
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority | Name | Fined Company | Fine | Violation | Description | Link
AEPD
Spanish Data Protection Authority
Industry and Commerce
Gerco Fit S.L.
2021-07-27
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Gerco Fit S.L. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the company Vasco Andaluza de Inversiones S.L., the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Vasco Andaluza de Inversiones S.L.
2021-07-27
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Vasco Andaluza de Inversiones S.L. The data subject had signed a contract with the gym Fitness Place. In this contract, the data subject agreed that his data could be shared with the controller, the owner of Fitness Place sports centers. However, the company shared the data with Gerco Fit S.L. and Body Tonic Shop S.L., although this was not foreseen in the contract. Gerco Fit S.L. and Body Tonic Shop S.L. then processed the data without a legal basis.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
APARTAMENTOS PLAYA DE COVACHOS, S.L.
2021-07-27
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on APARTAMENTOS PLAYA DE COVACHOS, S.L. The controller had installed a video surveillance system at its resort and informed about it on information posters, which, however, did not contain any information about the identity and contact details of the responsible person.
AEPD
Spanish Data Protection Authority
Employment
UST GLOBAL ESPAÑA, S.A.
2021-07-27
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on UST GLOBAL ESPAÑA, S.A. An employee filed a complaint against the controller with the DPA. UST GLOBAL ESPAÑA, S.A. was acting as a service provider for OpenBank as part of a project. On 08.01.2020, the controller informed OpenBank by email that two new employees (one of them the complainant) would join the project, for which it requested access to the VPN and other applications. This email, which was sent with a copy to both employees, included their first and last names, professional email addresses, and ID card numbers. In this way, each employee gained unauthorized access to the other's data. The DPA considered this to be a violation of the principle of integrity and confidentiality.
AEPD
Spanish Data Protection Authority
Industry and Commerce
INSTAPACK, S.L.
2021-07-27
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) a) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on INSTAPACK, S.L. A data subject had filed a complaint with the DPA. The reason for the complaint was that he had been receiving thousands of SMS messages on his cell phone every month informing him of the receipt of orders and deliveries and, in this context, asking him to rate the company. He also stated that he had sent a request for deletion of his data to the contact address indicated on the controller's website, but had not received a reply. Even after he submitted the deletion request, the sending of the messages continued.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-07-27
€4,000.00
Non-compliance with general data processing principles
Art. 5 (1) c), e) GDPR
The Spanish DPA (AEPD) has fined a private individual EUR 4,000 for unauthorized video surveillance. The controller had installed two cameras on a public road and another in a tree which covered parts of a private property. In addition, the DPA found that the controller stored the recordings for longer than necessary. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Intersumi S.C.
2021-07-26
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on Intersumi S.C. The controller failed to provide an adequate privacy statement on its website.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Fincas Miguel García S.L.
2021-07-26
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined Fincas Miguel García S.L. in the amount of EUR 2,000. A data subject had filed a complaint against the controller, alleging a breach of Art. 13 GDPR. The DPA found that the information provided to the data subject by the controller did not comply with the provisions of Art. 13 GDPR, as essential aspects were missing, such as information on the purposes of the processing for which the personal data collected are intended and its legal basis, as well as information on the legitimate interests of the controller that justify the processing, the period for which the personal data will be stored and the right to withdraw consent at any time.
CNIL
French Data Protection Authority
Industry and Commerce
Monsanto Company
2021-07-26
€400,000.00
Insufficient fulfilment of information obligations
Art. 14 GDPR
Art. 28 GDPR
The French DPA (CNIL) has fined MONSANTO EUR 400,000. In May 2019, several media revealed that MONSANTO was in possession of a file containing the personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe. At the same time, the CNIL received seven complaints from data subjects affected by this file. For each of these individuals, the file contained information such as the organization they belonged to, the position they held, their business address, their business phone number, their cell phone number, their business email address, and in some cases their Twitter account. In addition, CNIL noted that each person was assigned a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues. The DPA believes that the company violated the provisions of the GDPR by not informing the data subjects that their data was stored in this file. In addition, the CNIL complained that the company had not given the contractual guarantees that should normally regulate the relationship with a subcontractor. The creation of contact files by stakeholders for lobbying purposes is not illegal in itself. However, CNIL stressed that data subjects nevertheless have the right to be informed of the existence of the file in order to exercise additional rights, in particular the right to object. In addition, the CNIL found that the data collection was carried out by a provider contracted by Monsanto and that Monsanto violated Article 28 of the General Data Protection Regulation by not including in its contracts with the data processor the provisions foreseen in the GDPR, in particular regarding data security.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Mercadona S.A.
