A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-05-09
€180.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Real Estate
ESTUDIO INMOBILIARIO SAN ISIDRO, S.L.U.
2023-05-09
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has fined ESTUDIO INMOBILIARIO SAN ISIDRO, S.L.U. EUR 5,000. An individual had filed a complaint with the DPA because employees of the controller had visted their home to advertise their rental services without their consent.
AEPD
Spanish Data Protection Authority
Public Sector and Education
FUNDACIÓ PRIVADA UNIVERSITARIA EADA
2023-05-05
€1,200.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on FUNDACIÓ PRIVADA UNIVERSITARIA EADA. An individual who had participated in a training event filed a complaint against the educational institution. The controller had used pictures of the training event, which showed the data subject, for promotional purposes without their consent. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Homeowners' association
2023-05-05
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on a homeowners' association. An owner had filed a complaint with the DPA due to the fact that members of the association had accessed the community's video surveillance footage and distributed it via WhatsApp.
AZOP
Croatian Data Protection Authority
Finance, Insurance and Consulting
Debt collection agency
2023-05-04
€2,265,000.00
Insufficient technical and organisational measures to ensure information security
Art. 6 (1) GDPR
Art. 13 (1) GDPR
Art. 28 (3) GDPR
Art. 32 (1) b), d) GDPR
Art. 32 (2) GDPR
The Croatian DPA (AZOP) has imposed a fine of EUR 2,265,000 on a debt collection agency. The fine is the highest ever imposed by AZOP. AZOP had received an anonymous complaint in December 2022 stating that a large number of debtors' personal data had been processed by the collection agency without authorization. Attached to the complaint was a USB stick containing personal data (name, date of birth, personal identification number) of 77,317 debtors.
During its investigation, AZOP found that controller did not provide sufficient information about the processing of personal data in its privacy policy. Moreover, it failed to provide information about the legal basis for the refund of overpaid funds. The breach affected 132,652 individuals.
Further, the AZOP found that the controller had not entered into a data processing agreement with a processor that monitored simple consumer bankruptcies. This put the data of 83,896 individuals at risk. The breach persisted for 2 years.
Finally, AZOP found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
Deficiencies in the controller's security system led to insecure processing of personal data on a large scale, resulting in the unauthorized filtering of data. AZOP noted that the breach has been ongoing since at least 2019 and has not been addressed to date.
Aggravating factors considered by AZOP included the controller's failure to adequately cooperate with the DPA during the process. Furthermore, the controller has not yet informed AZOP of additional measures it has taken to prevent future risks of identified violations and has not yet brought its privacy policy into compliance with the GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
BANQUETES SANTA ANA, S.L.
2023-05-03
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 5,000 on BANQUETES SANTA ANA, S.L.. The controller had asked a couple celebrating their wedding at its premises to provide the personal data of their guests, including ID card numbers, for the purpose of contact tracing in the context of the Covid-19 pandemic. The DPA determined that such a broad request for personal information was not necessary for contact tracing purposes and that the provision of the names, for example, would have been sufficient.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
GSMA LTD.
2023-05-03
€200,000.00
Non-compliance with general data processing principles
Art. 35 GDPR
The Spanish DPA has imposed a fine of EUR 200,000 against GSMA LTD.. An individual had filed a complaint with the DPA because they had to transfer special categories of personal data (e.g., ID card data) to the controller in order to register for an event. In the course of its investigation, the DPA found that the controller had failed to conduct a data protection impact assessment for these processing operations.
Cypriot Data Protection Commissioner
Finance, Insurance and Consulting
NAGA Markets Europe Ltd
2023-05-02
€9,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) b), d) GDPR
The Cypriot DPA has imposed a fine of EUR 9,000 on NAGA Markets Europe Ltd. The controller had suffered a data breach in which an unknown person accessed the company's database, holding the data of approximately 342,000 customers. The DPA found that the controller had not implemented appropriate technical and organizational measures to protect personal data, which facilitated such a breach.
AEPD
Spanish Data Protection Authority
Employment
ALBERO FORTE COMPOSITE, S.L.
2023-04-28
€12,000.00
Insufficient technical and organisational measures to ensure information security
Art. 35 GDPR
The Spanish DPA (AEPD) has imposed a fine on ALBERO FORTE COMPOSITE, S.L.. The company had taken pictures of employees at the entrance for the purpose of recording their working hours. However, the company had failed to conduct a data protection impact assessment. The original fine of EUR 20,000 was reduced to EUR 12,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Industry and Commerce
INFINITY ECOM S.L.
2023-04-28
€5,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 5,000 on INFINITY ECOM S.L. for failing to ensure that the privacy policy on its website complied with the requirements of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
ASSOCIACIO DE CAÇADORS D'ALZIRA
2023-04-28
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on ASSOCIACIO DE CAÇADORS D'ALZIRA. A member of the association had filed a complaint with the DPA because the chairman had published a letter they had written without their consent in a WhatsApp group with 195 members.
