A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Each entry below gives the data protection authority (abbreviation and full name), the sector, the fined company, the decision date, the fine, the violation type, the GDPR articles breached, and a description of the case.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Foodinho s.r.l.
2021-06-10
€2,600,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), e) GDPR
Art. 13 GDPR
Art. 22 (3) GDPR
Art. 25 GDPR
Art. 30 (1) a), b), c), f), g) GDPR
Art. 32 GDPR
Art. 35 GDPR
Art. 37 (7) GDPR
The Italian DPA (Garante) has fined Foodinho s.r.l. EUR 2,600,000. Foodinho is an Italian food delivery service, and the investigation focused mainly on its drivers. The DPA found serious violations of data protection law, in particular concerning the algorithms of the Foodinho platform: the controller had not adequately informed the drivers about how the system worked and did not guarantee the accuracy and correctness of the results of the algorithms used to evaluate them. The DPA also found violations of the principles of data minimization and storage limitation: the systems processed drivers' data beyond what the purpose of the processing required and, in some cases, retained it significantly longer than necessary. In addition, the controller had not taken sufficient technical and organizational measures to ensure secure processing, and had not carried out a data protection impact assessment, although one was required given the considerable volume of data of different types relating to a significant number of data subjects. Separate proceedings against the parent company GlovoApp23 are being conducted by the Spanish DPA (AEPD).
GARANTE
Italian Data Protection Authority
Health Care
Dentist
2021-06-10
€20,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
The Italian DPA (Garante) has fined a dentist EUR 20,000. A data subject filed a complaint with the DPA against the dentist for refusing to treat him after the data subject had indicated he had HIV in his medical history form.
In the dentist's clinic it was common practice for patients to complete a medical history form before treatment, which included questions about previous, existing or suspected infectious diseases (e.g. tuberculosis, hepatitis, HIV). The DPA found a violation of the principle of lawfulness: it is legitimate to ask for such information in order to plan medical treatment better, but it is not permissible to collect it and then refuse to treat the patient.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Aeroporto Guglielmo Marconi di Bologna S.p.a.
2021-06-10
€40,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 25 GDPR
Art. 32 GDPR
The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the workplace is high. The controller is therefore obliged to comply with the data protection principles and to ensure the integrity and security of the data. Against this background, the Italian DPA (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software supplier EUR 20,000 for violations of the GDPR. The DPA's investigation found that the application for collecting and managing reports of unlawful conduct was accessed without a secure transport protocol such as HTTPS, and that the application itself did not encrypt the reporting party's identification data, the content of the report or the attached documents. The DPA considered this a violation of the obligation to take technical and organizational measures that ensure a level of security appropriate to the risk to the data subjects. In addition, the DPA found that the controller should have conducted a data protection impact assessment, given the sensitivity of the information processed and the vulnerability of the data subjects.
GARANTE
Italian Data Protection Authority
Industry and Commerce
aiComply S.r.l.
2021-06-10
€20,000.00
Insufficient technical and organisational measures to ensure information security
Art. 28 GDPR
Art. 32 GDPR
The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the workplace is high. The controller is therefore obliged to comply with the data protection principles and to ensure the integrity and security of the data. Against this background, the Italian DPA (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software supplier aiComply S.r.l. EUR 20,000 for violations of the GDPR.
The DPA's investigation found that the application for collecting and managing reports of unlawful conduct was accessed without a secure transport protocol such as HTTPS, and that the application itself did not encrypt the reporting party's identification data, the content of the report or the attached documents.
The DPA considered this a violation of the obligation to take technical and organizational measures that ensure a level of security appropriate to the risk to the data subjects.
In addition, the DPA found that aiComply had failed to contractually regulate its relationships with two other companies that processed data on its behalf (sub-processors), as Art. 28 GDPR requires.
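The two technical findings against the airport and aiComply (plaintext transport, and no encryption of the reporter's identity, the report and its attachments) map onto two controls. The Go program below is an added example, not code from the Garante decision or from either company: it refuses a submission that did not arrive over TLS, and it stores a report only as an AES-256-GCM ciphertext with the record ID bound as associated data, so a stolen database row reveals nothing about who reported what. The `Report`/`StoredReport` types, the `RequireTLS`, `SealReport` and `OpenReport` names and the in-process key are assumptions for illustration; real key management (a KMS or HSM) is out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Report is what the reporting party submits: the three items the Garante
// found held without encryption (reporter identity, report, attachments).
type Report struct {
	ReporterName string `json:"reporter_name"`
	Body         string `json:"body"`
	Attachment   []byte `json:"attachment"`
}

// StoredReport is the only form that reaches the database: a random record
// ID, a fresh nonce and the AES-256-GCM ciphertext of the whole report.
type StoredReport struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

var ErrInsecureTransport = errors.New("whistleblowing endpoint reached without TLS")

// RequireTLS refuses a submission that did not arrive over HTTPS before the
// body is read. Assumes TLS terminates in this process; behind a proxy,
// check the proxy's trusted X-Forwarded-Proto header instead (assumption).
func RequireTLS(r *http.Request) error {
	if r.TLS == nil {
		return ErrInsecureTransport
	}
	return nil
}

// newGCM expects a 32-byte key (AES-256); aes.NewCipher rejects other sizes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealReport encrypts the complete report. The record ID is bound as
// associated data, so a ciphertext moved into another record's row fails
// to decrypt instead of silently disclosing the wrong report.
func SealReport(key []byte, rep Report) (StoredReport, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredReport{}, err
	}
	plain, err := json.Marshal(rep)
	if err != nil {
		return StoredReport{}, err
	}
	buf := make([]byte, 16+gcm.NonceSize()) // 16 random ID bytes, then the nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return StoredReport{}, err
	}
	id, nonce := hex.EncodeToString(buf[:16]), buf[16:]
	return StoredReport{ID: id, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, []byte(id))}, nil
}

// OpenReport is the only path back to plaintext; it belongs behind the
// access control for the few staff allowed to handle reports.
func OpenReport(key []byte, st StoredReport) (Report, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Report{}, err
	}
	plain, err := gcm.Open(nil, st.Nonce, st.Ciphertext, []byte(st.ID))
	if err != nil {
		return Report{}, fmt.Errorf("report %s: authentication failed: %w", st.ID, err)
	}
	var rep Report
	err = json.Unmarshal(plain, &rep)
	return rep, err
}

func main() {
	// Demo key only: in production it comes from a KMS or HSM, never from next to the data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample submission.
	rep := Report{ReporterName: "Mario Rossi", Body: "constructed report text", Attachment: []byte("constructed attachment")}
	st, err := SealReport(key, rep)
	if err != nil {
		panic(err)
	}
	fmt.Printf("record %s stored as %d opaque bytes\n", st.ID, len(st.Ciphertext))
	back, err := OpenReport(key, st)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted reporter:", back.ReporterName)
}
```

Binding the record ID as associated data is what turns "encrypted at rest" into a useful property: an attacker with database access can neither read a row nor re-point one reporter's record at another case, and any bit flip is detected before anything is shown to a case handler.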
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Not assigned
S.C. Dreamtime Call S.R.L.
2021-06-09
€2,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
The Romanian DPA (ANSPDCP) has fined S.C. Dreamtime Call S.R.L. EUR 2,000 for failing to provide information requested by the DPA during an investigation.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Employment
Directorate of the Östra Skaraborg Rescue Service
2021-06-09
€34,800.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 32 (1), (4) GDPR
The Swedish DPA has imposed a fine of EUR 34,800 on the directorate of the Östra Skaraborg Rescue Service. The DPA had received information that several fire stations in Östra Skaraborg operated surveillance cameras that filmed areas where firefighters were changing during an emergency, whereupon it initiated a review of the camera surveillance. The video surveillance was taking place around the clock, although the controller itself stated that video surveillance was only required in case of emergency alarms.
The DPA concluded that round-the-clock monitoring was too far-reaching, while acknowledging that the controller had weighty reasons for the camera surveillance; it should, however, have been limited to emergency call-outs. The fine is made up of EUR 29,800 for the violation of Art. 5 (1) a), c) GDPR and EUR 5,000 for the violation of Art. 32 (1), (4) GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Not assigned
La Santrade S.R.L.
2021-06-09
€2,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
The Romanian DPA (ANSPDCP) has fined La Santrade S.R.L. EUR 2,000 for failing to provide information requested by the DPA during an investigation.
AEPD
Spanish Data Protection Authority
Public Sector and Education
Master Distancia S.A.
2021-06-07
€20,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 25,000 on Master Distancia S.A. The controller had entered the data subject's personal data in a credit register without a sufficient legal basis, citing debts the data subject allegedly owed it. In fact, the parties were still in arbitration, so the controller had no authorization to enter the data subject's data in the register. The original fine of EUR 25,000 was reduced to EUR 20,000 due to immediate payment.
AEPD
Spanish Data Protection Authority
Employment
Radiotelevisión del principado de Asturias
2021-06-07
€19,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 12 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 26,000 on Radiotelevisión del principado de Asturias. The fine consists of EUR 20,000 due to a violation of Art. 5 (1) c) GDPR and EUR 6,000 due to a violation of Art. 12 GDPR. The fine was based on the fact that the controller installed a video surveillance system totaling 14 video cameras and monitoring the business premises. The controller states that the cameras were installed for the purpose of security of the premises. However, the cameras captured the employees' offices in a way that was not necessary for this purpose. For example, one camera also captured a considerable part of the employees' recreation room. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The fine was reduced to EUR 19,600 due to timely payment and admission of guilt.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Region Sörmland
2021-06-07
€25,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Swedish DPA has imposed a fine of EUR 25,000 on Region Sörmland. The fine is related to an investigation against three companies and three Swedish regions.
In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures.
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate.
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability.
The DPA imposed the fine on Region Sörmland for collecting call data from data subjects without first properly informing them of its processing.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Region Värmland
2021-06-07
€25,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Swedish DPA has imposed a fine of EUR 25,000 on Region Värmland. The fine is related to an investigation against three companies and three Swedish regions.
In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures.
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate.
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability.
The DPA imposed the fine on Region Värmland for collecting call data from data subjects without first properly informing them of its processing.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Region Stockholm
2021-06-07
€50,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
Art. 14 GDPR
The Swedish DPA has imposed a fine of EUR 50,000 on Region Stockholm. The fine is related to an investigation against three companies and three Swedish regions.
In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures.
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate.
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability.
The DPA imposed the fine on Region Stockholm for collecting call data from data subjects without first properly informing them of its processing.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
MedHelp AB
2021-06-07
€1,200,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
Art. 6 GDPR
Art. 9 (1) GDPR
Art. 13 GDPR
Art. 32 GDPR
The Swedish DPA has imposed a fine of EUR 1,200,000 on MedHelp AB. The fine is related to an investigation against three companies and three Swedish regions.
In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures.
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate.
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability.
The Swedish DPA found that MedHelp had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it. Similarly, MedHelp had failed to properly inform callers about the processing of their personal data in accordance with Art. 13 GDPR.
In addition, the DPA found that outsourcing the processing of personal data to Medicall breached the lawfulness principle of the GDPR, because Medicall is not covered by Swedish health and medical legislation and is therefore not subject to the statutory confidentiality obligation that applies in the Swedish healthcare sector.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Voice Integrate Nordic AB
2021-06-07
€64,500.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Swedish DPA has imposed a fine of EUR 64,500 on Voice Integrate Nordic AB. The fine is related to an investigation against three companies and three Swedish regions.
In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network.
In 2019, the media reported that recorded calls to the 1177 helpline were available on a web server without password protection or other security measures.
All calls to the 1177 number initially went to the company Inera, which managed and developed the shared systems. Calls to the number 1177 from people living in the Stockholm, Sörmland and Värmland regions were put through by Inera to Medhelp AB, which took the calls. Medhelp had in turn contracted the Thai company Medicall Co Ltd. to take calls on weekends and at night. Both Medhelp and Medicall had a contract with the technology company Voice Integrate Nordic AB for, among other things, call recordings. A data breach had then occurred in which recordings of calls to the number 1177 were available on the Internet on a storage server belonging to Voice Integrate.
The incident resulted from the misconfiguration of a network-attached storage device that was publicly accessible over the Internet and did not use encrypted communications. A large number of calls were accessed due to the vulnerability.
The Swedish DPA found that Voice Integrate had failed to take appropriate technical and organizational measures to ensure an adequate level of security to protect personal data so that unauthorized persons could not access it.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Creator Energy S.L.
2021-06-04
€6,000.00
Insufficient legal basis for data processing
Art. 6 (1) b) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on Creator Energy S.L. The controller had used the data subject's personal data without his consent to conclude gas and electricity supply contracts and a maintenance service contract.
DATATILSYNET
Norwegian Supervisory Authority
Health Care
Moss municipality
2021-06-04
€49,200.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), d) GDPR
The Norwegian DPA (Datatilsynet) has fined the municipality of Moss EUR 49,200 for inadequately securing personal data.
In January, the municipality of Rygge was merged into the municipality of Moss, and several IT systems of the two municipalities were consolidated as a result.
Due to inadequate security measures, a data breach occurred in a production system used by the municipality's health service.
The system processes personal and health data of residents who use the health centre: it supports the municipal immunization programme as well as other health checks and the follow-up of pregnant women. About 2,000 people were potentially affected by the breach. The breach caused errors in vaccine registration, so data subjects were at risk of receiving the wrong vaccines and of having their immunization data misfiled in the national immunization registry.
Errors also occurred in the follow-up records of pregnant women, including the week of pregnancy and the mother's drug use.
In addition, patient information was made available to health workers on a ward without any need for it and without the access being documented.
HDPA
Hellenic Data Protection Authority
Not assigned
PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ
2021-06-03
€15,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b) GDPR
Art. 5 (2) GDPR
The Hellenic DPA has fined PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ EUR 15,000 for the unlawful installation and operation of a video surveillance system. The controller had installed a video surveillance system in its office premises without informing the employees, thereby violating the principles of lawfulness, fairness, transparency, purpose limitation and accountability.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Avalos Consultores, S.L.
2021-06-02
€4,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Avalos Consultores, S.L. The data subject, a client of the controller, filed a complaint with the AEPD because the controller had transferred her personal data to the agency Torrent Asesores Nga, S.L. without her consent.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-05-31
€18,000.00
Insufficient involvement of data protection officer
Art. 38 (1), (2) GDPR
Art. 39 (1) a) GDPR
The DPA of Luxembourg has imposed a fine of EUR 18,000 on a company. According to the DPA, the controller firstly failed to involve the data protection officer in all matters relating to the protection of personal data. Secondly, the controller failed to provide the data protection officer with the necessary resources to perform his duties.
AP
Dutch Supervisory Authority for Data Protection
Finance, Insurance and Consulting
UWV (Dutch employee insurance service provider)
2021-05-31
€450,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Dutch DPA (AP) has fined UWV (the Dutch employee insurance agency, 'Uitvoeringsinstituut Werknemersverzekeringen') EUR 450,000. The UWV had not properly secured the sending of group messages via the 'My Workbook' environment, a personal area on the UWV website through which job seekers communicate with the UWV. As a result, personal data, including health data, of more than 15,000 individuals leaked on several occasions.
DATATILSYNET
Norwegian Supervisory Authority
Finance, Insurance and Consulting
BRAbank ASA
2021-05-28
€39,700.00
Insufficient technical and organisational measures to ensure information security
Art. 24 GDPR
Art. 32 (1), (2) GDPR
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,700 on BRAbank ASA. The controller had reported a data breach to the DPA on September 6, 2019. On the controller's website, some customers were able to view other customers' data on the 'My Page' section. These included credit terms and address information of other customers. The section had been activated shortly before for 500 selected customers and was intended, among other things, to provide an overview of loans taken out with the controller.
Based on investigations into the case, the DPA found that the controller had not complied with the GDPR's requirements for risk assessment and appropriate technical measures in connection with the launch of the customer portal. According to the DPA's assessment, the personal data security breach could have been prevented if the controller had conducted a risk assessment and review as required by law.
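The BRAbank incident has the classic shape of a missing object-level authorization check: a portal page that loads whatever customer record the request names, without asking whether the logged-in customer owns it. The Go program below is an added example, not BRAbank's code or anything from the Datatilsynet decision; `Store`, `Session`, the customer IDs and the sample customers are constructed for illustration. It shows the vulnerable lookup beside the hardened one and an isolation audit of the kind the DPA said should have preceded the launch: log in as each customer, request every other customer's overview, and expect zero hits.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Loan is the kind of record the 'My Page' section exposed: credit terms
// belonging to one customer. Address is the other item the DPA named.
type Loan struct {
	Amount  int
	RatePct float64
}

type Customer struct {
	Name    string
	Address string
	Loans   []Loan
}

// Store stands in for the bank's customer database (assumption).
type Store struct{ customers map[int]Customer }

var (
	ErrNotFound  = errors.New("customer not found")
	ErrForbidden = errors.New("session is not allowed to view this customer")
)

// Session is the authenticated customer as established by the login flow.
// Its CustomerID comes from server-side state, never from the URL.
type Session struct{ CustomerID int }

type overviewFn func(s *Store, sess Session, requestedID int) (Customer, error)

// OverviewVulnerable reproduces the failure class behind the breach: the
// portal returns whichever customer record the client asked for and never
// checks that the logged-in customer owns it.
func OverviewVulnerable(s *Store, sess Session, requestedID int) (Customer, error) {
	c, ok := s.customers[requestedID]
	if !ok {
		return Customer{}, ErrNotFound
	}
	return c, nil
}

// OverviewHardened selects the record by the session's own customer ID.
// A client-supplied identifier that differs from it is refused, and the
// mismatch is carried in the error so it can be logged and alerted on.
func OverviewHardened(s *Store, sess Session, requestedID int) (Customer, error) {
	if requestedID != sess.CustomerID {
		return Customer{}, fmt.Errorf("%w: session %d requested %d", ErrForbidden, sess.CustomerID, requestedID)
	}
	c, ok := s.customers[sess.CustomerID]
	if !ok {
		return Customer{}, ErrNotFound
	}
	return c, nil
}

// AuditIsolation is the pre-launch review the DPA found missing: act as
// every customer, request every other customer's overview, and report each
// foreign record that comes back. It must return nothing before go-live.
func AuditIsolation(s *Store, fn overviewFn) []string {
	ids := make([]int, 0, len(s.customers))
	for id := range s.customers {
		ids = append(ids, id)
	}
	sort.Ints(ids) // deterministic report order
	var findings []string
	for _, viewer := range ids {
		for _, target := range ids {
			if viewer == target {
				continue
			}
			if c, err := fn(s, Session{CustomerID: viewer}, target); err == nil {
				findings = append(findings, fmt.Sprintf("customer %d can read customer %d (%s, %s)", viewer, target, c.Name, c.Address))
			}
		}
	}
	return findings
}

// SampleStore holds constructed test data, not real customers.
func SampleStore() *Store {
	return &Store{customers: map[int]Customer{
		1001: {Name: "Kari Nordmann", Address: "Storgata 1, Oslo", Loans: []Loan{{Amount: 150000, RatePct: 9.9}}},
		1002: {Name: "Ola Nordmann", Address: "Kirkeveien 12, Bergen", Loans: []Loan{{Amount: 50000, RatePct: 12.5}}},
		1003: {Name: "Anne Hansen", Address: "Havnegata 7, Trondheim"},
	}}
}

func main() {
	s := SampleStore()
	for _, v := range []struct {
		name string
		fn   overviewFn
	}{{"vulnerable", OverviewVulnerable}, {"hardened", OverviewHardened}} {
		findings := AuditIsolation(s, v.fn)
		fmt.Printf("%s endpoint: %d cross-customer reads\n", v.name, len(findings))
		for _, f := range findings {
			fmt.Println("  ", f)
		}
	}
}
```

The audit is deliberately exhaustive over the pairs rather than a spot check: the breach was limited to 500 pilot customers precisely because the feature had just been switched on for a subset, and a pairwise pass over the pilot population is cheap enough to run in CI before any such switch.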
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-05-27
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 2,000 on a private individual for the unauthorized use of video surveillance cameras, which also recorded parts of public space without legitimate reason, and the online publication of these recordings.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Usl della Romagna
2021-05-27
€120,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) has fined Azienda Usl della Romagna EUR 120,000. The local health authority of Romagna had accidentally transmitted a patient's report regarding an abortion to a general practitioner. However, the patient had asked not to inform her general practitioner about it. The transmission of the report was made through the regional network 'Sole'. The investigation by Garante revealed that the data had been accidentally transmitted due to an error in the software that manages patient admissions, discharges and transfers.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Provinciale per i Servizi Sanitari di Trento
2021-05-27
€150,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) has fined Azienda Provinciale per i Servizi Sanitari di Trento EUR 150,000. The controller had accidentally forwarded 293 medical reports of 175 patients to their general practitioners, even though the patients had asked not to forward the reports to their general practitioners. Among the patients in question had been two minors and several women who had undergone abortions. The investigation by Garante found that the data had been accidentally transmitted due to an error in the software that manages patient reports.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-05-26
€3,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Spanish DPA (AEPD) fined Vodafone España, S.A.U. for failing to provide information requested by the DPA within the required timeframe, in violation of Art. 58 GDPR. The original fine of EUR 5,000 was reduced to EUR 3,000 (two 20% reductions) due to immediate payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Managing Director of a company
2021-05-25
€900.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on the managing director of a company. A data subject filed a complaint with the AEPD against the controller with whom he had entered into a contract. The fine is based on the fact that the controller had not properly informed the data subject about the processing of his data when collecting it. The AEPD considers this to be a violation of Art. 13 GDPR. The original fine of EUR 1,500 was reduced to EUR 900 due to immediate payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, SAU
2021-05-25
€100,000.00
Insufficient technical and organisational measures to ensure information security
Art. 28 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Vodafone España, S.A.U. A data subject had filed a complaint with the AEPD against the telecommunications company. According to the complaint, the data subject had received an advertising call made on behalf of Vodafone España, S.A.U. by another company, although the data subject was registered on the Robinson list (the Spanish advertising opt-out register). According to Vodafone's processor, the call had been made because of an error in its number-filtering system. In the course of its investigation, the DPA found that Vodafone had established no measures to prevent advertising calls to numbers on the Robinson list; Vodafone had not even been aware that the data subject's number was on the list, so the number was not blocked for the processor.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Alava Norte, S.L.
2021-05-25
€4,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has fined Alava Norte, S.L. EUR 4,000. The controller had installed three 360° video surveillance cameras on the facade of one of its buildings to secure the facility. These also captured parts of the public space. The AEPD considered this to be a violation of the principle of data minimization, as such extensive video surveillance was not necessary to fulfill the purpose of the processing (security of the facility).
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Desolasol Restauración, S.L.
2021-05-25
€6,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) has fined Desolasol Restauración S.L. EUR 6,000. The data subject had submitted a consumer complaint form to the restaurant because he was unable to converse at the table due to the volume of the music. A copy of the form remained with the controller. Due to an error by a restaurant employee, the copies of the form were given to other guests of the restaurant who were present during the incident.
AEPD
Spanish Data Protection Authority
Health Care
Physician
2021-05-21
€3,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has fined a physician EUR 3,000. The controller had left his/her former clinic and started working in a new clinic. The complainant had taken over the controller's former clinic. The purchase agreement explicitly stated that the selling party (the controller) was not allowed to make a copy of the patient's files under any circumstances. Nevertheless, the controller had informed his/her former patients that his/her services could be obtained at his/her new clinic in the future. The AEPD found that the controller had acted not only in breach of contract but also in breach of data protection legislation by contacting the former patients.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2021-05-21
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 12 GDPR
The Spanish DPA (AEPD) fined a homeowners association EUR 3,000. Its video surveillance cameras captured public space, in violation of the principle of data minimization, and insufficient information was provided about the video surveillance, in violation of the duty to inform (Art. 12 GDPR).
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica de España, S.A.U
2021-05-21
€45,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 75,000 on Telefónica de España, S.A.U. A data subject had filed a complaint with the AEPD against the telecommunications company.
The controller had booked a service for the data subject without the data subject having concluded a contract for it. After the data subject had accordingly not made any payments for this service, the service was canceled in the same year and a collection agency was commissioned to collect allegedly outstanding debts. The AEPD determined that neither the data processing for the service booking nor the transfer of the data subject's personal data to the collection agency had taken place lawfully. The original fine of EUR 75,000 was reduced to EUR 45,000 due to immediate payment and admission of responsibility.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Municipality of Oslo
2021-05-20
€39,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 39,000 on the Municipality of Oslo. On a website of the controller a subpoena from the public prosecutor's office concerning the data subject had been published. The subpoena contained, among other things, personal information such as health data. The incident occurred because the subpoena was not originally classified as confidential and accordingly was not exempted from public disclosure. The document was publicly available for five hours before it was removed.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Owners Association of Iasi Municipality
2021-05-19
€500.00
Insufficient cooperation with supervisory authority
Art. 58 (1) a), e) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 500 on Asociație de Proprietari din municipiul Iași (Owners Association of Iasi Municipality). The controller did not provide the DPA with the information it had requested.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Banca Comercială Română S.A.
2021-05-19
€2,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), d), (2) GDPR
Art. 6 GDPR
The Romanian DPA (ANSPDCP) has fined Banca Comercială Română S.A. EUR 2,000. A data subject had initiated a complaint with the DPA because the controller had used his personal data in the context of an enforcement procedure for debts arising from a credit agreement of which he was unaware.
DATATILSYNET
Norwegian Supervisory Authority
Finance, Insurance and Consulting
Innovasjon Norge
2021-05-18
€95,500.00
Insufficient legal basis for data processing
Art. 5 (1) GDPR
Art. 6 (1) GDPR
The Norwegian DPA (Datatilsynet) fined the national development bank Innovasjon Norge NOK 1,000,000 (EUR 95,500). The controller had carried out several credit checks on the data subject without any contractual basis for doing so. For this purpose, the bank had analyzed numerous financial data of the data subject without the data subject's consent.
HDPA
Hellenic Data Protection Authority
Individuals and Private Associations
Municipal Organization for Pre-School Education and Social Solidarity (DOPAKA) of the municipality of Tavros Moschato
2021-05-17
€10,000.00
Insufficient legal basis for data processing
Art. 6 (1) c) GDPR
Art. 12 (3), (4) GDPR
Art. 17 (1) d) GDPR
The Hellenic DPA has fined the Municipal Organization for Pre-School Education and Social Solidarity (DOPAKA) of the municipality of Tavros Moschato EUR 10,000. The controller had published documents containing personal data of the data subject without legal basis. The documents contained, besides his name, information about his profession, his place of work and an evaluation of his behavior. The controller also failed to respond to a subsequent deletion request from the data subject. The fine is composed proportionately of EUR 7,000 for a violation of Art. 6 (1) c) GDPR and EUR 3,000 for a violation of Art. 12 (3), (4) GDPR and Art. 17 (1) d) GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Website operator
2021-05-14
€200.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), (2) GDPR
Art. 6 (1) GDPR
Art. 13 (1), (2), (3) GDPR
Art. 32 (2) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 200 on the operator of the website declaratieppr.ro. During the Covid-19 pandemic, visitors to the site were able to fill out a form that was required to leave their place of residence. Personal data such as name, address and ID number were collected for this purpose. However, the controller was unable to prove that it was processing the data lawfully. In addition, the controller had not sufficiently informed the data subjects about the processing of the data when collecting their personal data and had not implemented sufficient technical and organizational measures to ensure the security of the data processing.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Allianz Compañia de Seguros y Reaseguros, S.A.
2021-05-14
€30,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has fined Allianz Compañia de Seguros y Reaseguros, S.A. EUR 30,000. The controller had sent an invoice to the data subject although no contractual relationship existed. The data subject had concluded a motorcycle insurance policy with the controller in 2016, but had terminated the policy in 2017.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Telekom Romania Communications SA
2021-05-13
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 6 GDPR
Art. 21 GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Telekom Romania Communications SA. The controller had made an advertising call to the data subject although the latter had exercised his right to object to the processing of his personal data for marketing and advertising purposes by requesting the controller to delete his telephone number and e-mail address from the Telekom database.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Iren Mercato S.p.A.
2021-05-13
€2,856,169.00
Insufficient legal basis for data processing
Art. 5 (1), (2) GDPR
Art. 6 (1) GDPR
Art. 7 (1) GDPR
The Italian DPA (Garante) fined Iren Mercato S.p.A. EUR 2,856,169 for failing to verify that all transfers of data of recipients of promotional activities were covered by consent. Several data subjects filed complaints with the DPA against the controller because they had received unsolicited advertising to which they had never consented. In its investigation against the controller, the DPA found that the controller had in fact processed personal data for telemarketing activities that it had not collected directly but had acquired from other sources. It had not checked whether valid consents had been obtained from the advertising addressees for all transfers of the data. The controller had received lists of personal data from one company, which in turn had acquired them from two other companies. The latter companies had obtained the consent of potential customers for the telemarketing carried out by them and by third parties, but this consent did not include the transfer of customer data to the controller. In this context, the DPA emphasized that consent given by a customer to a company for third-party promotional activities cannot extend its effectiveness to subsequent transfers to other operators.
GARANTE
Italian Data Protection Authority
Employment
Comune di Bolzano
2021-05-13
€84,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 13 GDPR
Art. 35 GDPR
The Italian DPA (Garante) has fined the municipality of Bolzano EUR 84,000. A former employee of the municipality filed a complaint with the DPA against the municipality.
In particular, the former employee complained that the municipality processed personal data related to his internet use during working hours and that he later received a notice of initiation of disciplinary proceedings accusing him of accessing Facebook for more than 40 minutes and YouTube for more than 3 hours during his working hours and of using the municipality's computer for private purposes. The DPA's investigation revealed that the municipality had been using a system to control and filter employees' internet browsing for about a decade, with monthly retention of data and creation of special reports for network security purposes. The system also collected information that had nothing to do with professional activities and, in any case, concerned the private life of the person in question.
The DPA found that the controller thus violated the principles of data minimization, lawfulness and purpose limitation. The controller should rather have taken less intrusive measures to prevent the private use of the Internet. The DPA pointed out that the need to reduce the risk of misuse of Internet navigation cannot lead to the complete elimination of any privacy of the data subject at the workplace, even in cases where the employee uses network services provided by the employer. In addition, the controller had not adequately informed employees about the collection of Internet history, in violation of its obligation under Article 13 of the GDPR.
Furthermore, the investigation identified other violations in the processing of data related to employees' requests for extraordinary medical examinations, which were made using a special form. The form provided by the controller had to be checked by the head of the organizational unit, a circumstance that led to the unlawful processing of health data.
GARANTE
Italian Data Protection Authority
Health Care
Synlab Med srl
2021-05-13
€20,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 9 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has fined Synlab Med srl EUR 20,000. The company conducted Covid-19 tests for various regional health authorities. In this context, the company had inadvertently sent the test results of 31 people to the wrong health authority.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Solram T Y R S.L.
2021-05-12
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Solram T Y R S.L. A data subject had filed a complaint with the AEPD against the controller because the controller continued to send him advertisements via WhatsApp, despite the fact that he had requested the deletion of his data.
HDPA
Hellenic Data Protection Authority
Not assigned
A. ΕΠΙΛΟΓΗ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΕΙΑ
2021-05-12
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b) GDPR
Art. 12 (3) GDPR
Art. 15 GDPR
Art. 17 GDPR
The Hellenic DPA has fined A. ΕΠΙΛΟΓΗ ΙΔΙΩΤΙΚΗ ΚΕΦΑΛΑΙΟΥΧΙΚΗ ΕΤΑΙΡΕΙΑ EUR 5,000. The controller had not responded to requests for information and deletion from the data subject. During the DPA's investigation, the controller informed the DPA that it had deleted the data of the data subject. However, the data subject had not been informed of this. Furthermore, the DPA determined that the data subject's data had been collected for a purpose other than the agreed purpose. A corresponding consent of the data subject for this new processing purpose had not been obtained.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
KARIERA A.E.
2021-05-12
€5,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
Art. 21 GDPR
Art. 25 GDPR
The Hellenic DPA has imposed a fine of EUR 5,000 on KARIERA A.E. A data subject had filed a complaint with the DPA against the controller because the controller continued to send him e-mail advertisements even though he had requested the deletion of his data and the controller had confirmed the deletion. Due to a technical error, the data subject's data had not been deleted.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-05-12
€1,900.00
Non-compliance with general data processing principles
Art. 5 (1) c), e) GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 1,900 on a company. The controller had installed a video surveillance system to protect the company's assets and prevent entry by unauthorized persons. However, the cameras also excessively captured parts of the public space. The DPA found that the controller thus violated the principle of data minimization under Article 5 (1) c) GDPR. In addition, the DPA found that the controller stored the recordings longer than legally permitted and thus violated Art. 5 (1) e) GDPR.
CNPD
National Commission for Data Protection
Employment
Unknown
2021-05-12
€2,400.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 2,400 on a company. The controller had installed a video surveillance system to protect the company's assets and prevent entry by unauthorized persons. However, the cameras also excessively captured parts of the canteen terrace, which serves as a recreation area for employees. The DPA found that recording employees during their break is not necessary to achieve the purposes of the video surveillance and was therefore disproportionate. The DPA found that the controller had thus violated the principle of data minimization under Article 5 (1) c) GDPR.
CNPD
National Commission for Data Protection
Employment
Unknown
2021-05-12
€2,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 2,600 on a company. The controller had installed a video surveillance system to protect the company's assets and prevent entry by unauthorized persons. However, the cameras also excessively captured parts of the canteen, which serves as a break location for employees. The DPA found that recording employees during their break is not necessary to achieve the purposes of the video surveillance and was therefore disproportionate. The DPA found that the controller had thus violated the principle of data minimization under Article 5 (1) c) GDPR. In addition, the controller had not properly informed the data subjects about the processing of their data by the video surveillance and thus violated its duty to inform.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-05-12
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 1,000 on a company. The controller had installed a video surveillance system for the purposes of protecting property, securing access to private and risky places, and ensuring the safety of users and the prevention of accidents. However, the cameras also excessively captured parts of the public space. The DPA found that the controller thus violated the principle of data minimization under Article 5 (1) c) GDPR. In addition, the controller had not properly informed the data subjects about the processing of their data by the video surveillance and thus violated its duty to inform.