
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Each entry lists, in order: Data Protection Authority (abbreviation and name), Sector, Fined Company, Date, Fine, Violation Type, Articles Violated, and Description.
DATATILSYNET
Danish Data Protection Authority
Health Care
Danish Cancer Society
2021-09-29
€107,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA has fined the Danish Cancer Society EUR 107,000 for failing to comply with the requirements of the GDPR regarding appropriate security measures. The Danish Cancer Society had reported four data breaches to the DPA in accordance with Art. 33 GDPR. Two of these involved computer thefts, two phishing attacks, and all four were due to the Danish Cancer Society's failure to implement technical and organisational measures to ensure a level of security appropriate to the risk to data subjects. A similar personal data breach had already occurred in August 2018, when the Society fell victim to phishing and spoofing attacks. At that time, the Danish Cancer Society stated that it would increase protection through multifactor authentication; however, this was not implemented. The data of at least 1,448 individuals was compromised, and in several cases it involved sensitive personal health data, including medical history.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Territorial Administration of the Government of Genoa
2021-09-29
€11,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
Art. 2-ter (1), (3) Codice della privacy
The Italian DPA has imposed a fine of EUR 11,000 on the Territorial Administration of the Government of Genoa. The department had published a file on its website that contained a table listing information on the lawyers of two companies and their adult cohabiting family members (about a hundred people in total). In the course of its investigation, the DPA found that the department had published the information without a valid legal basis.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Bar owner
2021-09-28
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
The Spanish DPA (AEPD) has fined a bar owner EUR 3,000. A data subject had filed a complaint with the DPA. He had suffered an accident in the bar which was recorded by the surveillance cameras. The controller states that he had installed the surveillance cameras for security purposes. At a later date, the video was distributed via WhatsApp and published in a digital newspaper. The data subject claims to be personally affected in his reputation by the publication of the video. The DPA concludes that the publication of the images was not related to the purpose of the video surveillance and that the controller therefore violated Art. 5 (1) b) GDPR.
DSB
Austrian Data Protection Authority
Transportation and Energy
Austrian Post
2021-09-28
€9,500,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (2) GDPR
The Austrian DPA imposed a fine of EUR 9.5 million on the Austrian Post on September 28, 2021. The main accusation is that, in addition to the contact options offered by Austrian Post (mail, web contact form and customer service), data protection-related inquiries should also have been possible via e-mail. According to the newspaper 'Der Standard', the Austrian Post had introduced a dedicated contact form for data protection inquiries in order to automate the handling of such inquiries and to collect all the information necessary for processing them.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Ferde AS
2021-09-27
€496,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 28 (3) GDPR
Art. 32 (2) GDPR
Art. 44 GDPR
The Norwegian DPA has fined Ferde AS, a Norwegian toll company, EUR 496,000. Through a report by the state-owned broadcaster NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages through toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde had implemented routines and measures to ensure adequate information security for the information transferred to China. As part of its operations, Ferde is responsible for registering passages at toll booths. The registration is usually done by a chip in the car. If the chip in the car is not properly registered or the car does not have a chip, a photo of the car's license plate is taken. These images are then sent to an automatic optical character recognition system to digitally read the license plate. In cases where the image quality is not good enough for automatic interpretation, the image is transmitted for manual processing. Ferde contracted Unitel Bratseth Services (UBS), which also has employees in China, for this task. After its investigations, the DPA concluded that Ferde AS had violated a number of basic obligations of the GDPR for a period of 1-2 years. For one thing, Ferde had not conducted a risk assessment before processing personal data and before using manual image processing by the processor. This would have been necessary to assess the risks associated with the transfer and to determine whether further security measures were required. In addition, the DPA found that Ferde had not entered into a proper processor contract covering the processing carried out by UBS. As a result, the transfer of the personal data in question to China took place without a valid legal basis. In determining the amount of the fine, the DPA took into account the aggravating factor that a large amount of personal data was affected by the violation. On the other hand, the fact that no material or immaterial damage to the affected parties could be proven had a mitigating effect.
Data Protection Authority of Hamburg
Transportation and Energy
Vattenfall Europe Sales GmbH
2021-09-24
€900,000.00
Insufficient data processing agreement
Art. 12 GDPR
Art. 13 GDPR
The DPA from Hamburg has imposed a fine of EUR 900,000 on Vattenfall Europe Sales GmbH. The fine is related to data matching, which the controller had carried out in the period from August 2018 to December 2019 in the course of contract inquiries for special contracts. The special contracts served to attract new customers and were accompanied by bonus payments for the customers. The controller compared personal data of prospective customers who had submitted an inquiry for a special contract with contracts concluded by existing customers. If this revealed that an applicant had already signed a contract with the controller, then switched to another supplier and now wanted to sign a contract again, the controller could reject the application for the special contract if necessary. This was intended to prevent 'bonus shopping', which is not lucrative for the companies. However, the controller had not properly informed the customers that such comparisons would be made. The DPA considered this to be a violation of the company's transparency and information obligations. Around 500,000 people were affected.
