A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Each entry lists: Data Protection Authority (abbreviation and name), Sector, Fined Company, Date, Fine, Violation, Articles, Description, Link.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Danish Immigration Agency
2021-08-17
€20,100.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Danish DPA has imposed a fine of EUR 20,100 on the Danish Immigration Agency.
Media reports brought the DPA's attention to possible logging errors in one of the agency's IT systems, which could have an impact on the rights and freedoms of residents. The DPA consequently started an investigation at the agency.
In spring and summer 2020, several security incidents occurred in the agency's systems, resulting in the loss of data records.
The loss of data led to proceedings being initiated against a number of residents regarding the reduction of their cash benefits, and a number of residents being reported to the police for non-compliance with the provisions of the Foreigners Act.
During its investigation, the DPA found that a lack of technical and organizational measures allowed the incident to occur. For instance, the agency had not made adequate backups of the data processed, although this would have been necessary in view of the legal consequences a loss of the data could mean for the immigrants.
AEPD
Spanish Data Protection Authority
Employment
Employer
2021-08-13
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on an employer. The controller had installed a video surveillance system without properly informing employees.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
President of the Zgierz District Court
2021-08-13
€2,200.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 25 (1) GDPR
Art. 32 (1) b), d), (2) GDPR
The Polish DPA (UODO) has imposed a fine of EUR 2,200 on the president of the Zgierz District Court. The president had reported a data breach involving the loss of an unencrypted USB stick by a probation officer. The data medium stored the data of 400 persons under probation supervision. The lost and at the same time unsecured data carrier has not yet been found, so that unauthorized persons could still have access to the personal data it contained. The president had assumed that the duty to secure the data did not lie with himself, but with the respective probation officers who had these data in use. However, the DPA found that the president himself should have secured the USB sticks.
AZOP
Croatian Data Protection Authority
Media, Telecoms and Broadcasting
Telecommunications company
Unknown
€20,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 5 (1) d) GDPR
The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a telecommunications company. A data subject had filed a complaint with the DPA claiming that the company was still processing their personal data even though they had not been a customer of the company for more than ten years. During its investigation, the DPA found that the company had still been storing the data due to an alleged debt. The debt was no longer outstanding; however, the company had failed to delete the data of the data subject due to a lack of measures to regularly verify that the stored data was up to date and accurate. The DPA concluded that the company had unlawfully processed the data and violated Art. 6 (1) GDPR in relation to Art. 5 (1) d) GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
MED LIFE S.A.
2022-05-24
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2), (4) GDPR
The Romanian DPA has imposed a fine of EUR 5,000 on MED LIFE S.A. The company had disposed of documents containing sensitive patient data in a publicly accessible garbage can. An individual had found these documents and filed a complaint with the DPA. During its investigation, the DPA found that MED LIFE had not taken adequate technical and organizational measures to protect personal data and avoid such incidents.
AEPD
Spanish Data Protection Authority
Real Estate
Alquiler Seguro SA
2022-05-24
€42,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 42,000 on Alquiler Seguro SA. The company had advertised a job for which the data subject had applied.
As part of the application process, the company had requested information about the creditworthiness of the data subject from a credit agency. However, the person concerned had never consented to such a query of their creditworthiness by Alquiler Seguro nor had they been informed about it. For this reason, the DPA found that Alquiler Seguro had processed the data of the data subject without a valid legal basis and thus violated Art. 6 (1) GDPR.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Zito Auto di Gianfranco Zito
2022-05-22
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 114 Codice della privacy
The Italian DPA has imposed a fine of EUR 3,000 on the company Zito Auto di Gianfranco Zito. The company had installed video surveillance cameras which monitored, among other things, public spaces and employees. The DPA considered this to be a violation of the principle of data minimization (Art. 5 (1) c) GDPR).