2021-07-26
€2,520,000.00
Insufficient legal basis for data processing
Art. 5 (1) c) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 25 (1) GDPR
Art. 35 GDPR
The Spanish DPA (AEPD) has fined Mercadona S.A. EUR 2,520,000. The controller had installed facial recognition systems in Mercadona stores for the purpose of tracking individuals with criminal convictions or restraining orders. The system captured everyone who entered the stores, including minors and MERCADONA employees. During its investigation, the DPA found numerous privacy violations. For instance, the system violated the principle of data minimization and the principles of necessity and proportionality, since the controller could process multiple biometric data beyond the purpose of the system. In addition, the DPA concluded that Mercadona's privacy impact assessment was deficient as it did not take into account the specific and unique risks to Mercadona's employees posed by data processing through facial recognition systems. Furthermore, MERCADONA had violated its duty to inform by not properly providing data subjects with information about the processing of their personal data. The original fine of EUR 3,150,000 consisted of EUR 500,000 due to a violation of Art. 5(1)(c), EUR 2,000,000 due to a violation of Art. 6 and Art. 9 of the GDPR, EUR 100,000 due to a violation of Art. 12 and Art. 13 of the GDPR, EUR 500,000 due to a violation of Art. 25(1) of the GDPR, and EUR 50,000 due to a violation of Art. 35 of the GDPR. The original fine was reduced to EUR 2,520,000 due to voluntary payment.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Deliveroo Italy s.r.l.
2021-07-22
€2,500,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), e) GDPR
Art. 13 GDPR
Art. 22 (3) GDPR
Art. 25 GDPR
Art. 30 (1) c), f), g) GDPR
Art. 32 GDPR
Art. 35 GDPR
Art. 37 (7) GDPR
The Italian DPA (Garante) has fined food delivery service Deliveroo Italy s.r.l. EUR 2,500,000 for unlawfully processing the personal data of approximately 8000 drivers. Garante's investigation revealed numerous and serious data protection violations. The violations included a lack of transparency in the algorithms used to manage drivers, both when assigning jobs and when booking work shifts. Deliveroo had used a centralized system for driver management through which it then processed and managed the assignment of orders as well as the booking of work shifts. However, Garante notes that the controller did not adequately inform the drivers about the functioning of the system they had installed on their smartphones, and did not ensure the accuracy and correctness of the results of the algorithmic systems used to evaluate the drivers. In addition, Garante found that Deliveroo carried out a meticulous control of the drivers' work performance - through the continuous geolocation of their device, which went far beyond what was necessary to assign the order (e.g., recording the position every 12 seconds) - and through the storage of a large amount of personal data collected during the execution of the orders, including communication with customer service. In this context, the storage period of the various data had not been defined in a manner appropriate to the purpose. Instead, the controller had defined a flat storage period of six years. Furthermore, the Garante found that the controller had not implemented adequate technical and organizational measures to ensure adequate security of the processing. Deliveroo Italy had also not conducted a data protection impact assessment, although this would have been necessary due to the risk posed to the drivers.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Regione Lombardia
2021-07-22
€200,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
The Italian DPA (Garante) has imposed a fine of EUR 200,000 on the Region of Lombardy. The region had published on its website the personal data of more than 100,000 students who had applied for state scholarships or financial grants for the purchase of textbooks, technical equipment and teaching materials. As the Garante's preliminary audit revealed, it was possible to view and download the list of approved and funded applications, the list of approved and to be funded applications, the list of state scholarship recipients and the list of ineligible applications from the region's website. These lists included personally identifiable information such as the application ID, the applicant's name, the student's grade, the code and name of the school, as well as the application number. In this context, the DPA stated that the data of persons applying for economic benefits must be protected in a special way to prevent the economic and social hardship of the data subjects from becoming evident.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Roma Capitale
2021-07-22
€800,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 28 GDPR
Art. 32 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 800,000 on Roma Capitale. The Garante had launched an investigation following a complaint from an individual about the new parking meters installed in the city in 2018. The company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and to introduce new payment methods that also take into account the vehicle's license plate number. Part of the equipment was supplied by another company, Flowbird Italia s.r.l. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. Irregularities were identified during the investigation. Namely, the city of Rome, as data controller, had not provided information on the processing of the drivers' data, had not designated the company Atac as data processor, and had not provided it with the necessary instructions for processing the data collected. Also, the subcontractor had neither been formally designated nor instructed on how to proceed with the data processing. It was also found that the companies had not established a data processing register. Furthermore, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by Atac were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person's habits and parking location.
