A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
Data Protection Authority of Bremen
Industry and Commerce
Supermarket
2022
€NaN
Insufficient legal basis for data processing
Unknown
The DPA of Bremen has imposed a fine on a supermarket. A store detective had taken a photo of the data subject on the occasion of an alleged theft and transmitted it via the messenger service WhatsApp to the manager, the store manager and two closing staff members, allegedly to enforce house rules but without a sufficient legal basis.
Data Protection Authority of Hamburg
Individuals and Private Associations
Private individual
2022
€NaN
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Unlawful use of a dashcam
Data Protection Authority of Hamburg
Transportation and Energy
Logistics company
2022
€NaN
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
Art. 33 GDPR
Art. 32 GDPR
A logistics company had disposed of delivery lists in a public waste paper container. The lists contained a large amount of detailed information, such as the first and last names of subscribers, the addresses, subscribed newspapers, and special delivery information, such as the location of mailboxes and any complaints from recipients. The DPA also noted that the company failed to inform the data subjects and the DPA of the data breach in a timely manner.
Data Protection Authority of Hamburg
Health Care
Physician
2022
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
A physician's office had disposed of records of positive and negative Covid-19 Antigen Rapid test results from patients in a public waste disposal site.
Data Protection Authority of Hamburg
Health Care
Covid-19 test center
2022
€1,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
The DPA of Hamburg has fined a Covid-19 test center EUR 1,000 for failing to comply with the right of data subjects to have their personal data deleted.
Data Protection Authority of Hamburg
Health Care
Covid-19 test center
2022
€2,700.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The DPA of Hamburg has imposed a fine of EUR 2,700 on a Covid-19 test center. The test center had sent the data subjects an unencrypted e-mail containing a URL that allowed them to access the test result without taking any further security measures. In some cases, the download link was structured in a way that led to the download of a PDF file with the file name corresponding to the last name of the person tested. With knowledge of the directory path, it was therefore possible to view third-party test results.
Data Protection Authority of Hamburg
Health Care
Covid-19 test center
2022
€1,400.00
Insufficient legal basis for data processing
Art. 6 (1) c) GDPR
The DPA from Hamburg has imposed a fine of EUR 1,400 on a Covid-19 test center. The controller intended to fulfill its statutory documentation obligations and scanned the front and back of ID cards of tested persons for this purpose. However, such extensive storage of personal data would not have been necessary to fulfill its documentation obligations. This could and should have been known to the controller.
UOOU
Czech Data Protection Authority
Transportation and Energy
Company
2022
€3,400.00
Insufficient legal basis for data processing
Unknown
The Czech DPA imposed a fine of EUR 3,400 on a company. The data subject had concluded an energy supply contract with the controller in the past, but then duly terminated it. Nevertheless, the controller assigned the previously terminated contract to a processor (sales representative) in order to contact the data subject to conclude a new contract. The DPA found that the controller had unlawfully transferred the data subject's data to the sales agent, as in the absence of an existing contract it had no valid legal basis for such transfer.
Data Protection Authority of Hessen
Health Care
Covid-19 test center
2022
€16,400.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 33 (1), (5) GDPR
The DPA of Hessen has fined a Covid-19 test center EUR 16,400. The controller had sent an e-mail containing personal data to several recipients in an open distribution list. The DPA also found that the controller had failed to adequately document the data breach.
Data Protection Authority of Hessen
Health Care
Covid-19 test center
2022
€1,800.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
Art. 6 (1) GDPR
The DPA of Hessen imposed a fine of EUR 1,800 on a Covid-19 test center. An employee had taken an adhesive label from the trash, written the test center's e-mail address on it and attached it to the center's window. However, due to a lack of care, the employee did not notice that the label still contained personal data of an individual. The data was therefore visible to third parties for about 24 hours until the label was removed.
Data Protection Authority of Hessen
Individuals and Private Associations
Police officer
2022
€7,380.00
Insufficient legal basis for data processing
Unknown
A police officer had accessed data in police databases for private research purposes over a period of three years.
