A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
World Class România S.A.
2021-05-07
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on World Class România S.A. The controller had published the termination letter of an employee in a WhatsApp group used by the controller's employees. As a result, all members of this WhatsApp group were granted unauthorized access to certain personal data of the data subject (surname, first name, address, ID number, information related to the request for termination).
DATATILSYNET
Norwegian Supervisory Authority
Media, Telecoms and Broadcasting
Disqus Inc.
2021-05-05
€NaN
Insufficient legal basis for data processing
Art. 5 (1), (2) GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
On May 5, 2021, the Norwegian DPA (Datatilsynet) announced that it intends to fine Disqus Inc. EUR 2,500,000 for violations of Art. 5 (1), (2) GDPR, Art. 6 GDPR, Art. 12 GDPR and Art. 13 GDPR. It is alleged that Disqus unlawfully tracked visitors of Norwegian websites which used the Disqus plugin. Their data was then passed on to third-party advertisers.
AEPD
Spanish Data Protection Authority
Transportation and Energy
EDP Comercializadora, S.A.U.
2021-05-04
€1,500,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 25 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Comercializadora, S.A.U. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. Besides, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives. The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.
AEPD
Spanish Data Protection Authority
Transportation and Energy
EDP Energía, S.A.U
2021-05-04
€1,500,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 25 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Energía, S.A.U. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. Besides, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives. The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.
PERSÓNUVERND
Icelandic data protection authority
Industry and Commerce
InfoMentor ehf
2021-04-29
€23,100.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), d) GDPR
The Icelandic DPA (Persónuvernd) has imposed a fine of EUR 23,100 on InfoMentor ehf. Previously, the controller had reported a data breach according to Art. 33 GDPR. The incident concerned the company's online system, which is mainly used by schools and other institutions for communication and information purposes. In the course of its investigations, the DPA determined that inadequate technical and organizational security measures on the part of the controller led to the breach. Due to a security leak that resulted in the six-digit system number of each user being visible in the URL address of a specific page within the mentor system, unauthorized persons gained access to the personal data of 424 children.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Santa Ninfa municipality
2021-04-29
€2,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
Art. 2-ter (1), (3) Codice della privacy
The Italian DPA has imposed a fine of EUR 2,000 on the Santa Ninfa municipality. The municipality had published a resolution on its website that contained personal information such as the name and references about the enforcement title of the data subject.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Pagamastarde S.L.
2021-04-27
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 17 (1) GDPR
Art. 21 LSSI
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Pagamastarde S.L. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The controller stated that the data subject's request had not been fulfilled due to a human error. The fine is composed proportionately of EUR 3,000 for a violation of Art. 17 (1) GDPR and EUR 2,000 for a violation of Art. 21 LSSI. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Anytime Fitness Iberia S.L.
2021-04-27
€15,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
Art. 21 LSSI
The Spanish DPA (AEPD) has imposed a fine of EUR 15,000 on Anytime Fitness Iberia S.L. A data subject had filed a complaint with the AEPD against the controller due to the fact that the controller continued to send him SMS advertisements, despite the fact that he had requested the deletion of his data and the controller had confirmed the deletion. The fine is composed proportionally of EUR 10,000 for a breach of Art. 17 GDPR and EUR 5,000 for a breach of Art. 21 LSSI.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Company
2021-04-27
€1,400.00
Insufficient legal basis for data processing
Art. 5 (1), (2) GDPR
Art. 6 GDPR
Art. 13 GDPR
The Hungarian DPA (NAIH) has imposed a fine of EUR 1,400 on a company. In the course of his professional activities, a data subject had made a telephone call to the controller on September 23, 2019. The controller had recorded the conversation without informing the data subject or obtaining his consent and then provided it to the company where the data subject was employed. The employer of the data subject subsequently terminated his employment because the recorded telephone call apparently did not meet the company's service and professional standards. The DPA finds that the controller not only processed the data subject's data without a legal basis, but also breached its accountability obligation by failing to demonstrate the lawfulness of the processing. In addition, the controller violated its duty to provide information under Art. 13 GDPR.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Company
2021-04-27
€570.00
Insufficient legal basis for data processing
Art. 5 (1) a), (2) GDPR
Art. 6 GDPR
Art. 13 GDPR
The Hungarian DPA (NAIH) has imposed a fine of EUR 570 on a company. In the course of his professional activities, a data subject had made a telephone call to a company on September 23, 2019. The company had recorded the conversation without informing the data subject or obtaining his consent, and subsequently made it available to the company where the data subject was employed (the controller). The controller then terminated the employment relationship because the recorded telephone conversation apparently did not meet the controller's service and professional standards. The DPA finds that the controller not only processed the data subject's data without a legal basis, but also breached its accountability obligations by failing to demonstrate the lawfulness of the processing. In addition, the controller violated its obligation to provide information pursuant to Art. 13 GDPR.
