
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority
Name
Fined Company
Fine
Violation
Description
Link
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
GRUPO NORCONSULTING, S.L.
2023-02-28
€15,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Art. 17 GDPR
The Spanish DPA has imposed a fine of EUR 15,000 on GRUPO NORCONSULTING, S.L. A data subject had filed a complaint against the controller with the DPA due to the controller's failure to properly comply with their request for access and erasure of their personal data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
EUROPYMES SERVICIOS INTEGRALES S.L.
2023-02-28
€800.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
The Spanish Data Protection Authority has imposed a fine on EUROPYMES SERVICIOS INTEGRALES S.L. The controller has not properly complied with the data subject's request for erasure of their personal data. The original fine of EUR 1000 was reduced to EUR 800 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-02-21
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-02-21
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded the public space. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
SUPER 24H LOS ROSALES, S.L.
2023-02-21
€180.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on SUPER 24H LOS ROSALES, S.L. The controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-02-21
€1,200.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,200 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the video surveillance.
AEPD
Spanish Data Protection Authority
Industry and Commerce
PLANET COSTA DORADA SOCIEDAD LIMITADA
2023-02-21
€300.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 300 on PLANET COSTA DORADA SOCIEDAD LIMITADA. The controller had failed to provide a notice with information about video surveillance at its premises.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-02-21
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine of EUR 1,500 on a private individual. The controller sent an e-mail with personal data to several recipients in an open distribution list. This made it possible for the recipients to view the e-mail addresses of all other recipients.
AEPD
Spanish Data Protection Authority
Industry and Commerce
HERON CITY VALENCIA MANAGEMENT S.L.
2023-02-21
€10,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
The Spanish DPA has imposed a fine of EUR 10,000 on HERON CITY VALENCIA MANAGEMENT S.L. A data subject had complained to the DPA due to the controller's failure to comply with their request for access to the recordings of the video surveillance system in which the data subject appeared.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-02-21
€300.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on a private individual. The individual had shared a document containing personal data of the data subject in a WhatsApp group without the data subject's consent. The original fine of EUR 500 was reduced to EUR 300 due to voluntary payment and admission of responsibility.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Medijobs Platform SRL
2023-02-08
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2) GDPR
The Romanian DPA has imposed a fine of EUR 5,000 on Medijobs Platform SRL. The controller had informed the DPA about a data breach according to Art. 33 GDPR. Unauthorized third parties had succeeded in accessing the IT infrastructure of the controller and had downloaded, deleted and transferred personal data of applicants such as name, e-mail address, professional history, marital status, etc. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data, which ultimately also contributed to the data breach.
AEPD
Spanish Data Protection Authority
Real Estate
MIRACLE IBIZA S.L.
2023-02-03
€500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 500 on MIRACLE IBIZA S.L. The controller had installed a video surveillance system that captured the front door of an individual's apartment. The DPA considered this to be a violation of the principle of data minimization pursuant to Art. 5 (1) c) GDPR.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
HOTEL VILLA SORO, S.L.
2023-02-03
€600.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on HOTEL VILLA SORO, S.L. The controller had installed a video surveillance system without providing the required information according to Art. 13 GDPR. The original fine of EUR 1000 was reduced to EUR 600 due to voluntary payment and admission of responsibility.
Data Protection Authority of Ireland
Health Care
Centric Health Ltd.
2023-01-23
€460,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 32 (1) GDPR
The Irish DPA has imposed a fine of EUR 460,000 on Centric Health Ltd. The controller suffered a ransomware attack in which personal data such as name, date of birth and contact details were accessed, altered and destroyed without authorization. Data records of approximately 70,000 people were affected, of which 2,500 were permanently affected. The DPA's investigation found that the healthcare facility had failed to implement adequate technical and organizational measures to protect personal data, which facilitated such an attack.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Sanitaria Locale di Brindisi
2023-01-11
€2,500.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 15 GDPR
The Italian DPA has imposed a fine of EUR 2,500 on Azienda Sanitaria Locale di Brindisi. A data subject had filed a complaint with the DPA due to the health authority's failure to respond to a request for access to their personal data.
