A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority
Sector
Fined Company
Date
Fine
Violation Type
Articles
Description
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
TELEFÓNICA MÓVILES ESPAÑA, S.A.U.
2022-02-01
€900,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has fined TELEFÓNICA MÓVILES ESPAÑA, S.A.U. EUR 900,000. Four Telefónica customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Telefónica and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Telefónica had neither properly verified the identity of the fraudsters before issuing the SIM cards nor ensured that the inquirers were really the SIM card holders.
DATATILSYNET
Norwegian Supervisory Authority
Finance, Insurance and Consulting
Etterforsker1 Gruppen AS
2022-02-01
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Norwegian DPA (Datatilsynet) fined Etterforsker1 Gruppen AS EUR 5,000. The controller had carried out a credit check on an individual, although there was no legal basis for doing so.
AEPD
Spanish Data Protection Authority
Real Estate
Property Owner Community
2022-01-31
€1,500.00
Insufficient legal basis for data processing
Art. 6 GDPR
Use of CCTV cameras in building complex without obtaining the consent of all the property owners.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Cyrana España General S.L.
2022-01-31
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has fined Cyrana España General S.L. EUR 5,000. The controller had sent an invoice to the data subject although no contractual relationship existed.
AEPD
Spanish Data Protection Authority
Industry and Commerce
INCOPROSOL, S.L.
2022-01-31
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has fined INCOPROSOL, S.L. EUR 5,000. The controller had recorded a telephone conversation with a customer without obtaining the customer's consent.
APD
Belgian Data Protection Authority
Individuals and Private Associations
Researcher
2022-01-27
€1,200.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), f) GDPR
Art. 6 (1) GDPR
Art. 9 GDPR
Art. 12 GDPR
Art. 14 GDPR
Art. 32 GDPR
The Belgian DPA has fined a researcher EUR 1,200. The fine was issued in connection with another fine against the NGO EU DisinfoLab. The researcher was employed at the NGO. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw data obtained from this was then published without taking minimal security precautions, such as pseudonymizing the data. The DPA noted that publication of the data could potentially expose data subjects to the risk of discrimination or discredit because of the non-anonymized political profiling. In addition, the files also contained information about the religious beliefs, ethnic origin, or sexual orientation of the individuals whose accounts were analyzed. For this reason, the DPA concluded that several obligations of the GDPR, such as lawfulness of processing, transparency to data subjects, and data security, were violated.
APD
Belgian Data Protection Authority
Individuals and Private Associations
EU DisinfoLab
2022-01-27
€2,800.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), f) GDPR
Art. 6 (1) GDPR
Art. 9 GDPR
Art. 12 GDPR
Art. 14 GDPR
Art. 30 GDPR
Art. 32 GDPR
Art. 35 GDPR
The Belgian DPA has fined the NGO EU DisinfoLab EUR 2,700. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw data obtained from this was then published without taking minimal security precautions, such as pseudonymizing the data. The DPA noted that publication of the data could potentially expose data subjects to the risk of discrimination or discredit because of the non-anonymized political profiling. In addition, the files also contained information about the religious beliefs, ethnic origin, or sexual orientation of the individuals whose accounts were analyzed. For this reason, the DPA concluded that several obligations of the GDPR, such as lawfulness of processing, transparency to data subjects, and data security, were violated.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
Cosmote Mobile Telecommunications S.A.
2022-01-27
€6,000,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 25 (1) GDPR
Art. 26 GDPR
Art. 28 GDPR
Art. 35 (7) GDPR
The Hellenic DPA has imposed a fine of EUR 6 million on Cosmote Mobile Telecommunications S.A. Cosmote had reported a data breach to the DPA pursuant to Art. 33 GDPR. A hacker had penetrated the controller's systems and obtained and subsequently leaked data from Cosmote customers. The stolen data included sensitive information from Cosmote subscribers such as age, gender and contract information. Nearly 10 million people were affected by the incident.
For this reason, the DPA found that Cosmote had failed to implement adequate technical and organizational measures to ensure the proper execution of the data anonymization process. In addition, Cosmote did not conduct a sufficient data protection impact assessment and did not properly inform data subjects about the processing of their data.
Finally, the DPA found that Cosmote did not clearly regulate the allocation of roles in data processing with its subsidiary, OTE Group.
In calculating the fine, the DPA aggravatingly took into account the very long duration of the breaches (6 years), the large number of data subjects, as well as the fact that no pseudonymization measures of the data were implemented over a long period of time.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
OTE Group
2022-01-27
€3,200,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Hellenic DPA has imposed a fine of EUR 3.2 million on Cosmote subsidiary OTE Group. Among other things, OTE Group had contributed to Cosmote's security infrastructure. Cosmote had reported a data breach to the DPA under Article 33 of the GDPR. A hacker had been able to penetrate Cosmote's systems due to a lack of security measures and obtained and subsequently leaked data from customers. The stolen data included sensitive information from Cosmote subscribers such as age, gender and contract information. Nearly 10 million people were affected by the incident.
For this reason, the DPA found that OTE Group had failed to implement adequate technical and organizational measures to ensure a level of security commensurate with the risk to data subjects.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Private club 'Ruian'
2022-01-27
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 2,000 on the private club 'Ruian'. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed about the processing of the data by the video surveillance and thus violated its duty to inform.
GARANTE
Italian Data Protection Authority
Industry and Commerce
T.S.M. s.r.l.
2022-01-27
€40,000.00
Insufficient fulfilment of data subjects rights
Art. 13 GDPR
Art. 15 GDPR
Art. 21 GDPR
Art. 157 Codice della privacy
Art. 166 (2) Codice della privacy
The Italian DPA has imposed a fine of EUR 40,000 on T.S.M. s.r.l. A data subject had filed a complaint with the DPA against the company for failing to comply with their requests to delete their data and to object to the future processing of their personal data.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Uppsala regional board
2022-01-26
€28,500.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Swedish DPA has imposed a fine of EUR 28,500 on the Uppsala regional board.
The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden.
The regional board had transmitted sensitive personal data and personal identity numbers via email. The actual transmission of the emails was encrypted, but the information in the emails was not. The emails in question contained patient data that was automatically sent to the appropriate health administrators in the region, as well as patient data that was manually sent to researchers and physicians in the region.
For this reason, the DPA found that the regional board had not taken adequate technical and organizational measures to protect the data from unauthorized access, for example.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Uppsala hospital board
2022-01-26
€152,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Swedish DPA has imposed a fine of EUR 152,000 on the Uppsala hospital board.
The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden.
Accordingly, Uppsala University Hospital had sent emails containing patient data to patients and senders in third countries without encryption. In addition, the hospital administration had stored sensitive personal data in the Outlook email hosting service. For this reason, the DPA found that the hospital board had not taken sufficient technical and organizational measures to protect the data from unauthorized access.
Data Protection Authority of Ireland
Finance, Insurance and Consulting
Slane Credit Union Ltd.
2022-01-26
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 24 GDPR
Art. 28 (1), (3) GDPR
Art. 30 (1) GDPR
Art. 32 (1) GDPR
The Irish DPA has imposed a fine of EUR 5,000 on Slane Credit Union Ltd. The controller had notified the DPA of a data breach in 2018. Due to an error in a search engine optimization tool installed on the controller's website, four reports of member inquiries containing personal member data were unintentionally published.
The incident affected 76 members, including minors, and their personal data such as names, addresses, gender, birth dates, account numbers, etc.
The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
In addition, the DPA concluded that the controller failed to conduct due diligence on the processor and to conclude a GDPR compliant contract with the processor.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Website operator
2022-01-21
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 2,000 on a website operator for the lack of a privacy policy on its website, in violation of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Property Owner Community
2022-01-21
€1,200.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has fined a property owners' community EUR 1,200. A property manager had sent a copy of the general meeting minutes to the director of the security company 'CMM Seguridad'. The document in question contains the names and addresses of residents, a list of defaulters and the accounts with all income and expenses of the community.
According to the controller, the purpose of sending the minutes in question to the security company was to inform them about the members of the Board of Directors appointed at the respective ordinary general meeting. Therefore, the controller should have limited itself to providing only this information, or to transmitting the minutes document after it had been duly anonymized.
For this reason, the DPA notes that the transmission of the full minutes would not have been necessary.
As a result, the controller violated the principle of data minimization.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Kaufland România SCS
2022-01-20
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 15 (3) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 3,000 on Kaufland Romania SCS.
The DPA initiated an investigation based on a complaint from an individual stating that the controller had not provided them with a complete copy of the video recordings for a certain period of time when they had been in the store premises.
The DPA stated that the controller is obliged to disclose the video images of the data subject after they exercise their right of access, and that the controller may disclose the images by taking measures to blur, if necessary, those images that may violate the rights and freedoms of other natural persons.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
Santander Bank Polska S. A.
2022-01-19
€117,000.00
Insufficient fulfilment of data breach notification obligations
Art. 34 (1) GDPR
The Polish DPA has fined Santander Bank Polska S.A. EUR 118,000 for failing to notify data subjects of a data breach.
A former employee of the bank managed to gain unauthorized access to a database for electronic services. Among other things, this allowed numerous Santander customers' data to be accessed.
Due to the high risk for the data of the data subjects, the bank would have been obliged to inform them of the data breach. However, the bank deliberately refrained from doing so and continued to state that it would not comply with this obligation in the future.
The DPA noted that this constituted a major intrusion for the data subjects, as they did not have the opportunity to take appropriate steps to protect their rights.
UODO
Polish National Personal Data Protection Office
Transportation and Energy
Fortum Marketing and Sales Polska S.A.
2022-01-19
€1,000,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 24 (1) GDPR
Art. 25 (1) GDPR
Art. 28 (1) GDPR
Art. 32 (1), (2) GDPR
The Polish DPA has imposed a fine of EUR 1 million on Fortum Marketing and Sales Polska S.A.
The company had reported a data breach to the DPA in accordance with Art. 33 GDPR. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data. The data breach occurred at the time of the introduction of a change in the company's IT environment. The change was made by a processing agent. As part of the change, an additional Fortum customer database was created. However, the server on which the database was stored did not have sufficient security measures, which is why the unauthorized persons succeeded in accessing the data.
The DPA also found that the processor failed to pseudonymize and encrypt the data. In addition, the processing agent had been using real customer data, rather than test data, to test the changes to the system.
For this reason, the DPA concluded that the controller failed to take appropriate technical and organizational measures to ensure the protection of personal data. In addition, the DPA found that the controller would have been required to monitor the work of the processor to ensure that the protection of personal data is continuously guaranteed.
UODO
Polish National Personal Data Protection Office
Industry and Commerce
PIKA Sp. z o.o.
2022-01-19
€53,000.00
Insufficient technical and organisational measures to ensure information security
Art. 28 (3) c), f) GDPR
Art. 32 (1), (2) GDPR
The Polish DPA has fined PIKA Sp. z o.o. in the amount of EUR 53,000.
The fine is related to a fine imposed on Fortum Marketing and Sales Polska S.A. PIKA was acting as a processor for Fortum. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data. The data breach occurred at the time of the introduction of a change in the company's IT environment by PIKA. As part of this change, an additional Fortum customer database was created. However, the server on which the database was stored did not have sufficient security measures, which is why the unauthorized persons were able to access the data.
The DPA also found that PIKA had failed to pseudonymize and encrypt the data. In addition, PIKA had used real customer data rather than test data to test the system changes.
For this reason, the DPA concluded that PIKA had failed to take appropriate technical and organizational measures to ensure the protection of personal data.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
VODAFONE ESPAÑA, S.A.U.
2022-01-18
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on VODAFONE ESPAÑA, S.A.U. due to insufficient legal basis for data processing. The data subject states that two telephone connections were registered in his/her name. However, the data subject had never signed contracts with the company for any of these connections. In fact, the contracts in question were concluded by fraudsters using the personal data of the data subject. Nevertheless, the personal data were entered into the company's information systems without verifying whether the contracts had been lawfully and actually concluded by the data subject, or whether he/she had given his/her consent to the collection and subsequent processing of his/her personal data. The original fine of EUR 70,000 was reduced to EUR 56,000 due to immediate payment.
AEPD
Spanish Data Protection Authority
Transportation and Energy
GARLEX SOLUTIONS, S.L.
2022-01-18
€15,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on GARLEX SOLUTIONS, S.L. The data subject had received a call from the company to renew their electricity supply contract. Subsequently, the data subject received an SMS with a link to an electricity supply contract in which their personal data had already been entered. The data subject could not explain how the company had come into possession of the data, since they never provided it and had certainly not consented to its processing.
Data Protection Commissioner of Malta
Industry and Commerce
C-Planet (IT Solutions) Limited
2022-01-17
€65,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 6 (1) GDPR
Art. 9 (1), (2) GDPR
Art. 14 GDPR
Art. 32 GDPR
Art. 33 GDPR
Art. 34 GDPR
The DPA of Malta has imposed a fine of EUR 65,000 on C-Planet (IT Solutions) Limited. The DPA had initiated an investigation against C-Planet in April 2020 after being informed of a data breach.
The DPA noted as a result that C-Planet had violated Art. 6 (1) GDPR, Art. 9 (1), (2) GDPR, Art. 14 GDPR and Art. 5 (1) f) GDPR in the context of data processing.
The DPA also found that C-Planet failed to implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk and that this led to the data breach. This constitutes a violation of Art. 32 GDPR.
In addition, the DPA found that the controller failed to notify the personal data breach within the legally required deadline and to inform the data subjects. This constitutes a violation of Art. 33 GDPR and Art. 34 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
MEETING PUERTO C.B.
2022-01-17
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on MEETING PUERTO C.B. The data controller had unlawfully published a picture of the complainant with his partner on Facebook and Instagram, which was accompanied by insulting comments.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-01-17
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 1,500 on a private individual. The person had installed video cameras in the apartment building where he lives, which recorded, among other things, common areas of all residents. The DPA considered this a violation of the principle of data minimization.
DSB
Austrian Data Protection Authority
Industry and Commerce
REWE International AG
2022-01-14
€8,000,000.00
Unknown
Unknown
The Austrian DPA has imposed a fine of EUR 8 million on REWE International AG. Just in the summer of 2021, the subsidiary 'Unser Ö-Bonus Club GmbH' received a fine of EUR 2 million. According to the 'Salzburger Nachrichten' newspaper, the fine is based on various violations of the GDPR. Further details about the incident are not known at the moment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-01-14
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Use of a CCTV camera that also captured a neighbour's private space.
AEPD
Spanish Data Protection Authority
Industry and Commerce
PHARMA TALENTS, S.L.U.
2022-01-14
€2,400.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine against PHARMA TALENTS, S.L.U. A data subject had filed a complaint against the company after he found a database on one of the company's websites containing personal data about himself and hundreds of other health sector professionals, including email addresses and telephone numbers. Both the website and the database were freely accessible. The DPA found that the company had failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk to data subjects, since not even a username and password were required to access the database. The original fine of EUR 4,000 was reduced to EUR 2,400 due to voluntary payment and admission of guilt.
AP
Dutch Supervisory Authority for Data Protection
Media, Telecoms and Broadcasting
DPG Media Magazines B.V.
