
GDPR Fines

A list of GDPR fines issued by European data protection authorities since 2019, totalling €3,994,443,726.

Each entry lists: data protection authority (abbreviation and full name), sector, fined company, date of decision, fine, violation type, GDPR articles cited, and a description of the case.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
Clearview AI Inc.
2022-07-13
€20,000,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 12 GDPR
Art. 14 GDPR
Art. 15 GDPR
Art. 27 GDPR
The Hellenic DPA has imposed a fine of EUR 20,000,000 on Clearview AI Inc. The non-profit organization 'Homo Digitalis' had filed a complaint with the DPA on behalf of the data subject. The company holds a database of more than 20 billion facial images (including those of Greek residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified on the basis of the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such as image tags and geolocation. In the course of its investigation the DPA found that the personal data contained in the company's database had been processed unlawfully and without a valid legal basis. The DPA also found that the company had not provided the data subject with access to their personal data, in violation of Art. 15 GDPR. Furthermore, Clearview had violated the principle of transparency by failing to adequately inform data subjects about the processing of their data.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
DKV Seguros y Reaseguros, S.A.E.
2022-07-13
€132,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Art. 33 GDPR
The Spanish DPA has imposed a fine on DKV Seguros y Reaseguros, S.A.E. An individual had filed a complaint with the DPA after receiving multiple e-mails from the controller containing information about unknown persons. The controller had sent 51 e-mails with medical certificates, containing the names, surnames and medical test results of the data subjects, to the wrong recipient. The complainant had alerted the controller to the misdirected mailing several times, but the controller did not respond until it learned of the complaint to the DPA. The controller had not reported the data breach to the DPA. In the course of its investigation, the DPA found that the controller had failed to implement technical and organizational measures appropriate to the risk. The original fine of EUR 220,000 was reduced to EUR 132,000 due to voluntary payment and admission of responsibility.
Isle of Man Information Commissioner
Health Care
Manx Care Ltd
2022-07-13
€202,000.00
Non-compliance with general data processing principles
Art. 5 (1) c), f) GDPR
Art. 5 (2) GDPR
Art. 24 GDPR
Art. 25 GDPR
Art. 32 GDPR
Art. 34 GDPR
Art. 58 GDPR
The Isle of Man DPA has imposed a fine of EUR 202,000 on Manx Care Ltd. Manx Care had e-mailed an unsecured attachment containing a patient's confidential health information to more than 1,870 recipients. The DPA had subsequently issued an enforcement notice against Manx Care, but Manx Care failed to comply with the DPA's orders. As a result, the DPA decided to impose a fine on the company. The DPA primarily found that the company had failed to implement appropriate technical and organizational measures to protect personal data. The DPA also found that the company had violated the principle of data minimization under Art. 5 (1) c) GDPR by sending the patient's data to persons not involved in the patient's care. Finally, the DPA found that the company had not informed the data subject of the data breach.
AEPD
Spanish Data Protection Authority
Transportation and Energy
FREE SUN ENERGY S.L.
2022-07-12
€6,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine on FREE SUN ENERGY S.L. A customer of the company had filed a complaint with the DPA because, instead of their own invoice, they had received that of another customer, containing that customer's personal data. The original fine of EUR 10,000 was reduced to EUR 6,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Industry and Commerce
JOYPAZAR, S.A.
2022-07-12
€1,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,600 on JOYPAZAR, S.A. The company had installed video surveillance cameras which, among other things, also covered a public playground. The DPA considered this a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
SMART ELECTRIC SOLUTIONS, S.L.
2022-07-12
€800.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 800 on SMART ELECTRIC SOLUTIONS, S.L. The company had installed video surveillance cameras which, among other things, also covered public space. The DPA considered this a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of their data by the video surveillance system and had thus violated its duty to inform.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Health Care
Physician
2022-07-08
€1,500.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) GDPR
Art. 12 (2) GDPR
Art. 13 (1) GDPR
The Hungarian DPA has imposed a fine of EUR 1,500 on a physician. A patient had asked the doctor to send her complete medical records, such as imaging records as well as consent forms regarding her maternity care. However, the physician had not complied with this request.
