A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
GARANTE
Italian Data Protection Authority
Public Sector and Education
Italian Ministry of Defense
2022-04-28
€10,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 10 GDPR
Art. 2-ter Codice della privacy
Art. 2-sexies Codice della privacy
Art. 2-octies Codice della privacy
The Italian DPA has imposed a fine of EUR 10,000 on the Italian Ministry of Defense.
An employee of the ministry had filed a complaint with the DPA.
During its investigation, the DPA found that two emails had been forwarded without authorization. These e-mails contained, among other things, sensitive information on the health status of the data subject as well as information on legal proceedings.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Istituto Nazionale Assicurazione Infortuni sul Lavoro
2022-04-28
€50,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a), f) GDPR
Art. 6 (1) e) GDPR
Art. 9 (2) g) GDPR
Art. 32 GDPR
Art. 2-ter Codice della privacy
Art. 2-sexies Codice della privacy
The Italian DPA has fined Istituto Nazionale Assicurazione Infortuni sul Lavoro (Public Accident Insurance for workers) EUR 50,000.
As part of its investigation, the DPA found that on three occasions the accident and occupational illness data of other employees were publicly viewable on an online system of the insurance carrier. The incident occurred because an outdated version of the system was in use.
The DPA concluded that the insurance carrier had not sufficiently fulfilled its duty to take appropriate technical and organizational measures to prevent personal data breaches. The insurance carrier should have ensured that updated and secure online systems were used.
GARANTE
Italian Data Protection Authority
Public Sector and Education
'Isabella Gonzaga' high school
2022-04-28
€2,500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 2-ter Codice della privacy
Art. 2-sexies Codice della privacy
The Italian DPA has imposed a fine of EUR 2,500 on the 'Isabella Gonzaga' high school. The school had published a document, which also contained personal health data of some teachers, on an online platform for the teaching staff. The document contained information on benefits linked to the health status of teachers who were entitled to such benefits. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and therefore had acted unlawfully.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Partanna
2022-04-28
€2,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The municipality published information about a court case on its website, including personal data such as the name and professional information of a data subject.
GARANTE
Italian Data Protection Authority
Accommodation and Hospitality
Ekss s.r.l.
2022-04-28
€2,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA has fined the restaurant operator Ekss s.r.l. EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Il Sole 24 Ore S.p.a.
2022-04-28
€40,000.00
Insufficient fulfilment of data subjects' rights
Art. 5 GDPR
Art. 9 GDPR
Art. 12 GDPR
The Italian DPA has fined the newspaper Il Sole 24 Ore S.p.a. EUR 40,000. The newspaper had published an article on the recognition by the Italian authorities of a U.S. judge's decision on the adoption of a child by a same-sex couple. By mistake, the newspaper also published personal data on the couple and the adopted child. The couple then demanded the deletion of the personal data and access to information about the processing of the personal data. The newspaper deleted the personal data, but failed to comply with the data subjects' right of access.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Nos s.r.l.s.
2022-04-28
€20,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 13 GDPR
Art. 14 GDPR
The Italian DPA fined Nos s.r.l.s. in the amount of EUR 20,000. Nos acted as a processor for Vodafone and did advertising for the telecommunications company.
For this purpose, Nos had acquired and processed personal data from the companies Kdata ltd. and Dynamic Web Solution ltd. In the course of its investigation, the DPA found that the data subjects had neither consented to such use nor been informed about it by Nos.
GARANTE
Italian Data Protection Authority
Health Care
Ospedale San Raffaele s.r.l.
2022-04-28
€70,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA has imposed a fine of EUR 70,000 on the healthcare facility Ospedale San Raffaele s.r.l. The hospital had reported two data breaches to the DPA under Art. 33 GDPR.
In the first case, the neurology department of the hospital had sent a newsletter in an open distribution list, which resulted in the email addresses of the recipients being visible to all recipients. Of the 499 email addresses affected, 321 email addresses related to patients and 46 related to family members/caregivers of patients, which allowed these individuals to be identified by name.