AEPD
Spanish Data Protection Authority
Not assigned
Unknown
2021-09-24
€3,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a company. The company had requested various personal data from customers for appointment bookings. The DPA found that the controller failed to properly inform the data subjects about the processing of the data in accordance with Art. 13 GDPR.
DATATILSYNET
Norwegian Supervisory Authority
Finance, Insurance and Consulting
Ultra-Technology AS
2021-09-21
€12,500.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Norwegian Data Protection Authority has imposed a fine of EUR 12,500 on Ultra-Technology AS. Background of the fine is a complaint from a data subject who was credit-checked without any customer relationship or other affiliation to Ultra-Technology AS.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Istituto Comprensivo - IC Cosenza III “V. Negroni”
2021-09-21
€2,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 2-ter Codice della privacy
Art. 2-septies (8) Codice della privacy
The Italian DPA has imposed a fine of EUR 2,000 on Istituto Comprensivo - IC Cosenza III “V. Negroni”. The educational institution had published a document, which also contained personal health data of some teachers, on an online platform for the teaching staff. The document contained information on benefits linked to the health status of teachers who were entitled to such benefits. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and therefore had acted unlawfully.
AEPD
Spanish Data Protection Authority
Health Care
CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L.
2021-09-20
€18,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) has imposed a fine on CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L. The data subject filed a complaint with the AEPD. He had requested an MRI scan of his knee due to an accident at work. In addition, he had contacted his insurance company in order to obtain sick leave. The insurance company then contacted the controller, who transmitted the data subject's medical records. In doing so, the controller also provided the insurer with the report of a previous MRI scan of the knee that the data subject had undergone due to an event outside of work. In its evaluation, the insurer thus also referred to the MRI report concerning the non-work-related event and attributed the data subject's incapacity to work to this event. In consequence, no sick leave was granted to the data subject. The DPA considered the disclosure of the earlier MRI report to the insurance company to be a violation of the principle of integrity and confidentiality. The original fine of EUR 30,000 was reduced to EUR 18,000 due to voluntary payment and admission of guilt.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Høylandet Municipality
2021-09-20
€40,200.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2) GDPR
The Norwegian DPA has imposed a fine of EUR 40,200 on the municipality of Høylandet. The latter had reported a data breach to the DPA in accordance with Art. 33 GDPR. An employee gained access to several image files (bitmap) when she had to create new letter templates and insert an image logo from the file. The image files that the employee had access to contained sensitive information about individuals who had no connection with the municipality of Høylandet. The information included health data among others. The DPA found that the municipality had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects. Instead, the municipality stated that it had simply asked employees using the relevant computer program to avoid opening bitmap files that were not created by the municipality. The error has meanwhile been corrected and the municipality has introduced a new internal control system.
DATATILSYNET
Norwegian Supervisory Authority
Health Care
ST. OLAVS HOSPITAL HF
2021-09-20
€75,600.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Norwegian DPA has fined St. Olav's Hospital in the amount of EUR 75,600. The hospital had reported three data breaches to the DPA in accordance with Art. 33 GDPR. The first incident occurred between January 13, 2011, and January 27, 2020, at the hospital's cardiology department following an upgrade to a new treatment-oriented health registry for the cardiology laboratory. In connection with the upgrade, a test server was used on which treatment reports were temporarily cached and then copied to the new system. However, the reports on the test server were not deleted. Moreover, another error occurred, which allowed all authenticated employees to access the reports. About 21,000 reports were affected. The second breach occurred in the period from May 17, 2015 to January 28, 2020, when reports from medical devices (pulse oximeters for long-term measurement of oxygen saturation and pulse) were stored in a file area accessible to any employee with an authenticated and active account. The third breach occurred in the period from January 01, 2018 to December 09, 2019. Passwords for various databases were stored in plain text in a file on the hospital's server. Employees with an active hospital system account were able to first connect to the server via Remote Desktop and then search for the file containing the database passwords. The DPA found that the hospital had failed to establish effective access controls.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Syddanmark Region
2021-09-17
€67,200.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA imposed a fine of EUR 67,200 on Syddanmark Region. On March 9, 2020, the DPA received a notification from Syddanmark Region regarding a personal data breach according to Art. 33 GDPR. The Syddanmark Region states that since May 2011, a PowerPoint presentation was available on its website that had been created at Odense University Hospital for training purposes and contained charts with personal data - including health information and ID card number details - of 3,915 patients. The region used a screening tool to periodically check for inadvertent postings of personal identity numbers on its website. However, the screening tool was unable to scan the underlying data in PowerPoint presentations. In this context, the DPA found that the region had not implemented appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. In assessing whether a fine should be imposed, the DPA took into aggravating consideration the fact that Syddanmark Region processes large amounts of personal data, including health data - which is of a sensitive nature.
