name.
5688
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
25,000
Glovoapp23
Art. 37 GDPR
Technology
Lack of appointment of data protection officer
The company had not appointed a Data Protection Officer ('DPO') to whom requests from data subjects could be addressed, and the company's website did not contain information about an appointed DPO.
5689
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
39,000
Xfera Moviles S.A.
Art. 5 (1) f) GDPR
Telecommunications
Insufficient legal basis for data processing
A customer claimed to have received an SMS from Xfera Móviles informing about the non-payment and the resulting suspension of the service in relation to the account of another data subject.
5690
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
75,000
Equifax Iberica, S.L.
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The Data Subject has requested by e-mail the deletion of his data from the file of the National Association of Financial Credit Institutions ("ASNEF"). Equifax Iberica had replied that the exercise of the complainant's right was excessive due to an earlier request and that therefore the deletion would not be carried out. This was seen as a breach of data subjects rights for erasure under the GDPR as well as a breach of blocking obligations under national data protection laws.
5691
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
1,000
Property Owner
Art. 5 (1) c) GDPR
Other
Non-compliance with general data processing principles
Usage of CCTV camera which also captured the public roads outside in a violation of the so called principle of data minimisation.
5692
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
540
Chenming Ye (Bazar Real)
Art. 13 GDPR, Art. 14 GDPR
Other
nsufficient fulfilment of information obligations
Usage of CCTV camera in a shop without proper information.
5693
Spain
Spanish Data Protection Authority (aepd)
09/06/2020
EUR €
5,000
Consulting de Seguridad e Investigacion Mira Dp Madrid S.L.
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
A data subject has received marketing messages without having consented.
5694
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
11/06/2020
EUR €
3,000
Telekom Romania
Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
Inadequate security measures of the company had led to unlawful processing of personal data without verifying their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 of the GDPR, and the introduction of effective mechanisms to identify and protect data from unauthorised disclosure and unlawful processing is ordered to ensure compliance with the GDPR.
5695
Hungary
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
12/06/2020
EUR €
288,000
Digi Távközlési Szolgáltató Kft. ("Digi") (electronic communication service provider)
Art. 5 (1) b), (e) GDPR, Art. 32 (1), (2) GDPR
Other
Insufficient technical and organisational measures to ensure information security
The company had infringed the principles of purpose limitation and storage restriction because its database contained a large amount of customer data which were no longer relevant for the actual purpose of collection and for which no retention period had been set. Furthermore, the NAIH pointed out that the defendant had not taken proportionate measures to reduce the risks in the area of data management and data security, arguing, inter alia, that it had not used encryption mechanisms.
5696
Spain
Spanish Data Protection Authority (aepd)
15/06/2020
EUR €
75,000
Xfera Moviles S.A.
Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The data subject received a notice from a debt collection company demanding payments in connection with Xfera Móviles' services, even though the claimant had not been a customer of Xfera Móviles since September 2017. Furthermore, the resolution states that Xfera Móviles carried out the processing of the personal data of the plaintiff without his consent, which constitutes a violation of Article 6 of the GDPR.
5697
Belgium
Belgian Data Protection Authority (APD)
16/06/2020
EUR €
1,000
Unknown
Art. 17 GDPR, Art. 21 GDPR, Art. 31 GDPR
Other
Insufficient fulfilment of data subjects rights
The data subject repeatedly received e-mails with advertising content from a company, although the data subject had objected to the processing of his personal data and requested the deletion of his data. In addition, the company did not respond to any inquiries from the data protection authority in this regard.
5698
Sweden
Data Protection Authority of Sweden
16/06/2020
EUR €
1,900
Housing Association
Art. 5 GDPR, Art. 6 GDPR
Hospitality/Travel
Non-compliance with general data processing principles
Unlawful usage of surveillance cameras. In the decision, the data protection authority stressed that sound recordings have additional privacy implications, especially in a residential building, and that in this case there is nothing to justify sound recording. In addition, the decision orders the housing association to stop the cameras recording staircases and entrances, to stop sound recording and to improve the information on camera surveillance.
Non-compliance with general data processing principles
Illegal use of CCTV cameras (recording of third parties) and insufficient fulfilment of information obligations.
5700
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
18/06/2020
EUR €
4,000
Enel Energie
Art. 32 GDPR
Energy/Utilities
Insufficient technical and organisational measures to ensure information security
Failure to take adequate measures to prevent unauthorised disclosure of personal data. The fine was preceded by a complaint about the disclosure of personal data of the data subject to another customer by e-mail.
5701
Spain
Spanish Data Protection Authority (aepd)
19/06/2020
EUR €
6,000
National Police Brigade
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Making copies of a company's business records in the context of investigations which contained data from third parties and for which there was no legal basis for processing.
5702
Norway
Norwegian Supervisory Authority (Datatilsynet)
19/06/2020
EUR €
28,000
Aquateknikk AS
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Request for data from a credit agency without legal basis.
5703
Belgium
Belgian Data Protection Authority (APD)
19/06/2020
EUR €
10,000
Unknown
Art. 5 GDPR, Art. 6 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
The company sent an e-mail to the person concerned without his consent. Thereupon the person concerned requested timely information about the entries in the database concerning his person, which remained unanswered.
5704
Norway
Norwegian Supervisory Authority (Datatilsynet)
22/06/2020
EUR €
112,000
Østfold HF Hospital
Art. 32 GDPR
Healthcare
Insufficient technical and organisational measures to ensure information security
It was found that Østfold HF Hospital had stored patient data, including sensitive data such as the reason for hospitalisation, during the period 2013-2019 without controlling access to the folders where the data was stored. Datatilsynet therefore decided that the hospital had not taken sufficient technical and organisational measures to protect personal data and was therefore in breach of the GDPR and the Patient Records Act.
Non-compliance with general data processing principles
Illegal use of CCTV cameras due to coverage of public space and recording of passing pedestrians. Furthermore, insufficient fulfilment of information obligations.
5706
Spain
Spanish Data Protection Authority (aepd)
23/06/2020
EUR €
7,500
Miraclia (telecommunications company)
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The recording of telephone jokes via an app constitutes processing of personal data in accordance with the applicable data protection law, as the voices of individuals may constitute personal data if they are associated with other information, such as the telephone number. The consent of the users at the end of the conversation was not sufficient in this case.
5707
Isle of Man
Information Commissioner of Isle of Man
25/06/2020
EUR €
13,500
Department of Home Affairs
Art. 12 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man has declared the GDPR - although it is not an EU state - to be applicable.
5708
Greece
Hellenic Data Protection Authority (HDPA)
29/06/2020
EUR €
5,000
New York College S.A.
Art. 5 GDPR
Education/Training
Non-compliance with general data processing principles
The College had contacted the complainant directly by telephone with regard to an educational programme and had processed personal data in a non-transparent manner.
5709
Ireland
Data Protection Authority of Ireland
30/06/2020
EUR €
40,000
Tusla Child and Family Agency
Art. 33 GDPR
Other
Insufficient fulfilment of data breach notification obligations
The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks.
Non-compliance with general data processing principles
The data protection authority had found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings with particularly sensitive and sensitive personal data, including on citizens under 18 years of age, to the Lejre Municipal Personnel Portal, which was accessible to employees of the Lejre Municipality, regardless of whether the employees in question were working with these cases. In addition, the data protection authority denied the failure to comply with the obligation to inform the persons concerned of the data breach.
Insufficient technical and organisational measures to ensure information security
From 2015 to 2019, AOK Baden-Württemberg (insurance organization) organized competitions on various occasions and collected personal data of the participants, including their contact details and health insurance affiliation. The AOK also wanted to use this data for advertising purposes, provided the participants had given their consent. With the help of technical and organizational measures, including internal guidelines and data protection training, the AOK wanted to ensure that only data of those contest participants who had previously given their effective consent would be used for advertising purposes. However, the measures defined by the AOK did not meet the legal requirements. As a result, the personal data of more than 500 lottery participants were used for advertising purposes without their consent. Immediately after this became known, the AOK Baden-Württemberg stopped all marketing measures in order to thoroughly examine all processes.
Insufficient fulfilment of data subjects rights
Mapei failed to respond to the request for access to personal data of the data subject. In addition, Mapei had left the e-mail account of the person concerned active even after the termination of the contract.
5713
Spain
Spanish Data Protection Authority (aepd)
02/07/2020
EUR €
5,000
Xfera Moviles S.A.
Art. 31 GDPR, Art. 58 GDPR
Telecommunications
Insufficient cooperation with supervisory authority
The company had not cooperated sufficiently with the data protection authority.
5714
Spain
Spanish Data Protection Authority (aepd)
02/07/2020
EUR €
3,600
Saunier-Tec Mantenimientos de Calor y Frio, SL.
Art. 33 GDPR
Other
Insufficient fulfilment of data breach notification obligations
Although the company had taken steps to remedy a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment.
5715
Norway
Norwegian Supervisory Authority (Datatilsynet)
02/07/2020
EUR €
28,000
Odin Flissenter AS
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company assessed the credibility of another company and thereby, according to Datatilsynet, processed personal data relating to a natural person (the owner of the company assessed) without there being a sufficient legal basis for doing so.
5716
Spain
Spanish Data Protection Authority (aepd)
02/07/2020
EUR €
4,000
De Vere Spain S.L.
Art. 21 GDPR
Other
Insufficient fulfilment of data subjects rights
The company did not respond to the data subject's request to stop processing his or her data, and therefore data subject continued to receive commercial calls.
5717
Spain
Spanish Data Protection Authority (aepd)
02/07/2020
EUR €
24,000
Iberdrola Clientes
Art. 5 GDPR
Other
Non-compliance with general data processing principles
A third person had received an electricity bill with personal details such as name, address and bank account of another customer. The reason for this was that Iberdola Clientes was not able to guarantee adequate security measures in the processing of the personal data of the data subject, in violation of the principles of data integrity and confidentiality. The fine of €40,000 has been reduced to €24,000 due to voluntary payment.
5718
Netherlands
Dutch Supervisory Authority for Data Protection (AP)
06/07/2020
EUR €
830,000
Bureau Krediet Registration ('BKR')
Art. 12 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
BKR had required the payment of a fee when individuals requested access to their personal data and only provided access to their data once a year free of charge by post.
5719
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
09/07/2020
EUR €
15,000
Proleasing Motors SRL
Art. 32 GDPR
Automotive
Insufficient technical and organisational measures to ensure information security
The company had failed to take adequate technical and organisational measures to ensure data security, which led to the publication on Facebook of a document containing a password for access to personal data of 436 customers.
5720
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
55,000
Xfera Moviles S.A.
Art. 5 GDPR, Art. 32 GDPR
Telecommunications
Insufficient technical and organisational measures to ensure information security
The company had changed a contract for a mobile phone connection to a new owner, whereby the personal data of a data subject such as his address and telephone numbers were freely accessible. This constituted a violation of the principles of confidentiality and integrity.
5721
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
5,000
School Fitness Holiday & Franchising S.L.
Art. 5 GDPR
Education/Training
Non-compliance with general data processing principles
Breach of transparency principle. No further information available at the moment.
5722
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
5,000
Global Business Travel Spain SLU
Art. 32 GDPR
Hospitality/Travel
Insufficient technical and organisational measures to ensure information security
The fine was preceded by an employee's access to health data of a person concerned. In the course of its investigations, the Data Protection Authority found that Global Business Travel Spain, as data controller, had infringed Article 32(2) and (4) of the GDPR by failing to take adequate technical and organisational measures to protect the data from unauthorised disclosure.
5723
Spain
Spanish Data Protection Authority (aepd)
10/09/2020
EUR €
12,000
Vodafone España, SAU
Art. 5 GDPR
Telecommunications
Non-compliance with general data processing principles
Fines for violation of Art. 5 (1) d) GDPR for changing the customer's master data into the name of a third party, the ex-spouse of the customer.
5724
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
1,000
Centro Internacional De Crecimiento Laboral Y Profesional S.L.
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Sending commercial messages without consent and without the possibility to object.
5725
Spain
Spanish Data Protection Authority (aepd)
10/07/2020
EUR €
1,500
Auto Desguaces Iglesias S.L.
Art. 5 GDPR
Other
Non-compliance with general data processing principles
The company had installed surveillance cameras that recorded the public road and therefore violated the principle of data minimization.