UODO
Polish National Personal Data Protection Office
Not assigned
PNP S.A.
2021-04-27
€5,050.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 (1) e) GDPR
The controller failed to provide information requested by the Polish DPA (UODO) for investigative purposes.
APD
Belgian Data Protection Authority
Finance, Insurance and Consulting
Financial company
2021-04-26
€100,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Belgian DPA (APD) has imposed a fine of EUR 100,000 on a financial company. A data subject had filed two complaints with the APD against the company. They were based on 20 queries of her personal data from the credit register of the National Bank of Belgium. The controller employs the data subject's ex-husband, who allegedly used his role to unlawfully gain access to the register in order to obtain financial information about the data subject and thus gain an advantage in their divorce proceedings. As the DPA noted, the data protection violations occurred due to the fact that the controller had not taken adequate organizational measures to protect personal data from unauthorized processing.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Equifax Iberica S.L.
2021-04-23
€1,000,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), b), c), d) GDPR
Art. 6 (1) GDPR
Art. 14 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000,000 on Equifax Ibérica, SL. A total of 96 complaints were filed with the DPA against the controller because it had included personal data of individuals associated with alleged debts in the Judicial Claims and Public Entities File ('FIJ') without their consent. In some cases, these data were not even correct. According to the DPA, the processing of the data subjects' personal data involving the FIJ file had been unlawful and violated several data protection principles of data processing (lawfulness and transparency, purpose limitation, data minimization, and accuracy). In addition, the controller had not properly informed the data subjects about the processing of their data, thus violating its duty to inform them.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-04-22
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed a surveillance camera on his property, which recorded, among other things, the public space and neighboring properties. According to the controller, he had installed the camera for security purposes regarding his property. The AEPD considered this to be a violation of the principle of data minimization, as such extensive monitoring was not necessary to protect the controller's property.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
HazteOir.Org
2021-04-22
€4,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on HazteOir.Org. The controller had published a brochure on sex education in schools which unlawfully contained the photos and names of three data subjects who had not given their consent. The original fine of EUR 5,000 was reduced by 20% to EUR 4,000 due to immediate payment.
UODO
Polish Data Protection Authority
Media, Telecoms and Broadcasting
Cyfrowy Polsat S.A.
2021-04-22
€245,000.00
Insufficient technical and organisational measures to ensure information security
Art. 24 (1) GDPR
Art. 32 (1), (2) GDPR
Art. 34 (1) GDPR
The Polish DPA (UODO) has fined Cyfrowy Polsat S.A. EUR 245,000. The fine was based on a large number of data breaches reported by the controller to the DPA. Frequently, postal correspondence containing personal data was lost or delivered to the wrong recipient. The DPA notes that although the data breaches were caused by the courier company contracted by the controller, the controller had to ensure that such breaches did not occur. The controller failed to implement technical and organizational measures appropriate to the risk to protect the processing of the data. Furthermore, the controller did not notify the data subjects about the data breaches until two to three months later.
