
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority | Name | Fined Company | Fine | Violation | Description | Link
GARANTE
Italian Data Protection Authority
Health Care
Azienda sanitaria provinciale di Caltanissetta
2022-03-10
€6,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 15 GDPR
Art. 37 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has fined Azienda sanitaria provinciale di Caltanissetta EUR 6,000. The data subject had asked the controller, in the context of legal proceedings, to send any communication regarding this matter only to their personal email inbox. Nevertheless, the controller had sent communications to the data subject's business email address. In addition, the data subject had requested access to their data. However, the controller did not properly comply with this request. In the course of its investigation, the DPA also found that the health care facility had failed to notify the DPA of the name and contact details of a new data protection officer and to update them on its website.
GARANTE
Italian Data Protection Authority
Employment
Agenzia Regionale per la Tutela dell'Ambiente dell'Abruzzo
2022-03-10
€8,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 10 GDPR
Art. 2-ter Codice della privacy
Art. 2-octies Codice della privacy
The Italian DPA (Garante) has fined the Agenzia Regionale per la Tutela dell'Ambiente dell'Abruzzo EUR 8,000. A former employee of the environmental agency had filed a complaint with the DPA due to the fact that the agency had freely published documents containing his personal data on its website. The documents contained, among other things, information about the individual's previous employment and criminal information.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Alfa Shipyard s.r.l.
2022-03-10
€10,000.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Italian DPA has imposed a fine of EUR 10,000 on Alfa Shipyard s.r.l. The controller had failed to implement measures ordered by the DPA in due time.
ICO
Information Commissioner
Finance, Insurance and Consulting
Tuckers Solicitors LLP
2022-03-10
€115,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) f) GDPR
The UK DPA (ICO) has fined law firm Tuckers Solicitors LLP EUR 115,000. Tuckers suffered a ransomware attack on its systems, which resulted in a personal data breach. As part of its investigation, the DPA determined that Tuckers had failed to take appropriate technical and organizational measures to protect personal data. This failure left its systems vulnerable to malicious attacks. The attackers managed to encrypt 972,191 individual files of which 24,712 were related to court proceedings and to siphon off 60 files and publish them in underground data marketplaces. The files contained both personal and special category data, such as medical records, witness statements, names and addresses of witnesses and victims, and the alleged crimes of data subjects.
HDPA
Hellenic Data Protection Authority
Employment
Employer
2022-03-09
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 13 GDPR
The Hellenic DPA has imposed a fine of EUR 2,000 on an employer. An employee had filed a complaint due to the employer's failure to comply with the employee's right to object. The employee had objected to continuous monitoring of his online courses offered via Zoom. However, the employer had continued the monitoring. In addition, the DPA found that the employer could not provide a sufficient legal basis for processing the data.
HDPA
Hellenic Data Protection Authority
Employment
Foreign language school
2022-03-09
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 13 GDPR
The Hellenic DPA imposed a fine of EUR 2,000 on an employer (owner of a private foreign language school). An employee, who works as a language teacher in the school, had filed a complaint with the DPA against their employer. The reason for this was that the controller continued to constantly monitor the employee during their online courses via the platform 'Zoom', despite their objection. Therefore, the DPA found that the controller had violated its duty to comply with the data subject's right to object. In addition, the DPA found that the controller had not properly informed the data subject about the processing of their personal data pursuant to Art. 13 GDPR.
