
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Columns: Data Protection Authority | Name | Fined Company | Fine | Violation | Description | Link
Each record below lists, in order: DPA abbreviation, DPA name, sector, fined company, decision date, fine, violation type, articles cited, description.
DATATILSYNET
Norwegian Supervisory Authority
Transportation and Energy
T. Stene Transport AS
2021-12-17
€3,900.00
Unknown
Unknown
The Norwegian DPA has fined T. Stene Transport AS EUR 3,900 due to an unfair credit check on a data subject.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
CLUB DEPORTIVO RITMO DE ANDALUCÍA
2021-12-17
€4,000.00
Insufficient fulfilment of information obligations
Art. 7 GDPR
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on CLUB DEPORTIVO RITMO DE ANDALUCÍA. The DPA criticized that the data protection notice of the controller did not comply with the requirements of the GDPR. Thus, the information required under Art. 13 GDPR was not sufficiently provided. In addition, the data protection notice did not provide an adequate opportunity to give consent to data processing.
GARANTE
Italian Data Protection Authority
Health Care
ASL Latina
2021-12-17
€10,000.00
Insufficient legal basis for data processing
Art. 5 (1) f) GDPR
Art. 6 GDPR
Art. 9 GDPR
The Italian DPA (Garante) fined ASL Latina EUR 10,000. The controller had mistakenly sent documents containing health data of the data subject to an uninvolved third party.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2021-12-16
€1,200.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a private individual EUR 1,200 for failing to provide sufficient information about a video surveillance system installed at their property.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Municipality of Frederiksberg
2021-12-16
€13,450.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA has fined the municipality of Frederiksberg EUR 13,450. On March 1, 2021, the municipality reported a data breach under Art. 33 GDPR. The municipality's dental care service had operated a system through which parents could access their children's dental care letters online. The municipality then extended this access to parents with joint custody. As a result, in several cases, parents gained access to information about the other parent and the child's address, even though the affected parent and child were registered with name and address protection. The DPA considered this to be a breach of the municipality's duty to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects.
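The Frederiksberg case is an authorization bug rather than a network one: access to an existing view was widened to a second custodian without re-deciding, field by field, what that new viewer is entitled to see. The code below is an added example and is not the municipality's system or anything from the decision; it models the portal as a pure function so the weak and the corrected projection can be run side by side. The record shapes, the `resides_with` field and the sample family are all constructed assumptions.

```python
"""Added example (not from the Danish DPA decision or the municipality's
portal): a per-field authorization filter for a 'dental letters' view that
was extended from one custodial parent to both parents with joint custody.
Record shapes and sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    address: str
    protected: bool = False  # name-and-address protection flag from the civil register


@dataclass(frozen=True)
class DentalLetter:
    child: Person
    addressed_to: Person          # the parent the letter was originally sent to
    resides_with: str             # person_id of the parent the child is registered with (assumed field)
    custodians: Tuple[str, ...]   # person_ids of all parents holding custody
    body: str


REDACTED = "[address protected]"


def legacy_render(letter: DentalLetter, viewer_id: str) -> Dict[str, str]:
    """The shape of the reported failure: access was widened to the second
    custodian, but the view was not re-evaluated, so every field the original
    recipient could see is shown to any custodian, protection flag or not."""
    if viewer_id not in letter.custodians:
        raise PermissionError("no custody")
    return {
        "child_name": letter.child.name,
        "child_address": letter.child.address,
        "addressed_to_name": letter.addressed_to.name,
        "addressed_to_address": letter.addressed_to.address,
        "body": letter.body,
    }


def render_for(letter: DentalLetter, viewer_id: str) -> Dict[str, str]:
    """Project a letter for one viewer, deciding each field separately.

    - Only custodians may see the letter at all.
    - The child's address is shown only if the child has no protection, or the
      viewer is the parent the child is registered with (who already holds it).
    - The other parent's identity and address are never part of the view; a
      viewer gets their own contact details echoed back and nobody else's.
    """
    if viewer_id not in letter.custodians:
        raise PermissionError(f"{viewer_id} holds no custody for {letter.child.person_id}")

    child_addr_visible = (not letter.child.protected) or viewer_id == letter.resides_with
    view = {
        "child_name": letter.child.name,
        "child_address": letter.child.address if child_addr_visible else REDACTED,
        "body": letter.body,
    }
    if viewer_id == letter.addressed_to.person_id:
        view["addressed_to_name"] = letter.addressed_to.name
        view["addressed_to_address"] = letter.addressed_to.address
    return view


# Constructed sample: parent A and the child are registered with protection;
# parent B holds joint custody and lives elsewhere.
PARENT_A = Person("p-a", "A. Jensen", "Secret Street 1", protected=True)
PARENT_B = Person("p-b", "B. Jensen", "Other Road 9")
CHILD = Person("c-1", "C. Jensen", "Secret Street 1", protected=True)
LETTER = DentalLetter(CHILD, PARENT_A, resides_with="p-a",
                      custodians=("p-a", "p-b"), body="Reminder: check-up on 3 March.")

if __name__ == "__main__":
    print("legacy view for parent B:", legacy_render(LETTER, "p-b"))
    print("fixed view for parent B: ", render_for(LETTER, "p-b"))
```

The point of keeping `render_for` a pure function of (letter, viewer) is that the access decision is testable without the portal: any change to who may log in is forced through the same per-field rules, which is exactly the step the widened access skipped.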
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Banco Bilbao Vizcaya Argentaria S.A.
2021-12-16
€60,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 60,000 on Banco Bilbao Vizcaya Argentaria S.A. A data subject filed a complaint with the DPA because the controller repeatedly sent him SMS messages about non-payments, although he had no contractual relationship with the controller. The controller stated that the unsolicited SMS messages were sent due to human error on the part of its employees. The original fine of EUR 100,000 was reduced to EUR 60,000 due to voluntary payment and admission of guilt.
APD
Belgian Data Protection Authority
Finance, Insurance and Consulting
Bank
2021-12-16
€75,000.00
Insufficient involvement of data protection officer
Art. 38 (6) GDPR
The Belgian DPA has imposed a fine of EUR 75,000 on a bank. The DPA identified a conflict of interest regarding the data protection officer. In addition to his work as data protection officer, he was also head of a department to which he had to report in his capacity as data protection officer. The DPA considered this to be a violation of Art. 38 (6) GDPR.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Enel Energia S.p.A
2021-12-16
€0.00
Insufficient legal basis for data processing
Art. 5 (1) a), d) GDPR
Art. 5 (2) GDPR
Art. 6 (1) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 21 GDPR
Art. 24 GDPR
Art. 25 (1) GDPR
Art. 30 GDPR
Art. 31 GDPR
Art. 130 (1), (2), (4) Codice della privacy
Original fine summary: The Italian DPA has fined Enel Energia S.p.A EUR 26.5 million for numerous breaches of the GDPR. Following a complex preliminary investigation launched after hundreds of reports and complaints from users, the DPA found that the controller illegally processed the personal data of millions of users for telemarketing purposes. The DPA found, among other things, that data subjects received unsolicited promotional calls in the name of and on behalf of Enel Energia, in some cases even recorded calls. Some of the data subjects still received advertising calls even though they had already asked Enel Energia several times to delete their personal data or had objected to its processing for advertising purposes. In particular, the DPA found that Enel Energia had not provided data subjects with the required and timely feedback on their requests to exercise their rights of access and objection. In addition, the DPA found that the company had not sufficiently cooperated with the DPA during the investigation; for example, Enel Energia failed to respond to various inquiries from the DPA. In assessing the fine, the DPA considered the following factors aggravating: the seriousness of the violations, the duration and repetition of the violations, the large number of persons affected and the negligence of the conduct. Update: The Court of Rome overturned the fine of EUR 26.5 million.
Deputy Data Protection Ombudsman
Industry and Commerce
Travel agency
2021-12-16
€6,500.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 17 GDPR
Art. 25 GDPR
Art. 32 GDPR
The Finnish DPA has imposed a fine of EUR 6,500 on a travel agency. A customer of the travel agency informed the DPA that they suspected the company of not processing its customers' data in a compliant manner. During its investigation, the DPA found that the travel agency had not ensured secure processing of personal data. For example, visa application forms filled out by customers were publicly accessible on the travel agency's web server. The forms contained, among other things, the name, contact details and passport number. In addition, the travel agency had not complied with a customer's request to delete their data from its systems.
Deputy Data Protection Ombudsman
Finance, Insurance and Consulting
Motor insurance center
2021-12-16
€52,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 25 (2) GDPR
The Finnish DPA has fined a motor insurance center EUR 52,000. The controller had requested excessive amounts of patient data from the healthcare system for the purpose of processing claims, although much of the data was not necessary for that purpose. For example, the DPA found that the motor insurance center had also collected patient visit notes in order to determine whether the healthcare provider had billed for visits unrelated to the examination or treatment of injuries caused by the accident. The DPA notes that the Finnish Motor Insurance Act does not justify direct access to all patient data; the information requested must be necessary for processing the claim. The authority therefore found a violation of the principles of lawfulness and transparency as well as of data minimization.
GARANTE
Italian Data Protection Authority
Health Care
Centro di Medicina preventiva s.r.l.
2021-12-16
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 25 GDPR
Art. 32 GDPR
Art. 37 GDPR
The Italian DPA (Garante) has fined Centro di Medicina preventiva s.r.l. EUR 10,000. The controller reported a data breach under Art. 33 GDPR in connection with a cyberattack by a hacker group. During the attack, the hacker gained access to a list of patient data and then published this list, which contained personal data, including sensitive data, of patients and radio-diagnostic tests, on Twitter. The DPA found that the controller had not implemented appropriate technical and organizational measures to ensure the security of the personal data. For example, the medical center's server returned the requested personal data in response to a query without verifying the identity and credentials of the requester, and it accepted unauthenticated connections from outside the medical center's network.
GARANTE
Italian Data Protection Authority
Employment
Corradi s.r.l.
2021-12-16
€20,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), e) GDPR
Art. 13 GDPR
Art. 157 Codice della privacy
The Italian DPA (Garante) has fined Corradi s.r.l. EUR 20,000. The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this.
GARANTE
Italian Data Protection Authority
Finance, Insurance and Consulting
Ubi Banca spa
2021-12-16
€100,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
The Italian DPA has imposed a fine of EUR 100,000 on Ubi Banca spa (now Intesa Sanpaolo spa). A data subject had filed a complaint with the DPA after receiving a letter from the controller whose envelope was marked 'anomalous credit Chieti'. The letter did not contain payment reminders but only information about the transparency of banking and financial services. The DPA found that the controller had violated the principles of lawfulness and transparency as well as the principle of data minimization: the wording on the envelope alone could enable third parties to draw conclusions about the recipient's financial situation, regardless of the contents of the envelope.
GARANTE
Italian Data Protection Authority
Industry and Commerce
FCA Italy s.p.a.
2021-12-16
€20,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
The Italian DPA has fined FCA Italy s.p.a. EUR 20,000. A former customer of the controller had asked the controller to provide him with the transcripts of telephone conversations between him and the customer service he had previously contacted regarding a malfunction of the instruments of one of his vehicles, as well as the documents relating to this case. However, the controller did not comply with this request.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Università Telematica Internazionale Uninettuno
2021-12-16
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Italian DPA has imposed a fine of EUR 1,000 on Università Telematica Internazionale Uninettuno. A professor had filed a complaint with the DPA against the educational institution. The professor had applied for a position at the university and submitted his CV for this purpose. The university then published it without blacking out certain personal data that concerned his personal sphere. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Employment
IZA OBRAS Y PROMOCIONES, S.A.
2021-12-14
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has fined IZA OBRAS Y PROMOCIONES, S.A. EUR 50,000. An employee had filed a complaint with the DPA against the company, alleging that the controller had unauthorizedly disclosed his personal data to another company from which it had received a construction order. The data subject was working as a construction manager on the project, but was absent from work for a period of time due to illness. The controller therefore informed its client and additionally disclosed the data subject's email address and certain health information. The DPA determined that the disclosure of this data would not have been necessary and that the controller had therefore violated the principle of data minimization.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
SC Nobiotic Pharma SRL
2021-12-13
€2,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
Failure to provide requested information to the Romanian DPA within the required timeframe in violation of Art. 58 GDPR.
DATATILSYNET
Norwegian Supervisory Authority
Media, Telecoms and Broadcasting
Grindr LLC
2021-12-13
€6,300,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 9 (1) GDPR
The Norwegian DPA has fined Grindr LLC EUR 6.3 million. Grindr is a location-based social networking app designed for gay, bi, trans and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr with the Norwegian DPA, alleging that the app had shared users' GPS location, IP address, mobile advertising ID, age and gender with several third parties for marketing purposes. Under the GDPR, consent is required for sharing this personal data. During its investigation, the DPA found that the consent collected by Grindr was not valid: users had to accept the privacy policy in order to use the app, but were not explicitly asked whether they consented to their data being shared with third parties for marketing purposes. In addition, the information about the disclosure of personal data was not clear or accessible enough for users. The DPA points out that this type of data may identify a Grindr user as a member of a sexual minority. Grindr users may want to use the app anonymously, for example without giving their full name or uploading a photo of themselves. The sexual orientation of users, a special category of personal data subject to a particularly high level of protection, was therefore also affected. The DPA considers the infringement a particularly serious case that justifies a deterrent, high fine. Business models based on behavioral marketing are widespread in the digital economy, which makes it important that fines for GDPR violations are deterrent.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Elektro & Automasjon Systemer AS
2021-12-13
€20,000.00
Insufficient legal basis for data processing
Art. 6 (1) f) GDPR
The Norwegian DPA (Datatilsynet) fined Elektro & Automasjon Systemer AS EUR 20,000. The controller had carried out a credit check on an individual, although there was no legal basis for doing so.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Warsaw University of Technology
2021-12-09
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 24 (1) GDPR
Art. 25 (1) GDPR
Art. 32 (1), (2) GDPR
The Polish DPA (UODO) has fined Warsaw University of Technology EUR 10,000. The university had reported a data breach to the authority pursuant to Art. 33 GDPR. One of the university's organizational units used an application created by university staff to register for courses and to access teaching history, exam results and fee billing. In early January 2020, an unauthorized person had downloaded a database from the application containing the personal data of students and faculty (over 5,000 individuals). In its investigation, the DPA found that the university had failed to implement appropriate technical and organizational measures to ensure the security of personal data. The DPA also found that the university had not conducted a formal risk assessment.
Data Protection Authority of Ireland
Public Sector and Education
Limerick City and County Council
2021-12-09
€110,000.00
Insufficient fulfilment of data subjects rights
Art. 13 GDPR
Art. 12 GDPR
Art. 15 GDPR
The Irish DPA has fined Limerick City and County Council EUR 110,000. As part of an investigation, the DPA audited the processing of personal data by or on behalf of the council using video surveillance systems, automatic number plate recognition, body-worn cameras and other technologies that can be used to monitor individuals. It found that the Council had violated a number of data protection laws in its use of these technologies; the fine, however, was issued for the GDPR violations. The DPA found that the Council violated Art. 13 GDPR in relation to processing by traffic cameras: the Council had failed to provide information on the identity of the data controller, the contact details of the data protection officer, the purposes of the processing and the bodies from which further information required under Art. 13 GDPR may be obtained, and it failed to provide this information in an easily accessible manner, such as on signs near the cameras. Further, the DPA concluded that the Council had failed to publish a video surveillance policy in clear and plain language in an easily accessible area of the Council's website, and thus found an infringement of Art. 12 GDPR. Lastly, the Council had denied requests for access to personal data processed by surveillance cameras used in traffic management, which the DPA found to be a violation of Art. 15 GDPR.
APD
Belgian Data Protection Authority
Not assigned
Unknown
2021-12-08
€10,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 14 (1), (2), (3) GDPR
Art. 15 GDPR
Art. 17 (1) c) GDPR
Art. 21 (2) GDPR
The Belgian DPA has imposed a fine of EUR 10,000 against a company. The data subject had repeatedly received mail with advertising content from a company, although he had objected to the processing of his personal data and requested the deletion of his data. However, the company did not respond to inquiries from the data protection authority in this regard. In addition, the company had not sufficiently informed the data subject about the processing of his personal data.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
One Way Private Company
2021-12-08
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 28 (3) c) GDPR
Art. 32 (2), (4) GDPR
Art. 11 (1) Νόμος 3471/2006
The Hellenic DPA has imposed a fine of EUR 30,000 on One Way Private Company. The DPA received 17 complaints regarding illegal telephone calls for the purpose of advertising. The DPA found that due to an error in the controller's application, telephone calls were made to subscribers included in the list for protection against unsolicited telephone advertising 'Register 11'. The DPA concluded that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
NBQ Technology, S.A.U.
2021-12-07
€24,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has fined NBQ Technology, S.A.U. EUR 24,000. A data subject filed a complaint with the DPA against the company after it had denied him a financial transaction due to alleged outstanding payments on a loan. As it turned out, an identity thief had obtained the data subject's data without authorization and applied for a loan from the controller under the data subject's identity, and the controller had approved the loan. Since the data processed in the course of granting the loan did not belong to the borrower but to the data subject, the AEPD found that the controller had no legal basis for processing the data. The processing was therefore unlawful and a breach of Art. 6 (1) GDPR was affirmed. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and admission of guilt.
Deputy Data Protection Ombudsman
Health Care
Psykoterapiakeskus Vastaamo
2021-12-07
€608,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Finnish DPA has fined the Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo's medical database on at least two occasions, in December 2018 and March 2019. The attacker had also exfiltrated data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker could be identified. The most likely cause of the leak was an unprotected port on the database server combined with a database root account that was not password protected. The patient database server was exposed to the Internet without firewall protection between November 26, 2017 and March 13, 2019. For this reason, the DPA determined that the personal data were not adequately protected against unauthorized and unlawful processing or accidental loss, destruction or damage, and that the controller had not implemented basic measures for the secure processing of personal data. As part of its investigation, the DPA also determined that the controller must have known as early as March 2019 that data in the patient information system had been lost and could have been compromised by an external attacker. Vastaamo should have immediately reported the security breach to both the DPA and its patients, but was significantly late in meeting this obligation. The fine is composed of EUR 145,600 for the breach of Art. 33 (1) GDPR, EUR 145,600 for the breach of Art. 34 (1) GDPR and EUR 316,800 for the breach of Art. 5 (1) f) GDPR.
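The Centro di Medicina preventiva and Vastaamo decisions above describe the same two conditions: a data store answering connections from outside the network, and, in Vastaamo's case, a database root account with no password. The script below is an added example, not from either decision or either controller, showing the check an operator can run on a host to catch both before an attacker does. It reads the text of `ss -ltnp` (the Linux socket-statistics tool) and a tab-separated dump of a MySQL-style user table; both samples are constructed, and the column layout of the user dump is an assumption about how you would export it. The missing-logging finding from the Vastaamo decision is not something a point-in-time check can repair, which is why the exposure findings carry the service name: that is what you will need when you go looking for what a reachable service did or did not record.

```python
"""Added example, not from the Garante or Finnish DPA decisions: an exposure
audit for a host running a data store. Inputs are `ss -ltnp` text and a
tab-separated user-table dump; both samples here are constructed."""
import re
from typing import Dict, List, Tuple

# Ports of services that should never be reachable from outside the network.
DATA_STORE_PORTS: Dict[int, str] = {
    3306: "mysql", 5432: "postgresql", 27017: "mongodb",
    6379: "redis", 9200: "elasticsearch", 1433: "mssql",
}
# Local addresses that mean "every interface", IPv4 and IPv6 as ss prints them.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


def parse_ss_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """(local_addr, port, process) for each LISTEN row of `ss -ltnp`; header skipped."""
    rows = []
    for line in ss_output.strip().splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)          # handles "[::]:6379" too
        m = re.search(r'users:\(\("([^"]+)"', line)   # first process name, if -p was given
        rows.append((addr, int(port), m.group(1) if m else "?"))
    return rows


def exposed_data_stores(ss_output: str) -> List[Tuple[str, int, str]]:
    """Data-store listeners bound to a wildcard address (only a host firewall
    or upstream filtering would then stand between them and the Internet)."""
    return [(addr, port, proc) for addr, port, proc in parse_ss_listeners(ss_output)
            if port in DATA_STORE_PORTS and addr in WILDCARD_ADDRS]


def passwordless_accounts(user_dump: str) -> List[Tuple[str, str]]:
    """(user, host) pairs whose authentication_string is empty.

    Assumed dump layout: user, host, plugin, authentication_string, tab-separated,
    header first. An empty string under auth_socket is normal (OS-level auth),
    so only password-based plugins are flagged."""
    hits = []
    for line in user_dump.splitlines()[1:]:
        if not line:
            continue
        user, host, plugin, auth = line.split("\t")
        if auth == "" and plugin != "auth_socket":
            hits.append((user, host))
    return hits


def audit(ss_output: str, user_dump: str) -> Dict[str, object]:
    exposed = exposed_data_stores(ss_output)
    nopass = passwordless_accounts(user_dump)
    # The Vastaamo combination: the database port is on every interface AND an
    # account with host '%' needs no password, so anyone who can reach the port is in.
    critical = any(port == 3306 for _, port, _ in exposed) and any(h == "%" for _, h in nopass)
    return {
        "exposed": [f"{DATA_STORE_PORTS[p]} ({proc}) listening on {a}:{p}" for a, p, proc in exposed],
        "passwordless": [f"{u}@{h} has no password" for u, h in nopass],
        "critical": critical,
    }


# Constructed sample output of `ss -ltnp` on the audited host.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=611,fd=3))
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=902,fd=21))
LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=733,fd=5))
LISTEN 0      511    [::]:6379           [::]:*            users:(("redis-server",pid=850,fd=6))
"""

# Constructed user-table dump in the assumed layout.
USER_DUMP = (
    "user\thost\tplugin\tauthentication_string\n"
    "root\t%\tmysql_native_password\t\n"
    "app\tlocalhost\tcaching_sha2_password\t$A$005$constructedhashvalue\n"
    "root\tlocalhost\tauth_socket\t\n"
)

if __name__ == "__main__":
    for key, value in audit(SS_SAMPLE, USER_DUMP).items():
        print(key, value)
```

Run it against `ss -ltnp` output and a `SELECT user, host, plugin, authentication_string FROM mysql.user` export from the host itself; the local view matters because a listener on `0.0.0.0` that happens to be filtered today is one firewall change away from the state described in the decision.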
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Telekom Romania Communications SA
2021-12-06
€6,000.00
Non-compliance with general data processing principles
Art. 5 (1) d), f) GDPR
Art. 5 (2) GDPR
Art. 17 GDPR
The Romanian DPA (ANSPDCP) imposed a fine of EUR 6,000 on Telekom Romania Communications SA. A data subject had complained that the controller had sent invoices and messages to his email address informing him of another person's payment arrears. During the investigation, the DPA found that the controller had collected and processed certain personal data in error, resulting in the unlawful disclosure of personal data. At the same time, the DPA found that the controller had not taken the necessary measures to comply with the data subject's request for deletion of his personal data. The fine is composed of EUR 5,000 for the breach of Art. 5 (1) d), f) GDPR and Art. 5 (2) GDPR and EUR 1,000 for the breach of Art. 17 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2021-12-03
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a store owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Lawyer
2021-12-03
€843.00
Insufficient legal basis for data processing
Art. 5 (1) a), b) GDPR
Art. 6 (1) GDPR
Art. 9 (1) GDPR
The Hungarian DPA imposed a fine of EUR 843 on a lawyer for having unauthorizedly disclosed documents containing personal data of his client in the course of criminal proceedings.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Ica s.r.l.
2021-12-02
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Italian DPA (Garante) has fined ICA s.r.l. EUR 30,000. The municipality of Collegno had implemented a system developed by ICA through which citizens could pay fines for traffic violations. However, due to a lack of security precautions, it was theoretically possible for unauthorized persons to access personal data stored via the program. For this reason, the DPA found that ICA had failed to implement appropriate technical and organizational measures providing a level of security commensurate with the risk posed to the data subject.
Data Protection Authority of Ireland
Public Sector and Education
Irish Teaching Council
2021-12-02
€60,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) GDPR
Art. 32 (1) GDPR
Art. 33 GDPR
The Irish DPA has imposed a fine of EUR 60,000 on the Irish Teaching Council. The Council notified the DPA of a data breach under Art. 33 GDPR. Two employees of the Council had opened a phishing email, which gave the attacker access to their email accounts and allowed automatic forwarding rules to be set up from those accounts to an external, malicious email address. As a result, 323 emails were forwarded to the unauthorized external address between February 17, 2020 and March 6, 2020. The emails contained the personal data of 9,735 data subjects and the sensitive personal data of one data subject. The DPA therefore found that the Council had failed to implement appropriate technical and organizational measures to ensure a level of protection for data subjects' personal data commensurate with the risk. In addition, the DPA found that the Council had failed to report the data breach in a timely manner.
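The Teaching Council breach ran for almost three weeks because nobody was looking at mailbox rule creation. The detector below is an added example, not from the decision or the Council's environment: it walks a mailbox audit export and flags any rule or mailbox setting that forwards to a domain the organisation does not own, plus the "delete after forward" trick attackers use so the victim never sees the forwarded mail. The records are constructed JSON lines whose shape follows the general layout of Exchange Online mailbox audit entries (`Operation`, `UserId`, `ClientIP`, `Parameters` as name/value pairs); the exact field names and value formats in a real tenant export are an assumption you should check against your own data before relying on the parser.

```python
"""Added example, not from the DPC decision: detection of external
auto-forwarding from mailbox audit records. Record layout follows the general
shape of Exchange Online audit entries but is an assumption; the sample log is
constructed."""
import json
import re
from typing import Dict, Iterable, List

# Cmdlet parameters that move mail out of a mailbox.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # inbox rules
    "ForwardingSmtpAddress", "ForwardingAddress",          # mailbox-level forwarding
}
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
# Pull bare addresses out of values like 'Name [SMTP:user@host]' or 'smtp:user@host'.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)


def forwarding_destinations(record: Dict) -> List[str]:
    """Every address the record would forward to; empty if it forwards nothing."""
    if record.get("Operation") not in FORWARDING_OPS:
        return []
    dests: List[str] = []
    for p in record.get("Parameters", []):
        if p.get("Name") in FORWARDING_PARAMS:
            dests.extend(EMAIL_RE.findall(str(p.get("Value", ""))))
    return dests


def deletes_after_forward(record: Dict) -> bool:
    """Rules that forward and then delete hide the forwarded mail from its owner."""
    return any(p.get("Name") == "DeleteMessage" and str(p.get("Value")).lower() == "true"
               for p in record.get("Parameters", []))


def find_external_forwarding(lines: Iterable[str], internal_domains: Iterable[str]) -> List[Dict]:
    """One finding per record that forwards to a domain outside `internal_domains`."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        external = [a for a in forwarding_destinations(rec)
                    if a.rsplit("@", 1)[1].lower() not in internal]
        if external:
            findings.append({
                "time": rec.get("CreationTime"),
                "mailbox": rec.get("UserId"),
                "operation": rec.get("Operation"),
                "destinations": external,
                "deletes": deletes_after_forward(rec),
                "client_ip": rec.get("ClientIP"),
            })
    return findings


# Constructed audit export: two external forwards set from the same client IP
# (one of them a hidden rule that deletes), one legitimate internal forward,
# and an unrelated login event.
SAMPLE_LOG = """
{"CreationTime":"2020-02-17T08:41:12","Operation":"New-InboxRule","UserId":"a.staff@council.example","ClientIP":"203.0.113.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"ext [SMTP:collect@mailbox.example]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-02-17T09:02:30","Operation":"New-InboxRule","UserId":"b.staff@council.example","ClientIP":"198.51.100.5","Parameters":[{"Name":"Name","Value":"to-team"},{"Name":"ForwardTo","Value":"team@council.example"}]}
{"CreationTime":"2020-02-18T11:15:09","Operation":"Set-Mailbox","UserId":"c.staff@council.example","ClientIP":"203.0.113.77","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:collect@mailbox.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2020-02-18T12:00:00","Operation":"MailboxLogin","UserId":"c.staff@council.example","ClientIP":"198.51.100.5","Parameters":[]}
"""
INTERNAL_DOMAINS = ["council.example"]

if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_LOG.splitlines(), INTERNAL_DOMAINS):
        print(f)
```

Two of the four records produce findings, and both share a client IP, which is the pivot an incident responder would use next: every other action from that address, across every mailbox, belongs in the scope of the breach notification. Pairing this detector with a tenant-level policy that blocks external auto-forwarding removes the window in which the rules could collect mail at all.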
GARANTE
Italian Data Protection Authority
Health Care
Società Med Store Saronno s.r.l.
2021-12-02
€7,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Italian DPA (Garante) has fined Società Med Store Saronno s.r.l. EUR 7,000. The nursing home notified the DPA of a data breach pursuant to Art. 33 GDPR. The facility had suffered a cyber attack by a hacker who gained access to personal data and published it. This included publishing radiological images of patients on his Twitter account. The DPA's investigation revealed that the home had only secured the data with simple passwords. For this reason, the DPA found that the home had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.
GARANTE
Italian Data Protection Authority
Health Care
Casa di cura Fondazione Gaetano e Piera Borghi s.r.l.
2021-12-02
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Italian DPA (Garante) has fined Casa di cura Fondazione Gaetano e Piera Borghi s.r.l. EUR 30,000. The nursing home notified the DPA of a data breach pursuant to Art. 33 GDPR. The facility had suffered a cyber attack by a hacker who gained access to personal data and published it. This included publishing radiological images of patients on his Twitter account. The DPA's investigation revealed that the home had only secured the data with simple passwords. For this reason, the DPA found that the home had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.
GARANTE
Italian Data Protection Authority
Health Care
Azienda USL di Parma
2021-12-02
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) fined Azienda USL di Parma EUR 5,000. A patient filed a complaint with the DPA because she had mistakenly received two reports of diagnostic tests on two other patients in her medical record.
CNPD
National Commission for Data Protection
Employment
Unknown
2021-12-01
€6,800.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 6,800 on a company. The company had installed a video surveillance system to protect the company's assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee's work area, the smoking area that employees frequently used and parts of the public space. The DPA states that the controller thus violated the principle of data minimization under Art. 5 (1) c) of the GDPR. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR, by not properly informing its employees and third parties about the video surveillance.
UODO
Polish National Personal Data Protection Office
Industry and Commerce
Pactum Poland Sp. z o.o.
2021-12-01
€4,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 (1) e) GDPR
Fine for not answering requests for further information of the supervisory authority in due time following a data breach.
AEPD
Spanish Data Protection Authority
Real Estate
Neighborhood community
2021-11-30
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a neighborhood community. The controller had installed video cameras on their private property in such a way that they could capture images of the public space and the neighbor's private property. The AEPD considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Public Sector and Education
ASOCIACIÓN ESPAÑOLA PARA LA ENSEÑANZA ONLINE
2021-11-30
€5,000.00
Insufficient fulfilment of data subjects rights
Art. 17 (1) GDPR
Art. 21 LSSI
The Spanish DPA (AEPD) has fined ASOCIACIÓN ESPAÑOLA PARA LA ENSEÑANZA ONLINE in the amount of EUR 5,000. A data subject had indicated that he had objected to further newsletter subscription and had requested the controller to delete all of his data. However, he continued to receive advertisements from the data controller.
AEPD
Spanish Data Protection Authority
Transportation and Energy
DAVISER SERVICIOS, S.L.
2021-11-30
€20,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 20,000 on DAVISER SERVICIOS, S.L. The company had been processing biometric data (fingerprints) of employees for access to certain rooms, although less intrusive means (such as key cards) could have been used to protect the privacy of the data subjects. The AEPD found that the controller had violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
TIGERS MARKET, S.L.
2021-11-29
€4,000.00
Insufficient fulfilment of data subjects rights
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 LOPDGDD
The Spanish DPA (AEPD) imposed a fine of EUR 4,000 on TIGERS MARKET, S.L. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Restaurant owner
2021-11-29
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a restaurant owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment.
VDAI
Lithuanian Data Protection Authority
Industry and Commerce
UAB Prime Leasing
2021-11-29
€110,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), d) GDPR
The Lithuanian DPA has fined UAB Prime Leasing, the operator of the short-term car rental platform CityBee, EUR 110,000. The DPA opened the investigation on its own initiative after information about a possible personal data breach (Art. 33 GDPR) affecting the company's customers became public in February 2021. According to the company, it learned about the security breach from a cybersecurity service provider, which informed it that the customer data of 110,302 CityBee users had been published on the hacking forum RaidForums.com. This included names, addresses, phone numbers, email addresses, personal identification numbers, driver's license numbers, the type of payment card and the last four digits of the card number of the data subjects. The DPA's investigation revealed that the published data originated from an unsecured backup copy of a database. The DPA found that the data breach occurred because the company had failed to comply with its obligation to implement technical and organizational measures ensuring a level of security appropriate to the risk to data subjects. The company had, for example, failed to appoint a person with appropriate competence to be responsible for security and risk management, and had failed to ensure that access to database files was logged and reviewed. In addition, the company had stored the database unencrypted, so that a person with technical knowledge had full access to the data in the file after downloading it. The personal identification numbers in the database were furthermore stored unprotected, and the passwords were protected only with an algorithm that is considered insecure.
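The CityBee findings reduce to a familiar pair: a backup that can be read by whoever obtains the file, and password digests that fall to a wordlist once that file leaks. The code below is an added example, not from the decision or CityBee's systems. It puts a fast, unsalted digest next to a salted, deliberately slow key derivation from the Python standard library (PBKDF2-HMAC-SHA256) and runs a toy wordlist attack against each, so the difference is visible on a leaked table rather than argued about. The storage format, iteration count, sample users and wordlist are this example's own choices, and the decision does not name the algorithm CityBee used.

```python
"""Added example, not from the Lithuanian DPA decision: unsalted fast
hashing beside salted PBKDF2-HMAC-SHA256, with a wordlist attack on the
former. Leaked table, wordlist, format and cost parameters are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable

# --- the weak scheme: one fast digest per password, no salt --------------------
def legacy_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_legacy(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Recover every user whose digest matches a wordlist entry.
    With no salt, one digest per candidate word tests every user at once,
    which is why a leaked table of this kind is effectively plaintext."""
    lookup = {legacy_hash(w): w for w in wordlist}
    return {user: lookup[d] for user, d in stored.items() if d in lookup}


# --- the hardened scheme: per-user salt, tunable cost, constant-time compare ----
ITERATIONS = 600_000   # calibrate to roughly 100 ms per check on your hardware; raise over time
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Returns 'scheme$iterations$salt_hex$dk_hex' so the cost can be raised
    later without invalidating existing records."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # no early exit on mismatch


def crack_hardened(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """The same attack against salted records: every (user, word) pair costs a
    full derivation, so the work multiplies by the user count and by the
    iteration count instead of being amortised across the table."""
    words = list(wordlist)
    return {user: w for user, rec in stored.items() for w in words if verify_password(w, rec)}


# Constructed leaked table: three users, two with wordlist passwords.
LEAKED_LEGACY = {
    "u1": legacy_hash("password1"),
    "u2": legacy_hash("summer2020"),
    "u3": legacy_hash("Vr9!kq2#Lm8@zP"),
}
WORDLIST = ["123456", "password1", "qwerty", "summer2020"]

if __name__ == "__main__":
    print("legacy table cracked:", crack_legacy(LEAKED_LEGACY, WORDLIST))
    rec = hash_password("summer2020")
    print("hardened record:", rec)
    print("verify right/wrong:", verify_password("summer2020", rec), verify_password("summer2021", rec))
```

The hardened scheme does not make "summer2020" a good password; `crack_hardened` still finds it, only slowly. It buys time and makes the cost scale with the number of accounts, which is what lets a breach notification go out before the table is fully recovered. The other half of the finding, the readable backup, is addressed separately by encrypting backups at rest with a key that is not stored beside them, so that the file on its own is worthless to whoever downloads it.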
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Valoris Center S.R.L.
2021-11-26
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 29 GDPR
Art. 32 (1) b) GDPR
Art. 32 (4) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Valoris Center S.R.L. The controller notified the DPA of a data breach pursuant to Art. 33 GDPR. A call center employee of the controller had accidentally sent a customer an Excel file containing data from other customers of the controller. In the course of the investigation, it was determined that this breach resulted in the unauthorized disclosure of, or access to, personal data such as email address, username, user ID, phone number, customer name, customer code and customer PIN, with a total of 11,169 natural persons affected by the incident. The DPA found that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to data subjects.
AP
Dutch Supervisory Authority for Data Protection
Public Sector and Education
Dutch Minister of Finance
2021-11-25
€2,750,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) e) GDPR
Art. 8 Wbp
The Dutch DPA (AP) has fined the Minister of Finance EUR 2.75 million. In the context of childcare benefit applications, tax offices had processed data on the dual nationality of applicants for several years. However, the DPA found that data on the dual nationality of Dutch citizens was not necessary for assessing an application for childcare benefits. The data had also been processed for the purpose of combating organized fraud and for automatic classification in the authority's risk system; even for these purposes, the processing was not necessary. For this reason, the tax and customs administration should have deleted the data on dual nationality as early as January 2014. Nevertheless, as of May 2018, the dual nationality data of a total of 1.4 million people were still registered in the systems of the tax and customs administration. The DPA therefore found that the data had been unlawfully processed due to the lack of a valid legal basis. Furthermore, the DPA stated that the data subjects had been discriminated against on the basis of their nationality.
GARANTE
Italian Data Protection Authority
Health Care
Società H San Raffaele Resnati s.r.l.
2021-11-25
€6,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 6,000 on Società H San Raffaele Resnati s.r.l. The DPA initiated an investigation against the health care provider after it reported a data breach to the DPA. A patient had mistakenly received medical records and clinical documentation from two other patients due to an error of an employee.
GARANTE
Italian Data Protection Authority
Industry and Commerce
B&T S.p.A.
2021-11-25
€400,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) a) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 21 GDPR
The Italian DPA has imposed a fine of EUR 400,000 on B&T S.p.A. Two data subjects had complained to the DPA about unsolicited SMS advertising. In addition, they stated that it was not possible for them to make use of their right to information and right to object. During the course of the investigation, Garante discovered that B&T had contracted a marketing company to send promotional SMS messages to potential customers. The marketing company had then engaged other providers, which in turn had acquired their databases from third parties. As it turned out, the other providers had obtained the data of the contacted persons from unchecked and illegal lists of foreign companies, some of whose information came from registrations on information portals or online sweepstakes. In this context, the DPA pointed out that companies commissioning advertising campaigns must always make sure that the companies commissioned to do so are working correctly and that consumer data is being used lawfully.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Aimon Srl
2021-11-25
€200,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) a) GDPR
Art. 12 GDPR
Art. 21 GDPR
The Italian DPA has imposed a fine of EUR 200,000 on Aimon Srl. Two data subjects had complained about unsolicited SMS advertising from B&T S.p.A. to the DPA. In the course of the investigation, Garante discovered that B&T had contracted Aimon to send promotional SMS messages to potential customers. Aimon then contracted other providers, which in turn had purchased their databases from third parties. As it turned out, the other providers had obtained the data of the contacted individuals from unverified and illegal lists of foreign companies, some of whose information came from registrations on information portals or online gambling. The DPA found that Aimon had thus processed the data unlawfully.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
UNIÓN FINANCIERA ASTURIANA S.A. E.F.C.
2021-11-24
€9,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) fined UNIÓN FINANCIERA ASTURIANA S.A. E.F.C. EUR 9,000. The controller had carried out a credit check on the data subject without any contractual basis for doing so. The original fine of EUR 15,000 was reduced to EUR 9,000 due to voluntary payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Industry and Commerce
FUENSANTA S.L.
2021-11-23
€3,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The controller failed to provide information requested by the Spanish DPA (AEPD) for investigative purposes.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, SAU
2021-11-23
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has fined Vodafone España S.A.U. EUR 40,000. An individual had filed a complaint against Vodafone with the DPA because her cell phone line had been transferred to a third party without her consent and she had been billed for charges from a third party's phone line. The cause was a technical error in Vodafone's systems.