5726
Norway
Norwegian Supervisory Authority (Datatilsynet)
10/07/2020
EUR €
46,660
Municipality of Rælingen
Art. 32 GDPR, Art. 35 GDPR
Government/Military
Insufficient technical and organisational measures to ensure information security
Fine for the processing of children's health data in connection with disability through the digital learning platform "Showbie". The Municipality had failed to carry out a Data Protection Impact Assessment ("DPIA") in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") prior to the start of the processing and had not taken adequate technical and organisational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorised access to the personal data of the pupils.
5727
Poland
Polish National Personal Data Protection Office (UODO)
10/07/2020
EUR €
3,400
East Power Sp. z o.o.
Art. 31 GDPR, Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
After three subpoenas to East Power, in which the latter failed to provide sufficient explanations on a direct marketing complaint, the data protection authority found that East Power had deliberately obstructed the course of the procedure or at least failed to comply with its obligations to cooperate with the supervisory authority.
5728
Italy
Italian Data Protection Authority (Garante)
13/07/2020
EUR €
800,000
Iliad Italia S.p.A.
Art. 5 GDPR, Art. 25 GDPR
Other
Non-compliance with general data processing principles
The fine relates to data protection infringements concerning the processing of customer data for the activation of SIM cards and the manner in which payment data was recorded. In addition, the data protection authority stated that the company had violated the principles of lawfulness, fairness and transparency as well as the integrity and confidentiality with regard to the processing of personal data for direct marketing purposes and the storage of customer data in the personal area of its website.
Insufficient legal basis for data processing
Fines for several unlawful data processing activities relating to direct marketing. Hundreds of data subjects claimed to have received unsolicited communications sent without their prior consent by SMS, e-mail, telephone calls and automated calls. The data subjects were not able to exercise their right to withdraw their consent and object to processing for direct marketing purposes because the information contained in the Data Protection Policy was incomplete in relation to the contact details. Furthermore, the data protection authority stated that the data of the data subjects were published on public telephone lists despite their objection. In addition, several apps distributed by the company were set up in such a way that the user had to give his consent to various processing activities each time he accessed them, with the possibility of withdrawing consent given only after 24 hours.
Insufficient legal basis for data processing
The company had carried out telemarketing activities on behalf of Wind Tre S.p.A. through a third party provider as data processor without sufficient legal basis fpr data processing (Art. 5-7 GDPR) and without sufficient contractual agreements (Art. 28, 29 GDPR) with the third party provider.
5731
Belgium
Belgian Data Protection Authority (APD)
14/07/2020
EUR €
5,000
Operator of CCTV of a residential building
Art. 6 GDPR, Art. 7 GDPR
Other
Insufficient legal basis for data processing
The operator of video cameras on a residential property had installed cameras there to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts.
Insufficient fulfilment of data subjects rights
The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, 600,000 euros. The reasons for the fine were the rejection of an application by a data subject for dereferencing outdated articles that the data subject had considered to be damaging to its reputation, and lack of transparency in Google's form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences for the data subjects, and natural persons were therefore entitled to have articles deleted/dereferenced. This also applies to persons who hold political office, even though these offices are generally less worthy of protection due to their public status and articles relating to political persons may therefore be stored for a longer period of time. Google's rejection of the application was therefore in breach of Article 17 of the GDPR (fine for this breach: €500,000). In addition, a further €100,000 was imposed for breach of the principle of transparency, as Google's rejection of the request for deletion was not sufficiently justified
5733
Poland
Polish National Personal Data Protection Office (UODO)
17/07/2020
EUR €
22,300
Office for geodesy and cartography
Art. 31 GDPR, Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
Refusal of access to the premises by the supervisory authority in the course of an audit.
5734
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
70,000
Xfera Moviles S.A.
Art. 5 GDPR
Telecommunications
Non-compliance with general data processing principles
A data subject had received a call from another Xfera Móviles customer who stated that the company had charged his bank account with an invoice, disclosing the personal details of the other data subject. This was due to an error on the part of Xfera Móviles and was therefore a violation of the principles of integrity and confidentiality.
5735
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
80,000
Orange Espagne S.A.U
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The company had unlawfully activated several telephone line contracts using the personal data of a data subject. This constituted an unlawful processing operation, since the data of the data subject was entered into the company's database and processed there without a legitimate legal basis.
5736
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
1,500
Comercial Vigobrandy, SL
Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR
Other
Insufficient fulfilment of information obligations
Installation of CCTV surveillance without adequate information by using a sign
5737
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
40,000
Iberia Lae SA Operadora Unipersonal
Art. 58 GDPR
Other
Insufficient cooperation with supervisory authority
The company did not grant the data subject access to telephone records. The applicant's request for access did not receive a reply, despite the prior order of the AEPD.
5738
Spain
Spanish Data Protection Authority (aepd)
20/07/2020
EUR €
24,000
Banco Bilbao Vizcaya Argentaria, SA
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
BBVA had no legitimate basis for processing the data of the data subject and had therefore infringed Article 6(1) of the GDPR, since the company processed solvency and credit information files without a prior contractual relationship with the data subject.
5739
Spain
El Real Sporting de Gijón S.A.D.
23/07/2020
EUR €
5,000
El Real Sporting de Gijón S.A.D.
Art. 6 GDPR, Art. 7 GDPR
Sport/Recreation
Insufficient legal basis for data processing
Fines for sending direct marketing communications without sufficient consent, as the form Real Sporting de Gijón submitted to club members did not comply with the GDPR (opt-out instead of opt-in).
5740
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
5,000
Xfera Moviles S.A.
Art. 58 GDPR
Telecommunications
Insufficient cooperation with supervisory authority
Following a complaint, Xfera Móviles was requested by the AEPD to submit certain information and documents, but did not do so within the provided time limit.
5741
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
75,000
Telefónica Móviles España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The company had carried out the number porting of his telephone line from his current company without his consent. Personal data was transferred from the former telephone operator to Telefónica Móviles España in order to change the ownership of the telephone line without sufficient legal basis.
5742
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
70,000
Telefónica Móviles España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The data subject's account was debited for two telephone lines that he had never ordered or approved. This constituted unlawful processing of personal data, since the data subject's information was stored in the information systems of Telefónica Móviles España without a legal basis for invoicing.
5743
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
55,000
Telefónica Móviles España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
Telefónica Móviles España has processed the personal data of a data subject, such as first and last name and bank details, in order to activate three telephone lines that were never requested. This constitutes a breach of the principle of lawfulness of the processing.
5744
Spain
Spanish Data Protection Authority (aepd)
23/07/2020
EUR €
10,000
El Periódico de Catalunya, S.L.U.
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Following a request for erasure addressed to the company, the data subject received another newsletter from the newspaper, although El Periódico de Catalunya claimed to have granted the request. This was due to a failure of an external service provider of the company.
5745
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
27/07/2020
EUR €
5,000
SC Cntar Tarom SA
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
Unauthorised disclosure of the data of five Tarom passengers due to inadequate technical and organisational measures for secure data processing. Among other things, the company was required to take corrective action, including training its employees and conducting risk assessment procedures.
5746
Belgium
Belgian Data Protection Authority (APD)
28/07/2020
EUR €
3,000
Communal political association
Art. 5 GDPR, Art. 6 GDPR, Art. 14 GDPR
Other
Insufficient legal basis for data processing
A local political association has sent out election advertisements to the residents of the municipality for the local elections in 2018. For this purpose, the association used the electoral roll from 2012 and compared it with that of 2018, without a sufficient legal basis and without appropriate information in accordance with Art. 14 GDPR.
5747
Denmark
Danish Data Protection Authority (Datatilsynet)
28/07/2020
EUR €
147,800
Arp Hansen Hotel Group A/S
Art. 5 (1) e) GDPR
Hospitality/Travel
Non-compliance with general data processing principles
During an inspection, the supervisory authority reviewed a number of IT systems to examine whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not kept longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself.
5748
Italy
Italian Data Protection Authority (Garante)
29/07/2020
EUR €
4,000
Region of Campania
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Publication of an enforcement order in civil proceedings on the Region's website. The document listed the names and place of residence and the amount of the claim.
5749
Italy
Italian Data Protection Authority (Garante)
29/07/2020
EUR €
3,000
Community of San Giorgio Jonico
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Publication of personal data on the municipal website with regard to legal proceedings.
5750
Italy
Italian Data Protection Authority (Garante)
30/07/2020
EUR €
2,000
Community of Manduria
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The community transmitted personal data of a community employee to the press without sufficient legal basis.
5751
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
30/07/2020
EUR €
2,000
Romanian Post National Company
Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
Processing of personal data, namely the telephone numbers and e-mail addresses of 81 data subjects, by the Romanian Post as data controller, failing appropriate technical and organisational measures, such as pseudonymisation.
5752
Romania
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
30/07/2020
EUR €
2,000
SC Viva Credit IFN SA
Art. 17 GDPR
Banking/Mortgage
Insufficient fulfilment of data subjects rights
The company had not informed the data subject within one month (or up to three months if a reason for the delay is given) of the measures taken following the request for deletion of data.
5753
Spain
Spanish Data Protection Authority (aepd)
31/07/2020
EUR €
1,500
Tour & People Max S.L.
Art. 21 GDPR
Other
Insufficient fulfilment of data subjects rights
Unsolicited marketing calls though data subjects had expressed their objection to data processing. In addition to the GDPR, this was also seen as a violation of Article 48(1)(b) of General Law 9/2014 (Spanish national law).
5754
Spain
Spanish Data Protection Authority (aepd)
31/07/2020
EUR €
45,000
Vodafone España SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
Unlawfull processing of a telephone number for marketing purposes even after the data subject had exercised its right to erasure
5755
Italy
Italian Data Protection Authority (Garante)
04/08/2020
EUR €
1,000
Supermarket
Art. 5 GDPR, Art. 6 GDPR
Customer Service
Insufficient legal basis for data processing
The operator of a supermarket displayed the letter of dismissal to the personnel manager on the publicly visible notice board of the supermarket.
5756
Italy
Italian Data Protection Authority (Garante)
04/08/2020
EUR €
5,000
National Institute for Social Security - Department of the Province of Brescia
Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
Failure to graint access to personal health data of a data subject according to Art. 15 GDPR.
Insufficient legal basis for data processing
The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. In addition, the company did not react to claims for access and erasure.
5758
Spain
Spanish Data Protection Authority (aepd)
04/08/2020
EUR €
60,000
Vodafone España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
The data subject received confirmation from Vodafone of a number porting, which the latter had never commissioned.
5759
Denmark
Danish Data Protection Authority (Datatilsynet)
04/08/2020
EUR €
20,100
PrivatBo A.M.B.A.
Art. 5 GDPR, Art. 32 GDPR
Other
Insufficient technical and organisational measures to ensure information security
The company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the real estate objects in question but also personal data of other persons such as lease agreements and other documents containing confidential personal data.
5760
Italy
Italian Data Protection Authority (Garante)
05/08/2020
EUR €
2,000
School
Art. 5 GDPR, Art. 6 GDPR
Education/Training
Insufficient legal basis for data processing
Placing personal data of pupils on a public notice board.
5761
Austria
Austrian Data Protection Authority (dsb)
05/08/2020
EUR €
100
Bank
Art. 5 GDPR, Art. 6 GDPR
Banking/Mortgage
Insufficient legal basis for data processing
A bank employee made a copy of the identity card of a bank client who wanted to exchange EUR 100 in foreign currency and justified this with money laundering charges. However, these only apply to a sum of EUR 1000 and above.
5762
Spain
Spanish Data Protection Authority (aepd)
05/08/2020
EUR €
3,000
Restaurant
Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR
Restaurant/Food Service
Non-compliance with general data processing principles
Installation of CCTV surveillance cameras that were also monitoring the public space and without proper information.
5763
Finland
Deputy Data Protection Ombudsman
05/08/2020
EUR €
7,000
Acc Consulting Varsinais-Suomi
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Unsolicited marketing SMS without prior consent
5764
France
French Data Protection Authority (CNIL)
05/08/2020
EUR €
250,000
Spartoo
Art. 5 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR
Retail
Non-compliance with general data processing principles
A fine of EUR 250000 was imposed on the online retailer Spartoo. The reason for this was that the company, which has its headquarters in France but supplies a large number of European countries, fully recorded all telephone hotline conversations (including personal data such as address and bank details of orders) and in addition stored bank details partially unencrypted. Among other things, this represents a violation of the principle of data minimization. Furthermore, the supervisory authority also found a violation of the information obligations according to Art. 13 GDPR, as the company's data protection information was partially incorrect.
5765
Spain
Spanish Data Protection Authority (aepd)
06/08/2020
EUR €
3,000
Just Landed S.L.
