A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Kaufland Romania SCS
2022-06-03
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 29 GDPR
Art. 32 (1) b) GDPR
Art. 32 (2), (4) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Kaufland România SCS. The controller had reported two data breaches to the DPA pursuant to Art. 33 GDPR.
An employee who processed a complaint had not followed the internal procedure for handling complaints, allowing a security guard to view and misuse the complainant's data.
In addition, the controller had mistakenly forwarded the data in a customer order form to an unauthorized third party. This led to the disclosure of personal data (first name, last name, e-mail address, telephone number) of the affected Kaufland customer.
For this reason, the DPA found that the controller had not taken appropriate technical and organizational measures to ensure the protection and security of personal data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2022-06-03
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a store owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-06-03
€360.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 360 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
AEPD
Spanish Data Protection Authority
Accomodation and Hospitalty
LODEJU, S.L.
2022-06-03
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on the restaurant operator LODEJU, S.L.. The controller had installed video surveillance cameras in its premises which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-06-01
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Usage of CCTV camera that was also capturing foreign private space of a neighbour and the public space.
AEPD
Spanish Data Protection Authority
Accomodation and Hospitalty
CORON ISLAND SLU
2022-05-31
€1,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 1,600 on CORON ISLAND SLU. A customer had filed a complaint with the DPA against the restaurant. The customer had asked for a bill in her name after a meal. However, the manager explained that an invoice could only be issued if the customer provided her telephone number. The DPA considered this to be a violation of the principle of data minimization.
UODO
Polish National Personal Data Protection Office
Health Care
Stołeczny Ośrodek dla Osób Nietrzeźwych
2022-05-31
€2,100.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
The Polish DPA has imposed a fine of EUR 2,100 on 'Stołeczny Ośrodek dla Osób Nietrzeźwych', a center for people suffering from alcoholism. During its investigation, the DPA found that video surveillance cameras were installed at the facility. The surveillance system recorded both images and sound of the residents. The facility justified the video surveillance system on the basis of purposes related to the safety and health of alcohol-impaired individuals. However, the DPA concluded that these purposes did not constitute a sufficient legal basis and that the center unlawfully processed the residents' personal data.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Sanitaria Locale Roma
2022-05-26
€46,000.00
Insufficient legal basis for data processing
Art. 5 (1) c) GDPR
Art. 6 (1) c), d) GDPR
Art. 6 (2), (3) GDPR
Art. 9 (1), (2), (4) GDPR
Art. 2-ter (1), (2) Codice della privacy
Art. 2-septies (8) Codice della privacy
The Italian DPA has fined Azienda Sanitaria Locale Roma EUR 46,000.
The healthcare facility had published the names and health information of 1337 patients on its website. In most cases, this involved the health records of the data subjects, including medical documents, disability assessments, tests, technical reports, etc....
In this context, the DPA found that the healthcare institution had processed the data unlawfully as well as violated principle of data minimization.
GARANTE
Italian Data Protection Authority
Finance, Insurance and Consulting
Intesa Sanpaolo S.p.A
2022-05-26
€100,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), f) GDPR
Art. 6 GDPR
The Italian DPA has imposed a fine of EUR 100,000 on Intesa Sanpaolo S.p.A.. The bank had unlawfully disclosed data of the data subject to unauthorized third parties (the father of the data subject ). The data subject's father, a former employee of the bank, had been authorized to access his daughter's bank data until she reached the age of majority. However, the father had demanded access to his daughter's data, who in the meantime had already reached the age of majority. An employee of the bank suspected that the father still had authorization and for this reason passed on the daughter's data.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Turkish City
2022-05-26
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Italian DPA has fined the owner of the store 'Turkish City' EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR.
GARANTE
Italian Data Protection Authority
Employment
Afragola municipality
2022-05-26
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 12 (3), (4) GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 10,000 on Afragola municipality. A former employee of the municipality had filed a complaint with the DPA because the municipality had published his resume with personal data on the municipality's website, even though the employment relationship had ended. In addition, the former employee had filed a request to object to the disclosure of his personal data. However, the municipality had not responded to the request.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Region of Tuscany
2022-05-26
€16,000.00
Insufficient legal basis for data processing
Art. 5 (1) c) GDPR
Art. 6 (1) c) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
Art. 2-ter (1), (3) Codice della privacy
The Italian DPA has imposed a fine of EUR 16,000 on the Region of Tuscany. The region had published documents on its website containing information on professionals from the tourism sector who had applied for emergency aid in the context of the covid-19 pandemic. The documents showed, among other things, the name, address of the data subjects as well as the amount of aid granted.