Deputy Data Protection Ombudsman
Industry and Commerce
ParkkiPate Oy
2021-04-21
€75,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) c) GDPR
Art. 12 (3), (4), (6) GDPR
Art. 14 (2) a) GDPR
Art. 14 (3) GDPR
Art. 15 GDPR
Art. 17 (1) a) GDPR
Art. 25 (2) GDPR
The Finnish DPA has imposed a fine of EUR 75,000 on ParkkiPate Oy. A number of people had been issued parking tickets by the controller and had thereupon requested information about which personal data was being processed and, in some cases, requested the deletion of their data.
However, in order to process the requests, the controller stated that it needed the ID card number and address of the data subjects for identification purposes, as their name with the parking ticket number was not sufficient to verify their identity. According to the DPA, the controller has not only violated its duty to inform the data subjects and the right to delete their data, but has also violated the principle of data minimization. The DPA stressed that it is permitted to request further proof of identification if there are reasonable doubts about the identity of the data subject. However, in the cases in question, no such doubts had existed. Furthermore, the DPA found a violation of the principle of storage limitation. The controller had stored photos of incorrectly parked cars and copies of parking tickets for possible future disputes in court without having defined a deadline for the deletion of the data.
GARANTE
Italian Data Protection Authority
Health Care
Fondazione Policlinico Tor Vergata di Roma
2021-04-21
€15,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 32 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 15,000 on Fondazione Policlinico Tor Vergata di Roma. In February 2020, a data subject filed a complaint with Garante alleging a breach of data protection laws in relation to the booking services for medical specialists offered by the controller. In order to book a relevant appointment on the booking portal, visitors had to fill out an online form in which various personal data was requested. As the DPA found, the controller had not implemented adequate technical and organizational measures to ensure the protection of data processing. In addition, the controller did not comply with its information obligations pursuant to Art. 13 GDPR, as it had not properly informed the data subjects about the processing of their personal data at the time of the data collection.
AEPD
Spanish Data Protection Authority
Real Estate
Highcliffe Estates Marbella S.L.
2021-04-20
€8,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 8,000 on Highcliffe Estates Marbella S.L. The controller had published a photo of the data subject on its website without his consent.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Not assigned
Website operator
2021-04-20
€2,800.00
Non-compliance with general data processing principles
Art. 5 (2) GDPR
Art. 24 GDPR
The Hungarian DPA (NAIH) has imposed a fine of EUR 2,800 on a website operator. The controller had failed to prove the lawfulness of its processing of personal data upon request by the DPA. The DPA considered this to be a breach of the controller's duty of accountability.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Lugera & Makler Broker S.R.L.
2021-04-19
€1,500.00
Insufficient technical and organisational measures to ensure information security
Art. 29 GDPR
Art. 32 (2), (4) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,500 on Lugera & Makler Broker S.R.L. The controller had accidentally destroyed data of customers of Raiffeisen Bank S.A., for which it acted as processor. The ANSPDCP states that the incident occurred due to the fact that the controller had not taken sufficient technical and organizational measures to ensure an adequate level of protection of the data processing.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Pub owner
2021-04-19
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined the owner of a pub EUR 1,500 due to the unauthorized use of two video surveillance cameras covering parts of the public space.