GARANTE
Italian Data Protection Authority
Health Care
Azienda Socio Sanitaria Territoriale Dei Sette Laghi
2022-05-22
€7,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 9 GDPR
Art. 32 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 7,000 on the healthcare facility Azienda Socio Sanitaria Territoriale Dei Sette Laghi. A patient had mistakenly received medical records and clinical documentation from another patient in his own file.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Napoli Corpo di Polizia Municipale
2022-05-22
€12,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 88 GDPR
Art. 113 Codice della privacy
The Italian DPA has fined the police authority 'Comune di Napoli Corpo di Polizia Municipale' EUR 12,000. The police authority had sent a list of names, addresses, tax numbers, contact details and appointments for Covid-19 tests of employees to various administrative units via e-mail. The authority referred to the consent given by the employees as the legal basis for the data processing. However, the DPA concluded that the authority could not rely on consent, as voluntary consent is questionable in the employee-employer relationship.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-05-20
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The individual had taken photos of a group of minors as well as police officers without their consent and later uploaded them to Facebook.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-05-20
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras in his car which, among other things, also covered parts of a community garage. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-05-20
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has fined a private individual operating three websites EUR 2,000. During its investigation, the DPA found that all three websites lacked a field for giving consent to the processing of personal data. In addition, the DPA found that the privacy policies on the websites were missing any reference to the identity of the data controller and to the right of data subjects to withdraw their consent to data processing.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Kredyt Inkaso Investments RO S.A
2022-05-18
€5,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 33 GDPR
The Romanian DPA has fined Kredyt Inkaso Investments RO S.A. EUR 5,000.
A data subject had filed a complaint with the DPA against the controller for having disclosed their personal data and that of their minor child to medical institutions without authorization and without the data subject having any relationship with the institutions. During its investigation, the DPA found that the controller had disclosed data such as home address, professional status, as well as data from the employment contract.
In addition, the DPA found that the controller had not notified the DPA of the data breach in a timely manner required by Art. 33 GDPR.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Google LLC
2022-05-18
€10,000,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 17 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 10 million on Google LLC. Two data subjects had complained to the DPA that Google had disclosed their personal data to third parties without authorization.
In the course of the lengthy investigation, the DPA found that Google had passed on personal data of data subjects to the so-called Lumen project.
Lumen is a project run by the Berkman Klein Center for Internet & Society at Harvard University. The project began in 2002 for the purpose of collecting requests relating to the removal of content from websites within and outside of the United States. This data may then be accessed by researchers and other interested parties.
Users of Google-operated platforms such as YouTube or Google Drive have the option of requesting that content about themselves on the platforms be removed. For this purpose, Google has provided various contact and complaint forms.
However, the data of the data subjects who use these forms was automatically transmitted to the Lumen project.
The data subjects did not have the opportunity to object to this transmission, because the automatic transmission to Lumen was a condition for using the forms.
For this reason, the DPA found that, due to the lack of possibility to object to the transfer of the data to Lumen, Google processed the data subjects' data without a valid legal basis.
In this context, the DPA also found that Google did not sufficiently enable data subjects to exercise their right to erasure of their data.
When assessing the fine, the DPA took into account as aggravating factors that the data was not only disclosed, but also transferred to a third country without giving the data subjects the possibility to object to it. This deprived the data subjects of control over the handling of their personal data. In addition, the DPA found that the transfer took place over a very long period of time.
Also, a large number of individuals were affected and in some cases sensitive data was processed.
AEPD
Spanish Data Protection Authority
Industry and Commerce
SCF ZHU, S.L.
2022-05-18
€600.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has fined SCF ZHU, S.L. due to a lack of sufficient data processing information in relation to video surveillance on business premises. The original fine of EUR 1,000 was reduced to EUR 600 due to immediate payment and admission of responsibility.
ICO
Information Commissioner
Industry and Commerce
Clearview AI Inc.
2022-05-18
€9,000,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), e) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 14 GDPR
Art. 15 GDPR
Art. 16 GDPR
Art. 17 GDPR
Art. 21 GDPR
Art. 22 GDPR
Art. 35 GDPR
The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such as image tags and geolocation. Clearview AI no longer offers its services in the UK, but it does in other countries, which means that the company continues to use personal data of UK residents.