In calculating the fine for the unlawful data processing, the DPA aggravatingly took into account the large amount of personal data processed (from June 2018 to November 2019, the system established by Atac had already collected the data of 8,600,000 stops and potentially affects all users of the paid parking service in the city area) and the sanctions already received for data protection violations, but also the positive cooperation offered by the city and the companies to remedy some violations detected during the inspection.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Flowbird Italia s.r.l.
2021-07-22
€30,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 30 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 30,000 on Flowbird Italia s.r.l. The Garante had launched an investigation following a complaint from an individual about the new parking meters that were installed in the city of Rome in 2018. The company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and to introduce new payment methods that also take into account the vehicle's license plate number. Part of the equipment was supplied by Flowbird Italia s.r.l. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. During the investigation the DPA found that Flowbird Italia had not established a data processing register.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Atac s.p.a.
2021-07-22
€400,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 30 GDPR
Art. 32 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 400,000 on Atac s.p.a. The Garante had launched an investigation following a complaint from an individual about the new parking meters installed in the city of Rome. The company Atac s.p.a., which was contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transport tickets) and to introduce new payment methods that also take into account the vehicle's license plate number. All parking information was then managed through a centralized system, which could also be accessed through an app by the employees responsible for controlling parking fees. Irregularities were identified during the investigation. It was found that Atac had not established a data processing register. Also, the retention periods for the collected data were not specified, and appropriate security measures were not taken. For example, it was found that at the time of the audit, some data flows to and from the system implemented by Atac were going through insecure channels. In addition, officials could have checked any license plate en masse and repeatedly over time, for example, to find out a person's habits and parking location.
CNIL
French Data Protection Authority
Finance, Insurance and Consulting
SGAM AG2R LA MONDIALE
2021-07-20
€1,750,000.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
Art. 13 GDPR
Art. 14 GDPR
The French DPA (CNIL) has fined private insurer SGAM AG2R LA MONDIALE EUR 1,750,000. The CNIL had carried out an inspection at the AG2R LA MONDIALE group in 2019. On this occasion, the CNIL found that the controller kept the data of millions of individuals for an excessive period of time and did not comply with their information obligations in the context of telephone canvassing campaigns. With regard to the data of prospects, the controller did not comply with the maximum retention period of three years defined in the reference framework and in the Group's processing register. As a result, the controller retained the data of nearly 2,000 customers who had not been in contact with the controller for more than three years, and in some cases five years. In relation to customer data, the controller did not comply with the maximum statutory retention periods stipulated in the Insurance Code and the Commercial Code. In this case, the controller retained the data of more than 2 million customers, some of which were sensitive (health) or specific (banking data), beyond the legally permitted retention periods after the end of the contract.
DATATILSYNET
Danish Data Protection Authority
Health Care
Region of Syddanmark
2021-07-16
€67,900.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA (Datatilsynet) has fined the Region of Syddanmark EUR 67,900 for failing to comply with its obligation as a data controller to implement adequate security measures. The matter came to the attention of the DPA when a citizen complained to the authority in 2020 about the lack of security in the processing of personal data of the citizen's child by the region, and shortly thereafter the region reported the matter to the authority as a personal data breach. The Region of Syddanmark had maintained a database for research and clinical purposes for a period of more than 1.5 years, whereby the database was not adequately secured against unauthorized access. By manipulating URLs, it was possible to gain access to PDF documents stored in the database. This allowed citizens who were registered in the database - and who also had a login to the database - to access the personal data of people registered in the database. The database contained questionnaires with health information on more than 30,000 children receiving psychiatric care.
CNPD
National Commission for Data Protection
Industry and Commerce
Amazon Europe Core S.à.r.l.