Cypriot Data Protection Commissioner
Health Care
Mediterranean Hospital of Cyprus
2021-09-17
€10,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 (1) a) GDPR
The Cypriot DPA has fined Mediterranean Hospital of Cyprus EUR 10,000 for failing to provide information requested by the DPA during an investigation.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Favrskov municipality
2021-09-16
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA has imposed a fine of EUR 10,000 on Favrskov municipality. On August 19, 2020, the DPA received a notification from Favrskov Municipality of a personal data breach under Art. 33 GDPR. The notification stated that during a break-in at the municipality's premises, a laptop was stolen which contained a program that provided an overview of the municipality's care facilities and thus information on the names and personal identity numbers of approximately 100 individuals with physical or mental disabilities. The computer's hard drive was not encrypted, and the program in question, which contained confidential and sensitive personal data, was not equipped with security measures. In reviewing the case, the DPA found that Favrskov Municipality had not ensured the encryption of the hard drives of the municipality's laptops for a long period of time prior to August 12, 2020, resulting in an inadequate level of security. The DPA considered this to be a violation of Art. 32 GDPR, as the municipality had failed to implement appropriate technical and organisational measures to ensure a level of protection commensurate with the risk.
AEPD
Spanish Data Protection Authority
Employment
Frigorifica Botana S.L.
2021-09-16
€4,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Frigorifica Botana S.L. The main activity of Frigorífica Botana is freezing, storing and processing seafood. Based on a complaint against the controller, the AEPD had initiated an investigation. The controller had installed a video surveillance system (audio and video) that captured, among other things, parts of a conference room. In this context, the DPA found that the controller had violated the principle of data minimisation by processing data without a valid reason and without informing the data subjects about the video surveillance in advance.
GARANTE
Italian Data Protection Authority
Real Estate
La Prima S.r.l.
2021-09-16
€5,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 24 GDPR
Art. 25 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the real estate portal La Prima S.r.l. A data subject had filed a complaint against the controller with the DPA. She complained about receiving a contact request on LinkedIn from an employee of La Prima, which aimed to offer real estate services related to a specific property owned by the data subject. The controller had obtained the information regarding the data subject's ownership of the property from an openly accessible public register. At no time had the data subject consented to such a contact request. During the DPA's investigation, the controller had argued that consent to being contacted could be inferred from the fact that she had a public profile. However, the DPA noted that the exchange of information via a social network should only allow for what is specified in the relevant terms of use. The DPA clarified that the platform is intended to enable the exchange of contact information in order to make job offers. In contrast, it is not intended that users use the platform to send messages to other users in order to sell services. Moreover, it is irrelevant whether a user profile is public or not. Consequently, the DPA concluded that the controller had processed the data unlawfully.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Ciechi Ardizzone Gioeni di Catania
2021-09-16
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
Art. 35 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the Ciechi Ardizzone Gioeni di Catania residential home for blind people. A visitor to the residence filed a complaint with the DPA concerning the video surveillance system installed in the accommodation. The video surveillance system recorded, among other things, the corridor connecting the accommodation with the communal showers. Moreover, the footage was not only recorded but also displayed in real time on the monitors of the concierge staff, creating the risk that the images could also be inadvertently seen by visitors or suppliers. During the course of the investigation, the institution's administration justified the installation of the video surveillance system by citing the need to prevent theft and to protect the health of residents by preventing unauthorised access during the pandemic period. The DPA found that the institute thereby violated the principles of lawfulness, transparency and data minimisation. The fact that, as claimed by the institute, the passage of the guests to the shower rooms was filmed only occasionally and for a short duration, and that the quality of the recordings was not 'perfectly clear', does not resolve the unlawfulness of the recordings. The DPA also noted that some procedural precautions, such as scheduling time windows in which the cameras are switched off to allow guests to visit the shower rooms without being filmed, or temporarily ensuring the security of the locations through alternative measures such as the use of security personnel, could allow the institute to pursue the purpose of the video surveillance in an equally effective manner while avoiding an unjustified restriction of the freedoms of the data subjects. Furthermore, the DPA found that the institute had not properly fulfilled its duty to inform. The institute had only provided the data subjects with detailed information about the video surveillance system on the bulletin board after the investigation had begun. However, this type of information is not suitable for visually impaired people. The institute should have provided the residents with a pre-recorded audio message that could be played back if necessary.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Bocconi University
2021-09-16
€200,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), e) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 35 GDPR
Art. 44 GDPR
Art. 46 GDPR
Art. 2-sexies Codice della privacy