Data Protection Authority of Ireland
Transportation and Energy
A&G Couriers Limited T/A Fastway Couriers (Ireland)
2022-12-30
€15,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Irish DPA (DPC) has fined A&G Couriers Limited T/A Fastway Couriers (Ireland) EUR 15,000. During a changeover of its IT systems, the controller had suffered a cyberattack in which unauthorized third parties gained access to personal data. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data, which facilitated such an attack.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Scuola Statale Secondaria di I^ grado 'Bianco-Pascol'
2022-12-15
€3,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 12 GDPR
Art. 2-ter Codice della privacy
Art. 2-sexies Codice della privacy
The Italian DPA has imposed a fine of EUR 3,000 on the school 'Scuola Statale Secondaria di I^ grado 'Bianco-Pascoli', di Fasano (BR)'. The educational institution had published a document, containing personal health data of some students, in the school's electronic register. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and thus acted unlawfully. In addition, the school failed to respond to requests for information in a timely manner.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
PIONIER (law firm)
2022-11-30
€9,600.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
Art. 9 GDPR
The Polish DPA has imposed a fine of EUR 9,600 on the law firm PIONIER. The law firm mainly represents victims of traffic accidents in proceedings against insurance companies and other entities. In this context, it supports its clients in claims for damages as well as claims for reimbursement of medical treatment costs. During its investigation, the DPA found that the law firm processed personal data, including health data, of potential clients without a valid legal basis. The law firm obtained personal data of potential clients based on press releases as well as social media reports. This allowed it to contact potential clients and offer them its services. During an initial conversation, the law firm asked them for their verbal consent to process their personal data up until the conclusion of a contract. However, the DPA found that the consent should have been given in a way that it could still be proven at a later stage (e.g., through a register of consents).
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Private individual
2022-11-24
€1,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 32 GDPR
Art. 2-septies (8) Codice della privacy
The Italian DPA has imposed a fine of EUR 1,000 on a private individual. Two individuals had filed a complaint with the DPA due to the fact that the controller had published personal data of them and their families in their dissertation. The individuals had participated in treatments conducted by the controller, but they had not consented to the publication of their data in the dissertation in an unanonymized form.
GARANTE
Italian Data Protection Authority
Health Care
Ordine dei Medici Chirurghi e degli Odontoiatri della Provincia di Cagliari
2022-11-24
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 3,000 on the Board of Surgeons and Dentists of the Province of Cagliari. The controller had disclosed data of a doctor to third parties without a valid legal basis.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Media, Telecoms and Broadcasting
News service
2022-11-15
€5,200.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 7 (2), 4) GDPR
Art. 12 GDPR
The Hungarian DPA imposed a fine of EUR 5,200 on a news service. A customer had complained to the DPA that, after subscribing to a newsletter to receive a daily news digest, they had also received direct marketing messages. During its investigation, the DPA found that the processing of the data subjects' personal data for direct marketing purposes was unlawful. As the controller had not sufficiently informed the data subjects of their rights, the DPA found that the data subjects' consent to receive the newsletter was not valid as a legal basis for the processing of the data for marketing purposes.
GARANTE
Italian Data Protection Authority
Health Care
Poliambulatorio Radiologico 'il Sorriso' S.r.l.
2022-11-10
€15,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 13 GDPR
Art. 37 GDPR
The Italian DPA has imposed a fine of EUR 15,000 on Poliambulatorio Radiologico 'il Sorriso' S.r.l. A patient had filed a complaint with the DPA for not receiving sufficient information regarding the processing of their personal data. Among other things, the controller had not provided information about the data protection officer and the type of data being processed. The DPA also found that the controller had failed to provide the contact details of their data protection officer to the DPA.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Veneto region
2022-10-06
€100,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 100,000 on the Veneto Region. The DPA had received a complaint from dozens of medical and nursing staff. During its investigation, the DPA found that the Region, in the context of Covid-19 containment measures, had provided lists of information on unvaccinated employees to various healthcare facilities and the physicians in charge there. The DPA found that the Region did not have a valid legal basis for such systematic disclosure of the lists to the physicians and that only the disclosure of the lists to the health authorities was covered by the legal decree in force at the time.
UODO
Polish National Personal Data Protection Office
Not assigned
Unknown
2022-08-31
€1,450.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 (1) a), e) GDPR
The Polish DPA (UODO) has fined a data controller EUR 1,450 for failing to provide information requested by the DPA during an investigation.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
TIMSHEL Sp. z o.o.
2022-08-30
€6,800.00
Insufficient cooperation with supervisory authority
Art. 58 (1) e) GDPR
The Polish DPA (UODO) has fined TIMSHEL Sp. z o.o. EUR 6,800 for failing to provide information requested by the DPA during an investigation.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Mister Brick S.a.s.