In the course of its investigation the DPA found that the personal data contained in the company's database had been processed unlawfully and without a valid legal basis.
Furthermore, in order to exercise their rights under the GDPR, such as the right of access under Art. 15 GDPR, data subjects had to provide Clearview with additional personal data by submitting a photograph of themselves that could be matched against the Clearview database. According to the DPA, this constitutes a significant impediment and deterrent to the exercise of such rights.
In addition, the DPA found that the company had violated several principles of the GDPR. For example, the company had violated the principle of transparency by failing to adequately inform users about the processing of their data. Clearview had also violated the principle of storage limitation by not providing a data retention policy and thus not being able to ensure that personal data is not held for longer than necessary. Further, Clearview failed to conduct a privacy impact assessment despite the high risk to data subjects' data.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
MAYR MELNHOF PACKAGING ROMANIA S.R.L.
2022-05-17
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) b), c) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
The Romanian DPA has imposed a fine of EUR 1,500 on MAYR MELNHOF PACKAGING ROMANIA S.R.L. The controller had installed video surveillance cameras in the premises for the purpose of protecting company assets and the safety of employees. During its investigation, the DPA also found that the cameras covered the employee cafeteria and smoking area, allowing employees to be monitored outside of their working hours. The DPA states that the recording of the employees was not necessary to ensure the purposes associated with the video surveillance and was therefore disproportionate. The DPA found this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-05-17
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras on his property which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
TIGERS MARKET, S.L.
2022-05-17
€8,000.00
Insufficient fulfilment of data subjects rights
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 (4) LOPDGDD
The Spanish DPA (AEPD) imposed a fine of EUR 8,000 on TIGERS MARKET, S.L. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list.
AEPD
Spanish Data Protection Authority
Industry and Commerce
RAMONA FILMS, S.L.
2022-05-17
€18,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Spanish DPA (AEPD) has fined RAMONA FILMS, S.L. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 30,000 was reduced to EUR 18,000 due to immediate payment and acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Industry and Commerce
INSEKT FOOD S.L.
2022-05-17
€4,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on INSEKT FOOD S.L. A data subject had filed a complaint with the DPA against the controller because the controller had published personal data of the data subject in three WhatsApp groups. As a result, all 541 members of these WhatsApp groups were granted unauthorized access to certain personal data of the data subject (surname, first name, address).
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2022-05-17
€42,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine on Vodafone España S.A.U. A data subject had filed a complaint with the AEPD against the controller. The data subject complained about receiving invoices even though there was no longer a contractual relationship between them and the controller. Although the data subject had objected to the continued receipt of messages, as there were no more invoices outstanding and the controller had confirmed this, the sending continued. The DPA therefore found that the controller processed the data subject's data without a valid legal basis. The original fine of EUR 70,000 was reduced to EUR 42,000 due to immediate payment and admission of guilt.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Arbeidstilsynet
2022-05-16
€14,500.00
Insufficient legal basis for data processing
Art. 6 (1) e) GDPR
The Norwegian DPA (Datatilsynet) has fined the Norwegian Labor Inspectorate 'Arbeidstilsynet' EUR 14,500. The controller had carried out a credit check on the data subject without any valid legal basis for doing so.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Mercadona S.A.
2022-05-13
€170,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 12 GDPR
Art. 15 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 170,000 on the supermarket chain Mercadona S.A. An individual had filed a complaint with the DPA. The individual had suffered an accident in one of the supermarkets and had asked Mercadona to provide the recordings of the accident from the video surveillance system in order to claim damages. However, Mercadona did not comply with this request. After the lawyer of the data subject asked Mercadona again to provide the recordings, Mercadona replied that the images had already been deleted.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Civilstyrelsen
2022-05-12
€13,400.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Art. 33 GDPR
The Danish DPA has imposed a fine of EUR 13,400 on the Danish agency Civilstyrelsen.