AZOP
Croatian Data Protection Authority
Transportation and Energy
Energy company (name not available at the moment)
2022-03-08
€124,245.00
Insufficient fulfilment of data subjects rights
Art. 15 (3) GDPR
The fined energy company owns petrol stations and sells fuel to customers. The data subject is a customer who filed a consumer complaint relating to inaccurate measuring, and consequently charging, of fuelled petrol at one of the petrol stations. The data subject requested a copy of their personal data, i.e. a copy of the video surveillance footage relating to a specific time and area. The energy company justified rejecting the request by: (i) the lack of a written request by competent authorities to deliver the footage, (ii) the lack of a justified purpose for the request, and (iii) claiming that providing a copy of the footage would adversely affect the rights and freedoms of the station's personnel and other customers. Following issuance of the DPA's general opinion to the customer on the obligation of controllers to provide surveillance footage to the data subjects filmed on such footage, the energy company informed the customer of the inability to provide the footage, as the video surveillance footage archives are erased after seven days. Due to the violation of the fundamental rights of the data subject, the DPA imposed a fine of HRK 940,000.00. The clarification on the fine amount notes that the DPA took into consideration not only the indirect damages to the customer, but also the potential financial gains of the company, which indirectly avoided damages that could have arisen in the course of a consumer dispute, and the fact that by deleting the footage, the company eliminated potentially important evidence.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Retail company (name not available at the moment)
2022-03-08
€89,250.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), d) GDPR
Art. 32 (2) GDPR
Art. 32 (4) GDPR
A retail company, i.e. the data controller, reported a personal data breach to the DPA, informing it that its employees had recorded video surveillance footage via mobile phone, which was unauthorised and contrary to the company's internal acts and instructions. The recording was made public by being leaked to social media and consequently to other media outlets. The DPA determined that the data controller did not take adequate action to prevent its employees from creating the footage. Although the company did undertake certain measures, such as adopting internal acts on access to video surveillance footage, educating employees and implementing confidentiality statements, the DPA determined that the company did not ensure, neither before nor after the disclosure of the unauthorised footage, appropriate organisational and technical security measures for the purpose of minimising the risk of such or similar data breaches. In addition, the data controller did not regularly monitor or inspect the efficiency of the technical and organisational measures implemented for the purpose of maintaining the confidentiality, integrity and accessibility of personal data. Thus, the DPA imposed a fine of HRK 675,000.00 for the failure to take appropriate technical measures and clarified that this fine should also have general preventive effects and raise awareness among data controllers and processors of their obligations concerning data processing.
PERSÓNUVERND
Icelandic data protection authority
Industry and Commerce
Hörpu tónlistar- og ráðstefnuhúss ohf.
2022-03-08
€7,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 6 GDPR
The Icelandic DPA has fined Hörpu tónlistar- og ráðstefnuhúss ohf. EUR 7,000. The DPA had received a complaint regarding the concert hall's collection of ID number and date of birth information as part of an electronic ticket purchase. The incident occurred prior to the start of the Covid-19 pandemic, when the registration of personal data for contact tracing in the context of event visits was not yet required. The DPA concluded that it would not have been necessary to collect the data for issuing a ticket, as it would have been possible to conclude a purchase contract even without this collection. For this reason, the DPA found that the concert hall had violated the principle of data minimization.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Norwegian Parliament
2022-03-04
€195,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) b), d) GDPR
The Norwegian DPA has fined the Norwegian Parliament EUR 195,000. The parliament had suffered a data breach in which unauthorized persons gained access to the email accounts of members of parliament and parliamentary administrative staff. The attackers had succeeded in siphoning off the data, including personal data on bank accounts, dates of birth and health-related data. During its investigation, the DPA found that the parliament had not incorporated sufficient security mechanisms, such as two-factor authentication, even though a risk analysis in 2020 had found that this posed a high privacy risk. For this reason, the DPA found that the parliamentary administration had not taken appropriate technical and organizational measures to achieve a sufficient level of security.
Data Protection Authority of Bremen
Real Estate
BREBAU GmbH
2022-03-03
€1,900,000.00
Insufficient legal basis for data processing
Art. 5 (1) GDPR
Art. 6 (1) GDPR
Art. 9 GDPR
The DPA of Bremen has imposed a fine of EUR 1.9 million on the housing association BREBAU GmbH. BREBAU GmbH had processed upwards of 9,500 datasets about potential tenants without a valid legal basis. In particular, the DPA found that the controller had processed particularly sensitive data as defined by Art. 9 GDPR. For example, the controller unlawfully processed information about the skin color, ethnic origin, religious affiliation, sexual orientation and health status of the data subjects. BREBAU GmbH also deliberately ignored requests from data subjects for transparency about the processing of their data. In imposing the fine, the DPA took into account, as an aggravating factor, the extraordinary depth of the violation of the fundamental right to data protection. However, because BREBAU GmbH cooperated fully during the investigation, made efforts to mitigate the damage, clarified the facts on its own and ensured that such violations would not be repeated, the amount of the fine could be reduced.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Company
2022-03-02
€13,500.00
Insufficient legal basis for data processing
Art. 5 (2) GDPR
Art. 6 (1) GDPR
Art. 12 (2) GDPR
Art. 17 (1) b) GDPR
The Hungarian DPA imposed a fine of EUR 13,500 on a company. An individual had filed a complaint with the DPA, stating that the company had published personal data such as their name, address and telephone number without their consent. Furthermore, the company had not responded to a deletion request from the individual.