CNIL
French Data Protection Authority
Transportation and Energy
UBEEQO INTERNATIONAL
2022-07-07
€175,000.00
Non-compliance with general data processing principles
Art. 5 (1) c), e) GDPR
Art. 12 GDPR
The French DPA (CNIL) has fined the company UBEEQO INTERNATIONAL EUR 175,000. The vehicle rental company had collected geolocation data from rented vehicles every 500 metres. The company stated that it collected the data to monitor the condition of the fleet, to locate vehicles in case of theft, and to assist customers in case of an accident, among other reasons. However, the DPA found that none of these purposes justified collecting geolocation data at that level of detail. For this reason, the DPA found a violation of the principle of data minimization under Art. 5 (1) c) GDPR. The DPA also found that the company had stored the vehicle data for an excessively long period: the data was kept for the duration of the business relationship with a customer and then for another three years after the end of the rental. In addition, personal data of users who had been inactive for more than eight years was still stored in the company's databases. The CNIL found that this retention constituted a violation of Art. 5 (1) e) GDPR. Finally, the DPA found that users were not adequately informed during registration on the company portal, and that the company had thus violated Art. 12 GDPR.
AEPD
Spanish Data Protection Authority
Real Estate
FINCAS ARENYS SL
2022-07-07
€1,800.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on FINCAS ARENYS SL. An individual had filed a complaint with the DPA. The individual had contacted the real estate company in order to rent a property. In doing so, the company had requested certain documents for the rental without, however, informing the data subject about the processing of their personal data as part of the rental process. The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and admission of responsibility.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
E Software Concept SRL
2022-07-07
€4,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2) GDPR
Art. 58 (1) a), e) GDPR
The Romanian DPA has imposed a fine of EUR 4,000 on E Software Concept SRL. The company had uploaded documents, including invoices and transport documents, to its website where they were publicly accessible. These documents contained numerous items of personal data such as name, surname, sender and recipient address, telephone number, user names and passwords, and e-mail addresses. During its investigation, the DPA found that the public disclosure had occurred because the company had failed to implement adequate technical and organizational measures to protect personal data. The DPA also found that the company had failed to comply with the DPA's requests for information during the investigation.
GARANTE
Italian Data Protection Authority
Health Care
Senseonics Inc.
2022-07-07
€45,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), f) GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 9 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 27 GDPR
The Italian DPA has imposed a fine of EUR 45,000 on Senseonics Inc. The company had reported a data breach to the DPA pursuant to Art. 33 GDPR, involving an employee accidentally sending an information campaign by email to a large number of recipients in an open distribution list. This made it possible for all recipients to view the email addresses of the other recipients. The recipients of the e-mails were diabetic patients, making it possible to obtain information about the health status of the data subjects via the e-mails. In the course of its investigation, the DPA also identified other privacy violations involving the glucose monitoring system produced by the company. By downloading the monitoring app, users were required to accept both the contractual terms of use and the content of the privacy policy with a single 'click.' This did not allow them to separately give their consent to the individual processing operations, including the processing of health data. Further, the DPA found that the company had violated the principles of fairness and transparency by providing users with confusing and sometimes erroneous information regarding the processing of personal data. In addition, the company failed to designate its representative in the European Union as the contact person for all data protection issues.
GARANTE
Italian Data Protection Authority
Finance, Insurance and Consulting
Intesa Sanpaolo Vita S.p.a.
2022-07-07
€20,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
The Italian DPA has fined Intesa Sanpaolo Vita S.p.a. EUR 20,000. The data subject, who had taken out a life insurance policy with the controller, had filed a complaint with the DPA against the controller for the unauthorized disclosure of their personal data. In the course of its investigation, the DPA found that the controller had disclosed personal data, such as first name, last name and information about the policy, to third parties without authorization. The unauthorized disclosure had occurred due to an employee's error.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2022-07-06
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for processing personal data without a sufficient legal basis. The data subject stated that unauthorized third parties had gained access to her Vodafone account, concluded a new contract in her name and purchased an iPhone 12. The DPA found that the controller had not adequately verified whether the contracts had actually and lawfully been concluded by the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA
2022-07-06
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 3,000 on ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA for the lack of a privacy policy on its website, in violation of Art. 13 GDPR.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Główny Geodeta Kraju
2022-07-06
€12,450.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Polish DPA has imposed a fine of EUR 12,450 on the Surveyor General of Poland (Główny Geodeta Kraju), the public cartography authority. The authority had suffered a data breach in which numerous land register numbers were visible on its website for more than 48 hours. A land register number makes it possible to determine a range of owner data, including first and last names, the names of the owners' parents and the address of the property. The authority had failed to report the breach to the DPA, which learned of the incident through media reports. The authority also failed to inform the data subjects of the incident. For these reasons, the DPA found that the controller had violated Art. 33 (1) GDPR and Art. 34 (1) GDPR.