The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had adopted the remote proctoring software Respondus, provided by the American company Respondus Inc., to ensure the normal running of the exams, since it was not possible to take the exams in person as usual. The software was able to monitor the behaviour of the students through video recordings and snapshots taken at random intervals. In addition, the exam was audio-visually recorded and a photograph was taken of each examinee at the beginning of the exam. At the end of the exam, the system processed the video, inserted warning signals regarding possible indications of incorrect behaviour, and, among other things, assigned a so-called 'review priority' so that the examiner could subsequently assess whether an unauthorised act had been committed during the exam. In its investigation the DPA found that students were not properly informed of the processing of their personal data involved in the use of Respondus. For instance, they were not informed that they would be audio-visually recorded and that the images would subsequently be processed. In addition, students were not provided with information regarding specific retention periods for personal data. Nor had they received sufficient information about the fact that their personal data would be transferred to the United States; instead, they were only informed in general terms that personal data would be processed both within and outside the territory of the European Union. Furthermore, the DPA found that the little information the students had received was presented in a fragmented and disorganised manner across various documents. The DPA considered this to be a violation of the principles of lawfulness, fairness and transparency. The DPA also found that the university had processed the personal data without a valid legal basis. Consent to the processing of personal data was a prerequisite for participating in the exams in the first place. As an alternative to online exams, the option of an in-person exam was proposed; however, in the light of the pandemic, this also meant an increased health risk. Students were also concerned that refusing to take the online exams would negatively impact their grades. Consequently, the DPA concluded that the students' consent could not be considered freely given. Further, the DPA found that the university retained the data for 12 months, although this would not have been necessary for the purpose of ensuring that the exams were properly carried out. Finally, the DPA found violations related to the transfer of data to Respondus. The processing agreement between the University and Respondus was based on the data protection agreement between the EU and the USA known as the Privacy Shield, although it had been declared invalid by the Schrems II ruling of the Court of Justice of the European Union (CJEU). For this reason, the DPA found that the university had transferred personal data to a third country without complying with the conditions set forth in Chapter V of the GDPR.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Sky Italia S.r.l.
2021-09-16
€3,296,326.00
Insufficient legal basis for data processing
Art. 5 (1), (2) GDPR
Art. 6 (1) GDPR
Art. 7 GDPR
Art. 12 (2) GDPR
Art. 14 GDPR
Art. 21 GDPR
Art. 28 GDPR
Art. 29 GDPR
The Italian DPA (Garante) has fined Sky Italia S.r.l. EUR 3,296,326 for illegal telemarketing. The DPA's decision followed a complex investigation launched after dozens of reports and complaints from people who claimed that they had received unsolicited promotional calls and promotional SMS, both from Sky Italia directly and through call centres of other companies. In this regard, the DPA found that the promotional calls were made without adequately informing the users (for example about the origin of the personal data transmitted to Sky Italia). Had they been informed, data subjects would have had the opportunity to contact the company that collected the data and object to the processing. Only after obtaining consent would Sky have been allowed to proceed with the commercial offers. Sky used lists of data it had acquired from other companies for these promotional purposes. Contrary to Sky Italia's view, the consent to the disclosure of data to third parties that the data subjects had given to the companies from which Sky Italia acquired the lists did not authorise Sky Italia to use the data for its own promotional purposes. In addition, Sky failed to check the list of individuals who had objected to being contacted for advertising purposes before making the advertising calls. As a result, several data subjects received advertising calls despite their explicit objection. Further, the DPA found that Sky had failed to properly appoint the suppliers of the lists as data processors. In determining the amount of the fine, the DPA took into aggravating consideration that the violations involved 'systemic' conduct rooted in the company's operations, as well as the fact that Sky, given its ongoing contacts with the authority and its long-standing presence in the market, should have acquired sufficient experience and competence to make fundamental decisions in compliance with data protection regulations.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Montalbano Jonico
2021-09-16
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
Art. 9 (1), (2), (4) GDPR
Art. 2-ter (1), (3) Codice della privacy
Art. 2-septies (8) Codice della privacy
The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the municipality of Montalbano Jonico. An individual had filed a complaint against the municipality with the DPA. He complained that a document containing personal data about himself and his father was publicly available on the municipality's website. Under the 'Documents and Data' section of the website, the files of the municipality could be viewed. In this context, it was possible, by filling out the corresponding search form, to access a decision on a settlement for the overcoming and removal of architectural barriers in their home. The decision clearly contained personal data and information in the text and subject line, such as the name of the complainant and his dependent father, with a reference to the father's situation as a disabled person. The text of the decision also contained the complainant's date of birth and place of residence, as well as information about the settlement sum. The DPA considered the publication of the decision with these data to be a violation of the principle of data minimisation.
GARANTE
Italian Data Protection Authority
Health Care
Farpa s.r.l.
2021-09-16
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 13 GDPR
Art. 88 GDPR
Art. 114 Codice della privacy
The Italian DPA has imposed a fine of EUR 1,000 on Farpa s.r.l. The company had installed video surveillance systems in the social care facilities it operates; however, their specific use had not been authorised. The DPA found that the video surveillance system had different features from those approved and was installed in a different position from the one approved. The DPA also found that the company had not sufficiently informed the data subjects (guests of the facility and their relatives) about the video surveillance.
CNIL
French Data Protection Authority
Individuals and Private Associations
Société nouvelle de l’annuaire français
2021-09-15
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 16 GDPR
Art. 17 GDPR
Art. 30 GDPR
Art. 31 GDPR
The French DPA (CNIL) has fined Société nouvelle de l'annuaire français (SNAF) EUR 3,000. SNAF operates the website annuairefrancais.fr, which lists French companies based on data published by the French Statistical Office. Between 2018 and 2019, the CNIL received sixteen complaints indicating problems in requesting the erasure and rectification of personal data. In response, the CNIL requested SNAF to comply with the requests within two months, which SNAF failed to do. As a result, the CNIL imposed the fine on SNAF, mainly for non-compliance with the rights of rectification and erasure of the data subjects and for lack of cooperation with the CNIL.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-09-14
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that two telephone lines were registered in his name, for each of which charges were made. However, the data subject had never concluded contracts with the company for either of these lines. Rather, the contracts in question were concluded by fraudsters using the data subject's personal data. Nevertheless, the personal data was entered into the company's information systems without any verification as to whether the contracts had been lawfully and actually concluded by the data subject. The contracts were concluded even though they were not signed and the information provided by the fraudster, such as the address or date of birth, did not match those on the data subject's ID card. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-09-14
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that several telephone lines were registered in his name. However, the data subject had never signed contracts with the company for any of these lines. Rather, the contracts in question were concluded by fraudsters using the data subject's personal data. Nevertheless, the personal data was entered into the company's information systems without any verification as to whether the contracts had been lawfully and actually concluded by the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-09-14
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. The data subject stated that unauthorised third parties had gained access to her Vodafone account, had booked the Vodafone Unlimited package in her name and had purchased an iPhone 11 Pro Max in instalments. The DPA noted that the controller had not adequately verified whether the contracts had been lawfully and actually concluded by the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-09-14
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. The data subject stated that unauthorized third parties gained access to his Vodafone account and signed three mobile phone contracts in his name. The DPA found that Vodafone had failed to verify whether the contracts were lawful and actually concluded by the data subject. The contracts were concluded even though they were not signed and the information provided by the fraudster, such as address or date of birth, did not match that of the data subject. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-09-14
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. for insufficient legal basis for data processing. The data subject stated that he received a call from Vodafone in which the company requested him to pay for three telephone lines. In the call, he explained to Vodafone that the said lines had neither been ordered nor authorized by him, and asked Vodafone to send him the invoices. On the invoices, the data subject recognized that the telephone and account numbers did not match his own. During its investigation, the DPA found that an unauthorized third party had concluded the contracts for the lines in the name of the data subject. In addition, the DPA found that Vodafone had failed to verify the identity of the person who concluded the contracts and to take the necessary precautions to ensure that such incidents did not occur. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Industry and Commerce
GESTIONES AUTO LOW COST S. L.
2021-09-13
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on GESTIONES AUTO LOW COST S. L. due to the fact that the company's website did not contain a privacy policy.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Hairdressing salon
2021-09-13
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a hairdressing salon. The controller had installed video surveillance cameras and had not properly informed the data subjects about the processing of the data by the cameras.