GARANTE
Italian Data Protection Authority
Employment
Università Agraria di Nettuno
2022-05-26
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 4,000 on the Università Agraria di Nettuno. A former employee of the university had filed a complaint with the DPA due to the fact that the university published a document that contained his personal data. The document revealed information relating to a legal dispute between the data subject and the university. During its investigation, the DPA found that in the absence of a valid legal basis, the publication was unlawful.
GARANTE
Italian Data Protection Authority
Health Care
Azienda sanitaria universitaria Friuli Centrale
2022-05-26
€70,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a), f) GDPR
Art. 9 GDPR
Art. 25 GDPR
Art. 32 GDPR
The Italian DPA imposed a fine of EUR 70,000 on the healthcare facility Azienda sanitaria universitaria Friuli Centrale. Employees of the healthcare facility had accessed patients' health data even though they were not involved in the treatment of the patients and such access was not required. During its investigation, the DPA found that the healthcare facility's IT platform allowed any employee to access patients' personal data, even if they did not actually treat certain patients. In addition, the DPA found that the health care facility's IT platform did not install systems that indenfied improper use of the personal data.
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a), f) GDPR
Art. 9 GDPR
Art. 25 GDPR
Art. 32 GDPR
The Italian DPA imposed a fine of EUR 50,000 on the healthcare facility Azienda sanitaria universitaria Friuli Occidentale. Employees of the healthcare facility had accessed patients' health data even though they were not involved in the treatment of the patients and such access was not required. During its investigation, the DPA found that the healthcare facility's IT platform allowed any employee to access patients' personal data, even if they did not actually treat certain patients. In addition, the DPA found that the health care facility's IT platform did not install systems that indenfied improper use of the personal data.
APD
Belgian Data Protection Authority
Media, Telecoms and Broadcasting
Roularta Media Group
2022-05-25
€50,000.00
Insufficient legal basis for data processing
Art. 5 (1) e) GDPR
Art. 5 (2) GDPR
Art. 6 (1) a) GDPR
Art. 7 (1), (3) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 24 GDPR
The Belgian DPA has imposed a fine of EUR 50,000 on Roularta Media Group. As part of its investigation, the DPA found that the cookie management on two websites operated by Roularta did not comply with the GDPR. In order to use cookies, controllers must obtain prior consent from the user, except in cases where the cookies are strictly necessary for website operation. The DPA found that consent to the processing of personal data through cookies on websites operated by Roularta was not valid, as not all necessary conditions were met. As such, about 60 cookies that were not required had been placed by the websites on visitors' devices even before they had given their consent. Roularta had also failed to sufficiently inform users about cookies. In addition, the boxes for consent to the placement of cookies by third parties were checked in advance, although users must always actively consent. In addition, the DPA found that users could not revoke their consent to cookie placement as easily as they had given it.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Direzione Didattica Statale 1° Circolo-Eboli
2022-04-28
€1,500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 2-ter Codice della privacy
Art. 2-sexies Codice della privacy
The Italian DPA has imposed a fine of EUR 1,500 on the school 'Direzione Didattica Statale 1° Circolo-Eboli'. The educational institution had sent a document containing the names of all teachers and students, as well as health data of some students, to all teachers and parents, without distinguishing that teachers and parents receive only the information about students that concerns them.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Amiu S.p.A.