Data Protection Authority of Hessen
Individuals and Private Associations
Police officer
2022
€300.00
Insufficient legal basis for data processing
Unknown
A police officer had accessed data in police databases for private research purposes in order to obtain information about their ex-partner's new partner.
Data Protection Authority of Hessen
Individuals and Private Associations
Police officer
2022
€800.00
Insufficient legal basis for data processing
Unknown
A police officer had accessed data in police databases for private research purposes in order to obtain information about a colleague.
Data Protection Authority of Brandenburg
Finance, Insurance and Consulting
Bank
2022
€NaN
Insufficient technical and organisational measures to ensure information security
Art. 28 (3) GDPR
Art. 32 GDPR
The DPA of Brandenburg has imposed a five-digit fine on a bank. The bank had installed a video surveillance system that covered parts of the foyer of the branch with ATMs, the entrance area and the sidewalk and parking spaces in front of it. The transmission of the images as well as the commands to access the camera were carried out unencrypted via the Internet. The bank suffered a data breach in which unknown third parties compromised the video cameras and then posted the images on the Internet. They were also able to control the cameras to a limited extent.
During its investigation, the DPA found that the bank had failed to implement adequate technical and organizational measures to protect personal data, which facilitated such a breach. In addition, the DPA found that the bank failed to enter into a processing agreement with its processors, which also had access to cameras and images.
Data Protection Authority of Brandenburg
Accommodation and Hospitality
Restaurant operator
2022
€NaN
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The DPA of Brandenburg has imposed a five-figure fine on a restaurant operator. During the Corona pandemic, the operator had required restaurant visitors to fill out forms with their name, address, telephone number and e-mail address for the purpose of contact tracing as required by law. However, there was no legal requirement to collect the e-mail address. Visitors were further required to check a box stating that they agreed to be contacted by the restaurant. However, the restaurant subsequently used the email addresses to send a promotional newsletter. During its investigation, the DPA found that the processing of the email address for advertising purposes was unlawful due to the fact that the requirements for giving effective consent were not met. After all, it was not clear to the data subjects that the restaurant intended to use the e-mail address for advertising purposes. The restaurant operator also failed to inform the data subjects of their right to withdrawal.
Data Protection Authority of Brandenburg
Not assigned
Operator of a swimming pool
2022
€NaN
Insufficient legal basis for data processing
Art. 6 (1) c) GDPR
The DPA of Brandenburg has imposed a five-digit fine on the operator of an outdoor swimming pool. The controller had processed more visitor data than legally required for contact tracing purposes in the context of the Covid pandemic.
Data Protection Authority of Brandenburg
Individuals and Private Associations
Aid organization
2022
€NaN
Insufficient technical and organisational measures to ensure information security
Art. 28 (3) GDPR
Art. 32 GDPR
The DPA of Brandenburg has imposed a five-figure fine on an aid organization. The aid organization provides transportation for people with illnesses. The organization had reported a data breach to the DPA in which data of data subjects had been published due to a hack. At the time of the attack, the controller's database contained more than 80,000 records with data that included information about the health status of the data subjects. During its investigation, the DPA found that the bank had failed to take adequate technical and organizational measures to protect personal data, which allowed such a breach to occur. In addition, the DPA found that the bank had failed to conclude a processing agreement with its processors.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Beauty salon
2022
€80,700.00
Insufficient legal basis for data processing
Unknown
The Hungarian DPA has imposed a fine of EUR 80,700 on a beauty salon. The controller had installed video cameras in all its premises, which permanently recorded customers and employees. During its investigation, the DPA found that the controller did not have the required permission to operate the video surveillance system. In addition, the controller processed the data of the customers for marketing purposes without having a valid legal basis and informing the customers about it.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Health Care
Physician
2022
€1,600.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) a) GDPR
Art. 12 (2) GDPR
Art. 13 (1) GDPR
The Hungarian DPA imposed a fine of EUR 1,600 on a physician. A patient had filed a complaint against the controller with the DPA. The patient had asked the doctor to send all medical records after the death of her unborn child. However, the physician did not comply with this request.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Not assigned
Website operator
2022
€1,300.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) a) GDPR
Art. 12 (2), (3) GDPR
Art. 31 GDPR
The Hungarian DPA has imposed a fine of EUR 1,300 on a website operator. An individual had filed a complaint with the DPA against the controller due to the fact that the controller had published their personal data on the website. The data subject sent a request for access to their data to the controller, but never received a response. Furthermore, the controller had not properly cooperated with the DPA during the investigation.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Health Care
Dentist
2022
€1,400.00
Non-compliance with general data processing principles
Unknown
The Hungarian DPA has fined a dentist EUR 1,300. The controller had installed several surveillance cameras in their practice, which permanently recorded employees and patients. The controller had installed the cameras for the purpose of protecting property and individuals. However, in the course of its investigation, the DPA determined that such extensive video surveillance interfered too much with the fundamental freedoms of the data subjects and that the surveillance was therefore unlawful.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Credit institution
2022
€2,700.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 5 (2) GDPR
The Hungarian DPA has imposed a fine of EUR 2,700 on a credit institution. Several individuals had filed a complaint with the DPA due to the fact that the controller had transferred claims from their loan agreements to a new bank account without their consent.
