A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
HDPA
Hellenic Data Protection Authority
Public Sector and Education
Candidate for parliamentary elections
2021-03-22
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Art. 11 Law 3471/2006
The Greek DPA (HDPA) has fined a parliamentary candidate EUR 2,000. The data subject had received a call from the controller on her private mobile number prior to the Greek parliamentary elections in July 2019. The call was made for the purpose of promoting the controller's candidacy. The data subject's inquiries regarding the use of her personal data were answered by the controller in a contradictory manner.
DATATILSYNET
Norwegian Supervisory Authority
Accomodation and Hospitalty
Basaren Drift AS
2021-03-21
€19,900.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 19,900 on Basaren Drift AS. The controller had installed video cameras in its premises which recorded both its employees and customers. The Norwegian DPA concluded that the controller had no legal basis for the camera surveillance. In addition, the Norwegian DPA found that the controller did not provide sufficient information on the surveillance to the data subjects.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
Funeda Sp. z o.o.
2021-03-19
€4,900.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 (1) a), e) GDPR
The Polish DPA (UODO) has fined Funeda Sp. z o.o. EUR 4,900 for failing to provide information requested by the DPA during an investigation.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Asesoría Alpi-Clúa S.L.
2021-03-18
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 3,000 on Asesoría Alpi-Clúa S.L.. A client had requested documents from the controller to submit them to the tax authorities. The controller sent her an e-mail that, however, did not contain the documents she had requested, but documents from another client.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-03-16
€60,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 60,000 on Vodafone Spain. The data subject had been a customer of the controller several years ago. After receiving payment reminders from the controller via SMS for services she had never booked, she informed the controller and asked for clarification and deletion of her data. Despite a positive response, she continued to receive the same SMS. The data subject then filed two complaints with the Spanish DPA against Vodafone Spain. Both times, the controller had assured that it had corrected the reason for the incorrect sending and deleted the data of the data subject. Nevertheless, the mailing continued, leading the data subject to file a third complaint. The original fine of EUR 100,000 was reduced to EUR 60,000 due to immediate payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Public Sector and Education
Certime S.A.
2021-03-15
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Certime S.A.. The data subject had renewed her driver's license with the controller in 2009. After her address had changed in 2018, in 2019 she received mail from the controller to her new address without having informed the controller of the adress change. In the letter, the controller informed the data subject that her driver's license would soon expire. In response to a inquiry from the data subject as to where her new contact information came from, the controller informed her that its database was regularly updated using data obtained from the Spanish transport authority DGT (Dirección General de Tráfico). As the data subject had not given consent for such processing of her data, she filed a complaint against the controller with the Spanish DPA. An investigation by the DPA revealed that the company had indeed entered into a contract with DGT. However, DGT had clarified that the purpose of the processing of contact data under the contract was to ensure the accuracy of the address when renewing a driver's license or when issuing medical reports so that it could be sent to the correct address. Nevertheless, the data subjects must request and consequently consent to such a change of address. Since these criteria were not met in the specific case, the DPA found a violation of the purpose limitation principle.
APD
Belgian Data Protection Authority
Public Sector and Education
School
2021-03-15
€1,000.00
Insufficient legal basis for data processing
Art. 5 (1) c) GDPR
Art. 6 (1) GDPR
Art. 8 GDPR
The Belgian DPA (APD) fined a school EUR 1,000. The controller had conducted a survey on student well-being via a smartschooling system. The DPA states that the controller did not obtain the consent of the parents of the minor students and violated the principle of data minimization. The original fine of EUR 2,000 was reduced to EUR 1,000 after the controller appealed the APD's decision.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Cultural association
2021-03-15
€3,000.00
Insufficient legal basis for data processing
Art. 6 (1) a) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 3,000 on a cultural association. The controller had published pictures of a four-year-old child on various groups of the Chinese messenger service WeChat without the consent of the child's parents. The photos show the child taking part in the controller's Chinese lessons. Although the controller tried to obscure the child's face using a digital sticker, it was still partially visible. Also the controller did not respond to the parents' request to delete the photos and apologize to them.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Heredad de Urueña S.A.
2021-03-15
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) fined Heredad de Urueña S.A. EUR 2,000 because its personal data processing policy did not comply with the requirements of Art. 13 GDPR. In addition, the controller did not provide a privacy policy on its website informing users about the processing of their personal data.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Ålesund Municipality
2021-03-15
€4,900.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 24 (1) GDPR
Art. 35 GDPR
The Norwegian DPA (Datatilsynet) imposed a fine of EUR 4,900 on the municipality of Ålesund. At two schools in Ålesund, teachers asked students to download the training app Strava for physical education classes. The students were then given tasks that the teachers controlled via the tracking function. According to the Norwegian DPA's investigation, this resulted in data breaches because the municipality failed to provide standard procedures for privacy-compliant app use in schools. For example, a data protection impact assessment was not carried out, although this would have been necessary in view of the potential risk to the students. In addition, adequate technical and organizational security measures had not been implemented to ensure the protection of the processing.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Air Europa Lineas Aereas, SA.