2022-04-28
€200,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 28 GDPR
Art. 37 GDPR
The Italian DPA has imposed a fine of EUR 200,000 on Amiu S.p.A.. The company operates the waste collection service for the city of Taranto and acted as a processor for this service. The company had installed several video surveillance cameras for the purpose of monitoring illegal waste disposal. The DPA found that Amiu had posted some images from the cameras on Facebook, showing individuals sufficiently visible making it possible to identify them. During its investigation, the DPA found that Amiu did not have a valid legal basis to publish the images. It also found that the processing was not sufficiently regulated, contrary to the requirements of Art. 28 GDPR. Finally, the DPA found that Amiu had not appointed a data protection officer.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Tarento municipality
2022-04-28
€150,000.00
Insufficient fulfilment of information obligations
Art. 5 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 28 GDPR
Art. 35 GDPR
The Italian DPA has imposed a fine of EUR 150,000 on Tarento municipality. The company Amiu S.p.A had operated the local waste collection service on behalf of the municipality. The company had installed several video surveillance cameras with the permission of the municipality to monitor illegal waste disposal. The DPA found that Amiu had posted some images from the cameras on Facebook, showing individuals sufficiently visible making it possible to identify them. During its investigation, the DPA also found that the municipality had not properly regulated the processing with Amiu S.p.A. In addition, the DPA found that the municipality had not provided sufficient information about the video surveillance cameras. The municipality also failed to conduct a data protection impact assessment regarding the installation of the cameras, which would have been necessary for such a large-scale systematic surveillance.
Cypriot Data Protection Commissioner
Public Sector and Education
Oroklini Municipal Council
2022
€2,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The Cypriot DPA has fined the Oroklini Municipal Council EUR 2,000 for not properly cooperating with the DPA during an investigation.
Cypriot Data Protection Commissioner
Finance, Insurance and Consulting
Universal Life Insurance Public Co Ltd.
2022
€3,500.00
Insufficient data processing agreement
Art. 24 (1) GDPR
Art. 28 (1) GDPR
The Cypriot DPA has imposed a fine of EUR 3,500 on Universal Life Insurance Public Co Ltd. The processor of the data controller had suffered a data breach in which personal data of customers were mistakenly disclosed to other customers. During its investigation, the DPA found that the controller had failed to contractually regulate the relationship with its processor. The DPA concluded that the controller had contracted a processor without ensuring that the processor provided sufficient guarantees for the implementation of appropriate technical and organizational measures to protect personal data.
Cypriot Data Protection Commissioner
Industry and Commerce
PRINTAFORM Ltd.
2022
€3,750.00
Insufficient technical and organisational measures to ensure information security
Art. 28 (3) GDPR
Art. 32 (1) GDPR
The Cypriot DPA has imposed a fine of EUR 3,750 on PRINTAFORM Ltd. PRINTAFORM, which worked as a processor for Universal Life Insurance Public Co Ltd, had suffered a data breach in which personal data of customers was mistakenly disclosed to other customers. According to the DPA, the data breach was caused by PRINTAFORM's lack of technical and organizational measures to protect personal data.
Cypriot Data Protection Commissioner
Finance, Insurance and Consulting
Bank of Cyprus Public Company Ltd.
2022
€17,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 24 (1) GDPR
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 17,000 on Bank of Cyprus Public Company Ltd. In the context of a sale of credit facilities, the bank had inadvertently transferred data of customers whose credit facilities had not been sold to the buyer. The incidents affected approximately 11,673 records and 5,500 individuals. The DPA found that the bank had failed to implement sufficient technical and organizational measures to protect personal data.
Cypriot Data Protection Commissioner
Transportation and Energy
Cyprus Electricity Authority
2022
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 24 (1) GDPR
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 17,000 on Bank of Cyprus Public Company Ltd. In the context of a sale of credit facilities, the bank had inadvertently transferred data of customers whose credit facilities had not been sold to the buyer. The incidents affected approximately 11,673 records and 5,500 individuals. The DPA found that the bank had failed to implement sufficient technical and organizational measures to protect personal data.
Cypriot Data Protection Commissioner
Public Sector and Education
Cypriot Ministry of Defense
2022
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 24 GDPR
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 5,000 on the Cypriot Ministry of Defense. The controller had suffered a cyber attack which, according to the DPA, had been caused due to a lack of technical and organizational measures for the protection of personal data and a lack of supervision of a processor.