HDPA
Hellenic Data Protection Authority
Public Sector and Education
Candidate for parliamentary elections
2021-04-16
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Art. 11 Law 3471/2006
The Greek DPA (HDPA) has fined a parliamentary candidate EUR 2,000. The data subject had received a call from the controller on her private mobile number prior to the Greek parliamentary elections in July 2019. The call was made for the purpose of promoting the controller's candidacy. The data subject's inquiries regarding the use of her personal data were answered by the controller in a contradictory manner.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
S.C. Tip Top Food Industry S.R.L
2021-04-15
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) b), c) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
Art. 7 GDPR
The Romanian DPA (ANSPDCP) has fined S.C. Tip Top Food Industry S.R.L. EUR 5,000. The controller had installed several video cameras in the food areas and changing rooms to surveil its employees. The CCTV was intended to deter theft and protect the manufactured goods. The Romanian DPA stated that the controller violated the principle of data minimization, as such extensive surveillance was not necessary. The goods produced could have been protected by methods less intrusive to the privacy of the employees.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2021-04-15
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. The controller resides on the 1st floor of an apartment building, where he is the owner of apartments on the 2nd and 3rd floors. He regularly rents out these apartments to tourists. The controller had installed four video cameras on the three floors and in the entrance area of the building. He justified their operation with security concerns related to the rental to tourists. The owners' association had not granted permission for the operation of the cameras. Also, the controller did not put up a sign in the building informing about the operation of the camera. The DPA found this to be a violation of the principle of data minimization, as the cameras covered areas of the building used by the community, whose monitoring was not necessary for the protection of the controller's property. Furthermore, the controller violated its obligation to provide information, as he failed to inform the other residents of the building about the processing of their data.
GARANTE
Italian Data Protection Authority
Health Care
Società triveneta di chirurgia
2021-04-15
€2,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Società triveneta di chirurgia. A physician had shown slides of a clinical case at a congress, which were subsequently published on the controller's website. The slides contained personal data of a patient, such as the patient's initials, age, gender, a detailed history of the pathology suffered by the patient, details of admissions from 1980 to 2016 and the surgical procedures performed during this period, indicating the date of admission and surgery, the surgical department that performed the procedures, the days spent in hospital, numerous diagnostic images, and 22 photographs showing the patient during the surgeries. At no time had the data subject consented to such processing of his personal data.
GARANTE
Italian Data Protection Authority
Health Care
Physician
2021-04-15
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 5,000 on a physician. The controller had shown slides of a clinical case at a congress, which were subsequently published on the website of the Società triveneta di chirurgia. The slides contained personal data of a patient, such as the patient's initials, age, gender, a detailed medical history of the patient, details of admissions from 1980 to 2016 and surgical procedures performed during that period, indicating the date of admission and the date of surgery, the surgical department that performed the procedures, the days spent in hospital, numerous diagnostic images and 22 photographs showing the patient during the surgeries. At no time had the data subject consented to such processing of his or her personal data.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Palermo
2021-04-15
€40,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 25 GDPR
Art. 32 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 40,000 on the municipality of Palermo. A data subject had filed a complaint with the Italian DPA against the municipality of Palermo. His complaint was based on the fact that his personal data from a food subsidy application he had submitted had been acquired by an unauthorized person and processed for his own purposes. As the DPA determined in the course of its investigations, such processing had occurred because the municipality had not implemented adequate technical and organizational measures to ensure the security and confidentiality of the processing.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Istituto Nazionale Previdenza Sociale (INPS)
2021-04-15
€12,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) a) GDPR
Art. 12 GDPR
Art. 15 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 12,000 on the Italian National Institute for Social Security (Istituto Nazionale della Previdenza Sociale). That fine was based on the fact that the controller failed to respond properly to two requests for information that the data subject had submitted to the controller. The requests were related to the disclosure of personal data of the data subject to third parties. Initially, the data subject had received no response to either request. In the course of the investigation, the controller then provided him with information and explained that the previous requests had not been answered due to a technical error in its e-mail system.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-04-13
€90,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 150,000 on Vodafone España S.A.U. Three data subjects had filed complaints with the AEPD against the controller. They complained about receiving unsolicited text messages from the controller informing them of new invoices, even though there was no longer a contractual relationship between them and the controller. Moreover, there were no outstanding invoices, as the amount to be paid was always zero euros. The data subjects had asked the controller several times to stop sending them text messages and to delete their data. The controller had explained that the messages had been sent due to a technical error and assured the data subjects that they would no longer receive such notifications in the future. However, the sending continued. The original fine of EUR 150,000 was reduced to EUR 90,000 due to immediate payment and admission of guilt.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Miljø- og Kvalitetsledelse AS
2021-04-09
€3,400.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 3,400 on Miljø- og Kvalitetsledelse AS. At one of the carwashes operated by the controller, incidents of vandalism had occurred at the payment terminal. The controller thereupon sent footage of the incident from a surveillance camera to the employer of the alleged vandal. The Norwegian DPA concluded that the sharing of the video footage had taken place without a legal basis and the controller had thus violated Art. 6 (1) GDPR and Art. 5 (1) a) GDPR. Furthermore, the DPA emphasizes that the disclosure of the recordings was not necessary to clarify the incident, as the recordings had already been provided to the police.