2022-01-14
€525,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (2) GDPR
The Dutch DPA has imposed a fine of EUR 525,000 on DPG Media Magazines B.V.
The DPA had received several complaints regarding the way the controller handled requests from customers.
Customers who wanted to know what kind of personal data the controller stored, or wanted to have their data deleted, first had to upload or send in proof of identity.
The DPA determined that sending in proof of identity would not have been necessary for the purpose of processing the request. In addition, the mailing process presented an excessive hurdle for data subjects to exercise their rights.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-01-13
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine is made up of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Sanitaria Locale Frosinone
2022-01-13
€7,500.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 12 GDPR
Art. 13 GDPR
The Italian DPA has fined Azienda Sanitaria Locale Frosinone EUR 7,500. In the course of its investigation against the medical facility, the Garante found that their privacy policy showed significant deficiencies. For example, the facility had indicated several purposes for processing the data, but the relevant legal bases for doing so were not always indicated. Those legal bases that were stated were often incorrect or contradictory. In addition, the facility did not provide sufficient information on the storage periods of the collected data.
GARANTE
Italian Data Protection Authority
Health Care
Medicina & Lavoro s.r.l.
2022-01-13
€4,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 15 GDPR
Failure to respond to the data subject's request for access to their data in a timely manner.
GARANTE
Italian Data Protection Authority
Health Care
Azienda sanitaria unica regionale Marche
2022-01-13
€14,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Art. 35 GDPR
The Italian DPA has imposed a fine of EUR 14,000 on Azienda sanitaria unica regionale Marche. The DPA launched an investigation against the health department following media reports of deficiencies in the system used to collect and manage Covid 19 screening data. The health department used an app that generated QR codes for people who were tested for Covid-19. The QR code was generated based on a progressive criterion rather than on a random basis. Thus, each person was assigned a number. Because of this, it would have been possible for unauthorized persons to change a digit and gain access to another person's profile and thus personal data. The DPA found that the health authority failed to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk to the data subjects.
GARANTE
Italian Data Protection Authority
Health Care
Villa Masi Residenza per anziani
2022-01-13
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
No signage indicating the use of CCTV systems in a nursing care facility.
GARANTE
Italian Data Protection Authority
Employment
A.S.L. Napoli 1 Centro
2022-01-13
€1,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA (Garante) has imposed a fine of EUR 1,000 on A.S.L. Napoli 1 Centro. An employee at the health authority had filed a complaint with the DPA against the authority. The health authority had published a press release on its website containing personal data of the data subject and information about a disciplinary procedure. The health authority believed that the publication was lawful since the data subject had already given this information to the press, which in turn had published a report on the matter. However, the DPA concluded that the authority still needed a valid legal basis for the publication, regardless of whether the information had already been published in other media.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Property Owner Community
2022-01-11
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Use of a CCTV camera which also captured the public roads outside, in violation of the principle of data minimisation.
AEPD
Spanish Data Protection Authority
Employment
EDUCANDO JUNTOS SL
2022-01-11
€9,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 17 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 9,000 on EDUCANDO JUNTOS SL. The controller had published photos of an employee on some of its channels on social networks and its website. However, the controller had published the photos without having obtained the consent of the data subject. For this reason, the data subject repeatedly requested the removal of the photos from the social networks and the website. However, the controller did not comply with this request. The fine is made up of EUR 6,000 for a violation of Art. 6 (1) GDPR and EUR 3,000 for a violation of Art. 17 GDPR.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
Εγνατία Οδός Α.Ε.
2022-01-05
€1,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
The Hellenic DPA has imposed a fine of EUR 1,000 on Εγνατία Οδός Α.Ε. The company operated a video surveillance system to monitor the payment of tolls. A car owner, who had received a fine for non-payment of the toll, exercised his right to information granted by the GDPR. He requested the photographic material which had been captured in the context of the fine. He also requested to receive a copy of the documentation of the incident. However, the company refused to provide the information to the data subject. Only after the DPA intervened did the company provide the information, but without enclosing the photographic material. For this reason, the DPA found a violation of Art. 12 (3) GDPR.
Data Protection Authority of Bremen
Health Care
Physician
2022
Unknown
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
The DPA of Bremen imposed a fine on a physician for failing to respond to a data subject's request for access to their data in a timely manner.
Data Protection Authority of Bremen
Not assigned
Company
2022
Unknown
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
The DPA of Bremen imposed a fine on a company for failing to respond to a data subject's request for access to their data in a timely manner.
Data Protection Authority of Bremen
Health Care
Physician
2022
Unknown
Insufficient legal basis for data processing
Art. 6 GDPR
The DPA of Bremen imposed a fine on a physician for using a patient's contact details to contact them privately without their consent.
Data Protection Authority of Bremen
Health Care
Physician
2022
Unknown
Insufficient legal basis for data processing
Art. 6 GDPR
The DPA of Bremen imposed a fine on a physician for transmitting a patient's data to a billing office without their consent.
Data Protection Authority of Bremen
Individuals and Private Associations
Private individual
2022
Unknown
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The DPA of Bremen imposed a fine on a private individual. The individual, who worked in a restaurant, had contacted a restaurant visitor privately using the contact information they had provided, which was required for a restaurant visit during the Covid-19 pandemic.
Data Protection Authority of Bremen
Individuals and Private Associations
Private individual
2022
Unknown
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The DPA of Bremen imposed a fine on a private individual. The individual, who worked at a Covid-19 testing center, had contacted a patient privately using the contact details the patient had provided for their Covid test.
Data Protection Authority of Bremen
Employment
Company
2022
Unknown
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The DPA of Bremen has imposed a five-digit fine on a company. The controller had unlawfully used GPS software in its company vehicles, allowing unrestricted monitoring of its employees over a long period of time. The DPA found that such extensive monitoring was not necessary and therefore unlawful.
Data Protection Authority of Bremen
Employment
Company
2022
Unknown
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The DPA of Bremen has imposed a five-digit fine on a company. The company had sent an unredacted social plan to all affected employees in the context of dismissals due to operational reasons, resulting in the disclosure of personal data contained therein, such as date of birth, age, marital status, number of dependent children, function in the company, severe disability, etc., to all employees. The DPA found that such extensive disclosure of personal data was unlawful due to the lack of a legal basis. The DPA considered the fact that special categories of personal data, such as information on a severe disability, had also been disclosed to be an aggravating factor.
Data Protection Authority of Bremen
Employment
Company
2022
Unknown
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The DPA of Bremen has imposed a five-digit fine on a company. The company had transferred the pay slips of its employees without their consent to another company, which was to continue to employ the employees in the future. The DPA considered the fact that a high double-digit number of employees were affected as an aggravating factor.
Data Protection Authority of Bremen
Not assigned
Company
2022
Unknown
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
The DPA of Bremen has fined a company for failing to inform the DPA pursuant to Art. 33 GDPR that an employee's business email account had been hacked.
Data Protection Authority of Bremen
Not assigned
Company
2022
Unknown
Insufficient fulfilment of information obligations
Art. 12 GDPR
Art. 13 GDPR
The DPA of Bremen has imposed a three-digit fine on a company. The company offered its applicants an online application procedure on its website without informing users about the processing of their personal data.
Data Protection Authority of Bremen
Health Care
Medical care center
2022
Unknown
Insufficient legal basis for data processing
Unknown
The DPA of Bremen has imposed a fine on a medical care center for having scanned a customer's ID card against their will and stored the copy. Once the customer complained, they were threatened with termination of the customer relationship. In assessing the fine, the DPA took into account the fact that the ID card had been scanned against the explicit objection of the data subject.