2021-03-15
€600,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
Art. 33 GDPR
The Spanish DPA (AEPD) fined Air Europa Lineas Aereas, SA. EUR 600,000 after a serious data breach involving unauthorized access to contact details and bank accounts was reported to the AEPD. Approximately 489,000 individuals and 1,500,000 records were affected. The AEPD announced that it had fined the controller EUR 500,000 for a breach of Art. 32 (1) GDPR due to the failure to take appropriate technical and organizational measures to ensure an adequate level of security, and EUR 100,000 for a breach of Art. 33 GDPR for notifying the AEPD of the security breach 41 days late. In determining the amount of the fine, the fact that the incident was not limited to a local area, but affected a large number of people not only in Spain, but also worldwide, and that sensitive banking and financial data were affected, harming several thousand people, was taken into account as an aggravating factor.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Asker Municipality
2021-03-15
€100,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 6 GDPR
Art. 32 (1) b) GDPR
Art. 24 GDPR
The Norwegian DPA (Datatilsynet) has fined the municipality of Asker EUR 100,000. On May 20, 2020, the DPA received a notice that the municipality had unlawfully published personal data on its website. On the website, users could view the names of documents that had previously been sent via the municipality's email distribution list. In addition to the names of the actual document, they also contained the names and dates of birth of 127 people, including children. Although the distribution lists were proofread daily by two people, the municipality had failed to detect the discrepancies. The Norwegian DPA concludes that the data breach occurred partly due to a lack of required routines for handling email lists.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Person
2021-03-12
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has fined a private individual EUR 1,500. The controller had installed a video surveillance camera facing a public thoroughfare and covering parts of the shared patio of an apartment complex. Furthermore, there was no sign in a visible place informing about the presence of the camera (responsible person, purpose, etc.). Finally, the controller had not obtained the consents of the other tenants before putting the camera into operation.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
NBQ Technology, S.A.U.
2021-03-12
€12,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has fined NBQ Technology, S.A.U. EUR 20,000. An identity thief had obtained the data of a third party without authorization and applied for a microcredit from the controller under pretence of the data subject's identity. The controller then approved the loan. Since the data processed in the course of granting the loan did not belong to the loan recipient, but to the data subject, the AEPD determined that the controller did not have a legal basis for processing the data. The processing was therefore unlawful, and a breach of Art. 6 (1) GDPR was affirmed. The original fine of EUR 20,000 was reduced to EUR 12,000 due to immediate payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-03-11
€8,150,000.00
Insufficient fulfilment of data subjects rights
Art. 28 GDPR
Art. 24 GDPR
Art. 44 GDPR
Art. 21 LSSI
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 LOPDGDD
Since 2018, the Spanish DPA (AEPD) had received a total of 191 complaints against Vodafone España, S.A.U. The data subjects complained about advertising calls and messages (e-mail and SMS) made on behalf of Vodafone España as part of marketing campaigns. The contact was made without the prior consent of the data subjects and continued even after they had exercised their right to object. Furthermore, many data subjects were contacted even though their numbers were on the Robinson list.
The AEPD explains that aggravatingly, it took into account that Vodafone España had regularly received fines in more than 50 cases from January 2018 to February 2020, and the fact that there had been 162 complaints received by the AEPD in just under two years.
The fine is composed as follows: EUR 4 million for a breach of Art. 28 GDPR and Art. 24 GDPR; EUR 2 million for a breach of Art. 44 GDPR; EUR 150,000 for a breach of Art. 21 LSSI; and EUR 2 million for a breach of Art. 48 (1) b) LGT, Art. 21 GDPR and Art. 23 LOPDGDD.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di San Marco in Lamis
2021-03-11
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
The Italian DPA (Garante) has imposed a fine of EUR 3,000 on the municipality of San Marco in Lamis. The municipality had uploaded documents containing personal data of the data subject and his family freely accessible on its website. The documents were two orders against the data subject. The documents were related to a proceeding against the data subject concerning construction activities without a building permit and contained the date of birth, place of birth, tax number and address of the data subject and his relatives. The data subject had already asked the municipality in advance to remove the documents from the website. However, the municipality did not comply.