Art. 13 GDPR
Other
Insufficient fulfilment of information obligations
Just Landed was fined with EUR 3000 for insufficient cookie information according to national data protection laws and at the same time warned due to insufficient fulfilment of information obligations according to Art. 13 GDPR (privacy policy only in English language).
5766
Italy
Italian Data Protection Authority (Garante)
06/08/2020
EUR €
3,000
GTL S.R.L.
Art. 12 GDPR, Art. 15 GDPR
Other
Insufficient fulfilment of data subjects rights
Failure to graint access to personal data of a data subject according to Art. 15 GDPR.
5767
Spain
Spanish Data Protection Authority (aepd)
06/08/2020
EUR €
3,000
GROW BEATS SL
Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR
Other
Insufficient fulfilment of information obligations
The company had published a cookie policy on its website, which on the one hand contained no information about the purpose of the use of cookies and on the other hand no information about the properties of the installed cookies and the time period for which they remain active in the end user's terminal equipment.
5768
Italy
Italian Data Protection Authority (Garante)
10/08/2020
EUR €
10,000
Community of Baronissi
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
The community published on its website personal data of data subjects including names, birth dates, place of birth, place of residence, etc.
5769
Italy
Italian Data Protection Authority (Garante)
10/08/2020
EUR €
10,000
Cavauto S.R.L.
Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR
Other
Insufficient legal basis for data processing
Access to personal data of a former employee (containing his browser history) on his work computer.
5770
Estonia
Estonian Data Protection Authority (aepd)
17/08/2020
EUR €
48
Police Officer
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Acess to personal data in a police database for private research activities.
5771
Spain
Spanish Data Protection Authority (aepd)
17/08/2020
EUR €
5,000
Party of the Socialists of Catalonia
Art. 5 (1) b) GDPR
Other
Non-compliance with general data processing principles
The Socialist Party of Catalonia has used the personal data provided by a professional doctor to send a letter to the complainant's relative asking for political support. This constitutes a different purpose from the original purpose of the collection and therefore violates the principle of purpose limitation.
5772
Spain
Spanish Data Protection Authority (aepd)
28/08/2020
EUR €
5,000
Basketball Federation of Castilla and Leon
Art. 5 GDPR, Art. 6 GDPR
Sport/Recreation
Insufficient legal basis for data processing
The Basketball Association transmitted personal data to third parties, which were subsequently published on the Internet without consent of the data subjects. In addition, the data protection authority found that the Basketball Federation also disclosed personal data to a newspaper, violating - in addition - the principle of integrity and confidentiality (Art. 5 (1) f) GDPR).
5773
Spain
Spanish Data Protection Authority (aepd)
28/08/2020
EUR €
50,000
Bankia S.A.
Art. 5 (1) b) GDPR
Banking/Mortgage
Non-compliance with general data processing principles
The bank kept personal data of a data subject for several years, even after the data subject was no longer a customer. The data was also accessible to bank employees during this time. This constituted a violation of the principle of purpose limitation.
5774
Poland
Polish National Personal Data Protection Office (UODO)
31/08/2020
EUR €
22,700
Surveyor General of Poland ('GKK')
Art. 5 GDPR, Art. 6 GDPR
Other
Insufficient legal basis for data processing
Processing of personal data on the GEOPORTAL2 platform in the form of land and mortgage registers (including names, surnames and other personal data) without sufficient legal basis.
5775
Spain
Spanish Data Protection Authority (aepd)
01/09/2020
EUR €
75,000
Telefónica Móviles España, SAU
Art. 5 GDPR, Art. 6 GDPR
Telecommunications
Insufficient legal basis for data processing
According to the supervisory authority, the company processed personal data without sufficient legal basis, with the result that the data subject received several hundred unsolicited calls and SMS messages.
5776
Spain
Spanish Data Protection Authority (aepd)
07/09/2020
EUR €
3,000
Barcelona Airport Security Guard Association ('AVSAB')
Art. 5 (1) f) GDPR
Other
Non-compliance with general data processing principles
A member of the AVSAB security committee used WhatsApp to send messages to private phone numbers containing personal information about employees. This was a violation of the confidentiality principle that, according to the AEPD, must be respected not only by the data controller, but also by any other subject involved in any phase of the processing.
5777
Sweden
Swedish Data Protection Authority
11/12/2020
EUR €
54,000
Umeå University
Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR
Education/Training
Insufficient technical and organisational measures to ensure information security
5789
Spain
Spanish Data Protection Authority (aepd)
11/12/2020
EUR €
5,000,000
Banco Bilbao Vizcaya Argentaria, S.A.
Art. 6 GDPR, Art. 13 GDPR
Banking/Mortgage
Insufficient fulfilment of information obligations
5790
Poland
Polish National Personal Data Protection Office (UODO)
Insufficient technical and organisational measures to ensure information security
6067
Austria
Austrian Data Protection Authority
02/08/2021
EUR €
2,000,000
Unser Ö-Bonus Club GmbH
Art. 6 GDPR, Art. 7 GDPR, Art. 12 GPDR
Other
Insufficient legal basis for data processing
6068
Spain
Spanish Data Protection Authority (aepd)
03/08/2021
EUR €
96,000
Vodafone España, S.A.U.
Art. 6 (1) GDPR, Art. 17 GDPR
Telecommunications
Insufficient legal basis for data processing
6069
Spain
Spanish Data Protection Authority (aepd)
05/08/2021
EUR €
3,000
Private Individual
Art. 5 (1) c) GDPR
Other
Non-compliance with general data processing principles
6070
Spain
Spanish Data Protection Authority (aepd)
05/08/2021
EUR €
6,000
Future Vinline S.L.
Art. 13 GDPR
Customer Service
Insufficient fulfilment of information obligations
6071
Spain
Spanish Data Protection Authority (aepd)
09/08/2021
EUR €
1,000
BAZTANDIS, S.L.
Art. 13 GDPR
Customer Service
Insufficient fulfilment of information obligations
6072
Spain
Spanish Data Protection Authority (aepd)
09/08/2021
EUR €
5,000
CLUB GIMNASIA RÍTMICA SAN ANTONIO
Art. 6 GDPR
Sport/Recreation
Insufficient legal basis for data processing
6073
Spain
Spanish Data Protection Authority (aepd)
10/08/2021
EUR €
2,000
DESPACHO TEJEDOR INFANTES CONSULTORES ASESORES
Art. 5 (1) f) GDPR
Financial Services
Non-compliance with general data processing principles
6074
Norway
Norwegian Supervisory Authority (Datatilsynet)
12/08/2021
EUR €
9,600
Waxing Palace AS
Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR
Customer Service
Insufficient legal basis for data processing
6075
Germany
Germany Data Protection Authority
24/09/2021
EUR €
900,000
Vattenfall Europe Sales GmbH
Art. 12 GDPR, Art. 13 GDPR
Energy/Utilities
Insufficient data processing agreement
6125
Austria
Austrian Data Protection Authority (dsb)
28/09/2021
EUR €
9,500,000
Austrian Post
Unknown
Other
Unknown
6128
Spain
Spanish Data Protection Authority (aepd)
29/09/2021
EUR €
10,000
ACONCAGUA JUEGOS S.A.
Art. 37 GDPR
Other
Lack of appointment of data protection officer
6130
Spain
Spanish Data Protection Authority (aepd)
25/10/2021
EUR €
3,000
MERCEDES GERENCIA, S.L.
Art. 58 (1) GDPR
Automotive
Insufficient cooperation with supervisory authority
6146
Greece
Hellenic Data Protection Authority (HDPA)
12/10/2021
EUR €
20,000
National Bank Hellas
Articles 15(1), 12(1),(2), and (3) of the GDPR
Financial Services
Failing to properly evaluate a data subject's request exercising his right of access in violation of Articles 15(1), 12(1),(2), and (3) of the GDPR.
6148
Greece
Hellenic Data Protection Authority (HDPA)
12/10/2021
EUR €
20,000
Dixons South East Europe
Articles 15(1), 12(1),(2), and (3) GDPR
Retail
Failing to exercise his right of access by a data subject, having requested from the company internal correspondence relating to him, which the company had refused to provide.
6149
Greece
Hellenic Data Protection Authority (HDPA)
11/10/2021
EUR €
8,000
Rhodes Municipal Transport Company (RODA)
Article 5(1)(c) + Articles 12(3) and 15 + Article 5(1)(c) of the GDPR
Transportation/Logistics
RODA had violated Article 5(1)(c) of the GDPR by granting the complainant, after his dismissal from the company, a certificate which listed, among other things, that he was fired due to a criminal act. Furthermore, the HDPA noted that RODA had also violated Articles 12(3) and 15 of the GDPR since it hadn't responded to the complainant's request for a copy of the video recorded of him on the day of a controversial incident, and dismissed it. Moreover, the decision notes that the €8,000 fine to RODA is a combination of €5,000 fined for violating Articles 12(3) and 15 of the GDPR, and €3,000 fined for violation of Article 5(1)(c) of the GDPR.
6150
Greece
Hellenic Data Protection Authority (HDPA)
07/09/2021
EUR €
10,000
Thessaloniki Urban Transport Organisation ('OASTH')
Articles 12 and 13 of Law 2472/1997
Transportation/Logistics
On 7 Sep 2021 the Hellenic Data Protection Authority ('HDPA') announced, that Thessaloniki Urban Transport Organisation ('OASTH') are fined €10,000, following complaints by 12 former shareholders of the same with regards to the unlawful disclosure of the personal data of 29 former employees by the President of the OASTH during a press conference, and OASTH's failure to satisfy the data subjects' right to information. In particular, the decision highlights that the HDPA, having considered all claims received, decided that the publication of the names of two former shareholders were not absolutely necessary in order to inform the public about the operation and future of transport in Thessaloniki. As a result of this violation, the decision notes that a fine of €3,000 was imposed on OASTH. Furthermore, the decision highlights that an additional fine of €7,000 was also imposed on OASTH, due to it's failure to satisfy the data subjects' right of access and/or objection pursuant to Articles 12 and 13 of Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data ('the Law').
Finally, it is worth noting that the Law, instead of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') was applicable in this case, because all complaints against OASTH date back to the time prior to the implementation of the GDPR. However, the decision further ordered OASTH to comply with the provisions of the GDPR and adapt its processes to ensure the rights of data subjects are adequately met.
6151
Greece
Hellenic Data Protection Authority (HDPA)
21/07/2021
EUR €
5,000
Legal Public Sector Individual
Articles 5(1)(a), 12, and 14 of the GDPR
Public Authority
A legal entity in the public sector is fined €5,000 for transferring the personal data of the complainant to third parties without a valid legal basis and without informing the complainant of such further data processing.
6152
Greece
Hellenic Data Protection Authority (HDPA)
12/05/2021
EUR €
5,000
IEK Institute of Professional Training
Articles 5(1)(a)(b) + Article 15 + Article 12(3) + Article 17 of the GDPR
Education/Training
Aprivate Institute of Professional Training ('IEK') company €5,000 for unlawful data processing and an incorrect response to requests for access and erasure. In particular, the decision highlights that, following receipt of a promotional email, the complainant requested information on the legality of the IEK company's action in question, as well as the deletion of their personal data, to which the IEK company did not respond.
6153
Greece
Hellenic Data Protection Authority (HDPA)
25/05/2021
EUR €
10,000
DOPAKA Municipal Organisation of Preschool Education and Social Solidarity
Articles 5 + 6(1)(c) + Articles 12(3) (4), + 17(1)(d) of the GDPR
Education/Training
The Municipal Organisation of Preschool Education and Social Solidarity ('DOPAKA') of Moschato-Tavros municipality, is fined €10,000 for violations relating to processing personal data without a legal basis and its failure to comply with its obligation to delete personal data upon such request.