Data Protection Authority of Sweden
Public Sector and Education
Skåne region
2023-04-26
€17,600.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Swedish DPA has fined Skåne region EUR 17,600. An employee of the region had lost an unencrypted USB stick containing the social security numbers and sensitive personal data of nearly 2,000 people. The DPA found that the region had failed to implement adequate technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Not assigned
Website operator
2023-04-26
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 1,000 on a website operator for failing to ensure that the privacy policy on its website complied with the requirements of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
DIGI SPAIN TELECOM, S.L.
2023-04-25
€70,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 70,000 on DIGI SPAIN TELECOM, S.L.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-04-25
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which also recorded a neighbor property. The DPA considered this to be a violation of the principle of data minimization.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Tensa Art Design SA
2023-04-24
€1,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on Tensa Art Design SA. The controller failed to comply with a data subject's right to object.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica Móviles España, S.A.U.
2023-04-24
€70,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 70,000 on Telefónica Móviles España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions.
AEPD
Spanish Data Protection Authority
Industry and Commerce
SECURITAS DIREC ESPAÑA, S.A.
2023-04-21
€25,000.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Spanish DPA has imposed a fine of EUR 25,000 on SECURITAS DIREC ESPAÑA, S.A. for failing to comply with an order issued by the DPA.
AEPD
Spanish Data Protection Authority
Industry and Commerce
KFC RESTAURANTS SPAIN, S.L.
2023-04-20
€25,000.00
Insufficient involvement of data protection officer
Art. 13 GDPR
Art. 37 GDPR
The Spanish DPA has fined KFC RESTAURANTS SPAIN, S.L EUR 25,000. During its investigation, the DPA found that the controller had failed to appoint a data protection officer. In addition, the DPA found that the controller did not provide all of the information required under Art. 13 GDPR on its website.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Partidul Uniunea Salvați România
2023-04-19
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), b) GDPR
Art. 6 GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on the party 'Partidul Uniunea Salvați România'. The controller had published personal data of persons with different degrees of disability on their website without a valid legal basis.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-04-13
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things recorded the public space. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2023-04-13
€112,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions. The original fine of EUR 140,000 was reduced to EUR 112,000 due to voluntary payment.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Aldi
2023-04-12
€253,000.00
Non-compliance with general data processing principles
Unknown
The Hungarian DPA imposed a fine of EUR 253,000 on the supermarket chain Aldi. Aldi had entered and stored the date of birth of many customers in the checkout system when purchasing alcoholic beverages. This procedure was introduced to make the cashiers' work easier, as the software could quickly calculate whether the person was over 18 or not, but was considered excessive by the DPA. Furthermore, ALDI did not answered any questions about the legal basis for this processing.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
REGENCY COMPANY SRL
2023-04-07
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), c) GDPR
Art. 6 GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on REGENCY COMPANY SRL. The controller had installed video surveillance cameras in its premises for the purpose of monitoring access of people and security of premises and property. However, this allowed it to monitor its employees extensively. In the course of its investigation, the DPA found that the video surveillance was partly carried out without the consent of the employees and that the purposes underlying the surveillance could also be achieved by means less intrusive into the privacy of the employees.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-04-05
€300.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property.
ICO
Information Commissioner
Media, Telecoms and Broadcasting
TikTok
2023-04-04
€14,500,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 12 GDPR
Art. 13 GDPR
The UK DPA (ICO) has fined TikTok EUR 14.5 million. The ICO had found that more than one million British children under the age of 13 were using TikTok without the consent of their parents. The ICO criticized TikTok for failing to implement adequate controls to identify and remove underage children from its platform. Further, the ICO found that TikTok did not provide users of the platform with sufficient and easily understandable information about the collection, use and disclosure of their data.
For this reason, the ICO concluded that TikTok had not ensured that its users' personal data was processed in a lawful, fair and transparent manner.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Tensa Art Design SRL
2023-04-04
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 21 (3) GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on Tensa Art Design SRL. An individual had filed a complaint for receiving promotional messages despite having filed an objection to receiving promotional messages and having their personal data processed for marketing purposes. The DPA considered this to be a violation of Art. 21 (3) GDPR.
AEPD
Spanish Data Protection Authority
Transportation and Energy
ENFOKA SISTEMAS GLOBALES, S.L.
2023-04-04
€18,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on ENFOKA SISTEMAS GLOBALES, S.L.. A customer had filed a complaint with the DPA due to the fact that the controller carried out a change of their electricity supply company without obtaining their consent beforehand. The original fine of EUR 30,000 was reduced to EUR 18,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
BANCO BILBAO VIZCAYA ARGENTARIA, S.A.