AEPD
Spanish Data Protection Authority
Not assigned
Website operator
2021-09-13
€9,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 9,000 on the controller of a website. A person had filed a complaint with the DPA because the controller had published his first and last name as well as a screenshot of his LinkedIn profile on the website. The controller had neither obtained the data subject's consent for this, nor had he informed him about the processing of his personal data. The DPA considered this to be a violation of Art. 6 GDPR and Art. 13 GDPR.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Midtjylland Region
2021-09-08
€53,800.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA has imposed a fine of EUR 53,800 on Midtjylland Region. On June 12, 2020, the DPA received a notification from the region regarding a personal data security breach pursuant to Art. 33 GDPR. According to the notification, all patients and staff at a lifestyle center were able to access a building where up to 100,000 physical patient records were stored, including health information and personal identity number details. The reason for this was that both staff and patients had been given key cards that allowed them to access all three buildings of the lifestyle center, regardless of whether the card holder needed access to them. In addition, passersby were able to look at the covers of some of the records (which showed personal data such as identity numbers and names) through a window in the building. In this context, the DPA found that the Midtjylland Region had not taken adequate security measures for the storage of personal data. In addition, the region had not established sufficient guidelines for access restrictions when issuing key cards, and had not conducted adequate periodic testing, assessment, and evaluation of the security measures taken. In evaluating the question of whether a fine should be imposed, the Danish DPA took into account, as an aggravating factor, that the region processed large amounts of sensitive data, such as health data.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
Vodafone Ireland Limited
2021-09-07
€1,400.00
Insufficient fulfilment of data subjects rights
Art. 21 GDPR
The Irish DPA has fined Vodafone Ireland Limited EUR 1,400. Vodafone had in several cases sent marketing SMS and emails and made telephone calls without the consent of the data subjects. Despite several revocations by the data subjects, they continued to receive unsolicited advertising. In one case, a former customer had contacted Vodafone seven times and asked not to receive any more advertising calls on his cell phone. Despite his request, he continued to receive advertising calls. In another case, a customer received an advertising call on his cell phone number and informed Vodafone during the conversation that he did not want to receive any more advertising calls. Despite his request, Vodafone made twelve more marketing calls to his cell phone. In another case, the data subject filled out a form clearly stating his wish not to receive marketing calls from Vodafone. However, the employee who processed the request failed to register the customer's marketing preferences. As a result, the customer subsequently received fourteen more unsolicited commercial messages - seven emails and seven text messages.
Cypriot Data Protection Commissioner
Individuals and Private Associations
APOEL FC
2021-09-06
€40,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 40,000 on the soccer club APOEL FC. Due to a lack of security measures in the club's ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the club's website. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the club failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined AC Omonia and Hellenic Technical Enterprises Ltd. for the same violations.
Cypriot Data Protection Commissioner
Individuals and Private Associations
AC Omonia
2021-09-06
€40,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 40,000 on the soccer club AC Omonia. Due to a lack of security measures in the club's ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the club's website. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the club failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined APOEL FC and Hellenic Technical Enterprises Ltd. for the same violations.
Cypriot Data Protection Commissioner
Industry and Commerce
Hellenic Technical Enterprises Ltd.
2021-09-06
€25,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 25,000 on Hellenic Technical Enterprises Ltd. The controller had designed the ticket sales system of the soccer clubs AC Omonia and APOEL FC. Due to a lack of security measures in the ticket sales system, it was possible for an unauthorized person to access and disclose personal data of fans on the clubs' websites. This data involved the name, the fan card number and the ID number of the data subjects. The DPA concluded that the controller failed to implement adequate technical and organizational security measures. In separate proceedings, the DPA fined APOEL FC and AC Omonia for the same violations.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
AMPUDIA DIAZ, S.L.
2021-09-04
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on AMPUDIA DIAZ, S.L. The controller had installed a video surveillance system on its premises which recorded, among other things, a public sidewalk, making it possible to record passers-by. The controller had not installed any signs informing about the video surveillance. The DPA found that the controller had violated the principle of data minimization and its duty to inform. The fine consists of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR.
HDPA
Hellenic Data Protection Authority
Employment
Rhodes Municipal Transport Company
2021-09-03
€8,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) c) GDPR
Art. 12 (3) GDPR
Art. 15 GDPR
The Hellenic DPA has imposed a fine of EUR 8,000 on the Rhodes Municipal Transport Company. A former employee had filed a complaint against the controller with the DPA. The former employee was in a legal dispute with the controller after the latter had reported him for alleged embezzlement. Against this background, he had asked the controller to send him, for his defense in the criminal proceedings, a copy of the recordings made by the bus's video surveillance system on the day on which the incident in question allegedly occurred. However, the controller had never responded to his request. The DPA considered this to be a violation of the data subject's right to information pursuant to Art. 12 (3) GDPR and Art. 15 GDPR. Furthermore, the controller had provided the data subject with a certificate about his previous employment which, in addition to the type and duration of employment, also contained the information that he had been dismissed due to a criminal offense. The DPA considered this to be a violation of the principle of proportionality pursuant to Art. 5 (1) c) GDPR. The fine is composed of EUR 3,000 for a violation of Art. 5 (1) c) GDPR and EUR 5,000 for a violation of Art. 12 (3) and Art. 15 GDPR.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
WhatsApp Ireland Ltd.