In the second case, a surgical department had sent a newsletter in an open distribution list, so again the recipients' email addresses were visible to all recipients. Of the 90 e-mail addresses affected, 75 e-mail addresses referred to patients and/or family members/caregivers of the patients, which meant that these individuals could be identified by name.
The DPA considered this to be a violation of the principle of 'integrity and confidentiality', which requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical and organizational measures. In calculating the fine, the DPA treated it as an aggravating factor that the data breach also affected data relating to the health of the persons concerned.
The fact that the hospital had introduced measures to prevent such events in the future and had cooperated to a high degree with the DPA was treated as a mitigating factor.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-04-27
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine is made up of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR.
GARANTE
Italian Data Protection Authority
Health Care
ASST di Lodi
2022-04-26
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 9 GDPR
Art. 32 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 1,000 on ASST di Lodi.
The healthcare facility had reported a data breach to the DPA pursuant to Art. 33 GDPR. A patient had provided two contacts for their medical affairs. The facility had been explicitly authorized to obtain medical information of the patient from these two persons in case of emergency.
In the context of an important diagnostic examination of the patient, the two authorized contacts were not reachable, so a healthcare facility employee asked a family member they personally knew for the information.
During its investigation, the DPA found that the healthcare facility processed the data subject's information without the data subject's consent and, therefore, without a valid legal basis.
In addition, the DPA concluded that the healthcare facility had not taken appropriate technical and organizational measures to protect personal data in order to prevent such incidents.
AEPD
Spanish Data Protection Authority
Industry and Commerce
MOVALIA TRASLADOS, S.L.U.
2022-04-23
€1,200.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine on MOVALIA TRASLADOS, S.L.U. During its investigation, the DPA found numerous deficiencies on a website operated by the controller. For example, the controller processed data from visitors to the website without their explicit consent. Furthermore, contrary to the controller's obligation under Art. 13 GDPR, the website did not have a privacy policy. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Health Care
Physician
2022-04-22
€5,600.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has fined a physician. The physician had used recordings of a patient's treatment for advertising purposes. However, the patient had not consented to this. For this reason, the DPA found that the doctor had processed the data without a valid legal basis. The original fine of EUR 7,000 was reduced to EUR 5,600 due to immediate payment.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Individuals and Private Associations
Political party
2022-04-22
€8,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (2) GDPR
Art. 32 (1) a), b) GDPR
Art. 32 (2) GDPR
The Hungarian DPA has imposed a fine of EUR 8,000 on a political party. The party had suffered a personal data breach in which six Excel files were made accessible on the Internet. The files contained personal data of party members. The incident affected approximately 2,000 data subjects. During its investigation, the DPA found that the party had failed to take appropriate technical and organizational measures to protect personal data, which allowed such an incident to occur.
AEPD
Spanish Data Protection Authority
Transportation and Energy
DOOR2DOOR SPAIN, S.L.
2022-04-19
€600.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Spanish DPA has imposed a fine on DOOR2DOOR SPAIN, S.L. The controller had failed to implement, in due time, measures repeatedly ordered by the DPA. The controller had also failed to provide information requested by the DPA. The original fine of EUR 1,000 was reduced to EUR 600 due to immediate payment and admission of responsibility by the controller.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
IKEA România S.R.L.
2022-04-18
€1,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 (3) GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on IKEA România S.R.L. A data subject had complained to the DPA that IKEA had failed to comply in a timely manner with their requests to delete their personal data from their IKEA user account. The DPA found that IKEA Romania had violated Art. 12 (3) GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
FLORAQUEEN FLOWERING THE WORLD S.L.
2022-04-18
€1,800.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Spanish DPA has fined FLORAQUEEN FLOWERING THE WORLD S.L. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 3,000 was reduced to EUR 1,800 due to immediate payment and acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Industry and Commerce
JIMBO NETWORKS, S.L.
2022-04-18
€9,000.00
Insufficient fulfilment of information obligations
Art. 6 (1) GDPR
Art. 13 GDPR
Art. 22 (2) LSSI
The Spanish DPA (AEPD) has imposed a fine on JIMBO NETWORKS, S.L. During its investigation, the DPA found numerous deficiencies on a website operated by the controller.