AP
Dutch Supervisory Authority for Data Protection
Public Sector and Education
Dutch Foreign Ministry
2022-02-24
€565,000.00
Insufficient technical and organisational measures to ensure information security
Art. 13 (1) e) GDPR
Art. 32 (1) GDPR
The Dutch DPA has imposed a fine of EUR 565,000 on the Dutch Foreign Ministry. As part of its investigation, the DPA found that the National Visa Information System (NVIS) suffered from significant security deficiencies. This is particularly serious as the Foreign Ministry has processed an average of 530,000 visa applications per year over the last three years, and the personal data processed in the course of the applications was therefore inadequately secured. The data included sensitive information such as fingerprints, name, address, place of residence, country of birth, purpose of travel and nationality. Due to the inadequate security measures, it would have been possible for unauthorized persons to access the data. According to the DPA, the Foreign Ministry had been aware of the security flaws in the visa system for some time. Despite this knowledge, the Ministry did not adjust the security measures in time. For this reason, the DPA found that the Ministry had acted with gross negligence. The DPA also found that the Foreign Ministry did not adequately inform individuals who applied for visas that their personal information would be shared with other parties.
AEPD
Spanish Data Protection Authority
Industry and Commerce
FRUTAS Y VERDURAS LOS CAMPEONES, S.L.
2022-02-23
€1,200.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on FRUTAS Y VERDURAS LOS CAMPEONES, S.L. The controller had installed a video surveillance system without, however, having placed signs informing about the use of video surveillance.
AEPD
Spanish Data Protection Authority
Industry and Commerce
WORLDWIDE CLASSIC CARS NETWORK S.L.
2022-02-23
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on WORLDWIDE CLASSIC CARS NETWORK S.L. The controller had installed video surveillance cameras which, among other things, also covered parts of the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller did not comply with its duty to properly inform about the CCTV.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Civil law firm 'Sabou, Burz & Cuc'
2022-02-22
€1,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), b), c), f) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
The Romanian DPA has fined the civil law firm 'Sabou, Burz & Cuc' EUR 1,000. The DPA launched an investigation after a client complained that the controller had published their personal data in a WhatsApp group used by several lawyers of a bar association without their prior consent. The DPA found that the controller had processed the data without a valid legal basis, as they had published the data for a purpose other than that originally agreed with the data subject.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
IAMSAT Muntenia SA
2022-02-22
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 13 GDPR
Art. 21 GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on IAMSAT Muntenia SA. The DPA launched an investigation following a complaint from a former employee who claimed that the controller continued to process their personal data even after the termination of their employment contract in 2020. The data subject had previously stated that they would not agree to the continued use of their email address and that they objected to the processing of their personal data by the controller and/or by third parties after the termination of their employment contract. In the course of its investigation, the DPA also found that the controller had not informed its employees, including the data subject, in advance and comprehensively about the processing of their personal data by a video surveillance system at the workplace.
AEPD
Spanish Data Protection Authority
Industry and Commerce
MALAGATROM, S.L.U.
2022-02-22
€1,000.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Spanish DPA has imposed a fine of EUR 1,000 on MALAGATROM, S.L.U. for failing to comply with an order issued by the DPA.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Hotel operator
2022-02-22
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a hotel operator. The controller had installed video surveillance cameras which, among other things, also covered the public space and parts of the hotel's pool area. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller did not comply with its duty to properly inform about the CCTV.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
RESTATURANTE FUENTEBRO, S.C.
2022-02-21
€1,500.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined RESTATURANTE FUENTEBRO, S.C. EUR 1,500 for failing to provide information signs about CCTV surveillance in the establishment.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2022-02-21
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a store owner EUR 1,000 for failing to provide information signs about CCTV surveillance in the establishment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private person
2022-02-18
€2,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,500 on a private individual. The controller had installed video surveillance cameras at his house which, among other things, also covered the public space and neighboring properties. The DPA considered this to be a violation of the principle of data minimization. In addition, the information signs regarding the video surveillance were blurred and thus not easily readable. The DPA considered this to be a breach of the duty to inform pursuant to Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-02-16
€6,000.00
Insufficient legal basis for data processing
Art. 6 (1) a) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on a private individual. The data subject had filed a complaint against the data controller for publishing images of herself in a bikini on a website without prior authorization. The data subject had originally uploaded the images to the second-hand platform Vinted, where she offered the bikini for sale.