6154
Country
Authority/Source
Date
Industry
Country:
Authority/Source:
Date:
Currency:
Amount:
Against:
Legal Basis:
Industry:
Details:
Entry ID:
Details:
TRUST IS THE NEW CURRENCY ®
WORKFLOW FOR INDIVIDUAL MEMBERSHIPS NEW
[vckit_workflow animate=”yes” tutorial=”” line_color=”#1e73be” circle_border=”#dd3333″ circle_bg=”#ffffff” id=”vckit_id_105dcd49c24cdb3″][vckit_workflow_item image_float=”yes” tutorial=”” title=”STEP 1″ subtitle=”Watch the VIDEO PRESENTATION” image=”57294″]When you login, you will directed to your dashboard. That is where you will find the VIDEO PRESENTATION. You will also be able to access your dashboard at anytime via your personal dashboard link appear in the main menu bar located at the top of your screen.[/vckit_workflow_item][vckit_workflow_item tutorial=”” title=”STEP 2″ subtitle=”Read the INSTRUCTIONS” image=”57294″]Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/vckit_workflow_item][vckit_workflow_item image_float=”yes” tutorial=”” title=”STEP 3″ subtitle=”Read the REMINDERS” image=”57294″]Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/vckit_workflow_item][vckit_workflow_item tutorial=”” title=”STEP 4″ subtitle=”Read the NOTICES” image=”57294″]Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/vckit_workflow_item][vckit_workflow_item image_float=”yes” tutorial=”” title=”STEP 5″ subtitle=”Complete your PCA POLICY audit” image=”57294″]Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/vckit_workflow_item][vckit_workflow_item tutorial=”” title=”STEP 6″ subtitle=”Complete your PCA PERSONAL audit” image=”57294″]Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/vckit_workflow_item][vckit_workflow_item image_float=”yes” tutorial=”” title=”STEP 7″ subtitle=”Complete your PCA COMPANY audit” image=”57294″]Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/vckit_workflow_item][vckit_workflow_item tutorial=”” title=”STEP 8″ subtitle=”Complete your PCA PROJECTS audit” image=”57294″]Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/vckit_workflow_item][vckit_workflow_item image_float=”yes” tutorial=”” title=”STEP 9″ subtitle=”Complete your PCA THIRD PARTIES audit” image=”57294″]Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/vckit_workflow_item][/vckit_workflow]
UPDATE COMPLIANCE POLICY
Privacy policies get updated as required by each company or individual.
This module displays the updates made by you or as presented to you by your company to enter, relating to the policy you are required to display a link to on your social media sites and anywhere else where you have access to personal data of other individuals and where such data is used or may be used for commercial activities.
UNSUBSCRIBE
As a member of GDPA, you are provided with the option to unsubscribe from various subscriptions we have in place and will continue to develop. Using this audit will facilitate your request.
TRADING IN PERSONAL INFORMATION
A business is ’trading’ in personal information if they collect or disclose an individual’s personal information to someone else for a benefit, service or advantage. A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service.
For example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial gain.
Examples include:
● Marketing Agencies
● Advertising Agencies
● Statistical Agencies
● Data Modelling Agencies
● Social Media Platforms
● Survey Sights
● Cloud Services
● Data Brokers
● Rental Lists
● Credit Reporting Agencies
● Financial Institutions
● Risk Mitigation Agencies
● Profiling Aggregators
● Political Parties
● National Security Agencies
● GPS Data Aggregators
● Biometric Aggregators
● Nanotechnology Aggregators
● Business Directory Brokers
● Artificial Intelligence
THIRD PARTY REGISTRY
Within minutes, register the Third Parties which have access directly or indirectly to the personal data your company holds including employees, members, customers etc…
Each Third Party you register will be linked to the corresponding TCID from your Third Party Compliance entries.
You will also find links to these sections via the AUDITS menu tab found at the top of your screen.
THIRD PARTY COMPLIANCE
Create your master Third Party Compliance processing agreements.
These Third Party Compliance agreements will save you countless hours of work when it comes to registering your third parties.
You will be simply place the applicable TCID to each registered third party entered via the Third Party Registry audit.
TASK MANAGER
This audit is designed so you can simply log, view and retrieve your personal tasks.
The ongoing development of the GDPA platform is not solely based on what we may come up with, it also constitutes your ideas.
Though we at GDPA have laid down the foundation of our platform, it’s ongoing growth is spurred on by individuals like you submitting what you would like to see added.
SOCIAL MEDIA MEMBERSHIP PRESENTATION
https://vimeo.com/323211386
SHARE YOUR KNOWLEDGE
[mkb-guestpost]
SFAD SOFTWARE APPLICATION
Software Application Security is the general practice of adding features or functionality to software to prevent a range of different threats such as denial of service attacks and other cyber attacks and data breaches or data theft situations.
Different types of application security such as firewalls, antivirus programs, encryption programs and other devices can help to ensure that unauthorized access is prevented. Companies also can identify sensitive data assets and protect them through specific application security processes tied to these data sets.
Software Application Security is aimed at protecting clients and users of software from of hacking and malicious intent.
Furthermore, Software Application Security is critical for mobile app stores, where hackers try to attach various kinds of malware to less vetted mobile applications.
SFAD SENIOR MANAGEMENT
The effectiveness of compliance starts with the actions undertaken by Senior Management. Although effective compliance starts with the board, it must be disseminated throughout your organization. Senior Management must demonstrate their understanding, commitment and respond quickly to compliance issues raised by data subjects internally and externally.
The components of Senior Management Compliance include establishing its compliance responsibilities, communicating those responsibilities to employees, ensuring business processes incorporate internal policies for meeting legal compliance requirements and review operations to ensure accountability for meeting assigned responsibilities and legal compliance requirements.
SFAD SECURITY POLICY
Security Policies assist you in designing, implementing, guiding, monitoring and managing security over an organization’s data.
It primarily focuses at securing and protecting logical data stored, consumed, and managed by an organization.
SFAD RISK ASSESSMENT
Risk assessments identify hazards that could negatively impact an organization’s ability to conduct business.
These assessments help identify these inherent business risks and provide measures, processes and controls to reduce the impact of these risks to business operations.
SFAD PRIVACY BY DESIGN
Privacy by Design promotes privacy and data protection compliance, and helps you comply with data protection regulations.
Companies and organisations need to implement privacy and data protection throughout a project life-cycle, including when:
Building new IT systems to store or access personal data;
Needing to comply to regulatory or contractual requirements;
Developing internal policies or strategies with privacy implications;
Building websites, mobile apps, customer relation platforms etc…
Collaborating with an external party that involves data sharing; or
Existing data is used for new purposes.
SFAD PRIVACY
Privacy audit is to assess an organization’s privacy protection posture against any legislative/regulatory requirements or international best practices and to review compliance with the organization’s own privacy-related policies.
This involves evaluating procedures undertaken by an organization throughout the typical information life-cycle stages such as how information is created or received, distributed, used, maintained and eventually disposed.
SFAD PHYSICAL & ENVIRONMENTAL SECURITY
Physical & Environmental Security is defined as that which securely operates on an ongoing basis regardless of the persons in it.
It affects the actions and outcomes concerning the people within it, encompassing everything around us that provide our basic needs and opportunities for social and economic development.
All processes and behaviors take place within specific physical environments. In this instance it has to do with your business.
SFAD ORGANIZATIONAL SECURITY
Organizational Security is a sustained, appropriate level of security in team communication and information management practices.
When more than one person works together to achieve a goal, they need to be able to communicate and manage information to get things done.
SFAD MOBILE DEVICES
Mobile Devices audit addresses the different approaches for managing mobile devices within a business or organization and identifying the impacts and outcomes which are focused on people, devices, applications/websites and data.
SFAD INFORMATION SYSTEMS
Information systems is the study of complementary networks of hardware and software that people and organizations use to collect, filter, process, create, and distribute data.
They comprise combinations of hardware, software, and telecommunications networks that people build and use to collect, create, and distribute useful data, typically in organizational settings.
Information systems are interrelated components working together to collect, process, store, and disseminate information to support decision making, coordination, control, analysis, and visualization in an organization.
SFAD INCIDENT EVENT & COMMUNICATIONS
Incident Event & Communications enables organizations to create and manage dialogue related to major business issues or incidents.
It allows the bringing together all involved users during these events and establish quick and easy communications within this group.
For example, a major issue occurs in regarding a data breach. The incident could potentially impact all users, so it is important to bring together key representatives and communicate quickly and effectively.
An incident communication plan addresses this process and assists in resolving the matter.
SFAD HUMAN RESOURCES
Human Resources is the function in an organization that deals with the people and issues related to people such as compensation and benefits, recruiting and hiring employees, on-boarding employees, performance management, training, and organization development and culture.
SFAD CORPORATE GOVERNANCE
Throughout all corners of the globe, compliance with the GDPR, or more accurately, compliance failures, has gained significant attention. Organisations need to respond to stakeholders’ concerns about personal data, and boards require self evaluation mechanisms addressing such concerns and meeting acceptable compliance standards.
Corporate Governance is the framework of rules and practices by which a board of directors ensures Accountability, Fairness, Independent Assurance, Leadership and Transparency in a Company’s relationship with its Stakeholder engagement (financiers, customers, management, employees, government, and the community).
SFAD COMPLIANCE
Compliance is a comprehensive review of an organization’s adherence to regulatory guidelines.
The outcomes evaluate the strength and thoroughness of compliance preparations, security policies, user access controls and risk management procedures over the course of a compliance audit.
What precisely is addressed varies depending on whether an organization is a public or private company, what types of data it handles, and if it transmits or stores sensitive financial data.
It gauges the overall risks to compliance and security and to determine whether the company is following internal guidelines.
The reports can be used by management teams to identify areas that require improvement.They measure company objectives against output and strategic risks.
SFAD COMMUNICATIONS & OPERATIONS
Communications & Operations is the sending and receiving of messages among interrelated individuals within a particular environment or setting to achieve individual and common goals.
Organizational communication is highly contextual and culturally dependent.
Individuals in organizations transmit messages via various methods including face-to face, written, video recorded, audio recorded and mediated channels.
SFAD CLOUD SECURITY
Cloud security is the protection of data stored online from theft, leakage and deletion.
Methods of providing cloud security include firewalls, penetration testing, obfuscation, tokenization, virtual private networks (VPN), and avoiding public internet connections.
Major threats to cloud security include data breaches, data loss, account hijacking, service traffic hijacking, insecure application program interfaces (APIs), poor choice of cloud storage providers, and shared technology that can compromise cloud security. Distributed denial of service (DDoS) attacks are another threat to cloud security.
These attacks shut down a service by overwhelming it with data so that users cannot access their accounts, such as bank accounts or email accounts.
SFAD BUSINESS CONTINUITY & DISASTER RECOVERY
Business Continuity and Disaster Recovery (BC & DR) is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and business in the aftermath of a disaster.
BC & DR is divided into two different phases/components:
Business Continuity (BC): BC deals with the business operations side of BC & DR. It involves designing and creating policies and procedures that ensure that essential business functions/processes are available during and after a disaster. BC can include the replacement of staff, service availability issues, business impact analysis and change management.
Disaster Recovery (DR): DR is primarily focused on the IT side of BC & DR. It defines how an organization’s IT department will recover from a natural or artificial disaster. The processes within this phase can include server and network restoration, copying backup data and provisioning backup systems.
Typically, most medium and large enterprises have an integrated BC & DR plan or separate BC and DR plans for dealing with unforeseen natural or man-made disasters.
SFAD BIOMETRICS
While there are major benefits in using new technologies, organisations need to be aware of the potential challenges when utilizing biometric data in a fair, transparent and accountable manner.
Biometric horizontals, verticals and diagonals require to be addressed for their compliance with data privacy regulations.
SFAD ASSET MANAGEMENT
Asset Management refers to systematic approach to the governance and realization of value from the things that a group or entity is responsible for, over their whole life cycles.
It can apply both to tangible assets (assets with a physical form) and to intangible assets (assets with a non-physical formsuch as patents, trademarks, copyrights, goodwill and brand recognition).
SFAD ARTIFICIAL INTELLIGENCE
Artificial Intelligence (AI) is technology that gives machines the power to perform specific tasks that normally require human intelligence such as visual perception, speech recognition, decision making, learning, and language translation.
A compliance approach to AI strives to ensure that human values are central to the way in which AI systems are developed, deployed, used and monitored, by ensuring respect for fundamental rights, which are united by reference to a common foundation rooted in respect for human dignity, in which the data subjects enjoy a unique and inalienable protection status by entities engaging in Artificial Intelligence (AI).
SFAD ACCESS CONTROL
Access Control is a security technique that regulates who or what can view or use resources in a data drive environment, including digital and print.
It is a fundamental concept in security that minimizes risk to the business or organization.
SAAS xxx
SAAS SUBMIT AN IDEA
Do you have an idea on how we can improve our platform and service to you? Or maybe you have something in mind.
Reach out to us, we are always open to bright minds and ideas, and who knows where it can lead to.
SAAS SUBMIT A QUESTION
If you have a question, don’t hesitate to touch base with us.
We will do our best to provide you with the correct answer you require or steer you in the right direction.
Due to the influx of questions we receive on a daily basis, we will do our best to deliver our response to you within the shortest possible time-frame.