2022-08-05
€1,000.00
Insufficient legal basis for data processing
Art. 5 (2) GDPR
Art. 6 (1) a) GDPR
Art. 12 (3) GDPR
Art. 15 GDPR
Art. 24 GDPR
The Italian DPA has imposed a fine of EUR 1,000 on Mister Brick S.a.s. An individual had filed a complaint with the DPA against the controller for having received unsolicited marketing messages from the controller. During its investigation, the DPA found that the controller did not have a legal basis to process the data subject's data. Moreover, the controller failed to respond to a request of the data subject to exercise their rights in a timely manner.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-07-22
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA of Luxembourg (CNPD) has imposed a fine of EUR 10,000 on a company. The company had installed a video surveillance system for the purpose of protecting company property and staff. However, the cameras also constantly captured parts of employees' work areas, a break room, a meeting room and a neighboring property. The DPA states that the controller violated the principle of data minimization under Art. 5 (1) c) GDPR due to the excessive CCTV. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR, as the controller had not properly informed data subjects about the video surveillance.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Store owner
2022-05-26
€2,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA has fined the owner of the store 'Turkish City' EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Monte Sant'Angelo
2022-04-28
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) e) GDPR
Art. 17 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 3,000 on Comune di Monte Sant'Angelo. A person who had participated in a selection procedure had filed a complaint with the DPA due to the fact that the municipality had published a list of candidates and their results in the selection procedure on its website. In its investigation, the DPA found that the municipality did not have a valid legal basis to publish the results and the personal data of the applicants. In addition, the DPA found that the controller failed to comply with the data subject's request for deletion of their personal data.
GARANTE
Italian Data Protection Authority
Accommodation and Hospitality
Rebirth s.r.l.
2022-04-07
€15,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
Art. 114 Codice della privacy
Art. 157 Codice della privacy
The Italian DPA has fined Rebirth s.r.l. EUR 15,000. The controller had installed 14 surveillance cameras in a café it operated without informing data subjects about the video surveillance.
GARANTE
Italian Data Protection Authority
Health Care
Tecnomed Trento s.r.l.
2022-04-07
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 13 GDPR
Art. 29 GDPR
Art. 32 GDPR
Art. 114 Codice della privacy
The Italian DPA has fined Tecnomed Trento s.r.l. EUR 10,000. The controller had operated several video surveillance cameras in its premises, some of them without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing. The DPA also found that three individuals with shared credentials had authorized access to the recorded images. The DPA concluded that this arrangement was not appropriate to guarantee the confidentiality of the information processed by the video surveillance system, in particular because it does not make it possible to check who carried out certain processing operations.
UODO
Polish National Personal Data Protection Office
Not assigned
Unknown
2022-03-23
€490.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 (1) e) GDPR
The Polish DPA (UODO) has fined a data controller EUR 490 for failing to provide information requested by the DPA during an investigation.
Cypriot Data Protection Commissioner
Health Care
Physician
2022
€1,500.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The Cypriot DPA has imposed a fine of EUR 1,500 on a physician. The DPA had conducted an investigation against the physician for the unlawful operation of a video surveillance system. For investigative purposes the DPA had requested information from the physician, which the physician did not provide to the DPA. For this reason, the DPA found that the physician had violated Art. 31 GDPR due to lack of cooperation with the DPA.
Cypriot Data Protection Commissioner
Individuals and Private Associations
Cyprus Judo Federation
2022
€5,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The Cypriot DPA has imposed a fine on the Cyprus Judo Federation. The father of a member had filed a complaint with the DPA because the judo coach of his minor son had published photographic and audiovisual material on a social media platform without his prior consent. During the course of the investigation, the trainer did not sufficiently cooperate with the DPA, which therefore imposed a fine of EUR 5,000 for a violation of Art. 31 GDPR.
Cypriot Data Protection Commissioner
Transportation and Energy
Hermes Airport Ltd.
2022
€6,000.00
Insufficient technical and organisational measures to ensure information security
Art. 24 GDPR
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 6,000 on Hermes Airport Ltd. The controller had suffered a cyber attack which, according to the DPA, had been caused due to a lack of technical and organizational measures for the protection of personal data and a lack of supervision of a processor.
Cypriot Data Protection Commissioner
Industry and Commerce
DW Dynamic Works LIMITED
2022
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 5,000 on DW Dynamic Works LIMITED. The controller operated as a processor for Hermes Airport Ltd. Hermes had suffered a cyberattack which, according to the DPA, was caused, among other things, by Dynamic Works' lack of technical and organizational measures to protect personal data.
UODO
Polish National Personal Data Protection Office
Not assigned
Unknown
Unknown
€960.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The Polish DPA (UODO) has fined a data controller EUR 1,450 for failing to provide information requested by the DPA during an investigation.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-05-25
€600.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Spanish DPA has imposed a fine of EUR 600 on a private individual for failing to comply with an order issued by the DPA.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-05-25
€480.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA has imposed a fine on a private individual. The controller had installed a video surveillance camera which also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-05-24
€10,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has fined a private individual EUR 10,000 for publishing a picture and address of another person on a website without their consent.