A Civilstyrelsen USB stick containing more than 800 pages of sensitive and confidential information had been lost. During its investigation, the DPA found that the USB stick was not encrypted. In addition, the agency did not have any policies for its employees on the use of removable and portable media.
Moreover, the DPA found that despite being aware of this data breach, the agency had not reported the breach, contrary to its obligation under Art. 33 GDPR.
The DPA concluded that the agency had not taken appropriate technical and organizational measures to protect personal data. Encryption of removable media, for example, is a necessary and required security measure, especially if the removable media contain sensitive information such as personal data.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
LORIS FUEL SHOP SRL
2022-05-12
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 29 GDPR
Art. 32 (4) GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on the gas station operator LORIS FUEL SHOP SRL.
A person had filed a complaint with the DPA because pictures of him were published on Facebook. The images originated from a video surveillance system installed in one of the controller's gas stations.
During its investigation, the DPA found that the controller had not taken sufficient technical and organizational measures to ensure the confidentiality of the personal data generated through the CCTV system installed in the gas stations. This resulted in unauthorized third parties filming the images from the video cameras and subsequently publishing them on social networks.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-05-12
€500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 500 on a private individual. The controller had installed a surveillance camera on his property, which recorded, among other things, neighboring properties. The AEPD considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-05-12
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The individual had shared a video on WhatsApp showing images of a violent attack on the data subject without having obtained the data subject's consent.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Bazar di Hu Xiaoyan
2022-05-12
€20,000.00
Insufficient fulfilment of information obligations
Art. 5 GDPR
Art. 13 GDPR
Art. 114 Codice della privacy
The Italian DPA has imposed a fine of EUR 20,000 on the company 'Bazar di Hu Xiaoyan'. The controller had operated video surveillance cameras in its premises without a required permit. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing.
GARANTE
Italian Data Protection Authority
Employment
Villabate municipality
2022-05-12
€6,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 37 (1) a) GDPR
Art. 37 (7) GDPR
Art. 38 (6) GDPR
The Italian DPA has fined Villabate municipality EUR 6,000. The municipality had disclosed personal data of a former employee to unauthorized third parties without a valid legal basis. The DPA also found that the municipality had not appointed a data protection officer.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Singh Market
2022-05-12
€2,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA has fined the owner of the store 'Singh Market' EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Bar owner
2022-05-11
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a bar owner EUR 600. The bar operated a video surveillance system in which the observation angle of the cameras extended into the public space. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Homeowners Association
2022-05-11
€6,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on a homeowners' association.
An apartment owner who had been a resident for 15 years had filed a complaint with the DPA because they had to show ID before using the communal pool. This request for personal data was based on measures to combat the Covid-19 pandemic.
During its investigation, the DPA found that the collection of the personal data through the ID check was unnecessary given the fact that the data subject had been a resident for 15 years, and thus violated the principle of data minimization set forth in Art. 5 (1) c) GDPR. Furthermore, the DPA found that the data subject had not been sufficiently informed about the processing of their personal data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2022-05-10
€300.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a store owner. The controller had requested various personal data from customers for appointment bookings. The DPA found that the controller failed to properly inform the data subjects about the processing of the data in accordance with Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
CONTIMAG INVEST, S.L.
2022-05-09
€1,200.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined CONTIMAG INVEST, S.L. EUR 1,200 for failing to provide sufficient information on video surveillance in one of the restaurants it operates.
Deputy Data Protection Ombudsman
Media, Telecoms and Broadcasting
Otavamedia Oy
2022-05-09
€85,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) c) GDPR
Art. 12 (1), (2), (3), (4), (6) GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 25 GDPR
The Finnish DPA has imposed a fine of EUR 85,000 on Otavamedia Oy.
The DPA had received eleven complaints regarding Otavamedia between 2018 and 2021. Namely, the complaints primarily concerned the lack of response to inquiries from data subjects.
Otavamedia explained that some of the privacy requests had not been fulfilled due to a technical problem with email management. During the incident, messages received in the privacy inquiry email box were not forwarded to customer service representatives. The situation had only been discovered after seven months.