2021-09-02
€225,000,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp had committed serious violations of Art. 12 GDPR, Art. 13 GDPR and Art. 14 GDPR with respect to the information provided to users. Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to the other concerned European supervisory authorities in December 2020. The DPC subsequently received objections from eight supervisory authorities. Due to a lack of agreement, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR on June 3, 2021. The European Data Protection Board (EDPB) then, by its decision of July 28, 2021, required the DPC to reassess and increase its proposed fine based on a number of factors. The EDPB found a violation of the principle of transparency set forth in Art. 5 (1) a) GDPR in addition to the violations found by the DPC, and requested this to be reflected in the final amount of the fine. Based on this, the DPC imposed the fine in the amount of EUR 225,000,000. The fine is composed as follows: EUR 90,000,000 for the violation of Art. 5 (1) a) GDPR; EUR 30,000,000 for the violation of Art. 12 GDPR; EUR 30,000,000 for the violation of Art. 13 GDPR; and EUR 75,000,000 for the violation of Art. 14 GDPR. With respect to Art. 12 GDPR and Art. 13 GDPR, the DPC found that WhatsApp had failed to provide information about the nature of the data collection 'in a concise, transparent, intelligible and easily accessible form, using clear and plain language.' This includes making the information easy for children to understand when it is addressed to them. For example, WhatsApp had spread information about the relationship between WhatsApp and other Facebook companies, and the sharing of data under that relationship, across a variety of texts. Much of the information provided was, moreover, of such a general nature that the DPC deemed it meaningless. Users often had to follow multiple links to FAQs to get to the information they were looking for on WhatsApp's website. In this regard, the DPC stated that it would be unreasonable to expect users to search the WhatsApp website after failing to find sufficient information in the privacy statement itself. With regard to Art. 14 GDPR, one of the issues was the impact of a user's consent allowing the messaging platform to access his or her contacts. On that basis, the company searched its users' contact lists on their phones for phone numbers and other data, not only of other WhatsApp users, but also of contacts who do not even have a WhatsApp account. The DPC found that this data had been processed unlawfully, as these contacts (especially those who do not have a WhatsApp account) had not received any information about this processing and therefore could not possibly have given their consent. Given the seriousness and the far-reaching nature and impact of the breaches, the DPA concluded that there had also been a violation of the transparency principle of Art. 5 (1) a) GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Automecanica Jerez, S.L.
2021-09-02
€4,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Art. 21 LSSI
The Spanish DPA (AEPD) has fined Automecanica Jerez, S.L. EUR 4,000. The controller had sent commercial e-mails to a large number of people without their consent. In doing so, the controller failed to hide the personal data of the recipients, such as surname, first name and email address, which allowed the other recipients to view the data. The AEPD considered this to be a violation of Art. 5 (1) f) GDPR and Art. 32 GDPR, as the controller had failed to implement technical and organizational measures to ensure an adequate level of security in the processing of personal data. Furthermore, the AEPD found a breach of Art. 21 LSSI.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Furnishyourspace S.L.
2021-08-30
€6,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 21 (4) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 6,000 on FurnishYourSpace S.L. The AEPD had received a complaint from the Berlin DPA via the EU Internal Market Information System about the inadequate design of the controller's privacy notice. Namely, the identity and contact details of the controller were provided in the privacy notice, but under a misleading heading that gave the impression that they were provided for a business purpose. In addition, the purposes of the processing were not clearly stated. No information was provided regarding the legal basis, the retention period of the personal data and the data subjects' right to object. Also, the privacy notice was confusing, and the wording contained grammatical errors and used terms that are not part of common usage. In addition, the privacy notice required a tax identification number in order to issue a simplified invoice, i.e., an invoice not exceeding the amount of EUR 3,000. The AEPD found this to be a violation of the principle of legality. The fine is composed as follows: EUR 3,000 for a breach of Art. 12 GDPR and Art. 13 GDPR; EUR 1,000 for a breach of Art. 21 (4) GDPR; and EUR 2,000 for a breach of Art. 5 (1) a) GDPR and Art. 6 GDPR.
AEPD
Spanish Data Protection Authority
Real Estate
Owners Association
2021-08-26
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on an owners' association. The controller had unlawfully installed a video surveillance system in a residential complex which recorded, among other things, common areas such as the swimming pool, as well as parts of the public space. In addition, video cameras were installed in the rooms where the guards of the residential complex dressed, without any notice being given. The DPA considered this to be a violation of the principle of data minimization.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
Dixons South East Europe ΑΕΒΕ-ΚΩΤΣΟΒΟΛΟΣ
2021-08-26
€20,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (1), (2), (3) GDPR
Art. 15 (1) GDPR
The Hellenic DPA has imposed a fine of EUR 20,000 on Dixons South East Europe ΑΕΒΕ-ΚΩΤΣΟΒΟΛΟΣ. A data subject had filed a complaint against the controller after it failed to comply with his right to information. After returning a product, the data subject had asked the controller via Facebook Messenger to inform him about the request to cancel his credit card statements sent electronically to the bank. However, the controller refused to comply, whereupon the data subject asserted the same right with the bank, which, however, did not provide him with a response.