AP
Dutch Supervisory Authority for Data Protection
Media, Telecoms and Broadcasting
TikTok
2021-04-09
€750,000.00
Insufficient fulfilment of information obligations
Art. 12 GDPR
The Dutch DPA (AP) has fined the video portal TikTok EUR 750,000 for violating the privacy of young children. The information that Dutch users - mostly young children - received from TikTok when installing and using the app was in English and therefore not easy to understand. By not providing the privacy policy in Dutch, TikTok did not adequately explain how the app collects, processes, and reuses personal data. The DPA considered this to be a violation of the company's duty to provide information.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Kutxabank, S.A.
2021-04-08
€60,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 100,000 on Kutxabank, S.A. Following a complaint from a former customer, claiming that the bank did not comply with his request for erasure of his data, the DPA started an investigation against the controller. The data subject had already been a customer of the bank in the past. At that time, he had exercised his right to erasure of his data. When he tried to open a new account with the controller, he was informed that this was not possible as his data was still blocked (due to his previous erasure request). The controller further informed the data subject that he would have to unblock the data if he wanted to open an account. For this purpose, a form was attached to the letter. The form stated that by signing it, the data subject was revoking his right to erasure and allowing his data to be used (again) by the controller. The DPA found that temporarily blocking the data does not correspond to the right to erasure. The DPA also emphasized that deleted or blocked data may not be processed again when a new contractual relationship is entered into with the controller, even if the new processing purpose is the same as the previous one. The original fine of EUR 100,000 was reduced to EUR 60,000 due to the immediate payment and acknowledgement of guilt.
CNPD
National Commission for Data Protection
Not assigned
Unknown
2021-04-08
€2,800.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
Art. 13 GDPR
The DPA from Luxembourg (CNPD) has imposed a fine of EUR 2,800 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was to protect the company's assets, monitor the transport of goods and the drivers' working hours, among other things. Some of the location data collected by the controller was stored for two years and four months. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DPA considered this to be a violation of the principle of storage limitation. In addition, the DPA found that the controller had not sufficiently informed the data subjects about the processing of the location data and had thus violated its information obligations pursuant to Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Promotech Digital S.L.
2021-04-06
€2,400.00
Insufficient fulfilment of data subjects rights
Art. 21 GDPR
The Spanish DPA (AEPD) has fined Promotech Digital S.L. EUR 2,400 for repeatedly sending the data subject advertising SMS, even though he never subscribed or agreed to receive SMS. Furthermore, the SMS did not offer a direct option to unsubscribe from the advertising. Instead, reference was made to the possibility of cancellation by e-mail. Even though the data subject had objected to receiving further SMS, he continued to receive SMS from the controller. The original fine of EUR 3,000 was reduced by 20% to EUR 2,400 due to immediate payment and acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Kukimbia S.L.
2021-04-05
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Spanish DPA (AEPD) has fined Kukimbia S.L. EUR 3,000. The controller is a company that stores, transports and distributes goods. Documents containing personal data about the controller's customers and suppliers were found freely accessible next to a trash can near one of the controller's warehouses. The DPA determined that the controller had violated Art. 32 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Electrotecnica Bastida S.L.