KZLD
Bulgarian Commission for Personal Data Protection
Individuals and Private Associations
Political party
2022
€12,800.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Bulgarian DPA has imposed a fine of EUR 12,800 on a political party. Several individuals had filed a complaint with the DPA because their personal data had been added to voter lists without their consent.
KZLD
Bulgarian Commission for Personal Data Protection
Employment
Trucking company
2022
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Bulgarian DPA has imposed a fine of EUR 5,000 on a trucking company. The controller had disclosed personal data of a former employee to third parties without a valid legal basis.
Data Protection Commissioner of Malta
Not assigned
Unknown
2022
€2,500.00
Insufficient technical and organisational measures to ensure information security
Art. 24 (2) GDPR
Art. 32 (1) (b) GDPR
Art. 32 (4) GDPR
The controller has unlawfully disclosed personal data of a data subject.
Data Protection Commissioner of Malta
Not assigned
Unknown
2022
€250,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1), (2) GDPR
The controller has failed to implement appropriate technical and organizational measures to protect personal data.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Waxing Palace AS
2021-08-12
€9,600.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 9,600 on the waxing salon operator Waxing Palace AS. The controller operated camera surveillance in its reception area. The DPA found that the controller had no legal basis for the camera surveillance and had not provided sufficient information about it. The camera surveillance concerned both employees and customers.
AEPD
Spanish Data Protection Authority
Employment
DESPACHO TEJEDOR INFANTES CONSULTORES ASESORES
2021-08-10
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on DESPACHO TEJEDOR INFANTES CONSULTORES ASESORES, S.L. The controller had forwarded two emails containing personal data (payroll and extension of working hours) of the data subject to an employee.
AEPD
Spanish Data Protection Authority
Industry and Commerce
BAZTANDIS, S.L.
2021-08-09
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Use of surveillance cameras without proper contact information on the data controller, in violation of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
CLUB GIMNASIA RÍTMICA SAN ANTONIO
2021-08-09
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on CLUB GIMNASIA RÍTMICA SAN ANTONIO. A person had filed a complaint against the controller with the AEPD based on the controller's posting of pictures and videos of her two underage daughters on Instagram. The complainant had previously told the controller that she did not want pictures of her daughters to be posted on social media as she refused to give permission for her daughters to be photographed and recorded.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-08-05
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. Two neighbors had complained about the individual to the DPA due to the fact that he had installed two video surveillance cameras with motion detectors on a public street. Among other things, these recorded images of the neighbors reaching their properties via the street. The authority considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Future Vinline S.L.
2021-08-05
€6,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish Data Protection Agency (AEPD) has fined Future Vinline S.L. The privacy policy on the website operated by the controller did not comply with the provisions of the GDPR. The original fine of EUR 10,000 was reduced to EUR 6,000 due to a voluntary payment and an admission of guilt.
CNPD
National Commission for Data Protection
Finance, Insurance and Consulting
Insurance company
2021-08-05
€135,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) a), b) GDPR
Art. 33 (1), (5) GDPR
The DPA of Luxembourg has imposed a fine of EUR 135,000 on an insurance company.