Cypriot Data Protection Commissioner
Industry and Commerce
DW Dynamic Works LIMITED
2022
€7,500.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 7,500 on DW Dynamic Works LIMITED. The controller operated as a processor for the Cypriot Ministry of Denfese. The minsitry had suffered a cyberattack which, according to the DPA, was caused, among other things, by Dynamic Works' lack of technical and organizational measures to protect personal data.
Data Protection Authority of Baden-Wuerttemberg
Health Care
Pharmacy
2022
€6,500.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The DPA of Baden-Württemberg imposed a fine of EUR 6,500 on a pharmacy. The pharmacy had disposed of a large number of personal documents, including diagnoses and medical prescriptions of data subjects, in trash containers that were accessible to other people.
Data Protection Authority of Baden-Wuerttemberg
Employment
Company
2022
€20,000.00
Unknown
Unknown
The DPA from Baden-Württemberg has imposed a fine of EUR 20,000 on a company. The company had developed a new office plan that took into account the vaccination status of its employees. For information purposes, the office plan showing the new occupancy was sent to the employees. Each employee was assigned a color (green, yellow or red) depending on their vaccination status. The DPA found that the color system allowed the disclosure of the vaccination status of all employees and was therefore unlawful.
Data Protection Authority of Baden-Wuerttemberg
Accomodation and Hospitalty
Restaurant
2022
€500.00
Unknown
Unknown
The DPA from Baden-Württemberg imposed a fine of EUR 500 on a restaurant. The owner had disposed of a large quantity of Covid contact forms in the forest.
Data Protection Authority of Baden-Wuerttemberg
Finance, Insurance and Consulting
Debt collection company
2022
€NaN
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 14 (1), (2) GDPR
The DPA from Baden-Württemberg has imposed a fine on a debt collection company. The debt collection company had received investor information from an employee of an insolvent company, which it used to offer its services to assist the affected investors with insolvency claims. However, the DPA found that the company had processed the data without the required legal basis. In addition, the debt collection company failed to provide the data subjects with necessary information, such as the origin of their data.
CNIL
French Data Protection Authority
Media, Telecoms and Broadcasting
Google LLC
2021-12-31
€90,000,000.00
Insufficient legal basis for data processing
Art. 82 loi Informatique et Libertés
On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 90,000 on GOOGLE LLC.
The CNIL received several complaints regarding the manner in which cookies could be refused on the websites of google.fr and youtube.com.
The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them.
From this, the CNIL concluded that users would accept the deposit of cookies out of convenience with more frequency. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms.
In determining the fine, the fact that a large number of people were affected was taken into account in an aggravating manner. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies.
The CNIL also pointed to the fact that the authority had already alerted the GOOGLE companies to this breach in February 2021.
In addition to the fine, the CNIL issued an order requiring the company to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, companies would face the payment of a penalty of EUR 100,000 per day of delay.
CNIL
French Data Protection Authority
Media, Telecoms and Broadcasting
Google Ireland Ltd.
2021-12-31
€60,000,000.00
Insufficient legal basis for data processing
Art. 82 loi Informatique et Libertés
On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 60,000 on Google Ireland Ltd.
The CNIL received several complaints regarding the manner in which cookies could be refused on the websites of google.fr and youtube.com.
The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them.
From this, the CNIL concluded that users would accept the deposit of cookies out of convenience with more frequency. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms.
In determining the fine, the fact that a large number of people were affected was taken into account in an aggravating manner. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies.
The CNIL also pointed to the fact that the authority had already alerted the GOOGLE companies to this breach in February 2021.
In addition to the fine, the CNIL issued an order requiring the company to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, companies would face the payment of a penalty of EUR 100,000 per day of delay.
CNIL
French Data Protection Authority
Media, Telecoms and Broadcasting
Facebook Ireland Ltd.
2021-12-31
€60,000,000.00
Insufficient legal basis for data processing
Art. 82 loi Informatique et Libertés
On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 60,000 on Facebook Ireland Ltd.
The CNIL received several complaints regarding the manner in which cookies could be refused on the website of Facebook.com.
The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather, several clicks were required to reject all cookies, in contrast to a single click to accept them.
From this, the CNIL concluded that users would accept the deposit of cookies out of convenience with more frequency. It considered that the design of the cookie deposit interferes with the freedom of consent of Internet users and constitutes a violation of Art. 82 of the French Law on Informatics and Freedoms.
In determining the fine, the fact that a large number of people were affected was taken into account in an aggravating manner. In addition, the CNIL took into account the significant profits that the companies were able to make from the advertising revenue generated indirectly from the data collected through cookies.
The CNIL also pointed to the fact that the authority had already alerted the the company to this breach in February 2021.
In addition to the fine, the CNIL issued an order requiring the companies to provide Internet users in France with a way to reject cookies as easily as they can accept them, within three months of being notified of the decision. Otherwise, companies would face the payment of a penalty of EUR 100,000 per day of delay.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
PLUS REAL ADVERTISEMENT
2021-12-31
€25,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 14 GDPR
Art. 11 Law 3471/2006
The Hellenic DPA has imposed a fine of EUR 25,000 on PLUS REAL ADVERTISEMENT. The controller had conducted advertising calls without the consent of the data subjects. In addition, it did not properly inform the data subjects about the processing of their personal data, thereby violating its information obligations.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
INFO COMMUNICATION SERVICES
2021-12-31
€30,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 14 GDPR
Art. 11 Law 3471/2006
The Hellenic DPA has imposed a fine of EUR 30,000 on INFO COMMUNICATION SERVICES. The controller had conducted advertising calls without the consent of the data subjects. In addition, it did not properly inform the data subjects about the processing of their personal data, thereby violating its information obligations.
HDPA
Hellenic Data Protection Authority
Public Sector and Education
Greek Ministry of Tourism
2021-12-29
€75,000.00
Insufficient technical and organisational measures to ensure information security
Art. 13 GDPR
Art. 32 GDPR
Art. 33 GDPR
Art. 37 GDPR
The Hellenic DPA has imposed a fine of EUR 75,000 on the Greek Ministry of Tourism. A data breach had occurred at the authority. According to the DPA, an attempt by a citizen to enter his or her credentials on the authority's online platform resulted in the display of someone else's credentials, including full name, tax number, social security number, postal address, phone number, email address, and fields indicating a disability. The DPA found that the ministry failed to implement adequate technical and organizational measures to secure personal data.
The ministry failed to report the incident to the DPA. The DPA considered this to be a violation of Article 33 of the GDPR.
The DPA's investigation also found that the Ministry of Tourism had not appointed a data protection officer, even though an email address of the authority's data protection officer was provided on the above-mentioned platform for communication with users of the platform. This email address, as it turned out, was not active.
AEPD
Spanish Data Protection Authority
Industry and Commerce
VENTANAS MAKE YOURSELF, S.L.
2021-12-28
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The corporate website did not present a privacy policy on its main page.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
REAL CLUB NÁUTICO DE RIBADEO
2021-12-28
€6,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on REAL CLUB NÁUTICO DE RIBADEO. The controller had uploaded links to court decisions containing personal data of the data subject on its website and Facebook page.
CNIL
French Data Protection Authority
Finance, Insurance and Consulting
SLIMPAY
2021-12-28
€180,000.00
Insufficient technical and organisational measures to ensure information security
Art. 28 GDPR
Art. 32 GDPR
Art. 34 GDPR
The French DPA (CNIL) has imposed a fine of EUR 180,000 on the payment institution SLIMPAY.
In 2015, SLIMPAY conducted an internal research project in which it processed personal data in its databases. When the research project ended in July 2016, the data remained stored on a server, without any security measures and freely accessible on the Internet. The data breach affected about 12 million people.
During its investigation, the CNIL found that the company had failed to implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk to data subjects. Thus, the server access was not subject to any security measures, so that it was possible to access it via the Internet between November 2015 and February 2020
In addition, the DPA found that the company had failed to inform the data subjects about the data breach.
The CNIL also found that in several cases, contracts the company had concluded with processors were inadequately drafted, as they did not include certain envisaged clauses obliging the processors to process personal data in accordance with the requirements of the GDPR.
CNIL
French Data Protection Authority
Media, Telecoms and Broadcasting
FREE MOBILE
2021-12-28
€300,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 15 GDPR
Art. 21 GDPR
Art. 25 GDPR
Art. 32 GDPR
The French DPA (CNIL) has imposed a fine of EUR 300,000 on FREEE MOBILE.
The CNIL had received numerous complaints regarding the company's failure to comply with data subjects' rights.
During its investigation, the CNIL found that the company had failed to respond to data subjects' requests in a timely manner. In addition, the company failed to comply with the data subjects' right to object, as it continued to send advertisements to the data subjects despite them having exercised their right to object.
In addition, the CNIL found that the company had failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. For example, it had sent users passwords by email in clear text.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Call shop manager
2021-12-28
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on the manager of a call shop. In the context of a job vacancy, the manager had set up a stand where applicants could submit their application documents for a fee of one euro. In this context, the manager did not properly inform the data subjects about the processing of their personal data as required by Art. 13 GDPR.
Deputy Data Protection Ombudsman
Health Care
Medical clinic
2021-12-26
€5,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 12 (1), (2), (3), (4) GDPR
Art. 13 (1), (2) GDPR
Art. 15 (1), (3) GDPR
Art. 25 GDPR
The Finnish DPA has fined a medical clinic EUR 5,000.
A customer of the clinic had complained to the DPA that he had not received access to his medical records from the clinic following a request for information.
In addition, the clinic failed to adequately inform its clients about the processing of personal data. Specifically, the DPA points out that the clinic did not inform its clients about the extent to which it was acting as a data controller for patient data generated by its activities.
AEPD
Spanish Data Protection Authority
Accomodation and Hospitalty
LA OFICINA BAR
2021-12-23
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined LA OFICINA BAR. The bar operated a video surveillance system in which the observation angle of the cameras extended into the public traffic area. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Sfam España General s.l.
2021-12-22
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Sfam España General s.l.. A data subject had filed a complaint with the DPA against the controller for charging her several services that she had not ordered.
AEPD
Spanish Data Protection Authority
Industry and Commerce
HUBSIDE IBÉRICA S.L.
2021-12-22
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 HUBSIDE IBÉRICA S.L.. A data subject had filed a complaint with the DPA against the controller for charging her several services that she had not ordered.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
FUNDACION ESPANOLA DE MEDICINA ESTETICA Y LONGEVIDAD
2021-12-21
€2,000.00
Insufficient fulfilment of information obligations
Art. 7 GDPR
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on FUNDACION ESPANOLA DE MEDICINA ESTETICA Y LONGEVIDAD. The DPA criticized that the data protection notice of the controller did not comply with the requirements of the GDPR. Thus, the information required under Art. 13 GDPR was not sufficiently provided. In addition, the data protection notice did not provide an adequate opportunity to give consent to data processing.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2021-12-21
€6,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 6,000 on a private individual. The person had shared a video on Twitter showing images of a sexual assault by a man on a woman. The purpose of sharing the video was to draw attention to domestic violence against women. The DPA considers the sharing to be unlawful. Even though the person may have had a legitimate interest in sharing the video, the victim's right to privacy prevails.
CNPD
Portuguese Data Protection Authority
Public Sector and Education
Lisbon City Council
2021-12-21
€1,250,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c), e) GDPR
Art. 6 GDPR
Art. 9 (1) a) GDPR
Art. 13 (1), (2) GDPR
Art. 35 (3) GDPR
The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines from various violations committed by the municipality since 2018.
The municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of the demonstrations. The data revealed, among other things, the political opinion , religious or philosophical beliefs or sexual orientation of the data subjects. The DPA found that the transfer of the data would not have been necessary for the entities to properly perform their public tasks. Thus, the processing took place without a sufficient legal basis. In addition, the DPA found that the municipality had carried out the processing without informing the data subjects, without establishing a policy for the retention of their personal data, and without conducting a data protection impact assessment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2021-12-17
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a private individual EUR 2,000. The data controller had installed video cameras in such a way that they could record images of the public space and the entrance to a residential building. The AEPD considered this a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Online retailer
2021-12-17
€2,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on an online retailer. The data subject bought a product from the controller's online store via eBay and paid with Paypal. However, he received the order via Amazon. Since the data subject had not consented to the transfer of his data to Amazon, the DPA concluded that the controller had processed the data unlawfully.