2021-07-16
€746,000,000.00
Non-compliance with general data processing principles
Unknown
In its quarterly report, Amazon.com Inc. announced that the DPA from Luxembourg (CNPD) had fined Amazon Europe Core S.à r.l. EUR 746,000,000 for failing to process personal data in compliance with the GDPR. Amazon plans to take legal action against the decision.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica Móviles España, S.A.U.
2021-07-12
€45,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has fined Telefónica Móviles España, S.A.U. EUR 45,000. A data subject filed a complaint against the controller with the DPA. His complaint was based on the fact that his telephone number and customer profile were used by controller employees to conduct tests in call centers and branches without his consent. As a result, the data subject received 247 unsolicited calls from the controller. The original fine of EUR 75,000 was reduced to EUR 45,000 due to immediate payment and acknowledgement of responsibility.
DATATILSYNET
Danish Data Protection Authority
Health Care
Medicals Nordic I/S
2021-07-09
€80,700.00
Non-compliance with general data processing principles
Unknown
The Danish DPA (Datatilsynet) has fined Medicals Nordic I/S EUR 80,700. In January 2021, the DPA became aware that Medicals Nordic was using WhatsApp to transmit confidential information and health data about citizens being tested in the company's test centres. All employees working in a test centre were invited to a WhatsApp group associated with the test centre. The members of these WhatsApp groups received all the messages transmitted by other employees in the groups. The employees shared confidential information about citizens with the company's central administration through those WhatsApp groups. This meant that employees who did not have a work-related need to process the information (which other employees had to transmit to the central administration) nevertheless received it, including, inter alia, personal identity numbers and health data of citizens.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Aparcamiento Arcusa S.L.U.
2021-07-09
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on Aparcamiento Arcusa S.L.U. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine is made up of EUR 1,000 for a violation of Art. 5 (1) c) GDPR and EUR 500 for a violation of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Caixabank S.A.
2021-07-08
€50,000.00
Insufficient legal basis for data processing
Art. 6 (1) f) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 50,000 on Caixabank S.A. A data subject had filed a complaint with the DPA because he had received commercial advertising from the controller, although he had objected to the processing of his data for advertising purposes and the controller had replied that it would comply with this request.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Malagatrom S.L.U.
2021-07-08
€4,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Malagatrom S.L.U. The data subject had purchased a product from the controller via the platform 'Amazon', which was delivered defectively. The data subject then decided to leave a negative review on the controller's store page due to the defective delivery. Thereupon, the controller published personal data of the data subject, such as his first and last name, address, cell phone number as well as the name of his wife and her cell phone number, on the controller's store page in the Amazon portal.
HDPA
Hellenic Data Protection Authority
Health Care
Pediatrician
2021-07-08
€5,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (1) GDPR
Art. 15 (1) GDPR
The Hellenic DPA has fined a pediatrician EUR 5,000. A father had asked the controller to view the medical records contained in his child's patient file via e-mail. However, the controller did not comply with this request.
DATATILSYNET
Danish Data Protection Authority
Employment
Nordbornholms Byggeforretning Aps
2021-07-07
€53,800.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Danish DPA (Datatilsynet) has imposed a fine of EUR 53,800 on Nordbornholms Byggeforretning Aps. In 2018, the DPA was contacted by a data subject who complained that his former employer, Nordbornholms Byggeforretning ApS, had disclosed information about him to the company's customers. The controller had emailed two of the company's customers informing them that the former employee had committed crimes in the course of employment and had admitted to committing them, as well as describing in detail the alleged course of events. According to the DPA, the controller in such a case had a legitimate interest in disclosing information about the former employee's dismissal to its customers and in informing the customers that, as a result, the employee could not enter into any contracts on behalf of the company. However, such a detailed description of the allegations was not necessary and thus unlawful.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2021-07-07
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Usage of CCTV camera which also captured the public space in violation of the principle of data minimisation.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Marbella Resorts S.L.
2021-07-06
€4,200.00
Insufficient data processing agreement
Art. 28 (3) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 7,000 on Marbella Resorts S.L. In the case at hand, the data subject had booked a room in the hotel complex of the controller. On the day of the data subject's arrival, a concierge made copies of the data subject's data. However, the concierge was not authorized to do so; he was solely authorized to verify the reservation and then to give the guests the keys to their room. After providing the controller with his personal data, the data subject discovered that his personal data had been published on a page with online content for adults. In this regard, the DPA found a lack of diligence on the part of the controller in managing the personal data of its customers and thus a violation of Article 28 (3) GDPR. The fine is composed of EUR 2,000 for a breach of Art. 22(2) LSSI and EUR 5,000 for a breach of Art. 28(3) GDPR. However, the original fine of EUR 7,000 was reduced to EUR 4,200 due to immediate payment and admission of guilt.
AZOP
Croatian Data Protection Authority
Industry and Commerce
IT services company
2021-07-05
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2) GDPR
A Croatian IT company provides IT services to entities such as mobile operators, banks and state institutions in Croatia, as well as to companies abroad (USA, Great Britain, the Netherlands, etc.), thereby acting as a data processor in relation to personal data. The data controller, a telecommunications company using the services of the IT provider, informed the DPA, as well as its users, of the potential breach of personal data by the IT provider. The incident consisted of a security breach which led to unauthorized access to and processing of personal data by hackers and involved the personal data of 28,085 data subjects. The incident occurred because the IT provider had not taken the necessary measures to achieve an adequate level of security in accordance with existing and foreseeable risks. The IT provider, as a data processor, was obliged to take appropriate technical security measures in such a way as to ensure the permanent confidentiality of the system, including regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure security of processing. When assessing the appropriate level of security, the IT provider should have taken particular account of the risks of unauthorized disclosure of personal data. Due to the failure to take appropriate technical measures for the security of personal data processing, the DPA imposed an administrative fine on the IT provider. The amount of the fine is unknown at the moment. In its decision, the DPA took into account the nature of the IT provider's business activity, whose role should be to support other entities through opinions and guidelines, proposing solutions for the implementation of web applications, and especially designing and implementing appropriate technical measures.
ICO
Information Commissioner
Individuals and Private Associations
Mermaids
2021-07-05
€29,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1), (2) GDPR
The ICO has fined transgender charity Mermaids EUR 29,000 for failing to protect the personal data of its users, in breach of Art. 5 (1) f) UK GDPR and Art. 32 (1), (2) UK GDPR. The ICO conducted an investigation after it received a report of a data breach relating to an internal email group. During the investigation, the ICO found that the group had been created with insufficiently secure settings, resulting in approximately 780 pages of confidential emails being viewable online for nearly three years. As a result, personal information, such as names and email addresses, of 550 people was exposed online. The ICO concluded that Mermaids should have restricted access to its email group and could have considered pseudonymization or encryption to provide additional protection for the personal data. Organizations responsible for personal data must ensure that they take the appropriate technical and organizational measures to ensure the security of personal data.
AZOP
Croatian Data Protection Authority
Finance, Insurance and Consulting
Insurance company
2021-07-05
Unknown
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 14 GDPR
Art 27 (1) of the National Implementation Law
The DPA has, ex officio and without prior notice, conducted a direct supervision of an insurance company based in Zagreb. Upon inspection of its business facility for carrying out technical inspections, vehicle registration and the contracting of insurance services, the DPA established that both the business facility and its outer surface are under video surveillance. However, the DPA also established that the insurance company had failed to provide notice of such surveillance, which is contrary to Art 27 (1) of the Law on the Implementation of GDPR. Namely, data controllers and processors are obliged to indicate that the object and its outer surface are under video surveillance; such notice must be visible at the latest when entering the perimeter of the recording and must contain all the prescribed information. Due to the breach, the DPA imposed an administrative fine on the insurance company.
Deputy Data Protection Ombudsman
Employment
Higher Education Institution
2021-07-05
€25,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 6 GDPR, § 3 Law 759/2004
The Finnish DPA imposed a fine of EUR 25,000 on a higher education institution for data protection violations in the processing of employee location data. The controller had introduced a mobile application that allowed teleworkers to clock in and out. The use of the application on a mobile device also required authorization for location data collection. The collection of location data at the time of clocking in was a feature of the app, without which it was not possible to clock in working hours using the app. According to the information received from the controller, the controller did not actively use or exploit the location data in any situation, but only processed the location data at the time of clocking in for technical reasons. However, the mere fact that time clocking is not possible in the application without processing the location data does not make it necessary to process them. The DPA therefore considered this to be a violation of the lawfulness of the data collection and of the principle of data minimization, since the processing of location data was not necessary for the purpose of the processing - i.e., the mere recording of working hours.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-07-02
€1,500.00
Insufficient legal basis for data processing
Art. 6 (1) a) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. That private individual had published personal data of the data subject on a website without her permission. The data included photos, personal notes and information about the sexual relationship between the controller and the data subject. The DPA finds that the controller processed these data without a valid legal basis and thus violated Art. 6 (1) a) GDPR.
AEPD
Spanish Data Protection Authority
Not assigned
Unknown
2021-07-01
€1,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a company. The controller had used the personal data of a third party in order to obtain a microcredit. The DPA states that the controller lacked a legal basis for the processing and thus violated Art. 6 (1) GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-07-01
€6,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on a private individual. On July 8, 2020, the DPA became aware of the dissemination on social networks of a video showing images of aggression by a man against a woman, as well as a young male minor intervening in the scene and trying to prevent the aggression that was taking place. However, the faces of the woman and the minor had not been pixelated. The original fine of EUR 10,000 was reduced to EUR 6,000 due to timely payment and admission of guilt.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra
2021-06-30
€3,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Polish DPA (UODO) has imposed a fine of EUR 3,000 on Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra (the Lex Nostra Foundation for the Promotion of Mediation and Legal Education). The controller had not immediately informed the DPA and the data subjects about a personal data breach. Several folders containing personal data had been stolen from the controller in early 2020. These included the names, addresses and telephone numbers, and in 3 to 4 cases also the PESEL numbers (Polish identification number), of 96 data subjects.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-06-29
€12,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 12,500 on a company. The company had installed a video surveillance system for the purpose of protecting company property, securing access to private and high-risk locations, and ensuring the safety of users and preventing accidents. However, the cameras also excessively captured parts of the public space and workplaces of employees. The DPA finds that the controller thus violated the principle of data minimization under Art. 5 (1) c) of the GDPR. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
Deputy Data Protection Ombudsman
Media, Telecoms and Broadcasting
Magazine publisher
2021-06-24
€8,500.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 7 (2), (4) GDPR
Art. 12 (2) GDPR
Art. 21 (2) GDPR
Art. 24 (1) GDPR
Art. 28 (1), (3) GDPR
The Finnish DPA has imposed a fine of EUR 8,500 on a magazine publisher. The DPA received four complaints against the magazine publisher for unsolicited telephone advertising. The controller had carried out direct marketing using an automated calling system, without valid consent from the recipients of the calls. Specifically, the controller had obtained the apparent consent for direct marketing when a customer subscribed to a magazine on its website, for example. The subscriber to the magazine was required to accept the terms of the subscription and contract, which included consent to direct marketing. If consent to direct marketing was not given, the magazine could not be subscribed to. The DPA states that the consent and the way it was obtained did not comply with the GDPR. Indeed, the consent was not specifically requested for direct marketing, and consent collected together with the subscription and contract terms did not constitute voluntary consent for the purpose of direct marketing. In addition, it was not possible for data subjects to exercise their right to object, because the direct marketing calls were made using automated calling systems and the voice bots could not understand specific questions from data subjects about their data. Furthermore, the magazine publisher had commissioned a call center to carry out the advertising campaign and had not regulated its processing activities in a contract on commissioned processing.
DATATILSYNET
Norwegian Supervisory Authority
Employment
Unknown
2021-06-22
€24,800.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 17 GDPR
Art. 21 GDPR
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company's managing director logged into the complainant's email inbox on a daily basis for a period of six weeks after the former employee's employment was terminated. In total, the managing director had access to the account for a period of five months. The process had been justified by business requirements (e.g., processing customer inquiries). However, the DPA found that the controller lacked a legal basis for such access to the data subject's e-mail account. In addition, the DPA concluded that the controller had breached its information obligations under Art. 13 GDPR, its obligation to delete the contents of the data subject's e-mail account under Art. 17 GDPR and its obligation to consider the complainant's objection under Art. 21 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
TNT EXPRESS WORLDWIDE SPAIN, S.L.
2021-06-22
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) d) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 10,000 on TNT EXPRESS WORLDWIDE SPAIN, S.L. The data subject had placed a private order with the controller and had entered the address of his workplace as the delivery address. The parcel was delivered correctly, but the invoice was issued to the company where the data subject was employed and not to the data subject. Both the invoice and the delivery bill contained various personal data of the data subject. These were disclosed to his employer as a result of the incident.
VDAI
Lithuanian Data Protection Authority
Industry and Commerce
UAB VS FITNESS
2021-06-21
€20,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 9 (1) GDPR
Art. 13 (1), (2) GDPR
Art. 30 GDPR
Art. 35 (1) GDPR
The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA's review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that the controller also unlawfully processed employees' fingerprints. The controller also failed to set out for what purpose and on what legal basis it processed the employees' biometric data. It also did not conduct a data protection impact assessment and did not demonstrate the necessity and proportionality of the processing of the employees' fingerprints. Furthermore, the DPA finds that the controller did not comply with its information obligations pursuant to Art. 13 GDPR.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Transportation and Energy
Storstockholms Lokaltrafik
2021-06-21
€1,600,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) f) GDPR
Art. 13 GDPR
The Swedish DPA has fined Storstockholms Lokaltrafik (Stockholm Local Transport Company) EUR 1,600,000. The controller had equipped ticket inspectors with body-worn cameras, which were designed to prevent threatening situations, document incidents, and ensure that the right person was fined for traveling on Stockholm's public transportation without a valid ticket. Ticket inspectors were required to keep the camera on for their entire shift and were therefore able to film all passengers who passed the inspector. Since several hundred thousand people use public transportation in Stockholm every day, a large number of people were thus at risk of being monitored by video and audio recordings. The DPA believes that body-worn camera technology could be used to prevent and document threatening situations, but that the pre-recording time should be reduced to a maximum of 15 seconds, as a longer pre-recording time is not necessary to achieve the above-mentioned purposes. Furthermore, the DPA found that audio recordings did not contribute to the identification of persons without a valid ticket. The DPA therefore considered the audio recordings to be a violation of the principles of legality and transparency as well as data minimization. The DPA also criticized the controller for not providing sufficient information about the camera surveillance, including the fact that not only images but also sounds were recorded.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A.
2021-06-21
€35,300.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The controller had sent an email that contained personal data of a customer to the wrong recipient. The leaked data included the name and postal address of the data subject and insurance details. In this context, the controller had informed neither the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Media, Telecoms and Broadcasting
Magyar Telekom Nyrt.
2021-06-18
€28,400.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) d) GDPR
Art. 6 (1) GDPR
Art. 12 (2), (3), (4) GDPR
Art. 17 (1) GDPR
Art. 25 GDPR
The Hungarian DPA (NAIH) has imposed a fine of EUR 28,400 on Magyar Telekom Nyrt. The controller had mistakenly sent an e-mail newsletter to the data subject. This occurred due to the fact that a third party had mistakenly entered the wrong e-mail address, namely that of the data subject. The data subject then requested the controller to delete his data several times. He continued to receive the newsletter and instead of deleting the data, the controller sent him a link to unsubscribe from the newsletter.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Vejle Municipality
2021-06-16
€27,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA (Datatilsynet) has imposed a fine of EUR 27,000 on Vejle municipality. The Danish DPA had started investigations against the municipality after it had reported a data breach pursuant to Art. 33 GDPR. The municipal dental care service had sent automated welcome letters to both parents as part of the treatment of children, which contained the contact details of both parents. In this process, the municipality had not checked whether it was permitted to pass the information on to the other parent. In several cases, parents thus received the address of the other parent, regardless of whether the other parent had name and address protection. The DPA considered this to be a failure of the municipality to take technical and organizational measures to ensure adequate data protection.
PERSÓNUVERND
Icelandic data protection authority
Employment
Huppuís ehf
2021-06-15
€34,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 6 (1) GDPR
Art. 12 (1) GDPR
Art. 13 (1), (2) GDPR
The Icelandic DPA (Persónuvernd) has imposed a fine of EUR 34,000 on Huppuís ehf. A former employee filed a complaint against the controller with the DPA. The reason for this was the camera surveillance installed by the controller. During their shifts, the controller's employees wore clothing provided by the controller. However, the designated changing room of the store was a storage room in which large quantities of cleaning materials were stored. Due to a lack of sufficient space in this room, the employees (mostly minors) had to change in the general employee area, which was covered by a video camera. The controller stated that they had installed the video camera for security purposes. The DPA concluded that the controller had a legitimate interest in the video surveillance, but that the interests of the mostly underage employees must also be taken into account. The controller should have tried to implement less restrictive measures. In addition, the DPA underlined that the information on video surveillance was inadequate in both the employee and customer service areas. In determining the amount of the fine, the fact that a large number of the data subjects were minors was taken into account as an aggravating factor.