In this context, the DPA noted that Otavamedia should have tested the new e-mail system before using it in order to be able to guarantee the response to the requests and the rights of the data subjects.
Requests by analogue (paper) means were also possible, but the request form had to be signed by the data subjects for identification purposes. However, Otavamedia was not processing the signature data in any other context, so the signature could not even be cross-checked.
The DPA concluded that Otavamedia thereby collected an unnecessarily large amount of data for identification purposes and made the exercise of data subject rights harder by requiring signatures.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Concordia Capital IFN S.A.
2022-05-04
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Romanian DPA has fined Concordia Capital IFN S.A. EUR 4,000. The controller had unlawfully installed audio and video cameras in the offices of its employees. The video surveillance was intended to protect the company's employees and goods. The DPA however stated that the controller violated Art. 5 GDPR and Art. 6 GDPR, as such extensive surveillance was not necessary.
APD
Belgian Data Protection Authority
Transportation and Energy
Nationale Maatschappij der Belgische Spoorwegen
2022-05-04
€10,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) GDPR
Art. 12 (2) GDPR
Art. 21 (2), (3), (4) GDPR
The Belgian DPA has imposed a fine of EUR 10,000 on the Belgian national railroad company (Nationale Maatschappij der Belgische Spoorwegen).
A Twitter user who had received an e-mail newsletter from the railroad company had filed a complaint with the DPA. According to the Twitter user, the newsletter did not include an option to unsubscribe.
During its investigation, the DPA found, first, that there was no valid legal basis for the processing of personal data through the newsletter. Contrary to the railroad company's view, the DPA concluded that the newsletter was not necessary for the performance of the contracts between passengers and the company and that this performance interest therefore did not constitute a legal basis for the processing. Furthermore, the DPA found that the data subjects' right to object was not sufficiently taken into account, as it was not possible to unsubscribe from the newsletter directly via the e-mails.
KZLD
Bulgarian Commission for Personal Data Protection
Transportation and Energy
Bulgarian Post EAD
2022-05-04
€500,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), c), d) GDPR
Art. 32 (2) GDPR
The Bulgarian DPA has imposed a fine of EUR 500,000 on Bulgarian Posts EAD. The controller had suffered a hacking attack, during which the attackers managed to access the controller's databases. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data in order to avoid a data breach.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Megareduceri TV S.R.L.
2022-05-03
€4,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
Failure to provide requested information to the Romanian DPA within the required timeframe in violation of Art. 58 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
MISTORE CANARIAS, S.L.
2022-05-03
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on MISTORE CANARIAS, S.L. A person who had made a purchase from the company had filed a complaint against the company with the DPA. According to the person, her personal data such as surname, first name and bank account details were collected during the purchase. In the course of the purchase, she was offered products from three other companies, which she rejected. Nevertheless, the controller transmitted her data to the three companies without her consenting to such transmission.
PERSÓNUVERND
Icelandic data protection authority
Public Sector and Education
City of Reykjavík
2022-05-03
€36,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 32 GDPR
The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system 'Seesaw' at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students' private affairs.
During its investigation, the DPA found that the purpose of the processing of the children's data had not been sufficiently clearly defined. In this context, the DPA also found a breach of the principle of proportionality and data minimization. In addition, the DPA concluded that the city had not implemented adequate technical and organizational measures regarding the protection of personal data. This would have been necessary given the high risk that the data might be transferred to and processed in the United States.
In determining the fine, mitigating consideration was given to the fact that no damage was caused by the data breaches.
PERSÓNUVERND
Icelandic data protection authority
Health Care
HEI – Medical Travel
2022-05-03
€10,600.00
Insufficient fulfilment of data subjects rights
Art. 15 (1), (3) GDPR
Art. 9 (1) Act 90/2018
Art. 17 (2) Act 90/2018
The Icelandic DPA has imposed a fine of EUR 10,600 on HEI - Medical Travel. A data subject had filed a complaint with the DPA against the controller.