HDPA
Hellenic Data Protection Authority
Individuals and Private Associations
ΛΙΜΕΝΟΣ ΗΡΑΚΛΕΙΟΥ Α.Ε.
2022-02-15
€30,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (1), (2) GDPR
Art. 15 (1) GDPR
The Hellenic DPA has imposed a fine of EUR 30,000 on the ΛΙΜΕΝΟΣ ΗΡΑΚΛΕΙΟΥ Α.Ε. organization. A data subject who had suffered a car accident on the organization's premises filed a complaint against the organization with the DPA. The organization operated a video surveillance system which, among other things, also recorded the car accident. In connection with the accident, the data subject requested the organization to grant them access to the recordings. However, the organization did not comply with this request.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
RECLAMADOR, S.L.
2022-02-14
€1,600.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
Art. 21 LSSI
The Spanish DPA (AEPD) has imposed a fine on RECLAMADOR, S.L. A data subject had filed a complaint with the AEPD against the controller because the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The fine is composed proportionally of EUR 1000 for a breach of Art. 17 GDPR and EUR 1000 for a breach of Art. 21 LSSI. The original fine in the amount of EUR 2,000 has been reduced to EUR 1,800 due to immediate and voluntary payment.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Amazon Road Transport Spain S.L.
2022-02-11
€2,000,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 10 GDPR
Art. 10 LOPDGDD
The Spanish DPA (AEPD) has fined Amazon Road Transport Spain S.L. EUR 2,000,000. The AEPD had received a complaint from a trade union against the company. Amazon Road required certificates confirming the absence of criminal records when hiring drivers. Amazon Road believed that these certifications were not subject to Art. 10 GDPR. However, contrary to Amazon Road's interpretation, the AEPD determined that these data do fall under Art. 10 GDPR. During its investigation, the AEPD concluded that the processing of these data consequently did not comply with the requirements of Art. 10 GDPR. For this reason, the DPA came to the conclusion that Amazon Road had processed the data on the absence of criminal records without a valid legal basis.
GARANTE
Italian Data Protection Authority
Employment
Costampress S.p.A.
2022-02-10
€10,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 12 GDPR
Art. 13 GDPR
The company had left the e-mail account of the data subject active even after the termination of his employment and did not provide sufficient information about this.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Clearview AI Inc.
2022-02-10
€20,000,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), e) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 15 GDPR
Art. 27 GDPR
The Italian DPA has fined U.S.-based Clearview AI EUR 20 million after it was revealed that the company had been applying biometric surveillance techniques on Italian territory. The company owns a database of over 10 billion facial images from around the world. The company offers a search service that allows profiles to be created based on the biometric data extracted from the images. The profiles can be enriched with information associated with these images, such as image tags and geolocation. The DPA launched an investigation into the company after it became known that Clearview - contrary to initial claims - also enabled searches of Italian nationals and residents. The DPA found that the personal data contained in the company's database had been processed unlawfully and without a valid legal basis. In addition, the DPA found that the company had violated several principles of the GDPR. For example, the company had violated the principle of transparency by failing to adequately inform users about the processing of their data. Clearview had also violated the principle of purpose limitation, by processing users' data for purposes other than those for which they had been made available online. Finally, it violated the principle of storage limitation by not specifying a time period for data storage.
GARANTE
Italian Data Protection Authority
Health Care
Azienda socio sanitaria territoriale Melegnano e della Martesana
2022-02-10
€3,500.00
Insufficient legal basis for data processing
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 3,500 on Azienda socio sanitaria territoriale Melegnano e della Martesana. The DPA initiated an investigation against the controller after it reported a data breach to the DPA. A patient had mistakenly received medical records and clinical documentation from another patient in his digital medical record.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Region of Tuscany
2022-02-10
€10,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 10,000 on the Region of Tuscany. The region had notified the DPA of a data breach pursuant to Art. 33 GDPR. The region stated that it had inadvertently published personal data of 3,548 applicants for administrative assistant positions. The data concerned information that the applicants had shared as part of a pre-selection test for the application. The region had mistakenly published a URL through which personal data and the results of the test could be viewed.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Scanshare S.r.l.
2022-02-10
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 28 (2) GDPR
Art. 32 GDPR
The Italian DPA has imposed a fine of EUR 10,000 on Scanshare S.r.l. That fine is related to a fine imposed on the Region of Tuscany. The region stated that it had inadvertently published personal data of 3,548 applicants for administrative assistant positions. The data concerned information that applicants had provided as part of a pre-selection test for the application. Scanshare had been entrusted with organizing the pre-selection test. Due to an error on the part of Scanshare, a URL was erroneously published through which the personal data and the results of the test could be viewed.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Guidizzolo
2022-02-10
€2,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The municipality published information about a court case on its website, including personal data such as the name and professional information of a data subject.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Arte del vivere S.r.l.
2022-02-10
€5,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 17 GDPR
Art. 157 Codice della privacy
The Italian DPA has imposed a fine of EUR 5,000 on Arte del vivere S.r.l. A data subject filed a complaint with the DPA as his personal data had been published on the website www.mondoshiatsu.com operated by the controller. The data subject had been automatically included in the Shiatsu Portal after having participated in a one-year Shiatsu training. However, as he had never worked in this field, he repeatedly requested the deletion of his data. The controller had not fulfilled the request, despite having promised to delete the data.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Studio Colli Aniene Verderocca S.r.l.
2022-02-10
€1,500.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 14 GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 21 GDPR
The Italian DPA has imposed a fine of EUR 1,500 on Studio Colli Aniene Verderocca S.r.l. A data subject had filed a complaint with the DPA for unsolicited telephone advertising. In addition, the data subject stated that he had not received a response to his request for information and deletion regarding the processing of his personal data.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Budapest Bank Zrt.
2022-02-08
€634,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), b) GDPR
Art. 6 (1), (4) GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 21 (1), (2) GDPR
Art. 24 (1) GDPR
Art. 25 (1), (2) GDPR
The Hungarian DPA (NAIH) has fined Budapest Bank Zrt. EUR 634,000. NAIH reports that the bank used an artificial intelligence-driven software solution to automate the evaluation of customers' emotional state. The speech evaluation system determined which customers needed to be called back based on the customer's mood. The bank operated the application to prevent complaints and to retain customers. The bank did not inform the data subjects that the processing of their data served, among other things, customer retention purposes, meaning that customers were not in a position to object to the processing. As a result, the rights of the data subjects to adequate information and the right to object were not guaranteed. The DPA also found that the bank's legitimate interest as a legal basis for processing the personal data was not sufficiently substantiated, as the bank had not sufficiently examined the interests of the data subjects. The bank thus processed the data without a valid legal basis.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Cafe operator
2022-02-07
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The cafe used CCTV cameras which also captured the public space outside, resulting in a violation of the so-called principle of data minimisation.
AEPD
Spanish Data Protection Authority
Employment
PINTODIS, S.L.
2022-02-07
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has fined PINTODIS, S.L. EUR 10,000. The controller had installed several video cameras which also covered the food areas and changing rooms of their employees. The Spanish DPA stated that the controller violated the principle of data minimization, as such extensive surveillance was not necessary.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private person
2022-02-04
€900.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Unlawful usage of video surveillance cameras which also monitored parts of the public space (violation of principle of data minimization).
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS
2022-02-04
€300,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 17 GDPR
Art. 28 GDPR
The Spanish DPA (AEPD) fined SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS in the amount of EUR 300,000. The data subject had received marketing emails from the controller despite being registered in the Robinson advertising exclusion list. The sending of the emails continued even after the data subject asked for their data to be deleted.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-02-04
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) a) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The individual had published audiovisual material of a court trial on Twitter without obtaining the consent of the witnesses and parties to the trial that could be seen on it.
Cypriot Data Protection Commissioner
Media, Telecoms and Broadcasting
Εκδοτικού Οίκου Δίας
2022-02-04
€10,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Cypriot DPA has imposed a fine of EUR 10,000 on the publisher Εκδοτικού Οίκου Δίας. A public figure had filed a complaint with the DPA. The publisher had published incorrect information about the data subject's financial situation on a website. In the course of its investigation, the DPA, weighing the publisher's right to freedom of expression against the data subject's right to privacy and protection of personal data, found that the publisher had unlawfully processed the data of the data subject.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
ASESORES DE SEGURIDAD PRIVADA, S.L.
2022-02-02
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on ASESORES DE SEGURIDAD PRIVADA, S.L. The DPA found that the controller had not sufficiently informed the data subject about the data processing, as required by Art. 13 GDPR.
APD
Belgian Data Protection Authority
Media, Telecoms and Broadcasting
IAB Europe
2022-02-02
€250,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 6 (1) GDPR
Art. 9 (1), (2) GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 24 (1) GDPR
Art. 30 GDPR
Art. 31 GDPR
Art. 32 (1), (2) GDPR
Art. 37 GDPR
The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. These complaints mainly questioned the compliance of the 'Transparency & Consent Framework (TCF)' with the GDPR. The TCF was developed by IAB to promote GDPR compliance among organizations using the OpenRTB protocol. OpenRTB is a protocol for 'real-time bidding', the automated online auction of user profiles for the sale and purchase of advertising space on the Internet. When users visit a website that contains an ad space, technology companies can bid in real time for that ad space through an automated auction system in order to display personalized advertising. When users visit a website for the first time, an interface appears through which they can consent to the collection and sharing of their personal information or object to various types of processing. As part of the TCF, a consent management tool appears during this process and allows the user to object to certain types of data processing. The TCF records the user's preferences captured by the tool by generating a TC string and sends it to all partners participating in the OpenRTB system. Based on this TC string, user profiles are compiled and passed on to advertisers, making it visible to them what kind of data processing the users have agreed to. Within the scope of its investigation against IAB, the DPA identified a number of violations of the GDPR. It found that the TC strings already constitute personal data and that IAB was therefore required to have a legal basis for processing them. However, IAB was unable to demonstrate any such legal basis. In addition, IAB did not properly inform users about the functioning of the TCF; for example, the information provided to users was too generic and vague for them to understand the scope of the data processing. Furthermore, IAB had not maintained a register of its processing activities, had not appointed a data protection officer, and had not conducted a data protection impact assessment.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Lillestrøm Municipality
2022-02-02
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 6 GDPR
Art. 32 (1) b) GDPR
The Norwegian DPA has imposed a fine of EUR 30,000 on Lillestrøm Municipality. The municipality had accidentally published a document in which 10 of 21 attachments contained personal data of students. The data included student names, dates of birth, test results, and assessments of student behavior and student challenges. The error was not detected by the responsible administrator and passed through two further manual quality checks at the documentation center without being detected there either. It was only a journalist who later drew attention to the data breach. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to protect personal data. The fact that the incident was discovered by a third party rather than by the municipality itself also indicates inadequate routines in this area.
CNPD
National Commission for Data Protection
Accommodation and Hospitality
Café owner
2022-02-02
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Luxembourg DPA (CNPD) has imposed a fine of EUR 1,000 on a café owner. The owner had installed two video surveillance cameras in the café for the purpose of protecting company assets and the safety of customers and employees. Those cameras, however, constantly captured parts of the employees' work areas. The DPA found this to be a violation of the principle of data minimization. It also found that the owner had not sufficiently complied with its information obligations under Art. 13 GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
SC Grupex 2000 SRL
2022-02-01
€1,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 9 GDPR
The Romanian DPA (ANSPDCP) has fined SC Grupex 2000 SRL EUR 1,000. The controller unlawfully uploaded videos of patients on its website.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2022-02-01
€3,940,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
The Spanish DPA has fined Vodafone España, S.A.U. EUR 3.94 million. Nine Vodafone customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Vodafone and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Vodafone had neither properly verified the identity of the fraudsters before issuing the SIM cards nor ensured that the inquirers were really the SIM card holders, owing to a lack of sufficient security measures.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
ORANGE ESPAÑA VIRTUAL, S.L.
2022-02-01
€70,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has fined ORANGE ESPAÑA VIRTUAL, S.L. EUR 70,000. Two Orange España Virtual customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Orange España Virtual and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Orange España Virtual had neither properly verified the identity of the fraudsters before issuing the SIM cards nor ensured that the inquirers were really the SIM card holders.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Orange Espagne S.A.U.
2022-02-01
€700,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has fined Orange Espagne S.A.U. EUR 700,000. Two Orange Espagne customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Orange Espagne and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Orange Espagne had neither properly verified the identity of the fraudsters before issuing the SIM cards nor ensured that the inquirers were really the SIM card holders.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
XFERA MÓVILES, S.A.
2022-02-01
€200,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has fined XFERA MÓVILES, S.A. EUR 200,000. Two Xfera customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Xfera and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Xfera had neither properly verified the identity of the fraudsters before issuing the SIM cards nor ensured that the inquirers were really the SIM card holders.