2023-04-04
€84,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 15 GDPR
The Spanish DPA has imposed a fine on BANCO BILBAO VIZCAYA ARGENTARIA, S.A.. During its investigation, the DPA found that the controller had registered alleged debts of a former client to the risk information center of the Spanish Central Bank without a valid legal basis. The DPA also found that the controller had not adequately complied with the former customer's request for access to their personal data. The original fine of EUR 140,000 was reduced to EUR 84,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Real Federación Española de Tenis de Mesa
2023-04-04
€10,000.00
Insufficient fulfilment of information obligations
Art. 9 (2) GDPR
The Spanish DPA has imposed a fine of EUR 10,000 on Real Federación Española de Tenis de Mesa. A participant in an examination to become a table tennis coach had filed a complaint with the DPA because they were required to show a Covid test in order to access the examination premises. During its investigation, the DPA found that the controller did not have a valid legal basis for this processing, as the legal provisions regarding hygiene concepts at that time did not require proof of testing.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Not assigned
Company
2023-04-04
€13,300.00
Insufficient fulfilment of information obligations
Art. 12 GDPR
Art. 13 GDPR
The Hungarian DPA has imposed a fine of EUR 13,300 on a company. A customer had filed a complaint with the DPA because a conversation, which they had with a sales representative of the controller, had been recorded without them being informed about this. The DPA considered this to be a breach of the controller's information obligations under the GDPR.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A.
2023-04-03
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
20 MINUTOS EDITORA, S.L.
2023-04-03
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on 20 MINUTOS EDITORA, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-04-03
€300.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Private individual
2023-03-27
€450.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
The Romanian DPA has imposed a fine of EUR 450 on an private individual. The individual had published personal data of numerous people on a social network without their consent.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
INMARAN ASESORES S.L.
2023-03-24
€1,000.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Spanish DPA has imposed a fine of EUR 1,000 on INMARAN ASESORES S.L. for failing to comply with an order issued by the DPA.
AEPD
Spanish Data Protection Authority
Industry and Commerce
ALI MARKET
2023-03-24
€360.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 30 GDPR
The Spanish DPA has imposed a fine of EUR 360 on ALI MARKET. The controller had failed to provide a notice with information about video surveillance in its premises. In addition, the controller failed to keep a proper register of processing activities.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
Tehnoplus Industry SRL
2023-03-23
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), e) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
The Romanian DPA has imposed a fine of EUR 5,000 on Tehnoplus Industry SRL.
An employee of the company had filed a complaint with the DPA because the controller had installed a GPS system in their company vehicle for the purpose of monitoring the vehicle without providing them with sufficient information about such installation. During its investigation, the DPA also found that the controller was processing the GPS data outside working hours and for purposes other than originally intended. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller was unable to prove that it did not store the data for longer than legally permitted.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Orange Espagne S.A.U.
2023-03-23
€70,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 70,000 on Orange Espagne S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions.
GARANTE
Italian Data Protection Authority
Health Care
Azienda socio-sanitaria locale n. 1 di Sassari
2023-03-23
€4,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 9 GPDR
Art. 32 GDPR
The Italian DPA has imposed a fine of EUR 4,000 on Azienda socio-sanitaria locale n. 1 di Sassari. The controller had mistakenly sent a document containing health data of the data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-03-23
€180.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on a private individual. The data controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility.
GARANTE
Italian Data Protection Authority
Health Care
Bolzano municipality
2023-03-23
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 25 GDPR
Art. 32 GDPR
Art. 33 GDPR
The Italian DPA has imposed a fine of EUR 30,000 on Bolzano municipality. The Bolzano health authority had reported a data breach to the DPA involving unauthorized access to the health records of a number of patients, which was caused by a deficiency in the electronic health record service that the municipality had delegated to a processor. During its investigation, the DPA found that although the leak occurred at the processor's site, the municipality should have taken appropriate technical and organizational measures to ensure that such incidents would be avoided.
GARANTE
Italian Data Protection Authority
Health Care
Informatica Alto Adige Spa
2023-03-23
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Italian DPA has fined Informatica Alto Adige Spa EUR 10,000. The municipality of Bolzano had reported a data protection breach to the DPA involving unauthorized access to the health data of a number of patients caused by a deficiency in the electronic health record that the municipality had delegated to Informatica Alto Adige Spa. During its investigation, the DPA found that Alto Adige Spa had failed to take appropriate technical and organizational measures to prevent such incidents.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
2023-03-21
€70,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 70,000 on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.. The data subject had received a message from a debt collection company on behalf of Caixabank requesting payment of outstanding debts. However, the debt had been annulled, which was also confirmed in a court ruling. For this reason, the DPA determined that the disclosure of the data subject's personal data for the purpose of contacting them regarding the settlement of the debt was unlawful.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
SOCIEDAD ESPAÑOLA DE RADIODIFUSIÓN, S.L.
2023-03-21
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on SOCIEDAD ESPAÑOLA DE RADIODIFUSIÓN, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
LA VANGUARDIA EDICIONES, S.L.
2023-03-21
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on LA VANGUARDIA EDICIONES, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
DIARIO ABC, S.L.
2023-03-21
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on DIARIO ABC, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
CONECTA5 TELECINCO, S.A.U.
2023-03-21
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on CONECTA5 TELECINCO, S.A.U.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
DISPLAY CONNECTORS, S.L.
2023-03-21
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on DISPLAY CONNECTORS, S.L.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
EL DIARIO DE PRENSA DIGITAL SL.
2023-03-21
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on EL DIARIO DE PRENSA DIGITAL SL.. Several media outlets, including the controller had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any significant value to the reporting, but rather severely compromised the victim's privacy. For this reason, the DPA found that the controller violated the principle of data minimization.