On October 19, 2018, an employee of the controller had sent an e-mail to an uninvolved third party instead of the data subject. This occurred due to an error by the employee who had incorrectly entered the e-mail address of the data subject. In addition to the name and gender of the data subject, the e-mail also contained detailed information about the data subject's illnesses. In addition, the attachment contained three forms relating to illnesses that the data subject had reported in connection with the conclusion of a life insurance policy. On November 29, the same incident occurred. The second misdirected e-mail contained, in addition to the data subject's name, very specific questions about a particular pathology, the last name of the life insurance doctor, the address of said doctor, and two blank forms related to said pathology to be filled out by him or his doctor.
The DPA noted that it had not been informed of the data breach in a timely manner in accordance with Art. 33 GDPR. The company had also not complied with its documentation obligation under Art. 33 (5) GDPR.
Furthermore, the DPA found that the controller had failed to implement technical and organizational measures to ensure a level of security appropriate to the risk for the data subjects.
DSB
Austrian Data Protection Authority
Individuals and Private Associations
Private individual
2021-08-05
€600.00
Insufficient legal basis for data processing
Art. 9 GDPR
The Austrian DPA has imposed a fine of EUR 600 on a private individual. A private individual had sent a document obtained in a court case between the data subject and himself to the data subject's employer. This document contained information regarding health-related data of the data subject. At no time had the data subject consented to the forwarding of the document to her employer.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-08-03
€96,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 17 GDPR
The Spanish DPA (AEPD) has imposed a fine on Vodafone España, S.A.U. A data subject had filed a complaint with the DPA against the controller for failing to comply with her deletion request. The data subject states that on she had received calls from the company ISGF on behalf of the controller claiming a debt received from a third party for an ADSL connection for the residence of the data subject. However, the data subject had never entered into a contract for an ADSL connection. Instead, the contract had been concluded by a third party who had fraudulently used the name and ID number of the data subject to conclude the contract in her name. The data subject then requested ISGF to cancel the contract and asked the controller to delete her personal data. However, the controller had not responded to her request. The DPA then imposed a fine of EUR 120,000 which consisted of EUR 70,000 due to a violation of Art. 6 (1) GDPR and EUR 50,000 due to a violation of Art. 17 (1) GDPR. The original fine was reduced to EUR 96,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Club Náutico el Estacio
2021-08-02
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Club Náutico el Estacio. A data subject filed a complaint against the controller with the AEPD. The complaint is based on the fact that the controller has published the announcement and the record of the club's ordinary meeting on its website, disclosing personal data without access restrictions.
DSB
Austrian Data Protection Authority
Industry and Commerce
Unser Ö-Bonus Club GmbH
2021-08-02
€2,000,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 7 GDPR
Art. 12 GDPR
The Austrian DPA has imposed a fine of EUR 2,000,000 on Rewe affiliate Ö-Bonus Club GmbH.
When signing up for the customer loyalty program jö Bonus Club, the controller is said to have failed to properly explain that customers' data and shopping behavior are used to create individual profiles, and that the information is also passed on to partner companies. According to the GDPR, the clarification must be easily accessible and in simple language. However, the controller had designed the registration for the jö Bonus Club in such a way that the clarification about profiling could only be found after scrolling down. However, the consent was placed higher up, so in all cases the consents were obtained before the clarification. In turn, on the physical flyers, the signature box placed at the bottom of the form appeared as if it were a confirmation of enrollment in the club, even though it constituted consent to profiling as well.
The DPA concluded that the controller breached its duty to provide consent in an understandable and easily accessible form in clear and simple language. Accordingly, it deemed the consents to be invalid and the profiling carried out on their basis to be unlawful.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Private Individual
2021-07-30
€200.00
Insufficient legal basis for data processing
Art. 5 (1) a), b), (2) GDPR
Art. 6 (1) GDPR
Art. 14 (1), (4) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 200 on a private individual due to the unlawful disclosure of personal data. The controller had disclosed personal data of several individuals by distributing some materials in households of the municipality and through posts on his personal Facebook account. This involved, on the one hand, a photo of a salary statement of the data subject, whereby, among other things, the surname, first name, place of work and salary could be extracted. The other was a photo of a file from the register of children enrolled in the kindergarten of the municipality, whereby personal data of a minor child were disclosed.