For example, the controller processed data from visitors to the website without their explicit consent.
In addition, the privacy policy on the website did not comply with the requirements set out in Art. 13 GDPR. The privacy policy contained outdated information and referred to laws that were not in effect.
Furthermore, the DPA found deficiencies in cookie use.
The original fine of EUR 15,000 was reduced to EUR 9,000 due to immediate payment and acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Website operator
2022-04-18
€1,800.00
Insufficient fulfilment of information obligations
Art. 6 (1) GDPR
Art. 13 GDPR
Art. 22 (2) LSSI
The Spanish DPA (AEPD) has imposed a fine on the operator of the website https://liasclothes.olistshops.com. During its investigation, the DPA found numerous deficiencies on the website operated by the controller.
For example, the controller processed data from visitors to the website without their explicit consent.
In addition, the website did not contain any type of privacy policy. The DPA therefore found that the controller violated its duties set out in Art. 13 GDPR.
Furthermore, the DPA found deficiencies in cookie use.
The original fine of EUR 3,000 was reduced to EUR 1,800 due to immediate payment and acknowledgement of guilt.
CNIL
French Data Protection Authority
Health Care
DEDALUS BIOLOGIE
2022-04-15
€1,500,000.00
Insufficient technical and organisational measures to ensure information security
Art. 28 GDPR
Art. 29 GDPR
Art. 32 GDPR
The French DPA (CNIL) has imposed a fine of EUR 1.5 million on DEDALUS BIOLOGIE. DEDALUS distributes software solutions for medical analysis laboratories.
In February, the press revealed a data leak at DEDALUS that resulted in the leak of nearly 500,000 individuals' data. The leaked data included information on the surnames, first names, social security number, name of the treating physician, data on medical examinations and illnesses of the data subjects.
During its investigation, the CNIL found several violations of the GDPR.
Namely, DEDALUS had violated Art. 29 GDPR by extracting more data than required in the course of processing on behalf of two laboratories.
In addition, the DPA found that DEDALUS had failed to implement appropriate technical and organizational measures to ensure the security of personal data. This constitutes a violation of Art. 32 GDPR.
For example, no specific procedure for data migration operations had been implemented. Also, the leaked data had not been stored in encrypted form on the server. In addition, the DPA found that DEDALUS lacked authentication for access to the public area of the server.
The absence of such security measures was one of the main causes of the data leak.
Further, the DPA found that the contractual documents between DEDALUS and its customers did not comply with the requirements set forth in Art. 28 GDPR.
The DPA took into aggravating consideration the seriousness of the violations committed, in particular the security breaches, as well as the large number of individuals affected, when imposing the fine.
AEPD
Spanish Data Protection Authority
Industry and Commerce
RAMONA FILMS, S.L.
2022-04-13
€8,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 22 (2) LSSI
The Spanish DPA (AEPD) fined RAMONA FILMS, S.L. for failing to ensure that the company's privacy policy complied with the requirements of Art. 13 GDPR. Specifically, the website contained outdated information and referred to laws that were not in effect. In addition, the DPA found deficiencies in cookie use. The original fine of EUR 10,000 was reduced to EUR 8,000 due to immediate payment and acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2022-04-12
€500.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has imposed a fine of EUR 500 on a homeowners' association.
The executive board of the owners' association had publicly posted a list of defaulting owners. The DPA considered this to be a violation of the principle of confidentiality and integrity set out in Art. 5 (1) f) GDPR.
AEPD
Spanish Data Protection Authority
Transportation and Energy
BASER COMERCIALIZADORA DE REFERENCIA, S.A.
2022-04-11
€150,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 32 GDPR
The Spanish DPA has fined BASER COMERCIALIZADORA DE REFERENCIA, S.A., EUR 150,000. A customer of the company had filed a complaint with the DPA since their electricity supply contract was modified without their consent. This resulted in an increase in the electricity supply. In the course of its investigations, the DPA found that a fraudster had pretended to be the data subject by providing the name and ID number of the data subject. In this way, they were able to modify the data subject's contract.
According to the DPA, the controller had not properly verified the identity of the fraudster before modifying the contract and, due to a lack of sufficient security measures, had not made sure that the inquirer was actually the data subject.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Real Estate
Property owners' association
2022-04-07
€500.00
Insufficient cooperation with supervisory authority
Art. 58 (1) a), e) GDPR
The Romanian DPA (ANSPDCP) has fined a property owners' association EUR 500 for failing to provide information requested by the DPA during an investigation.
AP
Dutch Supervisory Authority for Data Protection
Public Sector and Education
Dutch Tax and Customs Administration
2022-04-07
€3,700,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), d), e) GDPR
Art. 6 (1) GDPR
Art. 32 (1) GDPR
Art. 35 (2) GDPR
The Dutch DPA has imposed a fine of EUR 3.7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA.
As part of its investigation, the DPA found a number of violations of the GDPR.
The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. In maintaining the list, the administration had processed personal data such as health data, citizenship and criminal-law data.
First, the DPA found that the administration did not have a valid legal basis for processing the data contained in the list. For this reason, the data were processed unlawfully.
Further, the DPA found that the information in the list was often incorrect, so that a large number of individuals were falsely registered as possible fraudsters.
In addition, the investigation revealed that the maintenance of the list led to discrimination against some individuals, as the risk of fraud was determined on the basis of the nationality and appearance of the data subjects, among other factors. For example, donations to mosques were considered a risk factor for fraud.
Furthermore, the DPA found that the administration violated its obligation under the GDPR to implement appropriate technical and organizational measures that ensure adequate protection of the personal data it collects. Indeed, the administration had inadequately secured the personal data.
The DPA also found that the administration had violated the principle of storage limitation by storing the data beyond the retention period established for the personal data in the list.
Furthermore, the DPA found that the processing of the data in the list had not been necessary for the administration to properly perform its tasks. The processing was therefore disproportionate. Also, the administration had not sufficiently defined the purposes underlying the processing and thus violated the principle of purpose limitation.
The fine is composed as follows:
EUR 1 million for a breach of Art. 5 (1) a) GDPR and Art. 6 (1) GDPR;
EUR 750,000 for a breach of Art. 5 (1) b) GDPR;
EUR 750,000 for a breach of Art. 5 (1) d) GDPR;
EUR 250,000 for a breach of Art. 5 (1) e) GDPR;
EUR 500,000 for a breach of Art. 32 (1) GDPR;
EUR 450,000 for a breach of Art. 35 (2) GDPR.
GARANTE
Italian Data Protection Authority
Health Care
Azienda ospedaliera di Perugia
2022-04-07
€40,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 25 GDPR
Art. 30 GDPR
Art. 32 GDPR
Art. 35 GDPR
The Italian DPA (Garante) has fined Azienda ospedaliera di Perugia EUR 40,000.
During an investigation at the healthcare facility, the DPA found multiple GDPR violations.
The DPA's investigation took place as part of a series of inspections dealing with the processing of data in the context of whistleblower systems at employers.
The healthcare facility used an open-source whistleblowing web application. However, the application was accessed through systems that were not properly configured. This made it possible to record and store users' browsing data, thereby identifying those users and, as such, potential whistleblowers.
With respect to the processing of personal data, the health facility had failed to inform the employees in advance.
In addition, the DPA found that the healthcare facility had not conducted a data protection impact assessment and had not registered the processing in the register of processing activities. Thus, no sufficient assessment of the risks to the rights and freedoms of the data subjects had been carried out.
GARANTE
Italian Data Protection Authority
Industry and Commerce
ISWEB S.p.A.
2022-04-07
€40,000.00
Insufficient data processing agreement
Art. 28 GDPR
The Italian DPA imposed a fine of EUR 40,000 on ISWEB S.p.A. The fine is related to the fine against the healthcare facility Azienda ospedaliera di Perugia. ISWEB had provided the healthcare facility with the web application for its whistleblower system.