HDPA
Hellenic Data Protection Authority
Finance, Insurance and Consulting
National Bank of Greece
2021-08-26
€20,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (1), (2), (3) GDPR
Art. 15 (1) GDPR
The Hellenic DPA has imposed a fine of EUR 20,000 on the National Bank of Greece. A data subject had filed a complaint against a company and the bank after they failed to comply with his right to information. After returning a product he had purchased from the company, the data subject had asked the company via Facebook Messenger to inform him about the request to cancel his credit card statements sent electronically to the bank. However, the company refused to comply, whereupon the data subject asserted the same right with the bank, which, however, did not provide him with a response.
HDPA
Hellenic Data Protection Authority
Health Care
NOW DOCTOR – Εταιρία Παροχής Ηλεκτρονικών Υπηρεσιών Αναζήτησης και Προβολής Ιατρών Ε.Π.Ε.
2021-08-26
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), e) GDPR
Art. 5 (2) GDPR
Art. 6 (1) GDPR
Art. 12 (2), (3) GDPR
Art. 17 GDPR
The Hellenic DPA has imposed a fine of EUR 5,000 on the operator of the medical platform nowdoctor.gr, which enables online booking of medical appointments. A doctor had filed a complaint with the DPA. According to the complaint, she had repeatedly stated that she no longer wished to work with the controller and had requested the deletion of her data on the platform. The controller did not comply with her request. The deletion did not take place until 18 months later, after the DPA requested the controller to do so. The DPA considered this to be a breach of the controller's accountability obligations and found that the controller had stored the data subject's data longer than necessary for the intended purpose. The purpose, namely the provision of online display services, ceased to exist when the data subject declared that she no longer wished to work with the controller. In addition, the DPA found that the controller had failed to take measures with regard to the requirement of Art. 12 GDPR to facilitate the exercise of data subjects' rights. The controller had publicly provided an e-mail address on its website as a means of communication. However, the controller did not have sufficient staff available to actually process the correspondence.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Banco Bilbao Vizcaya Argentaria, S.A.
2021-08-25
€120,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Spanish DPA (AEPD) has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A. The reason for this was a complaint from a person relating to a lack of authentication. According to the complaint, only the ID number had to be given as identification when information was provided by telephone. This could allow any person to call, provide an ID number, and thus receive the information associated with that ID number without any verification that the caller was actually the ID holder. The DPA considered this to be a failure to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subjects. The original fine of EUR 200,000 was reduced to EUR 120,000 due to voluntary payment and acknowledgement of guilt.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
Actamedica SRL
2021-08-24
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 28 (1) GDPR
Art. 32 GDPR
Art. 33 GDPR
The Romanian DPA (ANSPDCP) has fined Actamedica SRL EUR 3,000. The controller had informed a private individual about the loss of her biological samples and a sum of money sent via a courier service. When asked what personal data had been disclosed on this occasion and whether the ANSPDCP had been informed of the incident, the controller only provided the contact details of its lawyer and an e-mail address of the courier service to which the private individual could address her complaint. The ANSPDCP found a breach of the controller's obligation to implement technical and organizational measures to ensure a level of protection appropriate to the risk to data subjects, as well as a breach of the controller's obligation to notify the ANSPDCP of the data breach.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Company owner
2021-08-23
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on a company owner. A person had applied for a job at the controller's company and sent the controller his CV via WhatsApp. He was neither informed about the processing of his personal data nor about his data subject rights. The AEPD considered this to be a violation of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Not assigned
Agency
2021-08-23
€1,800.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Spanish DPA (AEPD) has imposed a fine on an agency. The controller had disposed of documents containing personal data of its clients in the garbage. The AEPD considered this to be a lack of security and data protection measures in the sense of Art. 32 GDPR, which states that 'the controller and processor shall implement appropriate technical and organizational measures to ensure an adequate level of security.' The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and acknowledgement of guilt.
Data Protection Authority of Ireland
Individuals and Private Associations
MOVE Ireland
2021-08-20
€1,500.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Irish DPA (DPC) has fined the organization MOVE (Men Overcoming Violence) EUR 1,500. MOVE is a charity working in the field of domestic violence. The organization aims to support the safety and well-being of women and their children who have experienced violence in relationships. For this purpose, participants (men) come to weekly sessions in order to change their behavior. On February 3, 2021, the organization reported a data breach in accordance with Art. 33 GDPR. The organization stated that eighteen SD cards had been lost, which may have contained recordings of group sessions of the MOVE program, in which participants discuss their behavior and attitudes regarding domestic violence with a group leader. Some of the participants could be seen and heard on the recordings. In addition, the recordings included footage of participants discussing their behaviors and feelings regarding current or former partners, other family members, and friends who may have been named. Approximately 80-120 participants could have been affected by the data breach, as well as at least one group leader per recorded session. The DPC found that MOVE had breached its obligation under Art. 32 (1) GDPR by failing to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing of personal data through the recording of group sessions.