SAAS STEP GUIDE
Click SHOW ME HOW below each audit to view presentation.
COMPULSORY FIRST AUDITSCOMPULSORY FIRST AUDITS
step 1: PRIVACY POLICY
Complete the PRIVACY POLICY audit.
step 2: PERSONAL ANALYSIS
Complete the PERSONAL ANALYSIS audit.
step 3: GAP ANALYSIS
Complete the GAP ANALYSIS audit.
step 4: COMPACT AUDIT
Complete the COMPACT AUDIT audit.
step 5: LEGITIMATE INTEREST IMPACT ASSESSMENT
Complete the LIIA audit.
step 6: DATA PROTECTION IMPACT ASSESSMENT
Complete the DPIA audit.
PERSONAL AUDITSPERSONAL AUDITS
PERSONAL ANALYSIS
This audit is used to xxx.
PERSONAL BREACHES
This audit is used to xxx.
PERSONAL ACTIVITY
This audit is used to xxx.
PERSONAL DATA RECTIFICATION
This audit is used to xxx.
POST AN ARTICLE
This audit is used to xxx.
SUBMIT AN IDEA
This audit is used to xxx.
SUBMIT A QUESTION
This audit is used to xxx.
BUSINESS AUDITSBUSINESS AUDITS
GAP ANALYSIS
This audit is used to xxx.
LIIA
This audit is used to xxx.
DPIA
This audit is used to xxx.
DPIE
This audit is used to xxx.
COMPACT AUDIT
This audit is used to xxx.
FULL AUDIT
This audit is used to xxx.
PRIVACY POLICY
This audit is used to xxx.
DATA PROCESSOR AGREEMENTS
This audit is used to xxx.
DATA PROCESSOR BREACHES
This audit is used to xxx.
DATA BREACH ACTIVITY
This audit is used to xxx.
REGISTER A COMPLAINT
This audit is used to xxx.
EMPLOYMENT LISTING
This audit is used to xxx.
DATA PROCESSOR AUDITSDATA PROCESSOR AUDITS
DATA PROCESSOR AGREEMENTS
This audit is used to xxx.
DATA PROCESSOR BREACHES
This audit is used to xxx.
SAAS REGISTER A COMPLAINT
This audit is used so you can lodge any data breaches that you come across by your competitors. Upon receipt, we will investigate your compliant and upon confirmation, they will be listed in our non-compliant database. Brand reputation for non-compliance does have a negative impact (aside of possible monetary penalties).
A Centrify study found that 65 percent of data breach victims lost trust in an organization as a result of the breach. IDC found that 80 percent of consumers in developed nations will defect from a business if their information is compromised in a security breach.
On top of lost trust, companies also need to worry about the networks of directly affected customers. An Interactions Marketing survey found that:
85 percent tell others about their experience
5 percent use social media to complain about their experience
20 percent comment directly on the retailer’s website
The magnitude of any data breach is far-reaching thanks to the internet. A company’s widespread negative reputation specifically from a breach can damage their overall reputation more than they realize. This can ultimately impact their bottom line. Security Magazine reported on a study that found:
52 percent of consumers would consider paying for the same products or services from a provider with better security
52 percent of consumers said security is an important or main consideration when purchasing products or services.
SAAS PRIVACY POLICY SOCIAL MEDIA
This Privacy Policy is to keep individuals informed of how you collect, use, share, secure and process their personal data on all your social media platforms.
You are required to inform your customers about why you are processing their data, for how long will you store it and how you use their data in plain and clear words.
Your policy is hosted on our servers and you are permitted to use your custom link branded page with your name and your qrcode, and place it anywhere you desire both online and offline, digital and print.
SAAS PRIVACY POLICY ONLINE & OFFLINE
This Privacy Policy is to keep individuals informed of how you collect, use, share, secure and process their personal data on all your platforms including any and all social media sites you are on.
You are required to inform your customers about why you are processing their data, for how long will you store it and how you use their data in plain and clear words.
Your policy is hosted on our servers and you are permitted to use your custom link branded page with your name and your qrcode, and place it anywhere you desire both online and offline, digital and print.
SAAS POST AN ARTICLE
At anytime you can post an article that you feel would be of interest to the wider audience.
The article has to have relevance with data protection and cyber security.
Upon submission, your article will be reviewed and if we find no issues with it, we will post it accordingly in our NEWS section.
If we do have an issue, we will reach out to you.
SAAS PERSONAL DATA RECTIFICATION
This audit gives you the right to have inaccurate personal data rectified and incomplete personal data completed.
Keep in mind that this will depend on the purposes for the processing and may involve providing a supplementary statement to the incomplete data.
SAAS PERSONAL BREACHES
You will use this audit to log your personal data breaches.
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. This includes unintentional information disclosure, data leak and also data spill, careless disposal of used computer equipment or data storage media and unhackable source.
Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data files, documents and sensitive information.
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
SAAS PERSONAL ANALYSIS
This Personal Analysis is directed at identifying if you require training and if you are not meeting the desired performance requirements or goals relating to data protection regulations you are directly responsible for.
SAAS PERSONAL ACTIVITY
This Personal Log is used to record your personal data handling activities.
Access logs, error logs, and security audit logs are now considered to hold personal information.
You must protect your position against any future breaches as proof of evidence.
SAAS LIIA: Legitimate Interest Impact Assessment
The Legitimate Interest Impact Assessment (LIIA) is designed to help you to decide whether or not the legitimate interests basis is likely to apply to your processing.
SAAS GAP ANALYSIS
The Gap Analysis assesses the extent of your organisation’s compliance with the GDPR (General Data Protection Regulation), and helps identify and prioritise the areas that it should urgently address.
SAAS FULL AUDIT
This Full Audit determines whether the organisation has implemented adequate policies and procedures to regulate the processing of personal data. Additionally, the review will ensure that monitoring of personal data processing is carried out by such policies and procedures and identifying and controlling the risks to mitigate data breaches.
It comprises approximately 1600 questions modulated across 17 primary business operational chapters:
Risk Management
Security Policy
Organizational Security
Asset Management
Human Resources Security
Physical and Environmental
Communications and Operations Management
Access Control
Information Systems Application Development and Maintenance
Incident Event and Communications Management
Business Continuity and Disaster Recovery
Compliance
Mobile
Privacy
Software Security
Cloud Security
Privacy by Design
SAAS EMPLOYMENT LISTING
This audit is used so you can list new career vacancies that require individuals to have a level of data protection skill sets on top of their primary responsibilities.
SAAS DPIE: Data Protection Impact Evaluation
A Data Protection Impact Evaluation (DPIE) is a process to help you identify and minimise the data protection risks on each new project and on existing projects which are not supported by a DPIE.
https://vimeo.com/323211386
SAAS DPIA: Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of your organization.
SAAS DATA PROCESSOR BREACHES
This audit is used to record your data processors non-compliance to the activities performed based on the personal data and instructions you have handed them.
You must log and protect your position as a data controller against any unforeseen data breaches made by your data processors.
SAAS DATA PROCESSOR AGREEMENTS
This audit is for the purpose in recording the activities and attaching the agreements between you and data processors.
The data processor or (processor) is a person or organization who deals with personal data as instructed by YOU the data controller or (controller) for specific purposes and services offered to the controller that involve personal data processing.
SAAS DATA BREACH ACTIVITY
This audit is used by to record any data breaches brought forward by individuals against you.
It permits you to manage and monitor such breaches, whilst maintaining a digital footprint of events and outcomes from start to finish.
SAAS COMPACT AUDIT
This Compact Audit determines whether the organisation has implemented adequate policies and procedures to regulate the processing of personal data. Additionally, the review will ensure that monitoring of personal data processing is carried out by such policies and procedures and identifying and controlling the risks to prevent data breaches.
It comprises 95 questions covering the following 17 primary business operational factors:
Risk Management
Security Policy
Organizational Security
Asset Management
Human Resources Security
Physical and Environmental
Communications and Operations Management
Access Control
Information Systems Application Development and Maintenance
Incident Event and Communications Management
Business Continuity and Disaster Recovery
Compliance
Mobile
Privacy
Software Security
Cloud Security
Privacy by Design
REPORT A BUG STATUS
wpDataTable with provided ID not found!
REGISTER A COMPLAINT
Use this audit to register a complaint which you have raised against a third party regarding your rights as a data subject. This can be an internal complaint or an external complaint.
GDPA will mediate your complaint where it complies with the data privacy regulations in effect.
Q: Will my membership with GDPA reduce my Insurance premium?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Will I get fined for non-compliance?
Let’s not kid ourselves, the biggest threat to organisations from GDPR is running the risk of massive fines.
In saying that, GDPR law is not about handing our fines, it’s about putting the rights of the individual first.
Before a fine is handed out, a serious of sanctions take place.
Whilst it may not be financial to begin with, it will definitely place a massive dent in the reputation of the offending party. When you lose the trust with your audience and/or your staff, it’s pretty much game over.
One thing is for certain, there is no room for complacency, not matter where in the world you are.
question sent in by Zachary.T from Singapore
Q: Why isn’t GDPR Registrar a free service?
As much as we would like to make it a free platform, it would be beyond our personal financial ability in doing so.
We researched extensively to find the fair price medium, one that will make it a value added incentive on your behalf and one that would maintain the costs in operating and evolving this site.
Bottom line is we have settled on a pricing model for the many and not for the few.
question sent in by Joyce.T from Ireland
Q: Why are your membership prices so low?
Knowledge has no price limit and yes we could quite easily charge more.
The reason we don’t is simple. This platform has been designed to offer the tools to the many and not the few. We believe our pricing structure is fair and affordable to everyone, without compromising on our objectives to our members and to our purpose of existence.
If you wish to shout our team a cup of coffee then we won’t say no. Simply spin the wheel below to see how many of our staff will enjoy your shout.
So you know, its €1 per shout.
[wof_wheel id=”2854″]
question sent in by Mo Chou from China
Q: Who does GDPR apply to?
GDPR applies to anyone that applies, handles, processes, and/or monitors personal data of residents (full-time or temporary including foreign tourists) within the European Union, no matter where in the world this activity is conducted from.
Furthermore, it matters not whether you hold onto the data for 1 minute or 10 years.
question sent in by Andrea.F from Australia
Q: Who do GDPR privacy protocols apply to?
GDPR protocols apply to all forms of relationships where in concerns European Union Residents (full-time or temporary including foreign tourists).
The types of relationship fall under 3 categories:
✍ B2B (business to business) where third party relationships are involved in the processing of personal data.
✍ B2C (business to consumer) where you are required to demonstrate responsibility towards personal data.
✍ B2E (business to employee) where the data you hold on current, past and prospective employees is managed within the boundaries of GDPR protocols.
question sent in by John.K from Belgium
Q: Who can I email?
To clear the air and any confusion, you can email both B2B (Business to Business)and B2C (Business to Consumer) based on the following parameters:
B2B (Business to Business) in 5 steps
Make sure the business you are targeting is relevant to your email.
Define your legitimate interest when emailing them.
Allow them to unsubscribe easily and/or to opt-out of future emails.
Keep your database clean and up to date.
Make sure the business email is not a personal name, example:
wrong: john@businessname.com (unless you have prior consent)
wrong: mary@businessname.com (unless you have prior consent)
right: info@businessname.com
right: support@businessname.com
right: contact@businessname.com
right: enquiry@businessname.com
right: hr@businessname.com
right: marketing@businessname.com
right: ceo@businessname.com
etc…
B2C (Business to Consumer) in 5 steps
Don’t pressure or confuse individuals to grant you consent by making it a pre-requisite for signing up to your site and/or service. Keep it simple and let them decide.
Adjust your lead generation and consent forms, permitting the users to opt-in freely, be specific, keep it simple, and easy to understand.
When collecting data for multiple marketing channels (sms, postal mail, email…) give the user the option to pick which channels they wish to receive communications from you. Provide separate options for each channel.
Be clear with your audience should the information you collect from them is likely to be shared with 3rd parties.
Allow them to unsubscribe easily and/or to opt-out of future emails.
question sent in by Nicole.D from Greece
Q: What rights will individuals have under privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: What responsibilities will companies have under the privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: What personal information can I ask for?
As a data subject(that’s how you are referred to), GDPR presents you with 8 rights to which you can make a specific request and be assured that your personal data is not being misused for purposes other than the legitimate purpose for which it was originally provided by you to the entity.
A data subject has 8 legal rights of request, including:
1: Right to Object: The right to object to the processing of ♀ or ♂ personal data.
2: Right to be Forgotten: The right to ask for the deletion of ♀ or ♂ data, also referred to as the “right to erasure”.
3: Right to Access: The right to get access to ♀ or ♂ personal data that is being processed.
4: Right to Withdraw Consent: The right to withdraw a previously given consent for processing of ♀ or ♂ personal data for a purpose.
5: Right to Object to Automated Processing: The right to object to a decision based on automated processing including Machine Learning and Artificial Intelligence of ♀ or ♂ personal data.
6: Right to Rectification: The right to ask for modifications to ♀ or ♂ personal data in case the data subject believes that this personal data is not up to date or accurate.
7: Right to Data Portability: The right to ask for the transfer of ♀ or ♂ personal data in a machine-readable electronic format.
8: Right to Information: The right to ask a company for information about what ♀ or ♂ personal data is being processed and the reasoning for such processing.
This right given to you by GDPR is referred to as DSAR(Data Subject Access Request).
A DSAR can be made by an individual or an individual’s appointed representative. Such requests are made in writing and mailed to the entities registered GDPR Postal address and/or via Email.
Important to note that the violating entity must have a registered address within the EU to receive GDPR mail (irrelevant if the request is sent by post or via email).
question sent in by Angela.S from Greece
Q: What is the process for me to demonstrate that I comply with privacy laws such as the GDPR and how do I notify all my suppliers, customers, employees and stakeholders that I am complaint ?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: What is pseudonymization?
It’s when digitally stored data (information entered via a computer, mobile device, laptop, etc…) is encrypted in such a way where it makes it impossible for unauthorized people to trace it back to an individual.
The 5 key methods used to achieve pseudonymization are:
♒ Encryption (involving the rendering of the original data as unreadable and which cannot be rendered readable without an encryption key)
♒ Tokenization (involving the substitution of sensitive data elements with a non-sensitive elements, that hold no extrinsic or exploitable meaning or value)
♒ Blurring (involving obfuscation just like media outlets rendering the faces of anonymous sources unrecognizable)
♒ Masking (involving the masking of data where it still permits you to identify the data “example a credit card: XXXX XXXX XXXX 1964” without identifying the individual )
♒ Scrambling (involving a combination or obfuscation of alpha/numeric characters)
question sent in by Vincent.X from Sweden
Q: What is Personal Data?
Personal Data is any information relating to an identified or identifiable natural person (otherwise referred to as a ‘data subject’).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, locationdata, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Here is an extensive list of Personal Data:
✍ Activity on the site
✍ Age
✍ Arrest records
✍ Bank account
✍ Bankruptcies
✍ Bio-metric identifiers
✍ Birth certificate
✍ Browser
✍ Browsing history (elsewhere online)
✍ Car insurance records
✍ Cell/Mobile phone
✍ Chat history (elsewhere online)
✍ Children’s names
✍ City of birth
✍ Cloud storage files
✍ Contacts list
✍ Cookies
✍ Credit card number
✍ Credit report
✍ Criminal offenses & convictions
✍ Current employer
✍ Current home address
✍ Current income
✍ Current location (physical)
✍ Daily life activities
✍ Date of birth
✍ Debit card number
✍ Device ID / MAC address
✍ Digital fingerprint
✍ Donations to organizations
✍ Driver’s license / state ID
✍ Education history
✍ Email records
✍ Employment history
✍ Event attendance
✍ Eye color
✍ Face photographs
✍ Facial geometry
✍ Family health history
✍ Fingerprints
✍ First name
✍ Friends’ names
✍ Gender
✍ Genetic information
✍ Hair color
✍ Handwriting
✍ Health insurance records
✍ Height
✍ Home phone
✍ Home value
✍ Homeowner status
✍ HR issues & disciplinary actions
✍ Income history
✍ Investment records
✍ IP address
✍ ISP (internet service provider)
✍ Judgements
✍ Language preference
✍ Last name
✍ Length of current residence
✍ Liens
✍ Life insurance records
✍ Likes & ratings
✍ Loan records
✍ Location history (physical)
✍ Maiden name
✍ Marital status
✍ Media preferences
✍ Medical card number
✍ Medical records
✍ Messages on the site
✍ Nationality
✍ Number of people in household
✍ Occupation
✍ Operating system
✍ Other financial statements
✍ Other identifying photographs
✍ Other names used
✍ Pardons
✍ Parents’ names
✍ Passport information
✍ Password
✍ Performance evaluations
✍ Personal email address
✍ Pets & animals
✍ Phone call records
✍ Photo location data
✍ Physical or mental disability
✍ PIN number
✍ Political affiliations & opinions
✍ Political party affiliation
✍ Postal activity
✍ Power of attorney
✍ Prescriptions
✍ Previous addresses
✍ Professional license records
✍ Property records
✍ Racial & ethnic origin
✍ Recreational license records
✍ Reference interviews
✍ Religion & philosophical beliefs
✍ Retina scan
✍ Schools attended
✍ Search history (elsewhere)
✍ Search history on the site
✍ Security question & answer
✍ Sexual orientation
✍ Sexual partners
✍ Shopping & purchase history (elsewhere online)
✍ Shopping & purchase history (offline)
✍ Shopping & purchase history (on the site)
✍ Siblings’ names
✍ Signature
✍ Social media accounts
✍ Social media posts & history
✍ Social security / social insurance number
✍ Spouse name
✍ Surveys (online)
✍ Surveys (offline)
✍ Tax file number
✍ Tax returns
✍ Text message history
✍ Third-party login
✍ Topics of interest
✍ Trade union membership
✍ Username
✍ Vehicle registration records
✍ Veteran status
✍ Video footage
✍ Voice recording
✍ Voice signature
✍ Voter registration records
✍ Website
✍ Weight
✍ Work address
✍ Work email address
✍ Work phone
✍ Writing sample (electronic)
list compiled by TIM BOUCHER
question sent in by Fei Hung from China
Q: What is GDPRs global reach?
The impact of GDPR is global.
GDPR is a legal chapter established by the European Union and affects directly any entity worldwide that that applies, handles, processes, and/or monitors personal data of residents (full-time or temporary including foreign tourists)within the European Union, no matter where in the world this activity is conducted from. Simply put, you cannot hide from it or avoid it.
Currently, over 23,000,000 companies worldwide in 191 countries conduct some form of business activity which involves European Union residents. Chances are you’re one of these companies.
Here are the 3 key questions you need to immediately ask yourself:
Do you have a registered mailing address within the European Union for all your GDPR related matters?
Do you have someone with exceptional GDPR knowledge and data protection experience within the European Union to be your first line of contact regarding GDPR related matters?
Have you taken the first basic steps towards GDPR compliance?
If you answered NO to any one of the 3 questions then we can assist you. GDPR Registrar is designed to provide the platform for entities such as yourself to commit to compliance and to be registered & represented within the European Union as required by law.
Biometrics is the measurement and statistical analysis of people’s unique physical and behavioral characteristics. The technology is mainly used for identification and access control, or for identifying individuals who are under surveillance.
The basic premise of biometric authentication is that every person can be accurately identified by his or her intrinsic physical or behavioral traits.
Biometric identifiers are divided into 2 categories, Behavioral and Physiological.
♀♂Behavioral characteristics are related to the pattern of behavior of a person, including but not limited to typing rhythm, gait, and voice, otherwise referred to as behaviometrics.
♀♂Physiological characteristics are related to the shape of the body, including but not limited to fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odor and/or scent.
Examples of biometrics include token-based identification systems, such as a driver’s license or passport, and knowledge-based identification systems, such as a password or personal identification number.
Since biometric identifiers are unique to individuals, they are more reliable in verifying identity than token and knowledge-based methods; however, the collection of biometric identifiers raises privacy concerns about the ultimate use of this information.
question sent in by Marylin.S from Canada
Q: What information can’t I ask for?
You don’t have the right to make a request and gain access to the information of a 3rd party individual, unless you have been properly appointed as the authorized representative of the original individual seeking access to their information.
The entity receiving your request requires:
sufficient evidence on your behalf to verify the identity of the data subject making such a request and
sufficient details on your behalf so it can locate your request.
If the responsible person refuses your Data Subject Access Request on behalf of the entity, they must clearly set out in writing the reasons for the rejection.
If you are not satisfied with the outcome of your request, then you have the right to ask the entity for the details to their independent DPO (Data Protection Officer) to review your case.
question sent in by Frank.A from UK
Q: What if we cannot afford the costs to comply?
One thing people forget, and we wish to make this very clear, especially for small to medium size businesses. GDPR is not designed to put you out of business!!!
GDPR requires you to DEMONSTRATE that you are committed in working towards being compliant.
Don’t act from a position of fear, that’s the biggest and most costly mistake you’ll make.
We’re not going to lie to you, once you have gone through the plan, you will most likely become a registered member with us and/or with another quality organization for reasons that will become clear to you.
question sent in by Mario.D from Italy
Q: What does GDPR mean for social media strategies?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: What does GDPR and privacy laws mean for property marketers?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: What do you need to do if you own or manage property?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: What do you do with my information?
We use your information in fulfilling our obligations to you as a member and as permitted to us via GDPR Article 6 “Lawfulness of Processing”, where the processing shall be lawful only if and to the extent that at least one of the following applies:
✍ the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
✍ processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
✍ processing is necessary for compliance with a legal obligation to which the controller is subject;
✍ processing is necessary in order to protect the vital interests of the data subject or of another natural person;
✍ processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
✍ processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (shall not apply to processing carried out by public authorities in the performance of their tasks.)
We don’t abuse, take unlawful advantage or compromise your trust when you provide your information to us, and as such:
☑ We don’t share your information with 3rd parties, unless it is required to complete your request. (One example is when you file a complaint against a third party via our platform, we may be required to share your information with relevant 3rd parties to address your DSAR complaint.)
☑ We don’t sell your information to 3rd parties, period!
☑ We don’t ask or gather irrelevant information from you just for the hell of it.
☑ We don’t hold onto your credit-card information and will never ask for your credit card details. (All payments made by you to us will be via Paypal or Stripe gateways or Direct Bank Transfer.)
☑ We don’t make deliberate errors, therefore if you find something on our site not to be right, feel free to tell us and we’ll address it.
☑ We don’t proclaim to be perfect, though perfection is something we continually strive for.
☑ We don’t display your personal name on our site publicly unless you have given us explicit consent.
☑ We don’t share your details with co-workers within our organization unless they have a legitimate interest within their role.
☑ We don’t store your information on physical servers outside of the European Union.
☑ We don’t spam!
☑ We don’t work with entities that do not comply to GDPR Regulations.
question sent in by Elizabeth.B from UK
Q: What do we need to understand about GDPR?
As someone that handles personal data of residents (full-time or temporary including foreign tourists) within the European Union, you need to:
☑ Fully understand on how you use your data.
☑ Make certain that you’re incorporating GDPR into your data management.
☑ Conduct a thorough evaluation of your current & future data requirements.
☑ Assess the capabilities in managing such data.
☑ Be prepared to execute major changes in how you manage your data.
question sent in by David.M from Hong Kong
Q: What do I need to keep in mind about GDPR?
The top 12 key factors to keep in mind about GDPR protocols regrading European Union Residents (EURs) (full-time or temporary including foreign tourists) within the European Union, no matter where in the world this activity is conducted from include:
☑ Handling data on EURs.
☑ Offering goods and/or services to EURs.
☑ Monitoring and/or tracking the activities of EURs.
☑ Conducting any form of business or commercial activities with EURs.
☑ How serious you are about doing the right thing with EURs data.
☑ How you store EURs data.
☑ How you process EURs data.
☑ How you access EURs data.
☑ How you transfer EURs data.
☑ How you disclose EURs data.
☑ How you interact with EURs data.
☑ How you react to an infringement on EURs data.
question sent in by Patricia.Z from Hong Kong
Q: What are the principles of GDPR based on?
The principles are based on entities being responsible in considering what accountability they may or may not need to comply with. This is strictly based on the unique and specific circumstances of their activities and how they utilize the data they receive.
Each entities principles of compliance will differ according to interpretation and circumstances. The core principle is being able to demonstrate that you are committed to GDPR Compliance and are being proactive in achieving this target, whilst being able to demonstrate it when required.
Taking this approach will direct you in the right direction towards compliance.
question sent in by Frances.R from USA
Q: What are cookies?
Cookies are small pieces of data stored on a user’s device which allow websites to perform specified actions or preferences.
Cookies are divided 5 categories:
☀ Targeted Cookies: Used to deliver multiple types of targeted digital ads. They store your user data and behavioral information, allowing advertising services to target you within specified audience groups according to variables including but not limited to: ✍age ✍gender ✍location ✍personal interests ✍website habits ✍search engine habits ✍social media habits, just to name a few.
☀ Necessary Cookies: Used by a website to deliver you the information and services they offer in a secure and optimized manner. In most cases, you must accept these “necessary cookies” to be able to make use of their online systems.
☀ Functional Cookies: They are essential for a website to work, for example: ✍making sure that you don’t have to keep logging into the website each time you visit a different page ✍keeping track of your shopping cart on the website ✍making sure the online live support maintains contact with you, especially when navigating the site.
☀ Performance Cookies: Used for internal purposes to help the website in providing you with a better user experience. The cookies help the operators of the website to better understand how it’s used by visitors, shoppers and members. From this information they can improve the way the site works and deliver better content to you. One example is when they use an external company such as Google to perform such an analysis via their services. In this instance, they may set third party cookies to enable this to function correctly.
☀ Undefined Cookies: This is something of a hit and miss scenario as undefined cookies can come from a number of factors including your personal settings on your device.
You can always run a check as to what cookies a website uses via online tools such as COOKIE METRIX or COOKIEBOT
question sent in by Mandy.Y from Cyprus
Q: My business collects personal information through electronic platfoms such as text messages. Do I need to comply with privacy laws such as GDPR
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Is photography subject to GDPR regulations?
Yes, photography is subject to the GDPR regulations.
You’ll need to have a privacy policy in place and you’ll need to make sure it’s in line with GDPR.
Make sure you have the privacy policy linked to your online pages, including website/s and social pages.
question sent in by Joshua.H from Germany
Q: Is GDPR just a fad?
Once upon a time there were only 2 things certain in life & now there are 3.
The sooner you come to grips with GDPR, the better of you’ll be in the long run.
Define your policies for GDPR compliance
Define your processes for GDPR compliance.
Define your stakeholders for GDPR compliance.
Discover what data you need to protect and manage.
Control the access to your data.
Centralize your data across your organization.
Following these six steps will place you in good standing with GDPR protocols, setting your path towards a bright future with your audience.
Forget bitcoin, trust is the new currency of the future!
question sent in by Beth.V from UK
Q: If my EU representative is based in the UK will I be compliant after Brexit or do I need to nominate a representative outside the UK
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: If I’m just a social network user do I need to comply with privacy laws and what are the consequences if I don’t?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: If I have an Instagram account do I need to comply with data protection privacy laws
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: If I have a facebook business page do I need to be GDPR compliant?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I’m just a sole trader who employs contractors from time to time. Do I need to comply with privacy regulations such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I’m a trades person and often take before and after shots of the work I do. Do I need to comply with privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I’m a marketer who advertises products and services and receives enquiries. Do I need to comply with privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I’m a consumer, how do I know that my personal information is protected?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I’m a business that wants to comply and implement data privacy and protection best practice and I don’t know how to do it. Who will help me do this
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I’m a business that buys and sells products and services on Ebay. Do I need to comply with privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I’m a business in Australia that orders parts and services from Europe. Do I need to comply with privacy laws such as the GDPR ?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I have a You tube account, Im a you tube user, post videos, music and other information. Do I need to comply with Privacy Regulations such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: I have a data base of past customers and enquiries. Can I keep this data base on file?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: How will GDPR and other Privacy laws affect Property managers and Agents?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: How long can someone hold onto my data for?
When it’s for contractual reasons, for example you purchased a product, service, made a donation and actions of similar nature, it generally ranges about 6-7 years.
It’s always good to reach out to the entity to clarify this for you. You’ll find that the majority of companies will be more than happy to answer your question. Keep in mind that they have 30 days to respond to you.
If they don’t, then you can file an official complaint via our online form FILE A COMPLAINT. This service is also part of our free membership.
Here is a great infograph from Erik Underwood c/o TechRepublic, with interesting insights into why your data is being collected.
question sent in by Anna.A from Spain
Q: How does someone get fined outside of the EU?
Article 27 of the GDPR is the first line of defense. It requires companies without operations in the EU to appoint an EU representative. If that doesn’t happen, non-EU companies will be perused via local enforcement actions within their country via mutual legal assistance treaties (MLAT), and private prosecutions under similar local laws.
question sent in by Claire.M from Taiwan
Q: How does GDPR affect social media advertising
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: How do I process and file personal information that I receive over Text messages in order to be compliant with privacy laws such as the GDPR
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Does SMS marketing need to comply with privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Does my Australian business need to be GDPR compliant?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Do non EU entities have to comply to GDPR?
Yes, Non EU Entities have to comply the moment they apply, handle, process, and/or monitor personal data of residents (full-time or temporary including foreign tourists) within the European Union.
Furthermore, it matters not whether you hold onto the data for 1 minute or 10 years.
question sent in by John.K from Taiwan
Q: Do I need to train my staff?
The logical answer is yes you do, as they are your controllers and processors of the information you receive. Furthermore it matters not whether you are a small family business or a large organization,
The purpose of a certification is to develop a code-of-conduct for your staff to follow, which in return helps them understand the requirements and actions needed in being compliant.
Richard Branson said it best: “Customers come second, employees first. It’s a philosophy that brings unexpected benefits to both the company and its clients.”
question sent in by Konstantinos.M from Greece
Q: Do I have rights under the privacy act when I use social networking sites?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Do all organization now need to appoint a Data Protection Officer in order to comply with Privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Can I keep my customers details on file once our transaction has completed?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Can I get insurance against Data breaches?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Can I cancel my membership at any time
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Can a Controller or Processor be fined?
The short answer is yes.
In saying that, a monetary fine is only one of the corrective measures included in the GDPR to apply pressure on controllers and processors to comply with the regulation.
Not all violations will result in a monetary fines, and not all fines will be based on the maximum amount, though rest assured it won’t be pocket change either.
A monetary fine is the last step in a long process designed to address the scope of an infringement by a Controller and/or Processor, concurrently assessing on how the organization allowed the infringement to happen in the first place and to monitor what steps have been taken to address the violation and any further violations.
question sent in by Victoria.F from Germany
Q: As an employee or contractor what rights do I have under privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: As a career working in the aged care, disability and child support sector. Do I need to comply with privacy laws such as the GDPR?
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Q: Are Photographs, videos & audio considered personal data
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
PROJECT REGISTRY
Within minutes, register the Projects which collect and/or work with directly or indirectly personal data, including employees, members, customers etc…
Each Project you register will be linked to the corresponding PCID from your Project Compliance entries.
You will also find links to these sections via the AUDITS menu tab found at the top of your screen.
PROJECT REGISTRY
Data Privacy Regulations require you to demonstrate legitimate interest in how you handle personal data. This audit is designed to make it quick and efficient, without having to spend hours by simply recording the base project parameters and then linking it to the applicable PROJECT COMPLIANCEaudit.
When you use personal data for a new project or task, for example;
Social Media Campaigns,
Sales and/or Promotions,
Sharing with 3rd Parties,
Request by 3rd Parties,
via
Company Platforms/Vehicles/Devices,
Personal Platforms/Vehicles/Devices,
both in digital or physical format, irrelevant if you are performing the task from within your place of employment or not (eg: home, in the field etc…), you will record it in this audit.
The reason being, with the plethora of tasks you perform in your day to day activities, it will be near impossible to demonstrate compliance should;
a breach is found in your project/task and/or
a breach is brought forward by a data subject or third party.
PROJECT COMPLIANCE
Create your master Project Compliance entry.
These Project Compliance entries will save you countless hours of work when it comes to registering your new projects using personal data.
You will be simply place the applicable PCID to each registered project entered via the Project Registry audit.
Do not ignore your obligation towards compliance as the penalties can be severe, not only for the company but also for you the individual.
Any entity engaged in commercial activity, individual or company, for profit or not for profit, where the personal data of an individual or individuals is involved both on-site or off-site must demonstrate compliance with data privacy regulations.
There is no room for complacency, it’s that simple.
The tutorial directory is extremely easy to use and retrieve what you are looking for across the whole site. It’s our modern approach to a 21st century sitemap that will make learning to use this site a breese.
Firstly you are offered 6 master filtering options. You can choose to commence filtering in whichever order you desire. According to you previous selection, that balance of the filters will list any corresponding options and so on… To reset the filters simply press the “CLEAR FILTERS” button directly below the 6 filtering options.
One final thing, you can also search via a keyword using the “SEARCH” field directly below the “CLEAR FILTERS” button.
4: Complete your Public Compliance Policy: GDPA-S4-P055
5: Thereafter follow the path in P01 CRITICAL LEVEL 2 & P01 CRITICAL LEVEL 3.
Each AUDIT is explained herein and within the audit. Simply answer the questions as they are presented to you so you can commence demonstrating your path to compliance, that’s the most important factor of all. The rest will fall into place in accordance with the decisions and actions you take to bring yourself in line on any compliance shortfalls.
How often an item is to be addressed by the user or by GDPA.
LIVE
HOURLY
DAILY
WEEKLY
MONTHLY
ANNUALLY
AS REQUIRED
NOT APPLICABLE
PERSONAL NOTES
This audit is designed for you to take down retrieve, edit and download personal notes without losing your track of thought, purpose or actions.
PERSONAL DATA RECTIFCATION
This audit is designed to assist you in requesting data that you have entered to be corrected by GDPA. You will use this feature when you cannot find the data to correct yourself.
PERSONAL DATA BREACH
This audit is designed to keep you compliant with Art. 33 of the GDPR and with local privacy regulations where applicable, where you must keep a record of any personal data breaches and ensure that you have robust breach detection, investigation and internal reporting procedures in place.
In the case of a personal data breach, the controller (that’s you) shall without undue delay and, where feasible and not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 and if the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Recording personal data breaches is a great way for a company to identify any shortfalls in their path to compliance and place the correct measures in place to mitigate a repeat of such breaches.
PERSONAL COMPLIANCE
Personal Data Protection Compliance is an ongoing process. This audit is designed to initially determine and thereafter keep track of your basic understanding with personal data regulations.
When you understand the purpose of data privacy, applying it in your day to day activities will result in greater productivity and the cementing of best practices in your activities for the greater benefit of the organisation and the public at large.
When fines and prosecutions are handed down, in many cases they are done so all the way to a personal level, therefore don’t compromise your position. Don’t permit complacency or influence to interfere with your duty and obligation towards following the protection of personal data in your possession and/or your daily workflows.
Choosing not to comply can even result in you and/or your company to cease trading. The cost goes beyond economic factors, therefore disobeying data privacy regulations is too high to avoid or ignore.
Direct Links allow you to link directly to your website or social media pages.
Simply enter your link, for example:
✍ Website: https://yourwebsitename.com/
✍ Facebook: https://facebook.com/yourname/
✍ Facebook Page: https://facebook.com/yourpagename
✍ Facebook Group: https://facebook.com/groups/yourgroupname/ ✍ Instagram: https://instagram.com/yourname/
✍ Twitter: https://twitter.com/yourname/
… you get the idea.
This is a major incentive for you, and will assist you in greater engagement.
If a visitor recognizes a partner link whilst on an partner ’s site, they’ll know the partner will earn a commission if they click that link and make a purchase. In some instances, a partner link may make a visitor skeptical and they won’t click the link. A potential customer turned off by a partner link could mean a missed sale.
By using Direct Links, visitors will be completely unaware of any partner links, greatly increasing the chance of clicking a link to GDPA and going on to complete a purchase and you gaining your commission.
Partner referral URLs can include a campaign parameter to help you track and monitor the performance of your partner links.
You can name your campaigns when generating a partner referral link, or manually append a campaign name to a partner referral link. When using the generator, the campaign name will be automatically appended to your partner referral link. Here are a couple of examples of what the referral partner referral link looks like with a campaign parameter added:
You may wish to use campaigns to place specific partner links in specific marketing channels – such as in an email, on a particular social media platform, or on your own website or social media pages.
The campaigns created by you are visible in the Statistics tab when you are logged in. This tab also shows the following campaign data:
The number of visits through a specific campaign referral link.
How many unique referral links have been used for that campaign.
Whether the conversion was successful (a referral was generated).
And what the conversion rate is for that particular campaign.
Some examples of campaign names you might use are: “Winter Email”, “Twitter January”, “Facebook Compliance”, “Summer Promo”, and so on. This could be aligned with the marketing material we provide you with, or a sale or promotion you have scheduled.
A shorter, simpler campaign name usually works best. Think of it like a coupon code – a campaign name between 15 and 25 characters can effectively describe a date, product, and channel for where a specific campaign link is being shared.
Additionally, some social media channels have a limited amount of characters available. The more characters you use in your partner referral link, the less space you have to market our platform and services.
Using this campaign parameter will allow you to identify where you should focus your marketing efforts for maximum sales and referrals.
GDPA’s referral program rewards you for sharing our links over your social networks and e-mails. A typical referral scenario is where three of your friends sign up to our platform via your referral links.
This section provides a quick visual indicator for different referral statuses, without needing to use several separate graphs, so you can easily get an immediate snapshot of comparative data.
Any partner payment is generated within our platform where it is logged and shown on this screen and where you can view information about each payout made to you by GDPA.
Any shipping costs and applicable taxes are excluded from payout calculations.
GDPA uses cookies to track visits derived from partners generated referral links.
When a customer clicks on an partner’s referral link, and these cookies are successfully generated, a visit will appear in Partners Visits screen. The cookies will then remain in the browser throughout the purchase or conversion process to track the correct partner so a referral can be generated for that partner.
The cookies will also remain in the customer’s browser for a period of time or until the customer clears their cookies. The default cookie expiration is 7 days.
Creatives are pre-made banners and assets that Partners can use to easily promote GDPA.
Instead of requiring you to create your own banner images or partner URLs, we make it easy for you by setting up a list of pre-made banner images of various sizes, or text links, that they can simply add to their own websites or email newsletters.
When a customer clicks on an partner’s referral URL and makes a purchase from our website, they are instantly linked to you the Partner.
When the customer returns to make another purchase on our website, the linked partner will receive a commission, even if they visit our website without using the partner’s referral link. A customer can only be linked to one partner at a time.
If the customer makes a guest purchase (logged out) their email address is used to look up the linked partner. If the customer is a user on our site, and is logged in when they purchase, their already stored email address is used.
Additionally, if the customer ever uses a different email address whilst purchasing (logged in) or changes their email address from their existing profile, the new email address is also stored with the linked partner. This ensures that if the customer ever makes a purchase while logged out, the linked partner will still receive commission on the sale.
1: Enter the email where your payment will be linked to.
2: Select if you wish to be notified on each new referral.
3: Instead of using your Username, enter your own custom link code (slug). You can choose between an alphanumeric (letters and numbers) or alphabetic code (letters only). Note: Custom codes can be all lowercase, all uppercase, or sentence case (a mix of both lowercase and uppercase) letters. The maximum length is 60 characters as per code.
NEW COMPLIANCE POLICY
Data Subject Access Rights is law as defined in Chapter 3 Articles 12-23 of the GDPR and it affects just about everyone around the world that has a website, social media page and/or business where any individual from the European Union can get in touch with or connect with.
Your own compliance policy configured with the unencumbered right of access for individuals. The process is simple and straight forward and comes with a policy support line for the public that we attend to on your behalf 24/7.
1: Select the TYPE of policy, enter a few basic details and you are done.
Data Subject Rights Compliance Policy (where you have an existing privacy policy and only add the link to your GDPA Compliance Policy) VIEW DEMO
or
Full Compliance Policy (where you don’t have a compliance policy and commence with GDPA’s default Member Compliance Policy) VIEW DEMO
2: Once submitted, your policy will be assessed by a team member.
3: With all being in order, you will receive an email with your policy link and your own policy QRCODE.
4: Place the link and/or the QRCODE anywhere visibly required to demonstrate your compliance with privacy laws. You would place it on your website, social media pages, business cards, invoices, receipts, brochures, billboards, outgoing emails, newsletters, anywhere required to display your compliance policy.
5: You can submit edits to your compliance policy at anytime.
Even if you happen not to be exposed to European Citizens, the evolving privacy laws within your state or country are extending greater rights to individuals. Therefore it makes common sense to do it right from the beginning. It’s all about TRUST!
GDPA audits are independent units that are part of the total structure of data privacy regulatory compliance.
The audits presented will assist you in demonstrating compliance with data privacy regulations.
PRIMARY AUDITSpresent you with the key compliance units. You will complete this section annually or as frequently as you deem necessary. The audits cover 6 major elements and form the foundation of your compliance.
PRIMARY ENTRIES is where you can view, filter, search, edit and download reports on your logged entries.
PRIMARY STATISTICS is where you can see the unit statistics on a question by question basis. This information is an amalgamation of all users that have completed this unit without the disclosure of their personal data.
REGISTRY AUDITS are related to the Primary Audits where applicable. It’s where you quickly log a Project, Third Party or Human Resource and link it to your applicable Primary Audit.
REGISTRY ENTRIES is where you can view, filter, search, edit and download reports on your logged entries.
REGISTRY PRIMARY is the Primary Audit related to this unit.
FULL AUDIT AUDITS present you with the key compliance units. You will generally complete this section annually or as frequently as you deem necessary. The audits cover 21 major elements and form the foundation of your compliance on a micro level. Generally speaking this section is designed for companies that require micro compliance. Simply complete the units Based on your companies activities where personal data is involved.
FULL AUDIT ENTRIES is where you can view, filter, search, edit and download reports on your logged entries.
FULL AUDIT STATISTICS is where you can see the unit statistics on a question by question basis. This information is an amalgamation of all users that have completed this unit without the disclosure of their personal data.
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
HUMAN RESOURCES REGISTRY
Register your employees which collect and/or work with directly or indirectly personal data, including employees, members, customers etc…
Each Employee you register will be linked to the corresponding HRID from your Human Resource Compliance entries.
You will also find links to these sections via the AUDITS menu tab found at the top of your screen.
HUMAN RESOURCES COMPLIANCE
Use this audit to create your default Human Resource Compliance. Thereafter when you enter an employee into the Human Resource Registry, simply enter the applicable Human Resource ID (HRID) to it. This way you will be able demonstrate compliance with all your employees.
HOW IT WORKS
1: SELECT YOUR MEMBERSHIP
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
1: SELECT YOUR MEMBERSHIP
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
1: SELECT YOUR MEMBERSHIP
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
HELP YOUR EMPLOYER
If you ever feel the need to reach out where your employer might require assistance, feel free to reach out and we will discuss the matter with them. You can choose to remain anonymous when making this request.
HEALTH SERVICES PROVIDER
An organisation that provides a health service and holds health information is covered by the Privacy Act 1988 (Privacy Act), even if they’re a small business or providing a health service is not their primary activity.
Some examples of a health service provider covered by the Privacy Act include:
● General Practitioners
● Medical Practitioners
● Blood Banks
● Tissue Banks
● Private Hospitals
● Day Procedure Centres
● Private Aged Care Facility
● Palliative Care Facility
● Pathology or Radiology Services
● Assisted Fertility Clinic
● IVF Clinic
● Dentists
● Pharmacist
● Gyms
● Weight Loss Clinics
● Health services provided in the non-government sector (such as a phone counselling service or drug and alcohol service)
● Disability service providers (where they handle health information)
● Online health services (such as counselling, advice, medicines), a telehealth business or a health mail order business
Global Data Protection Agency Presentation
https://vimeo.com/323211386
Global Data Protection Agency Presentation
https://vimeo.com/323211386
Global Data Protection Agency Presentation
https://vimeo.com/323211386
GDPA Step 3
Well done, you’re on your way. Continue making Privacy and Data Compliance a part of your daily core business and show your customers, suppliers and staff how serious you are. Your Trust platform will send reminders of tasks you need to complete in order to continue and maintain your compliance journey.
GDPA Step 2
Complete each audit that applies to you in the order it appears on your dashboard. Your answer to the questions and any evidence you provide, will enable the Trust platform to formulate your compliance status for each audit. It will also give you access to the resources and recommendations you need to boost your compliance.
GDPA Step 1
Choose the membership that suits you and get access to your very own compliance dashboard on our Trust platform. Download and display your Trust seal and prove to the world that you are using best practice in data protection.
GDPA SOCIAL MEMBERSHIP 1 SEAT
https://vimeo.com/368349079
SOCIAL MEMBERSHIP FEATURES
✔ 1 seat – user account ✚This membership is designed for any individual that operates their commercial activities including influencers via social media platforms including: Facebook, Instagram, Twitter, LinkedIn, Pinterest, YouTube, Whatsapp, Messenger, WeChat, Tik Tok, Sina Weibo, Tumblr, Baidu Snapchat, Viber, Vimeo etc…
✔ master dashboard 50 interactive options ✚GDPA’s Trust Platform supports you and your company to comply with global regulations, without limitations. Maintain complete visibility over all the information your company stores, controls and processes. Protect your data and the privacy of all individuals your business engages with. Reduce risk, improve competitiveness and build trust with the help of our Trust Platform. Assess your current status and take steps towards compliance using the Trust Platform.
✔ personal compliance dashboard 16 audits ✚Each audit is designed to address the related points of compliance in an easy to understand and simple engaging manner. The Personal Compliance Audits include: Data Access, Data Breach, Data Breach Assessment, Data Erasure, Data Opt-out, Data Portability, Data Rectification, Data Restriction, Help Your Employer, I Wish To Unsubscribe, Notes Manager, Personal Compliance, Project Registry, Register A Complaint, Submit An Idea and Task Manager.
✔ company compliance dashboard 13 audits ✚Each audit is designed to address the related points of compliance in an easy to understand and simple engaging manner. The Company Compliance Audits include: Company Compliance, Compliance Policy, Data Breach Assessment, Data Protection Impact Assessment, Data Protection Impact Evaluation, Employment Listing, Human Resources Compliance, Human Resources Registry, Legitimate Interest Compliance, Project Compliance, Project Registry, Third Party Compliance and Third Party Registry.
✔ full audit compliance dashboard 21 audits ✚Each audit is designed to address the related points of compliance in an easy to understand and simple engaging manner. The Full Audit Compliance Audits include: Access Control, Artificial Intelligence, Asset Management, Biometrics, Business Continuity, Cloud Security, Communications & Operations, Compliance, Human Resources, Incident Event & Communications, Information Systems, Mobile Devices, Organisational Security, Physical & Environmental, Privacy, Privacy By Design, Risk Assessment, Security Policy, Senior Management, Software Application and Stakeholders.
✔ european union based registered office & number ✚When you register with GDPA you will receive a registered mailing address and phone number based within the EU, in accordance with Article 27 of the GDPR.
✔ european union based gdpr representative ✚In accordance with Article 27 of the GDPR, many companies outside of the EU are required to nominate a GDPR representative in the EU. When you register with GDPA you will have easy 24/7 access to our representatives, avoiding the need for you to establish a physical presence in the EU. Your representative acts on your behalf in relation to your personal data processing activities as an EU based contact for data subjects and supervisory authorities.
✔ social media compliance policy ✚When dealing on a non-personal level with personal data, you are required to provide a compliance policy to your audience with the required engagement parameters. We take care of this for you and is part of your membership. You will be provided with your custom policy link and qrcode to place where its required without limitations and with no hidden charges for excessive usage by your audience.view sample policy
✔ hourly backups ✚GDPA employs industry best standards with the latest security and hourly backups of your valuable information. Standard industry practice of daily backups means clients can lose up to 24 hours of information during down times. GDPA safeguards its customers by providing hourly backups, meaning at worst, clients are at risk of losing 60 minutes of information, in the unlikely event of cloud down time.
✔ aes-256 bank/military grade encryption ✚Nothing is more important to us than the security of your information. Your personal identifiable data is encrypted with 256-bit AES bank/military grade encryption at rest in our databases. We have hardware firewalls, active and passive security, and other advanced features to prevent access to your data. Our site is built on Linux containers (LXC), and LXD to orchestrate complete isolation and apply the latest security features and updates, on top of Google Cloud Platform. This is a much more secure method than offered by most others. Because of the sheer scale of Google’s infrastructure, it enables our platform to simply absorb many DDoS attacks automatically. Our servers and content delivery network (CDN) support TLS 1.3, a new encryption protocol update that is both faster and more secure than TLS 1.2.
✔ membership transfer ✚Memberships are subject to transfer in the event of the sale of your company. A verification process will be performed by GDPA, in conjunction with the outgoing and incoming parties, to ensure the safe transfer of your information. GDPA will also transfer memberships between outgoing and incoming employees (excluding personal identifiable data of the outgoing individual), ensuring your company’s information is always up to date in accordance with Article 5 of the GDPR.
✔ 24/7/365 global access ✚Our Cloud Based Trust platform can be accessed by members anywhere, at any time. Your secure login enables you to access your sensitive information in real time from anywhere in the world.