During an investigation at the healthcare facility, the DPA identified multiple GDPR violations related to the whistleblower system.
The DPA's investigation took place as part of a series of inspections addressing whistleblower system data processing at employers.
In relation to ISWEB, the DPA found that it had used an external provider to host the whistleblower systems. However, ISWEB had neither given the external provider specific instructions for the processing of data subjects' data nor informed the healthcare facility of this arrangement.
GARANTE
Italian Data Protection Authority
Employment
Palumbo Superyacht Ancona s.r.l.
2022-04-07
€50,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), e) GDPR
Art. 13 GDPR
Art. 12 (3) GDPR
Art. 15 GDPR
Art. 157 Codice della privacy
Art. 166 (2) Codice della privacy
The Italian DPA has fined Palumbo Superyacht Ancona s.r.l. EUR 50,000. The company had blocked an employee's company email account without permission. The employee had reported the incident to the company and asked for the restoration of the e-mail inbox, which contained both private and business e-mails. However, the company did not comply with this request.
In the course of its investigation, the DPA found further violations. For example, the company did not respond to a request for information from the DPA and violated the principle of storage limitation.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Made in Italy s.r.l.s.
2022-04-07
€20,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 7 GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 21 GDPR
Art. 130 (3) Codice della privacy
Art. 157 Codice della privacy
Art. 166 (2) Codice della privacy
The Italian DPA (Garante) has imposed a fine of EUR 20,000 on Made in Italy s.r.l.s. A data subject had filed a complaint with the DPA after receiving promotional calls from the data controller even though they had not consented to them. Even after the data subject had objected to the calls, the controller did not stop them. The data subject then requested information about the origin of the data and the deletion of this data. However, the controller did not respond to this request. The controller had also not sufficiently cooperated with the DPA in the course of the investigation.
GARANTE
Italian Data Protection Authority
Finance, Insurance and Consulting
Findomestic Banca spa
2022-04-07
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
The Italian DPA has imposed a fine of EUR 10,000 on Findomestic Banca spa. A customer had filed a complaint with the DPA regarding a breach of confidentiality by the financial institution. The controller had, without authorization, sent several payment reminders to the data subject's wife regarding a loan taken out by the data subject. The wife had indeed guaranteed a loan taken out by the data subject, but not the loan in question.
GARANTE
Italian Data Protection Authority
Industry and Commerce
E-Mac Professional s.r.l.
2022-04-07
€10,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 (3) GDPR
Art. 15 GDPR
Failure to respond to the data subject's request for access to their data in a timely manner.
DATATILSYNET
Danish Data Protection Authority
Finance, Insurance and Consulting
Danske Bank
2022-04-05
€1,300,000.00
Non-compliance with general data processing principles
Art. 5 (2) GDPR
The Danish DPA has imposed a fine of EUR 1.3 million on Danske Bank. The DPA had opened an investigation against the bank after the bank informed the DPA that it had a problem with the deletion of personal data.
During the investigation, the DPA found that the bank had failed to document the rules for deletion and storage of personal data in more than 400 systems. Consequently, the bank was unable to prove that such rules, which are required under the GDPR, existed.
The DPA considered this to be a breach of the bank's accountability obligation under Art. 5 (2) GDPR.
Data Protection Authority of Ireland
Finance, Insurance and Consulting
Bank of Ireland
2022-04-05
€463,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Art. 33 GDPR
Art. 34 GDPR
The Irish DPA has fined the Bank of Ireland EUR 463,000.
The bank had reported 22 data breaches to the DPA under Article 33 GDPR.
As part of its investigation, the DPA found that the bank had provided false information to the Central Credit Register due to a mix-up of bank customers' account data.
This error had the potential to have a negative impact on the creditworthiness of the data subjects.
The DPA found that the personal data breach had occurred due to inadequate technical and organizational measures on the part of the bank.
In addition, the bank did not immediately inform the data subjects and the DPA about the data breach.
APD
Belgian Data Protection Authority
Transportation and Energy
Brussels Airport Zaventem
2022-04-04
€200,000.00
Insufficient legal basis for data processing
Art. 5 (1) c) GDPR
Art. 6 (1) e) GDPR
Art. 9 (2) g) GDPR
Art. 12 GDPR
Art. 13 (1) c) GDPR
Art. 13 (2) e) GDPR
Art. 35 (1), (3), (7) b) GDPR
The Belgian DPA has fined Brussels Airport Zaventem EUR 200,000.
The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport.
Due to the Covid-19 pandemic, the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms.
The DPA particularly noted that the airport did not have a valid legal basis for processing this health data.
Health data constitute sensitive data according to Art. 9 GDPR. These may only be processed in exceptional cases pursuant to Art. 9 (2) GDPR.
One such exceptional case is processing on the grounds of public interest in the area of public health. For this, however, the processing must be based on a clear legal norm. In the present case, the processing was based on a protocol which did not meet these requirements.
In addition, the DPA found deficiencies in the data protection impact assessment. Moreover, the airport failed to properly inform the data subjects about the processing of the data.
APD
Belgian Data Protection Authority
Transportation and Energy
Brussels Airport Charleroi
2022-04-04
€100,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), b) GDPR
Art. 6 (1) c) GDPR
Art. 6 (3) GDPR
Art. 9 (2) i) GDPR
Art. 12 (1) GDPR
Art. 13 (1) c) GDPR
Art. 13 (2) e) GDPR
Art. 35 (1), (7) GDPR
The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000.
The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport.
Due to the Covid-19 pandemic, the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms.
The DPA particularly noted that the airport did not have a valid legal basis for processing this health data.
Health data constitute sensitive data according to Art. 9 GDPR. These may only be processed in exceptional cases pursuant to Art. 9 (2) GDPR.
One such exceptional case is processing on the grounds of public interest in the area of public health. For this, however, the processing must be based on a clear legal norm. In the present case, the processing was based on a protocol which did not meet these requirements.
In addition, the DPA found deficiencies in the data protection impact assessment. Moreover, the airport failed to properly inform the data subjects about the processing of the data.
APD
Belgian Data Protection Authority
Industry and Commerce
Ambuce Rescue Team
2022-04-04
€20,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
The Belgian DPA has fined Ambuce Rescue Team EUR 20,000. The fine is related to the fines against Brussels Airport Charleroi and Brussels Airport Zaventem.
Due to the Covid-19 pandemic, the airports used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then asked to answer questions about possible coronavirus symptoms. In this process, Ambuce Rescue Team provided the questionnaires.
Specifically, the DPA found that there was no valid legal basis for processing this health data.
Health data are sensitive data in the sense of Art. 9 GDPR. These may only be processed in exceptional cases pursuant to Art. 9 (2) GDPR.
One such exceptional case is processing on the grounds of public interest in the area of public health. For this, however, the processing must be based on a clear legal norm. In the cases at hand, the processing was based on a protocol that did not meet these requirements.
HDPA
Hellenic Data Protection Authority
Finance, Insurance and Consulting
Piraeus Bank
2022-04-04
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 33 GDPR
Art. 34 GDPR
The Hellenic DPA has imposed a fine of EUR 10,000 on Piraeus Bank.
The bank had mistakenly sent a document containing data of the data subject to a third party. The error stemmed from an incorrect e-mail address provided by a co-owner of the account.
Although the bank became aware of this error, it did not stop sending the communications to the third party, but instead instructed the data subject to exercise their right to rectification of the inaccurate data.
As a result of its investigation, the DPA found that the bank had violated the principle of confidentiality for failing to stop sending the communications. The DPA also found that the bank had failed to report the data breach to the DPA and the data subject in a timely manner.
HDPA
Hellenic Data Protection Authority
Employment
Mayor
2022-04-04
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
The Hellenic DPA has fined a mayor EUR 5,000. The mayor had sent documents of an employee of the municipality to third parties without the employee's consent. The DPA considered this to be a violation of Art. 5 (1) a) GDPR.
APD
Belgian Data Protection Authority
Employment
Company
2022-04-01
€7,500.00
Insufficient fulfilment of data subjects' rights
Art. 5 (1) a) GDPR
Art. 6 (1) f) GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 18 GDPR
Art. 21 GDPR
Art. 28 GDPR
The Belgian DPA has imposed a fine of EUR 7,500 on a company.
A former managing director had filed a complaint against the company with the DPA. In the context of being dismissed, the former managing director deleted all data on the work laptop before handing over the technical equipment.
According to the managing director, only the private data, such as the private e-mail inbox, had been deleted. However, the company stated that the managing director had deleted both private and work-related data. The company then restored the data that had previously been on the laptop.
For this reason, the former managing director requested to exercise their rights to erasure, to restriction of processing of their personal data and to object.
However, the company refused the request. In the course of its investigation, the DPA found that the company had breached its obligation under the GDPR to grant the former managing director the exercise of these rights.
In addition, the DPA found that due to the lack of a valid legal basis at the time of the restoration, the company unlawfully processed the data.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Workshop
2022-03-29
€1,300.00
Non-compliance with general data processing principles
Art. 5 (1) b), c) GDPR
Art. 6 (1) f) GDPR
Art. 13 (1), (2) GDPR
The Hungarian DPA has imposed a fine of EUR 1,300 on a workshop. The workshop had installed a video surveillance system to protect the company's assets. However, the cameras also captured parts of the employees' work area.
The DPA found that recording the employees was not necessary to achieve the purposes of the video surveillance and was therefore disproportionate. The DPA also found that the workshop had not sufficiently complied with its information obligations under Art. 13 GDPR.
The workshop cited the consent given by the employees as the legal basis for the video surveillance. However, the DPA concluded that the workshop could not base the video surveillance on consent, as the voluntariness of consent in the employee-employer relationship is questionable. Instead, the workshop should have based the video surveillance on a legitimate interest.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Condor SA
2022-03-28
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1), (2), (4) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Condor SA.
The controller had suffered a data breach in which unauthorized persons gained access to several documents containing personal data of employees and former employees, such as place of work, surname, first name, position, salary and bank details.
During its investigation, the DPA found that the controller had not taken appropriate technical and organizational measures that would ensure the protection of personal data.
Data Protection Authority of Sweden
Finance, Insurance and Consulting
Klarna Bank AB
2022-03-28
€720,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 12 (1) GDPR
Art. 13 (2) f) GDPR
Art. 14 (2) g) GDPR
The Swedish DPA has imposed a fine of EUR 720,000 on Klarna Bank AB.
Klarna is a financial company that processes large amounts of personal data in various ways.
As part of its investigation, the DPA found that Klarna had not properly complied with its information obligations.
For example, Klarna did not provide sufficient information on its website about the purpose and legal basis for the processing of personal data.
In addition, with regard to the transfer of data to Swedish and foreign credit agencies, Klarna provided incomplete information about the recipients of the personal data.
Klarna also failed to provide information about the third countries to which personal data is transferred.
Finally, the DPA found that Klarna insufficiently informed data subjects about their rights under the GDPR.
DATATILSYNET
Danish Data Protection Authority
Health Care
Danish National Genome Center
2022-03-25
€6,700.00
Insufficient technical and organisational measures to ensure information security
Art. 36 GDPR
The Danish DPA has imposed a fine of EUR 6,700 on the Danish National Genome Center.
The center had conducted a data protection impact assessment that revealed circumstances that could pose a high risk to the rights of data subjects.
The DPA imposed the fine because the center had processed personal data without first consulting the DPA, even though the impact assessment had revealed a high risk to data subjects. The center has complied with all the DPA's requests and has shown good cooperation with the authority.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Kaufland Romania SCS
2022-03-25
€2,000.00
Insufficient fulfilment of data subjects' rights
Art. 15 (3) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Kaufland Romania SCS.
A data subject had filed a complaint with the DPA concerning the controller's failure to comply with their request to provide copies of recordings of the video surveillance system in which the data subject could be seen. In the course of its investigation, the DPA determined that the controller had violated its duty to provide information, especially since the recordings were available.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Brav s.r.l.
2022-03-24
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Italian DPA has imposed a fine of EUR 10,000 on Brav s.r.l. The operator of the online platform had reported a data breach to the DPA pursuant to Art. 33 GDPR. Unauthorized persons had managed to access the platform used by the Genoa Police for the management of traffic violations, as well as the personal data contained therein.
According to the City of Genoa, unauthorized access to the platform was possible because certain employees had disclosed the platform password without authorization, in violation of official regulations. For this reason, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. The controller should have ensured that passwords were changed regularly to prevent unauthorized persons from gaining access to personal data.
Cypriot Data Protection Commissioner
Public Sector and Education
English School Cyprus
2022-03-22
€4,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 4,000 on the English School in Cyprus. The school had reported a data breach to the DPA under Art. 33 GDPR. A teacher had used the email addresses of the students' parents for a purpose other than that for which the email addresses were originally collected. The DPA found that the school had failed to take adequate technical and organizational measures to ensure the protection of personal data and to prevent such incidents.
Cypriot Data Protection Commissioner
Public Sector and Education
English School staff union (ESSA)
2022-03-21
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Cypriot DPA has imposed a fine of EUR 5,000 on the English School staff union (ESSA). The school had notified the DPA of a data breach under Art. 33 GDPR. A teacher, also a member of the staff union, had used the email addresses of the parents of the students for a purpose other than the one for which the email addresses had originally been collected. The DPA found that the staff union had failed to take appropriate technical and organizational measures to ensure the protection of personal data and to prevent such incidents.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
Meta Platforms Ireland Limited
2022-03-15
€17,000,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (2) GDPR
Art. 24 (1) GDPR
The Irish DPA (DPC) has imposed a fine of EUR 17 million on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited).
The decision is based on twelve notifications of data breaches that occurred between June 7, 2018 and December 4, 2018.
The DPC's investigation revealed that Meta had violated Art. 5 (2) GDPR and Art. 24 (1) GDPR. In the course of its investigation, the DPC found that Meta failed to demonstrate that it had taken appropriate technical and organizational measures to protect the data of EU users.
The fine proceedings involved cross-border data processing, which is why the decision was subject to the co-decision procedure under Art. 60 GDPR involving all other European supervisory authorities as co-decision-makers. Although two European DPAs objected to the DPC's draft decision, a consensus was ultimately reached. Accordingly, the DPC's decision reflects the collective views of the DPC and the other European DPAs.
DATATILSYNET
Norwegian Supervisory Authority
Employment
Company
2022-03-15
€9,700.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 13 GDPR
Art. 21 GDPR
The Norwegian DPA has imposed a fine of EUR 9,700 on a company. The DPA had received a complaint from a former employee of the company. The complaint arose because, after the employee's termination, both professional and private e-mails from the employee's mailbox were automatically forwarded to an e-mail address administered by the managing director.
During its investigation, the DPA found that the controller had automatically forwarded the e-mails without a valid legal basis. The controller also did not inform the former employee about the processing of the data by forwarding the e-mails, contrary to its obligation under Art. 13 GDPR. Finally, the DPA found that the controller did not properly comply with the former employee's objection to the processing.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Operatorul Briza Land S.R.L.
2022-03-10
€2,000.00
Insufficient fulfilment of data subjects' rights
Art. 15 GDPR
The Romanian DPA (ANSPDCP) has fined Operatorul Briza Land S.R.L. EUR 2,000. The controller failed to properly respond to a request for information.
GARANTE
Italian Data Protection Authority
Health Care
Azienda USL Toscana Centro
2022-03-10
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a), f) GDPR
Art. 9 GDPR
Art. 32 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 10,000 on Azienda USL Toscana Centro. The DPA initiated an investigation against the controller after it reported a data breach under Art. 33 GDPR. The controller had mistakenly sent patient medical records to the wrong patients. The DPA therefore found that the health care facility had not taken sufficient technical and organisational measures to protect personal data.