AEPD
Spanish Data Protection Authority
Health Care
NORDETIA CLINICS IBERIA, S.L.
2023-05-24
€3,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Spanish DPA has fined NORDETIA CLINICS IBERIA, S.L. EUR 3,000 for failing to provide information requested by the DPA during an investigation.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Global Baby Brand SRL
2023-05-23
€1,000.00
Insufficient legal basis for data processing
Art. 7 GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on Global Baby Brand SRL. A person had filed a complaint with the DPA alleging that the controller had sent commercial SMS messages without their consent. In the course of its investigation, the DPA found that the controller could not prove that it had processed the data subject's telephone number for marketing purposes with the data subject's valid consent.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
AUTOMOBILE BAVARIA SRL
2023-05-18
€18,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), d) GDPR
Art. 32 (2) GDPR
Art. 25 (1) GDPR
The Romanian DPA has imposed a fine of EUR 18,000 on AUTOMOBILE BAVARIA SRL. The data controller had notified the authority of a data breach pursuant to Art. 33 GDPR. Unknown parties had managed to disclose, without authorization, personal data such as name, telephone number, residence, etc. of 290 customers on the controller's website. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data, which allowed such an incident to occur.
AEPD
Spanish Data Protection Authority
Public Sector and Education
WILLOUGHBY COLLEGE, S.A
2023-05-17
€900.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Spanish DPA has fined WILLOUGHBY COLLEGE, S.A. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 1,500 was reduced to EUR 900 due to immediate payment and acknowledgement of guilt.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
Compania Națională Poșta Română S.A.
2023-05-16
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 6 (1) GDPR
The Romanian DPA has imposed a fine of EUR 5,000 on the Romanian Post (Compania Națională Poșta Română S.A.). During its investigation, the DPA found that the controller had processed personal data of employees without a valid legal basis.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
Meta Platforms Ireland Limited
2023-05-12
€1,200,000,000.00
Insufficient legal basis for data processing
Art. 46 (1) GDPR
The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law, and the standard contractual clauses (SCCs) also do not provide sufficient protection. Meta based its data transfers on the SCCs and additional safeguards of its own. However, during its investigation, the DPC determined that these additional measures did not compensate for the inadequate protections provided by U.S. law. Following the investigation, the DPC submitted a draft decision to other concerned supervisory authorities pursuant to Art. 60 GDPR. In response, the DPC received objections from supervisory authorities, which led to a dispute resolution procedure before the European Data Protection Board (EDPB). In its decision, the EDPB asked the DPC to amend the proposed fine and adapt it to the seriousness of the data protection breach. The DPC also ordered Meta to cease any future transfer of personal data to the U.S., as well as to cease storage, within six months, of data already transferred to the U.S. Meta has announced that it will appeal the ruling and seek a suspension of the orders in court.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A.
2023-05-12
€1,500.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), d) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 1,500 on the insurance company NN Pensii Societate de Administrare a unui Fond de Pensii Administrat Privat S.A. The controller had notified the authority of a data breach pursuant to Art. 33 GDPR. The controller had made a number of technical changes to its systems that allowed some website visitors to access personal data of other individuals. This led to the unauthorized access of personal data such as name, ID card number, email, etc. of two individuals. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data, which facilitated such an incident.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
NN Asigurări de Viață S.A.
2023-05-12
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), d) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on the insurance company NN Asigurări de Viață S.A. The controller had notified the authority of a data breach pursuant to Art. 33 GDPR. The controller had made a number of technical changes to its systems that allowed some website visitors to access personal data of other individuals. This led to the unauthorized access of personal data such as name, ID card number, email, etc. of two individuals. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data, which facilitated such an incident.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Libra Internet Bank SA
2023-05-11
€11,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (2), (4) GDPR
Art. 15 (3) GDPR
The Romanian DPA has imposed a fine of EUR 11,000 on Libra Internet Bank SA. An individual had filed a complaint against the bank due to the bank's failure to fully comply with their request for information. In the course of its investigation, the DPA additionally found that the bank did not provide the data subject with information on the possibility of filing a complaint with the DPA. Furthermore, the bank was unable to demonstrate that it facilitated the exercise of data subject rights.
CNIL
French Data Protection Authority
Industry and Commerce
Clearview AI
2023-05-10
€5,200,000.00
Insufficient cooperation with supervisory authority
Unknown
The French DPA has fined Clearview AI EUR 5.2 million. The DPA had imposed a fine of EUR 20 million on the company in 2022 for unlawfully collecting personal data. In addition to the fine, the DPA ordered the company to make its processing of personal data compliant with data protection laws within two months. However, the company did not provide evidence of compliance within this period.