AEPD
Spanish Data Protection Authority
Real Estate
Inmopiso Zaragoza S.L.
2021-06-14
€1,200.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The controller failed to provide accurate information about the data collection in accordance with Art. 13 GDPR. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of guilt.
CNIL
French Data Protection Authority
Industry and Commerce
BRICO PRIVÉ
2021-06-14
€500,000.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
Art. 13 GDPR
Art. 17 GDPR
Art. 32 GDPR
Art. 82 Loi informatique et libertés
Art. L. 34-5 CPCE
The French DPA (CNIL) has imposed a fine of EUR 500,000 on BRICO PRIVÉ. CNIL conducted three inspections at BRICO PRIVÉ between 2018 and 2021 and identified several deficiencies in the processing of personal data of prospects and customers. The controller, for example, had not complied with the data retention periods it had established. In this regard, the data of more than 16,000 customers who had not placed an order in the last five years had been retained. The same applied to more than 130,000 people who had not logged into their customer accounts for five years. In addition, the controller violated its information obligations under Art. 13 GDPR. Furthermore, the controller failed to fulfill its obligation to fully comply with the deletion requests received. The CNIL also found that the controller did not implement sufficient technical and organizational measures to ensure information security. Thus, for example, the controller did not require the use of a secure password when an account was opened on the company's website or when employees accessed the customer relationship management software. The fine is composed proportionately of EUR 300,000 for violations of Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR and Art. 32 GDPR and EUR 200,000 for violations of Art. 82 Loi informatique et libertés and Art. L. 34-5 CPCE.
CNPD
National Commission for Data Protection
Employment
Unknown
2021-06-11
€7,200.00
Non-compliance with general data processing principles
Art. 5 (1) c), e) GDPR
Art. 13 GDPR
Art. 32 (1) GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 7,200 on a company. The company had installed a video surveillance system to protect the company's assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee's work area and the smoking area that employees frequently used. Furthermore, the controller had installed location sensors on the cars in its fleet. This was intended to optimize the company's operations. The DPA finds that the recording of employees was not necessary to ensure the purposes associated with the video surveillance and was therefore disproportionate. The DPA states that the controller thus violated the principle of data minimization under Article 5 (1) c) of the GDPR. The location data collected by the controller was stored for a period of eight months, although this would not have been necessary for the purposes of the processing. The DPA considered this to be a violation of the principle of data retention. Furthermore, the DPA found a violation of the information obligations set out in Art. 13 GDPR. Finally, the DPA found a violation of Art. 32 (1) GDPR. All persons who had authorized access to the software via which the locations could be tracked used the same account and not an individual account.
CNPD
National Commission for Data Protection
Employment
Unknown
2021-06-11
€7,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 7,600 on a company. This company had installed a video surveillance system for the purpose of protecting the company's assets, preventing intrusion by unauthorized persons and preventing accidents. However, two of the cameras also covered parts of a public street and six of the cameras covered the workplaces of some employees. The DPA states that the recording of the employees and the public street was not necessary to ensure the purposes associated with the video surveillance and was therefore disproportionate. The DPA finds that the controller thus breached the principle of data minimization under Article 5 (1) c) of the GDPR. In addition, the DPA found that the controller had not complied with its information obligations under Article 13 GDPR.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-06-11
€15,000.00
Insufficient involvement of data protection officer
Art. 38 (1), (3) GDPR
Art. 39 (1) a), b) GDPR
The DPA of Luxembourg (CNPD) has imposed a fine of EUR 15,000 on a company. During an investigation, the DPA found that the controller had not sufficiently involved the data protection officer in all matters relating to the protection of personal data. In addition, the controller had not guaranteed sufficient autonomy for the data protection officer. Lastly, the data protection officer had not received sufficient training to be able to properly and independently advise and inform the controller.