UODO
Polish National Personal Data Protection Office
Health Care
University Hospital of the Medical University of Warsaw
2022-07-06
€2,120.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
Art. 34 GDPR
The Polish DPA has imposed a fine of EUR 2,120 on the University Hospital of the Medical University of Warsaw. The university hospital had suffered a data breach in which a patient had received a referral from a doctor that contained, among other things, personal data (name, address, etc.) of another patient. The DPA found that neither the doctor nor the hospital informed the patient or the DPA about the data breach.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-07-05
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the video surveillance and thus violated Art. 13 GDPR. The fine is made up of EUR 300 for a violation of Art. 5 (1) c) GDPR and EUR 300 for a violation of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2022-07-01
€500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a private individual EUR 500 for the unauthorized installation of a video surveillance camera on their property. The camera recorded public space and a neighboring property. The AEPD therefore found that the video surveillance violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2022-07-01
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a private individual EUR 300 for the unauthorized installation of a video surveillance camera on their property. The camera recorded public space and a neighboring property. The AEPD therefore found that the video surveillance violated the principle of data minimization.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Continental Automotive Romania SRL
2022-06-30
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 24 GDPR
Art. 32 (1) d) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Continental Automotive Romania SRL. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. The controller had discovered 135 unauthorized and improperly configured surveillance cameras on its premises, which, among other things, captured images of employees in the production area. These cameras were connected to unofficial and unprotected camera systems. For this reason, the DPA found that the controller had not taken appropriate technical and organizational measures to ensure the security of employees' personal data.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-06-30
€1,400.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
Art. 13 GDPR
The DPA of Luxembourg (CNPD) has imposed a fine of EUR 1,400 on a company. The controller had installed location sensors in a number of cars in its fleet, among other things to protect company assets, manage the fleet and optimize workflows. Some of the location data collected by the controller was stored for a year. The DPA stated that this was clearly excessive and not necessary for the purposes of the processing, and considered it a violation of the principle of storage limitation. In addition, the DPA found that the controller had not sufficiently informed data subjects about the processing of the location data and had thus violated its information obligations under Art. 13 GDPR.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-06-30
€1,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 12 (1), (7) GDPR
Art. 13 GDPR
The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company. The company had installed a video surveillance system that recorded both employees and third parties. During its investigation, the DPA found that the company had breached its information obligations under Art. 12 GDPR and Art. 13 GDPR.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-06-30
€1,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 12 (1), (7) GDPR
Art. 13 GDPR
The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company. The company had installed a video surveillance system that recorded both employees and third parties. During its investigation, the DPA found that the company had breached its information obligations under Art. 12 GDPR and Art. 13 GDPR.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Federazione Italiana Sommelier, Albergatori e Ristoratori
2022-06-30
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
Art. 6 (1) GDPR
The Italian DPA has imposed a fine of EUR 5,000 on Federazione Italiana Sommelier, Albergatori e Ristoratori. The federation had sent a protocol containing personal data of a member to all other members. The protocol revealed information about a disciplinary measure against the member concerned, although the measure was not yet legally binding and was later revoked. In addition, the disciplinary measure continued to be published on a cloud platform even after the measure was revoked.
HDPA
Hellenic Data Protection Authority
Health Care
Pediatric psychologist
2022-06-29
€3,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The Hellenic DPA has fined a pediatric psychologist EUR 3,000. The psychologist had not properly cooperated with the DPA during an investigation.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Company
2022-06-28
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a company. The company had requested various personal data from customers for appointment bookings. The DPA found that the controller failed to properly inform the data subjects about the processing of the data in accordance with Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
FLY FUT, S.L.
2022-06-28
€3,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 3,000 on FLY FUT, S.L., a company specializing in drone footage of soccer matches. A father had filed a complaint with the DPA because the company had filmed his underage daughter playing in a match at a local club without his consent. The DPA therefore found that the controller had processed the daughter's data without a valid legal basis.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2022-06-24
€180.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a store owner EUR 180 for failing to provide information signs about CCTV surveillance in the establishment.
HDPA
Hellenic Data Protection Authority
Public Sector and Education
Parliamentary election candidate
2022-06-24
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 11 Law 3471/2006
The Hellenic DPA has imposed a fine of EUR 2,000 on a parliamentary election candidate. A data subject had filed a complaint with the DPA after receiving unsolicited election advertising via SMS from the politician. The data subject had given their contact details to the politician, who was a minister before the election, but not for the purpose of election advertising. The politician had therefore processed the data for a purpose other than the one agreed, without the data subject having consented to or been informed of this. The data subject then requested the deletion of their data and an end to the SMS messages. The politician did not comply with this request, and the SMS messages continued to be sent.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A.