2021-04-05
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Spanish DPA (AEPD) has fined Electrotecnica Bastida S.L. EUR 3,000. Police officers had found 29 envelopes addressed to the controller's respective employees on a vacant lot in the local industrial area. Two envelopes had already been opened. The envelopes contained results of medical examinations. The AEPD considered this to be a breach of the controller's duty to implement adequate technical and organizational measures to protect the processing of personal data.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Stockhunters S.L.
2021-04-05
€4,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 4,000 on Stockhunters S.L. The controller was not able to answer the data subject's requests regarding the use of his personal data. In addition, the data protection policy of the controller's website did not comply with the provisions of Art. 13 GDPR. The data subject was therefore unsure of how his personal data was being used.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Telekom Romania Mobile Communications S.A.
2021-03-30
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1), (2) GDPR
The Romanian DPA (ANSPDCP) has fined Telekom Romania Mobile Communications S.A. EUR 10,000 for failing to implement adequate security measures to ensure the security of personal data processing. In particular, the ANSPDCP's investigation revealed that the controller's failure to implement adequate security measures resulted in the unauthorized disclosure of the data of 99,210 data subjects, including their customer number, gender and telephone number, as well as unauthorized access to the personal data stored in the accounts of 413 customers. On this basis, the ANSPDCP ruled that the controller violated Art. 32 (1) and (2) GDPR.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Fastweb S.p.A.
2021-03-25
€4,500,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 21 GDPR
Art. 24 GDPR
Art. 25 GDPR
Art. 32 GDPR
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Italian DPA (Garante) has fined Fastweb S.p.A. EUR 4,500,000 for aggressive telemarketing. Following a complex preliminary investigation launched after hundreds of reports and complaints from users, the DPA finds that the controller illegally processed the personal data of millions of users for telemarketing purposes.
Namely, the call centers working for Fastweb largely acted in disregard of data protection regulations. They often used telephone numbers for their calls that were not registered in the Italian register for communications operators (Registro degli Operatori di Comunicazione).
Moreover, they processed contact data for promotions Fastweb had received from external partners without the data subjects having given valid consent for their data to be shared.
In addition, many users reported being contacted by 'self-proclaimed Fastweb operators' who attempted to obtain contractors' identity documents via WhatsApp, likely for the purpose of spamming, phishing and other fraudulent activities.
Other breaches involved procedures for the 'call me back' service that made it impossible for users to give free, specific and informed consent and to deactivate the service in an automated manner.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
OneDirect Srl
2021-03-25
€30,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 7 (1) GDPR
Art. 30 GDPR
Art. 31 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 30,000 on OneDirect Srl. A data subject had filed two complaints with the DPA after receiving advertisements by e-mail from the controller, even though he had not consented to it. Even after the data subject had repeatedly objected to the sending, the controller had not stopped the mailings. Moreover, the controller did not respond to the data subject's objections. Furthermore, the controller did not maintain a register of its processing activities and had not sufficiently cooperated with the DPA in the course of the investigation.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
GEDI News Network Spa
2021-03-25
€20,000.00
Insufficient legal basis for data processing
Art. 12 (3), (4) GDPR
The Italian DPA (Garante) has imposed a fine of EUR 20,000 on GEDI News Network Spa. A data subject filed a complaint with the Italian DPA against the controller regarding an article published by the controller that referred to him. In this context, the data subject exercised his right under Art. 17 GDPR and requested the deletion of the article, considering it no longer relevant. However, the controller did not respond to the data subject's request in a timely manner.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Castellanza
2021-03-25
€4,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
The Italian DPA (Garante) has imposed a fine of EUR 4,000 on the municipality of Castellanza. The municipality had uploaded documents containing personal data of the data subject on its website, which were freely accessible. The documents concerned a legal proceeding of the data subject.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Health Care
Operator of a care facility
2021-03-25
€1,425.00
Insufficient legal basis for data processing
Art. 5 (1) a), b), c) GDPR
Art. 6 GDPR
Art. 13 (1), (2) GDPR
The Hungarian DPA (NAIH) has imposed a fine of EUR 1,425 on the operator of a care facility. The operator had installed a total of 25 cameras in all rooms of the facility, with the exception of the restrooms, locker rooms and the main nurses' station. Both the residents of the facility and the employees were recorded by the video surveillance. The controller states that the cameras were installed for security purposes. These included preventing unauthorized persons from gaining access to the facility and deterring theft. The DPA states that such extensive video surveillance was not necessary for the processing purpose (security of the facility). Furthermore, the controller did not sufficiently inform the data subjects about the data processing.
GARANTE
Italian Data Protection Authority
Health Care
TECNOMEDICAL S.r.l.
2021-03-25
€7,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 15 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 7,000 on TECNOMEDICAL S.r.l. A data subject filed a complaint with the DPA after the controller failed to properly respond to his request for information. The data subject had requested access to his personal data. For this purpose, he demanded a copy of his medical records and the medical documentation of his dental implant surgery that had taken place. However, the controller did not provide the information in due time and in its entirety.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Convitto Nazionale Statale 'Giordano Bruno' di Maddaloni (boarding school)
2021-03-25
€6,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 2-ter (1), (3) Codice della privacy
The Italian DPA has imposed a fine of EUR 1,000 on the Convitto Nazionale Statale 'Giordano Bruno' di Maddaloni (CE) boarding school. The boarding school had published a document on its website containing personal data of the data subject without legal basis.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Health Care
Budapest Főváros Kormányhivatala XI. kerületi Hivatalát (11th District Public Health Department of the Government Office of the Capital City Budapest)
2021-03-24
€27,700.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) a), b) GDPR
Art. 32 (2) GDPR
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Hungarian DPA (NAIH) has fined the XI District Office of the Government of Budapest EUR 27,700. The controller had emailed health data regarding Covid-19 rapid tests, as well as the contact details of the people tested, to doctors in a single Excel file, unencrypted and without any further measures to ensure confidentiality. The DPA found that the controller had failed to implement technical and organizational measures that ensured the protection of personal data. In addition, the controller failed to inform the DPA and the data subjects about the data violations.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
S.C. Medicover S.R.L.
2021-03-23
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2), (4) GDPR
In February, the Romanian DPA (ANSPDCP) closed an investigation against S.C. Medicover S.R.L. and found a violation of Art. 32 (1) b), (2), (4) GDPR. The DPA imposed a fine of EUR 2,000 on the controller. The investigation was initiated following successive notifications by the controller regarding personal data breaches related to unauthorized disclosure and unauthorized access to personal data such as name, correspondence address, email and health data of the data subjects. On several occasions, documents containing personal data had been sent to the wrong recipients. The DPA found that the incidents occurred due to the controller's failure to implement appropriate technical and organizational measures to protect the processing of personal data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Laboratorio Octogón, S.L.
2021-03-23
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Usage of CCTV camera systems that were also monitoring public space (breach of principle of data minimization).
Data Protection Authority of Ireland
Finance, Insurance and Consulting
Irish Credit Bureau DAC
2021-03-23
€90,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (2) GDPR
Art. 24 (1) GDPR
Art. 25 (1) GDPR
The Irish DPA (DPC) has imposed a fine of EUR 90,000 on Irish Credit Bureau (ICB). The fine follows a data breach reported by the controller to the DPA on August 31, 2018. The controller is a credit reporting agency that maintains a database of credit contract performance between financial institutions and borrowers. The data breach occurred when the controller made a code change to its database that contained a technical error. As a result, between June 28, 2018 and August 30, 2018, the ICB database inaccurately updated the records of 15,120 closed accounts. The controller disclosed 1,062 inaccurate account records to financial institutions or affected individuals before the issue was resolved.