The controller had gained access to the data subject's email via the Icelandic Medical Association's internal website and had then sent them unsolicited emails. The DPA found that such access was unlawful due to the lack of a valid legal basis.
In addition, the data subject had asked the controller for information about the processing of their personal data, such as the origin of the e-mail address. The controller did not properly comply with this request.
AEPD
Spanish Data Protection Authority
Health Care
CLÍNICA DENTAL SAN FRANCISCO, S.L.
2022-04-29
€4,200.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
Art. 21 LSSI
The Spanish DPA (AEPD) has imposed a fine on CLÍNICA DENTAL SAN FRANCISCO, S.L. A data subject had filed a complaint with the AEPD against the controller because the controller continued to send him advertisements via WhatsApp even though he had requested the deletion of his data. The original fine of EUR 7,000 was reduced to EUR 4,200 due to immediate payment and admission of responsibility by the controller.
AEPD
Spanish Data Protection Authority
Health Care
LABORATORIOS GONZÁLEZ, S.L.
2022-04-29
€16,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) has fined LABORATORIOS GONZÁLEZ, S.L. The laboratory had sent the results of a Covid-19 test taken by the data subject not only to the data subject but also to their boss, without the data subject's consent. The original fine of EUR 20,000 was reduced to EUR 16,000 due to immediate payment.
Deputy Data Protection Ombudsman
Media, Telecoms and Broadcasting
Telemarketing company
2022-04-29
€8,300.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Finnish DPA has imposed a fine of EUR 8,300 on a telemarketing company for non-compliance with a DPA order. A customer of the company had requested access to the recording of a sales call. However, the company did not comply with the request and therefore the DPA ordered the company to grant the customer access to the recordings. Later, the customer reported that despite the DPA's order, they still had not received the recording of the call.
AEPD
Spanish Data Protection Authority
Employment
CAFFE VECCHIO, S.L.
2022-04-28
€1,500.00
Insufficient legal basis for data processing
Art. 5 (1) f) GDPR
Art. 6 (1) a) GDPR
The Spanish DPA has fined CAFFE VECCHIO, S.L. EUR 1,500. A former employee of the café had filed a complaint with the DPA. The operator of the café had responded to negative online reviews regarding the café, disclosing personal data of the former employee. In addition, the operator published information on the reasons for the termination of the employment relationship.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
MEDEROS MOVITEN, S.L.
2022-04-28
€15,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on MEDEROS MOVITEN, S.L. The data subject had signed a mobile service contract with the company. However, the company also invoiced the data subject for services to which the data subject had not consented. The contracts for these services contained the personal data of the data subject but no signature. Due to the lack of a valid contract, the DPA determined that the company unlawfully processed the personal data of the data subject for the contracts in question and thus violated Art. 6 (1) GDPR.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Working Capital Management España, S.L.
2022-04-28
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 40,000 on the credit information agency Working Capital Management España, S.L. A data subject had filed a complaint with the AEPD against the company. Fraudulent third parties had taken out a loan with NBQ Technology, S.A.U. in the name of the data subject, who had never actually entered into a contract. When the data subject subsequently did not make payments, NBQ disclosed the data subject's information to Working Capital Management. The AEPD determined that Working Capital Management had processed the data subject's data unlawfully, since the personal data was entered into the company's information systems without checking whether the data subject had given consent to the processing of their personal data.
GARANTE
Italian Data Protection Authority
Employment
Educationest s.r.l.
2022-04-28
€1,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), e) GDPR
Art. 6 (1) b), c) GDPR
The Italian DPA has fined Educationest s.r.l. EUR 1,000. The daycare center had sent an e-mail to the families of the children in its care, informing them of the pregnancy and the maternity leave of one of the educators. The daycare center had written the e-mail to prevent rumors about the educator's absence (e.g. a Covid illness) and to protect her. However, the educator had not consented to the disclosure of her pregnancy. The DPA therefore found that Educationest had unlawfully processed the educator's data and violated Art. 5 GDPR and Art. 6 GDPR.