2022-06-23
€30,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine on CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A. Several media outlets, including the controller, had published an audio recording of a rape victim's testimony in court on their websites and on Twitter to report on the case, which had attracted a great deal of media attention. During its investigation, the DPA determined that the victim's right to privacy outweighed the controller's freedom of information: the audio recordings added no significant value to the reporting but severely compromised the victim's privacy. For this reason, the DPA found that the controller had violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
RADIO TELEVISION MADRID, S.A.
2022-06-23
€30,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine on RADIO TELEVISION MADRID, S.A. Several media outlets, including the controller, had published an audio recording of a rape victim's testimony in court on their websites and on Twitter to report on the case, which had attracted a great deal of media attention. During its investigation, the DPA determined that the victim's right to privacy outweighed the controller's freedom of information: the audio recordings added no significant value to the reporting but severely compromised the victim's privacy. For this reason, the DPA found that the controller had violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of responsibility.
CNIL
French Data Protection Authority
Transportation and Energy
TotalEnergies Electricité et Gaz France
2022-06-23
€1,000,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 14 GDPR
Art. 15 GDPR
Art. 21 GDPR
The French DPA has imposed a fine of EUR 1,000,000 on TotalEnergies Electricité et Gaz France. In its investigation, the DPA found that the controller had violated its information obligations under Art. 14 GDPR by failing to give data subjects sufficient information, during telephone contact, about the processing of their personal data for advertising purposes. In addition, the company did not comply with data subjects' requests to object to the processing of their personal data for advertising purposes. Furthermore, the controller did not respond to data subjects' requests in a timely manner, contrary to its obligation under Art. 12 GDPR.
DATATILSYNET
Danish Data Protection Authority
Media, Telecoms and Broadcasting
Gyldendal A/S
2022-06-22
€134,000.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
The Danish DPA has fined publisher Gyldendal A/S EUR 134,000. During its investigation, the DPA found that the company had kept the data of approximately 685,000 unsubscribed members of Gyldendal's book clubs longer than necessary. Instead of deleting the data of the deregistered book club members, Gyldendal kept the data in a database. The data of approximately 395,000 of the former members affected were kept for more than 10 years. In addition, the DPA found that Gyldendal did not have a procedure or guidelines for data deletion.
CNPD
National Commission for Data Protection
Employment
Company
2022-06-22
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA of Luxembourg (CNPD) has imposed a fine of EUR 3,000 on a company. The company had installed a video surveillance system to protect company property and staff. However, the cameras also continuously captured parts of employees' work areas. The DPA stated that the controller had thus violated the principle of data minimization under Art. 5 (1) c) GDPR. The DPA also found a violation of the information obligations set out in Art. 13 GDPR, as the company had not properly informed its employees about the video surveillance.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
SC Interactions Marketing SRL
2022-06-20
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on SC Interactions Marketing SRL. The controller had sent advertising messages by e-mail to several people on behalf of another company. One of the recipients had filed a complaint with the DPA due to the fact that the controller had sent the advertising messages in an open distribution list, making the email addresses of all recipients visible to the other recipients.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Real Estate
Asociația de Proprietari Aviației Park
2022-06-20
€7,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c), e) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
The Romanian DPA has fined Asociația de Proprietari Aviației Park, operator of a residential facility, EUR 7,000. The controller had processed personal data (surname, first name, ID number and series, destination, arrival time, departure time, remarks) of delivery persons and/or couriers without a valid legal basis. In addition, the DPA found that the controller did not sufficiently inform the data subjects about the processing of their personal data. Furthermore, the DPA found that the controller did not establish a retention period for the personal data processed by a video surveillance system and kept them longer than necessary.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
WIND Ελλάς Τηλεπικοινωνίες ΑΕΒΕ
2022-06-20
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
The Hellenic DPA has fined WIND Ελλάς Τηλεπικοινωνίες ΑΕΒΕ EUR 2,000. A customer of the company had sent an email requesting access to the footage recorded by the store's cameras on which they appeared. The data subject never received a response to this request. Only when the authority asked for a response did the controller reply that the data subject's request could not be fulfilled because the recorded material had been deleted. The DPA considered this to be a violation of Art. 15 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Company
2022-06-17
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a company EUR 1,000 for failing to provide information signs about CCTV surveillance in its premises.
APD
Belgian Data Protection Authority
Media, Telecoms and Broadcasting
SA Rossel & Cie
2022-06-16
€50,000.00
Insufficient legal basis for data processing
Art. 6 (1) a) GDPR
Art. 7 (1) GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
Art. 14 GDPR
The Belgian DPA has imposed a fine of EUR 50,000 on the media company SA Rossel & Cie. During its investigation, the DPA found GDPR violations on three websites operated by the company. For instance, the company had placed non-essential cookies without the consent of website visitors. The company also treated a visit to its other websites as consent to further cookie placement on those pages. In addition, the consent boxes for third-party cookies were pre-ticked. Furthermore, the cookie policy was incomplete and difficult for visitors to access. Finally, the DPA found that the company continued to place new cookies after users had revoked their cookie consent.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
SCOTCH CORNER BAR
2022-06-16
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 58 (2) GDPR
The Spanish DPA has fined the bar operator SCOTCH CORNER BAR EUR 1,000. The controller had installed a CCTV system which also covered parts of the public space. Furthermore, the controller failed to provide the DPA with the information it requested.
GARANTE
Italian Data Protection Authority
Employment
Unicredit S.p.A.
2022-06-16
€70,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 15 GDPR
The Italian DPA has fined Unicredit S.p.A. EUR 70,000. An employee had filed a complaint with the DPA claiming that their right to access their personal data had not been sufficiently respected. The company required a specific form to be filled out in order to gain access to personal data. During its investigation, the DPA found that the requirement to fill out the form made it disproportionately difficult to exercise the right of access.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Federazione Italiana Nuoto
2022-06-16
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3), (4) GDPR
Art. 15 GDPR
The Italian DPA (Garante) fined Federazione Italiana Nuoto EUR 2,000 for failing to respond to the data subject's request for access to their data in a timely manner.
GARANTE
Italian Data Protection Authority
Finance, Insurance and Consulting
Deutsche Bank S.p.A.
2022-06-16
€20,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 15 GDPR
The Italian DPA (Garante) fined Deutsche Bank S.p.A. EUR 20,000 for failing to respond to a data subject's request for access to their data in a timely manner.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
S.C. Wine Point S.R.L.
2022-06-15
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on S.C. Wine Point S.R.L. A data subject had filed a complaint with the DPA after receiving an advertising e-mail from the controller whose distribution list exposed the e-mail addresses of 810 other persons, as well as their own, to all recipients. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to ensure the confidentiality of the personal data processed.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-06-09
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Use of a CCTV camera that also captured a neighbour's private property and public space.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-06-09
€10,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has fined a private individual EUR 10,000. The individual had created a humiliating and discriminatory video of three siblings based on their skin color, and shared it on her Instagram profile as well as on WhatsApp.
ICO
Information Commissioner
Public Sector and Education
Tavistock & Portman NHS Foundation Trust
2022-06-09
€91,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The UK DPA (ICO) has fined the Tavistock and Portman NHS Foundation Trust EUR 91,000. The Tavistock and Portman NHS Foundation Trust is a mental health specialist trust located in London. In early September 2019, the trust wanted to run a contest asking patients at the adult gender identity clinic to provide artwork to decorate a renovated clinic building. For this, two emails were inadvertently sent with an open distribution list (one to 912 recipients and the second to 869 recipients). It was clear from the content of the email that all recipients were patients of the clinic. The trust immediately recognized the error and unsuccessfully attempted to recall the emails. As part of its investigation, the ICO determined that the trust had no technical or organizational measures in place to prevent or mitigate this highly predictable human error. The ICO rated the harm to affected individuals as high, given that information about an individual's relationship with a gender identity clinic is very sensitive personal information. Due to the immediate implementation of security measures and extensive cooperation with the ICO, the fine was reduced from EUR 910,000 to EUR 91,000.
GARANTE
Italian Data Protection Authority
Finance, Insurance and Consulting
Cribis Credit Management s.r.l.
2022-06-09
€10,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
The Italian DPA has fined Cribis Credit Management s.r.l. EUR 10,000. The company had inadvertently sent an e-mail about late payments on a subscription to the data subject's superior. This allowed the superior to access their employee's personal data, such as name, surname and payment status.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Wens Experience SRL
2022-06-08
€1,500.00
Insufficient data processing agreement
Art. 28 (2) GDPR
The Romanian DPA has imposed a fine of EUR 1,500 on Wens Experience SRL. In the course of its investigation, the DPA found that Wens Experience, while acting as a processor on behalf of the controller, had engaged another processor to process employee data without obtaining the controller's prior authorization. This constitutes a violation of Art. 28 (2) GDPR.
UODO
Polish National Personal Data Protection Office
Industry and Commerce
Esselmann Technika Pojazdowa Sp. z o.o. Sp. k.
2022-06-06
€3,500.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
The Polish DPA has fined Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. EUR 3,500. The controller had suffered a data breach in which a certificate of employment containing an employee's personal data was lost. The controller failed to report this data breach to the DPA and thus violated Art. 33 GDPR.