The DPA found that the controller had processed the data without a legal basis and had not informed the data subjects about the processing of their data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-07-30
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has fined a private individual EUR 600 for unauthorized video surveillance. The controller had installed a video surveillance camera which covered, among other things, neighboring houses and a public street. The DPA considered this to be a violation of the principle of data minimization. Due to voluntary payment the original fine in the amount of EUR 750 has been reduced to EUR 600.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-07-30
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 2,000 on a private individual. The controller had published the phone number of the data subject alongside a picture of another person on a dating website in order to create a fake profile with the name 'Katy'. This was only possible due to the fact that no proof of identity was required to create a profile on the portal.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Gas inspector
2021-07-30
€4,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has fined a gas inspector. The controller had carried out butane gas checks in the private homes of the data subjects on the basis of a list containing their surnames, first names, addresses and telephone numbers. However, the data subjects had never consented to be included in the list. The original fine of EUR 5,000 was reduced to EUR 4,000 due to acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Public Sector and Education
UNIVERSIDAD A DISTANCIA DE MADRID, S.A.
2021-07-29
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 17 (1) GDPR
Art. 21 LSSI
The Spanish DPA (AEPD) has imposed a fine on UNIVERSIDAD A DISTANCIA DE MADRID, S.A. A data subject had filed a complaint against the distance learning university. He stated that he had requested the controller to delete all his data and prohibit its processing for any purpose. He received a confirmation that his data had been completely deleted. Nevertheless, the data subject later received advertising from the controller by e-mail. The AEPD then imposed a fine of EUR 5,000, which was reduced to EUR 3,000 due to acknowledgement of guilt and immediate payment.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Website operator
2021-07-27
€500.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) fined a website operator EUR 500 due to the fact that its privacy policy did not comply with the requirements of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
NEXTSTEPAGENCY, S.L.
2021-07-27
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined NEXTSTEPAGENCY, S.L. EUR 1,000. A website of the controller lacked reliable data about the owner of the website such as tax number and postal address.
AEPD
Spanish Data Protection Authority
Industry and Commerce
PERSONAL MARK, S.L.
2021-07-27
€10,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on PERSONAL MARK, S.L. A data subject complained that she was receiving promotional text messages from the controller, despite having requested the deletion of her personal data from the controller's databases on several occasions.
AEPD
Spanish Data Protection Authority
Public Sector and Education
PODEMOS PARTIDO POLÍTICO
2021-07-27
€2,400.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine on the political party PODEMOS PARTIDO POLÍTICO. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. Due to voluntary payment and acknowledgement of guilt, the original fine in the amount of EUR 4,000 was reduced to EUR 2,400.
AEPD
Spanish Data Protection Authority
Real Estate
Owners Association
2021-07-27
€900.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine on an owners' association. A data subject claimed to the DPA that the controller had installed a camera on one of his houses, which recorded both the public pool area and parts of the data subject's house. The original fine of EUR 1,500 was reduced to EUR 900 due to voluntary payment and acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Real Estate
Owners Association
2021-07-27
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on an owners' association. A data subject claimed to the DPA that the controller had installed a camera that recorded both the pool area and other parts of the interior of the data subject's home.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
PRA Iberia S.L.
2021-07-27
€60,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 15 GDPR
The Spanish DPA (AEPD) has fined PRA Iberia S.L. EUR 60,000. A data subject had filed a complaint against the controller with the AEPD. The complaint was based on the fact that the controller asserted a claim arising from a contract that the data subject had never concluded and of which he had no knowledge. The AEPD points out that the data subject had attempted to exercise his right to information, but received no response from the controller, which instead continued to add interest to the data subject's alleged debt.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Body Tonic Shop S.L.
2021-07-27
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Body Tonic Shop S.L. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the company Vasco Andaluza de Inversiones S.L., the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis.