A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Each entry lists, in order: the data protection authority (abbreviation and full name), the sector of the fined organization, the fined company, the date of the decision, the fine, the category of violation, the GDPR articles (and any national provisions) cited, and a description of the case.
PERSÓNUVERND
Icelandic data protection authority
Public Sector and Education
Icelandic Ministry of Industry and Innovation
2021-11-23
€51,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 28 GDPR
Art. 32 GDPR
The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf.
The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf.
The DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal information and access to users' phones. As a result, the DPA launched investigations against the ministry and the company.
The DPA found that the ministry had violated the principles of lawfulness and transparency.
Participating individuals were only required to agree to the General Terms of Use of the YAY app in order to participate in the voucher promotion. However, the DPA found that by doing so, the data subjects had not expressly consented to the processing of their personal data carried out as part of the promotion.
The DPA also found that the information provided about the actual processing of personal data was insufficient.
Moreover, neither the ministry nor YAY ehf. had implemented appropriate technical and organizational measures to ensure the security of the processing of personal data.
Also, due to a configuration error on the part of YAY, more data than necessary was processed, which is why the DPA found a violation of the principle of data minimization.
PERSÓNUVERND
Icelandic data protection authority
Industry and Commerce
YAY ehf.
2021-11-23
€27,200.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 28 GDPR
Art. 32 GDPR
This fine was imposed in the same decision as the EUR 51,000 fine on the Icelandic Ministry of Industry and Innovation (see the entry above). YAY ehf. operated the app through which the ministry's domestic travel voucher was obtained in the summer of 2020, and the DPA had received complaints that using the voucher required extensive personal information and access to users' phones.
The DPA found that neither the ministry nor YAY ehf. had implemented appropriate technical and organizational measures to ensure the security of the processing of personal data. In addition, a configuration error on YAY's side meant that more data than necessary was processed, which the DPA held to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Real Estate
Neighborhood community
2021-11-22
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 1,000 on a neighborhood community. The information sign for a video surveillance system did not contain the information required by Art. 13 GDPR: it named neither the data controller nor an address to contact in order to exercise data subject rights.
AEPD
Spanish Data Protection Authority
Not assigned
Unknown
2021-11-22
€3,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a company. The company had requested various personal data from customers for appointment bookings. The DPA found that the controller failed to properly inform the data subjects about the processing of the data in accordance with Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
ANIVERSALIA NETWORKS, S.L.
2021-11-22
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) fined ANIVERSALIA NETWORKS, S.L. EUR 2,000 due to the fact that the privacy policy on its website did not comply with the requirements of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Supermarket
2021-11-15
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Use of a CCTV camera without the information required by Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-11-15
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on a private individual for the unauthorized installation of a video surveillance camera on their car. The car had been parked on a public street, and therefore the camera was also recording public space. The AEPD found that video surveillance of public space represented a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, SAU
2021-11-15
€30,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine on Vodafone España SAU. A data subject had filed a complaint with the AEPD against the controller, stating that he had received invoices and debits on his bank account for Vodafone services he had never ordered, and that the debt collection company I.S.G.F. Informes Comerciales, S.L. had demanded payment for them. As it turned out, fraudsters had used the data subject's personal data to conclude a service contract. Vodafone had subsequently cancelled the contract, but due to a system error the outstanding invoices were not cancelled and were forwarded to the collection agency. The AEPD held that this transmission was unlawful because no valid contract existed. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, SAU
2021-11-15
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine on Vodafone España SAU. An individual had filed a complaint with the DPA. The data subject claims to have received text messages from Vodafone in September 2020 informing him that he had debts from services he had ordered from Vodafone. The billing address listed in the text messages corresponded to that of an old house where the data subject had lived with his ex-partner in the past. Vodafone stated that a system error had led to this incident. This resulted in the data subject appearing as the holder of his former partner's customer account. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Vodafone România SA
2021-11-14
€2,900.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
Art. 3 (1) Law No. 506/2004
Art. 3 (3) a), b) Law No. 506/2004
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,900 on VODAFONE România S.A.. The company had reported a data breach to the DPA in accordance with Art. 33 GDPR. Between November 2020 and June 2021 there had been unauthorized access to the personal data of seventy data subjects (service contracts mailed to the wrong e-mail addresses, and employees of the controller accessing the personal data of Vodafone customers without any request from those customers). The DPA found that the controller had not taken appropriate technical and organizational measures to ensure the security of the processing of personal data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Company
2021-11-12
€1,500.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Use of a CCTV camera without the information required by Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
AD735 DATA MEDIA ADVERTISING S.L.
2021-11-12
€3,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
Failure to provide requested information to the Spanish DPA (AEPD) within the required timeframe in violation of Art. 58 GDPR.
AP
Dutch Supervisory Authority for Data Protection
Transportation and Energy
Transavia
2021-11-12
€400,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1), (2) GDPR
The Dutch DPA has fined airline Transavia EUR 400,000.
In 2019 the airline suffered a data breach in which an attacker gained access to Transavia's systems through two accounts belonging to the company's IT department. This potentially exposed the names, dates of birth, gender, e-mail addresses, phone numbers, flight information and booking numbers of 25 million passengers; the attacker actually downloaded the personal data of 83,000 people. In 367 cases the data included medical information, for example about people who had requested wheelchair transport or additional assistance because they were blind or deaf. The DPA attributed the intrusion to a lack of security measures: the accounts were protected by a password alone, with no multi-factor authentication, and their access rights were not limited to the systems they needed, so the attacker could use them to reach multiple Transavia systems. The DPA found that Transavia had breached its duty to implement technical and organizational measures ensuring a level of security appropriate to the risk to data subjects.
Cypriot Data Protection Commissioner
Industry and Commerce
WS WiSpear Systems Ltd
2021-11-12
€925,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
The Cypriot DPA has imposed a fine of EUR 925,000 on WS WiSpear Systems Ltd.
The company had collected data from individuals (MAC addresses of their devices and IMSI numbers of their SIM cards) without their knowledge during tests and demonstrations of its technologies. The DPA found a violation of the principles of lawfulness, fairness and transparency.
CNPD
National Commission for Data Protection
Employment
Unknown
2021-11-09
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 1,500 on a company. The company had installed a video surveillance system to ensure that their customers would not have to wait when their front desk staff was not present.
However, the cameras also constantly captured parts of two employees' work areas. The DPA held that the controller had thereby violated the principle of data minimization under Art. 5 (1) c) GDPR. It also found a violation of the information obligations in Art. 13 GDPR, as the controller had not properly informed its employees and third parties about the video surveillance.
CNIL
French Data Protection Authority
Transportation and Energy
Régie autonome des transports parisiens
2021-11-04
€400,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 5 (1) e) GDPR
Art. 5 (2) GDPR
Art. 32 GDPR
The French DPA (CNIL) imposed a fine of EUR 400,000 on RATP (the operator of the Paris public transport system). In May 2020 a trade union complained to the CNIL that the number of strike days taken by staff was recorded in files used to prepare promotion decisions. The CNIL inspected several RATP bus centres and confirmed the practice in three of them. The CNIL held that files used to evaluate performance and promotion prospects should contain only the data necessary for evaluating employees; it was sufficient to record the total number of days of absence without distinguishing those linked to the exercise of the right to strike. Using strike-day data for these purposes was therefore unnecessary, and RATP had violated the principle of data minimization in Art. 5 (1) c) GDPR. The CNIL also found that RATP had retained evaluation files on many employees for more than three years after the promotion commission, although they were only needed for 18 months after the commission was held. Finally, RATP did not adequately differentiate staff authorization levels, allowing more staff than necessary to access the data; the CNIL concluded that RATP had failed in its duty to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
IKEA ROMÂNIA SA
2021-11-01
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,000 on IKEA ROMÂNIA SA. The controller had notified the DPA of a personal data breach under Art. 33 GDPR. It had organized a drawing contest for the children of IKEA Family members: participants uploaded their drawings to an online platform together with entry forms containing their own personal data and that of their parents, including the parents' consent. When the drawings were posted on the platform so that members could vote for the best one, the personal data from the entry forms was accidentally published alongside them.
At the time of the investigation, it was determined that the security incident had resulted in the unauthorized disclosure of personal data of IKEA Family members (surname, first name and age of minors, as well as surname, first name, city, country, email, IKEA Family membership number and the signature of the parents) on the online platform accessible only to IKEA Family members in Romania. The incident affected 114 people, half of whom were minors.
The DPA found that the controller had thus breached its obligation under Art. 32 (1) b), (2) GDPR to implement technical and organizational measures that ensure a level of security appropriate to the risk for the data subjects.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
S.P.E.E.H. Hidroelectrica S.A.
2021-11-01
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 5,000 on S.P.E.E.H. Hidroelectrica S.A.. The controller had notified the DPA of several personal data breaches under Art. 33 GDPR, in which the data of 325 individuals was accessed unlawfully or sent to the wrong recipients. The DPA considered this a breach of the controller's obligation under Art. 32 (1) b), (2) GDPR to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing.
In addition, the DPA found that the controller had processed personal data of three customers after they had exercised their right to erase their data and revoked their consent to the processing. The processing was therefore carried out without a valid legal basis.
The DPA imposed a fine of EUR 5,000 for a breach of Art. 32 (1) b), (2) GDPR.
For the violation of Art. 5 (1) a) and Art. 6 (1) a) GDPR, the DPA additionally issued a warning.
GARANTE
Italian Data Protection Authority
Industry and Commerce
OTTO s.r.l.
2021-10-28
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 2,000 on OTTO s.r.l.. During an administrative inspection of a store managed by OTTO, the police found that a video surveillance system with three cameras was installed in the store. However, it found that the controller had not provided sufficient information on the presence of the CCTV. The DPA considered this to be a violation of Art. 13 GDPR.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-10-27
€15,400.00
Insufficient involvement of data protection officer
Art. 38 (1), (3) GDPR
Art. 39 (1) a), b) GDPR
The Luxembourg DPA has imposed a fine of EUR 15,400 on a company. According to the DPA, the controller failed to involve the data protection officer in all matters related to the protection of personal data. In addition, contrary to the requirements of the GDPR, the data protection officer did not report directly to the highest management level; instead, there were two levels of hierarchy in between.
Also, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was performing their duties appropriately.
CNPD
National Commission for Data Protection
Not assigned
Company
2021-10-27
€18,700.00
Insufficient involvement of data protection officer
Art. 37 (7) GDPR
Art. 38 (1), (3) GDPR
Art. 39 (1) b) GDPR
The DPA of Luxembourg has imposed a fine of EUR 18,700 on a company. During its investigation, the DPA first found that the controller's public website did not include direct contact details for the DPO. Furthermore, the DPO was not sufficiently involved in all data protection matters. For example, they only participated in internal meetings by invitation. Moreover, there were several hierarchical intermediaries between the DPO and the highest management level of the controller, not granting them sufficient autonomy. Also, in the absence of formalized procedures, the DPO was not able to sufficiently monitor the consistency of data processing practices.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-10-26
€64,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. The data subject had filed a complaint against the data controller. The data subject stated that telephone lines were registered in his name for which there were also outstanding payments. However, the data subject had never concluded contracts with the company for any of these lines. Rather, the contracts in question were concluded by fraudsters using the personal data of the data subject. Still, the personal data was entered into the company's information systems without any verification as to whether the contracts were lawful and actually concluded by the data subject. The original fine of EUR 80,000 was reduced to EUR 64,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Industry and Commerce
SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.
2021-10-26
€16,000.00
Non-compliance with general data processing principles
Art. 35 GDPR
The Spanish DPA (AEPD) has imposed a fine on SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.. The company had installed five terminals with a fingerprint control system to record its employees' working hours. In doing so, the company had failed to conduct a data protection impact assessment. The AEPD found a violation of Art. 35 GDPR for this reason. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
VODAFONE SERVICIOS, S.L.U.
2021-10-26
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine on VODAFONE SERVICIOS, S.L.U.. A data subject, a customer of the controller, filed a complaint with the DPA. When he checked his bills on the 'MY VODAFONE' website last December, he found four outstanding bills that he could not open, and he had also received several payment demands for them. He was told that a parallel Vodafone account existed with details partly matching his own. As it turned out, fraudsters had concluded a mobile phone contract using his personal data, and the data had been entered into the company's systems without any verification that the contract was lawful and had actually been concluded by the data subject. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
VODAFONE SERVICIOS, S.L.U.
2021-10-26
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine on VODAFONE SERVICIOS, S.L.U.. A data subject has filed a complaint with the AEPD against the data controller. The data subject states that she received invoices and debits on her bank account for the payment of Vodafone services that she had not booked herself. The data subject also stated that she was receiving calls from the collection company Bureau Veritas asking her to pay for these services. As it turned out, fraudsters had used the data subject's personal data to conclude a service contract. However, the personal data had been entered into the company's information systems without any verification that the contract was lawful and had actually been concluded by the data subject. The original fine of EUR 50,000 was reduced to EUR 40,000 due to the voluntary payment.
KZLD
Bulgarian Commission for Personal Data Protection
Finance, Insurance and Consulting
Bank
2021-10-26
€380.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
The Bulgarian DPA has fined a bank EUR 380 for the unlawful transfer of personal data to third parties.
AEPD
Spanish Data Protection Authority
Industry and Commerce
MERCEDES GERENCIA, S.L.
2021-10-25
€3,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on MERCEDES GERENCIA, S.L.. The controller failed to respond to a request for information from the DPA in a timely manner.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Glove Technology SRL
2021-10-21
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) a) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 5,000 on Glove Technology SRL.
The controller had installed a video surveillance system that audiovisually monitored employees at their workplace and recorded conversations between them to be used against them. The DPA found that the controller had violated Art. 5 (1) a) GDPR and Art. 6 (1) GDPR.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
2021-10-21
€3,000,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000,000 on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.. An individual had filed a complaint against the controller because Caixabank had requested information about him from a third-party company even though he had not been a Caixabank customer since 2014, and because he had been included in an advertising campaign offering him pre-approved credit.
Caixabank had used individuals' data to assess their creditworthiness without their consent. This was used to create financial profiles of the data subjects and to advertise certain financial services (e.g. credit cards or loans) to them on this basis.
In doing so, the DPA found that the controller had not obtained effective consent from the data subjects. It is true that the data subjects had at one point given consent for their data to be processed by the entire CaixaBank Group. However, the controller had not adequately informed the data subjects about the data processing, including profiling. For example, the controller had only provided data subjects with general information about the various profiling processing operations, so data subjects could not know exactly what the processing they had consented to consisted of.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-10-19
€70,000.00
Insufficient fulfilment of data subjects rights
Art. 21 GDPR
Art. 21 LSSI
The Spanish DPA (AEPD) has imposed a fine of EUR 70,000 on VODAFONE ESPAÑA, S.A.U.. A data subject had filed a complaint with the DPA for having received promotional emails from Vodafone without having expressly consented to this and without having had a prior contractual relationship. The data subject then objected to receiving future e-mails. Vodafone confirmed the objection. Nonetheless, the data subject received four advertising e-mails a few months later. The fine consists of EUR 50,000 for a violation of Art. 21 GDPR and EUR 20,000 for a violation of Art. 21 LSSI.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-10-19
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has fined Vodafone España, S.A.U. EUR 40,000. An individual had filed a complaint with the DPA against Vodafone for debiting his bank account in May 2020 for a Vodafone telephone line whose owner was not him but his ex-partner.
As it turned out, the complainant's ex-partner had concluded a contract with Vodafone in his name. She stated that she was authorized to do so, but did not provide any proof of this. The DPA found that Vodafone had unlawfully processed the complainant's data. Indeed, compliance with the principle of lawfulness in the processing of third party data requires that the controller is able to prove lawfulness.
AEPD
Spanish Data Protection Authority
Industry and Commerce
BEEPING FULFILMENT S.L.
2021-10-19
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined BEEPING FULFILMENT S.L. EUR 2,000. The privacy policy of a website operated by the controller did not provide the required information about the purposes and characteristics of the data processing. The DPA considered this a violation of Art. 13 GDPR.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Østre Toten municipality
2021-10-18
€412,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Norwegian DPA has fined Østre Toten municipality EUR 412,000. In January 2021 the municipality suffered a cyberattack in which its data was encrypted and its backups deleted. A large amount of data was later published on the dark web.
Approximately 30,000 documents were affected. They contained, among other things, information on ethnic origin, political opinions, religious beliefs, union membership, sexual orientation and health status, as well as banking data of the municipality's residents and employees.
The DPA's investigation revealed fundamental deficiencies in the municipality's security of personal data and related internal controls. Among other things, the municipality had not used two-factor authentication for logins to its systems and lacked adequate backup arrangements.
ICO
Information Commissioner
Individuals and Private Associations
HIV Scotland
2021-10-18
€11,800.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1), (2) GDPR
The British DPA (ICO) has imposed a fine of EUR 11,800 on the non-profit organization HIV Scotland. The controller had sent an e-mail to 105 people with every address on the mailing list visible to all recipients. 65 of the addresses identified the person by name, and the recipient list allowed conclusions to be drawn about the individuals' HIV status or risk. The DPA found that the organization had failed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk: among other things, employee training was inadequate and the method used for sending bulk e-mails did not reliably place recipients in blind carbon copy (BCC).
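The failure mode in the HIV Scotland case is a bulk mailing whose recipient list ends up in a visible header. The example below is added here for illustration and is not code from the ICO decision or from HIV Scotland: it builds a bulk message in Python that keeps the recipient list in the SMTP envelope only, and it adds a pre-send check that refuses any message whose visible address headers expose list members. The sender address, list addresses and function names are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample mailing list (placeholder addresses, not real data).
SAMPLE_LIST = [
    "a.person@example.org",
    "b.person@example.org",
    "c.person@example.org",
]


def build_bulk_message(sender, subject, body, recipients, *, safe=True):
    """Return (message, envelope_recipients) for a bulk mailing.

    safe=True : recipients travel only in the SMTP envelope (RCPT TO); the
                visible To: header names the sender's own address, so no
                recipient can see who else was mailed.
    safe=False: reproduces the failure mode, with every recipient in To:.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if safe:
        msg["To"] = sender  # self-addressed; the real list never enters a header
    else:
        msg["To"] = ", ".join(recipients)
    # The envelope list is returned separately and handed to the SMTP client,
    # never serialized into the message itself.
    return msg, list(recipients)


def leaked_recipients(msg, recipients):
    """Addresses from `recipients` that appear in any visible address header."""
    visible = set()
    for header in ("To", "Cc", "Resent-To", "Resent-Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            visible.add(addr.lower())
    return sorted(r for r in recipients if r.lower() in visible)


def precheck_before_send(msg, recipients):
    """Gate run before handing a bulk message to the SMTP client.

    Raises ValueError if the visible headers expose the list, or if the list
    was put into a Bcc header: smtplib.SMTP.send_message strips Bcc, but a raw
    sendmail() call would transmit the header verbatim to every recipient.
    """
    leaked = leaked_recipients(msg, recipients)
    if leaked:
        raise ValueError(f"bulk message exposes recipients in visible headers: {leaked}")
    if "Bcc" in msg:
        raise ValueError("Bcc header present; pass recipients via the envelope only")
    return True


def send_bulk(smtp, sender, msg, envelope_recipients):
    """Send with the list as envelope recipients only (smtp is an smtplib.SMTP)."""
    precheck_before_send(msg, envelope_recipients)
    # to_addrs overrides the header-derived recipient list, so the message
    # headers stay exactly as built above.
    return smtp.send_message(msg, from_addr=sender, to_addrs=envelope_recipients)


if __name__ == "__main__":
    good, envelope = build_bulk_message("news@example.org", "Update", "Hello", SAMPLE_LIST)
    bad, _ = build_bulk_message("news@example.org", "Update", "Hello", SAMPLE_LIST, safe=False)
    print("safe message leaks:", leaked_recipients(good, SAMPLE_LIST))
    print("unsafe message leaks:", leaked_recipients(bad, SAMPLE_LIST))
```

The check inspects the message as it will actually be transmitted, so it catches list addresses that reach a visible header through any path (a mail-merge template, a Cc added by hand, a Resent-To on a forwarded copy), which is the class of mistake a training-only control cannot prevent.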
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
Bank Millennium S.A
2021-10-14
€78,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Polish DPA (UODO) has imposed a fine of EUR 78,000 on Bank Millennium S.A..
The UODO had become aware of a data protection breach following a complaint against the bank. It turned out that correspondence sent by the bank through a courier service containing personal data such as first name, last name, PESEL number, home address, account numbers and identification numbers of customers, had been lost. In this regard, the UODO found that the bank had failed to report the incident to the DPA and provide adequate notice to the data subjects.
HDPA
Hellenic Data Protection Authority
ΚΑΠΑ ΛΑΜΔΑ ΩΜΕΓΑ ΔΙΑΦΗΜΙΣΤΙΚΗ ΕΜΠΟΡΙΚΗ ΜΟΝΟΠΡΟΣΩΠΗ ΕΤΑΙΡΕΙΑ ΠΕΡΙΟΡΙΣΜΕΝΗΣ ΕΥΘΥΝΗΣ
€20,000.00
The Hellenic DPA has fined ΚΑΠΑ ΛΑΜΔΑ ΩΜΕΓΑ ΔΙΑΦΗΜΙΣΤΙΚΗ ΕΜΠΟΡΙΚΗ ΜΟΝΟΠΡΟΣΩΠΗ ΕΤΑΙΡΕΙΑ ΠΕΡΙΟΡΙΣΜΕΝΗΣ ΕΥΘΥΝΗΣ EUR 20,000. The company had in several cases made marketing calls without the consent of the data subjects, who continued to receive unsolicited advertising despite having objected several times.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-10-13
€40,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A woman filed a complaint against the controller based on the fact that the controller had sent telephone bills belonging to a third party to her e-mail address. After bringing this to the attention of the controller, she received no response. Thereupon, she contacted the controller by telephone in this regard. However, none of the employees were able to help her with this concern. The DPA concluded that the controller had violated the principle of integrity and confidentiality set out in Art. 5 (1) f) GDPR, and that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-10-13
€13,200.00
Insufficient involvement of data protection officer
Art. 38 (1) GDPR
Art. 39 (1) b) GDPR
The DPA from Luxembourg has imposed a fine of EUR 13,200 on a company. According to the DPA, the controller firstly failed to involve the data protection officer in all matters relating to the protection of personal data. Second, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was adequately performing its tasks.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-10-13
€18,000.00
Insufficient involvement of data protection officer
Art. 37 (7) GDPR
Art. 38 (1), (2) GDPR
Art. 39 (1) b) GDPR
The DPA from Luxembourg has imposed a fine of EUR 13,200 on a company. According to the DPA, the controller failed to involve the data protection officer in all matters relating to the protection of personal data. Also, the controller did not have a data protection control plan in place to demonstrate that the data protection officer was adequately performing its tasks. Furthermore, the controller failed to provide the data protection officer with the necessary resources to perform his duties. The DPA also noted that the controller's website did not contain a section dedicated to data protection and that the information notice on data protection was only available in English rather than in one of the official languages of Luxembourg.
AEPD
Spanish Data Protection Authority
Industry and Commerce
MAF.COM ESQUI CLUB
2021-10-11
€10,000.00
Insufficient legal basis for data processing
Art. 7 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on MAF.COM ESQUI CLUB. The mother of an underage girl who had attended ski lessons with the controller filed a complaint with the DPA against the latter. The controller had published videos of the mother's daughter on its website and social media channels without her consent. The images were only disseminated with the consent of the father, who enrolled the girl in the ski course. The girl's parents were divorced at the time of the incident. The DPA found that the controller had failed to obtain consent from both parents and thus processed the images without a valid legal basis.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
ORANGE ESPAGNE, S.A.U.
2021-10-08
€30,000.00
Insufficient legal basis for data processing
Art. 6 (1) a) GDPR
The Spanish DPA has imposed a fine on ORANGE ESPAGNE, S.A.U. A data subject had filed a complaint with the DPA as she had received a total of 30 calls from Jazztel employees (Jazztel being a subsidiary of Orange Espagne, S.A.U.) and text messages between 03/01/2021 and 03/03/2021 without ever having been a customer of the company. She then requested that her phone number be deleted from the company database. Although the controller confirmed the deletion of the data, she continued to receive calls and text messages from the controller. The original fine of EUR 50,000 was reduced to EUR 30,000 due to the admission of guilt and the voluntary payment.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
Facebook Ireland Limited
2021-10-06
€NaN
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 12 (1) GDPR
Art. 13 (1) c) GDPR
The organization 'None of your business' (NOYB) published a draft decision of the Irish DPA (DPC) on October 13, 2021, which indicates that it proposes a fine between EUR 28 million and EUR 36 million against Facebook.
The draft primarily addresses the fact that Facebook has included details on data processing in its terms of service, thus relying on Art. 6 (1) b) rather than on consent pursuant to Art. 6 (1) a) GDPR.
Critics consider this a loophole used by Facebook to circumvent the stricter GDPR requirements of consent according to Art. 6 (1) a) GDPR.
However, the DPC emphasizes that the GDPR does not establish a hierarchy of legal bases that can be used to process personal data.
Nevertheless, the DPC noted that Facebook failed to provide clear information about its legal basis for data processing, and highlighted that the information provided by Facebook is fragmented, with users referred to different documents and texts of the data policy and terms of service.
The DPC concludes in its draft that Facebook has thus violated Art. 5 (1) a) GDPR, Art. 12 (1) GDPR and Art. 13 (1) c) GDPR.
The draft decision will now be forwarded to other European data protection authorities allowing them to comment on it.
CNPD
National Commission for Data Protection
Industry and Commerce
Unknown
2021-10-06
€5,300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA from Luxembourg has imposed a fine of EUR 5,300 on a company. The company had installed 75 surveillance cameras on its premises as well as tracking devices in some of its vehicles used by employees to travel to customers. A few of these cameras covered, among other things, parts of a public street and a private neighboring property. During its investigation, the DPA also found that the cameras covered the employee cafeteria, allowing employees to be monitored outside of their working hours. The DPA found this to be a violation of the principle of data minimization. It also found that the controller had not sufficiently complied with its information obligations under Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
CLUB DEPORTIVO SANSUEÑA, S.L.
2021-10-05
€4,000.00
Insufficient legal basis for data processing
Art. 5 (1) e) GDPR
Art. 6 GDPR
Art. 32 (1) b), d) GDPR
The Spanish DPA (AEPD) has fined CLUB DEPORTIVO SANSUEÑA, S.L. EUR 4,000 for adding the cell phone number of a data subject to a WhatsApp group without the data subject's consent.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2021-10-04
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on the owner of a store. The controller had installed a video surveillance system that covered, among other things, a public street. The DPA therefore found that the controller had violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2021-10-04
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on the owner of a store. The controller had installed a video surveillance system without placing signs informing about the use of video surveillance.
AEPD
Spanish Data Protection Authority
Industry and Commerce
CALDERERIA Y SOLDADURA DE ESTRUCTURAS METALICAS, S.L.
2021-10-04
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has fined CALDERERIA Y SOLDADURA DE ESTRUCTURAS METALICAS, S.L. EUR 5,000 for unlawfully processing an individual's data. Previously, CYNGASA, S.L. had disclosed the data to the controller without the consent of the data subject. The data concerned included, among others, his first and last name and social security number. CYNGASA, S.L. received a fine in a separate proceeding as well.
The Hellenic DPA has imposed a fine of EUR 5,000 on the company PREMIUMMEDIA ΠΑΡΑΓΩΓΗ ΟΠΤΙΚΟ-ΑΚΟΥΣΤΙΚΩΝ ΕΡΓΩΝ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΙΑ. An individual had attempted to unsubscribe from the company's newsletter mailing list, but failed to do so. The failure to unsubscribe from the lists resulted from an internal technical error of the company.
AEPD
Spanish Data Protection Authority
Employment
CYNGASA, S.L.
2021-09-29
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on CYNGASA, S.L. The data subject, when requesting a work report, discovered that the controller had disclosed his personal data to a third-party company without his consent. The data involved included, among other things, his first and last name as well as his social security number.
AEPD
Spanish Data Protection Authority
Industry and Commerce
ACONCAGUA JUEGOS S.A.
2021-09-29
€10,000.00
Insufficient involvement of data protection officer
Art. 37 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on ACONCAGUA JUEGOS S.A. The controller had failed to appoint a data protection officer and thus violated Art. 37 GDPR.