AP
Dutch Supervisory Authority for Data Protection
Public Sector and Education
Municipality of Enschede
2021-03-11
€600,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
The Dutch DPA (AP) has fined the municipality of Enschede EUR 600,000. In 2017, the municipality decided to install special measurement boxes to measure crowds in the city center of Enschede. Sensors in the measurement boxes detected the wifi signals from the cell phones of passers-by and registered them with a code. Based on the registered codes, it was possible to calculate how busy the city center was. However, this also made it possible to track which measurement box a particular cell phone passed by, making it possible to track the movement of passers-by. The municipality states that it was never its intention to track passers-by. However, the DPA finds that the wifi tracking (even if it was unintentional) constitutes a serious breach of the GDPR. The DPA concludes that the municipality tracked its passers-by without an effective legal basis and thus violated Art. 5 (1) a) GDPR and Art. 6 (1) GDPR.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Mediacom s.r.l.
2021-03-11
€15,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
The Italian DPA (Garante) has imposed a fine of EUR 15,000 on Mediacom s.r.l.. The controller carried out advertising calls on behalf of TIM s.p.a.. Several of the calls were made even though the data subjects had not consented, had objected to the advertising calls, or had their numbers on the Robinson list. Garante found that the controller failed to verify the legitimacy of the data in contact lists acquired from third-party companies, as well as to sufficiently ensure that valid consents had been given by the data subjects for corresponding promotional activities.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Planet Group Spa
2021-03-11
€80,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
Art. 21 (2), (3) GDPR
Art. 12 (3) GDPR
Art. 25 (1) GDPR
The Italian DPA (Garante) has imposed a fine of EUR 80,000 on Planet Group Spa. The controller made promotional calls on behalf of TIM s.p.a.. Several of these calls were made even though the data subjects had not consented or had objected to the calls. Garante found that the controller had contacted a total of 47,981 telephone numbers without consent or legal basis. In addition, Garante highlighted that the controller had not respected the data subjects' right to object. In one case, a user had been contacted 155 times in one month, even though he had exercised his right to object.
Data Protection Authority of Baden-Wuerttemberg
Individuals and Private Associations
VfB Stuttgart 1893 AG
2021-03-10
€300,000.00
Non-compliance with general data processing principles
Art. 5 (2) GDPR
The DPA from Baden-Württemberg has imposed a fine of EUR 300,000 on the soccer club VfB Stuttgart 1893 AG for negligent breach of data protection accountability under Art. 5 (2) GDPR. However, the controller has promoted the DPA's investigation and clarification measures through its own initiative and has cooperated extensively with the DPA.
AEPD
Spanish Data Protection Authority
Health Care
Hospital Campogrande DE
2021-03-10
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 10,000 on Hospital Campogrande DE. A patient filed a complaint against the controller with the DPA. The controller had performed an MRI on the patient on September 05, 2019 due to an injury of the right knee. The cost of the examination was covered by the patient's private health insurance. Due to a work-related injury, another MRI of the same knee had to be performed on September 27, 2019. Although the second MRI was performed at another hospital, albeit one belonging to the corporate group, the hospital system also linked the first, privately arranged MRI to the patient's record at the second hospital. The first MRI was provided through the hospital network without any medical justification.
This turned out to be very unfavorable for the patient when, upon presentation of the second MRI, the company physician informed him that he would have to contact his private physician or the social insurance with this injury, since the incident could not be considered an occupational accident. He justified this with the existence of the first MRI, which had a non-occupational cause.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Filigrana Comunicación S.L.U.
2021-03-10
€8,000.00
Insufficient fulfilment of information obligations
Art. 6 (1) GDPR
Art. 13 GPDR
Art. 14 GDPR
The Spanish DPA (AEPD) fined Filigrana Comunicación S.L.U. EUR 8,000. The controller operates a website that provides information on internships offered by the Spanish Ministry of Education and Sports. In addition, the results of various competitions held by the Ministry are published on the site. The controller had compiled and published the data of the participants from publicly available sources without first obtaining the consent of the data subjects. Likewise, the controller had not fulfilled its information obligations to them in accordance with Art. 13 GDPR and Art. 14 GDPR.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Equifax Iberica S.L.
2021-03-10
€50,000.00
Insufficient legal basis for data processing
Art. 6 (1) f) GDPR
The Spanish DPA (AEPD) fined Equifax Iberica S.L. EUR 50,000 for a violation of Art. 6 (1) f) GDPR. The controller had added the data subject to a debtor register without informing her beforehand. The data subject had outstanding payments of rent with her landlord, who had previously sent her corresponding requests for payment. The controller itself had also sent notices to the data subject requesting her to pay the debts. These, however, did not contain any information that the data subject would be entered in the debtors' register in the event of non-payment.
Also, the rental contract of the data subject did not contain any provisions in this regard, which led the DPA to conclude that the controller did not have a legitimate interest within the terms of the GDPR and thus had processed the personal data of the data subject without a legal basis.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2021-03-10
€90,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 17 GDPR
Art. 32 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 150,000 on Xfera Móviles S.A.. The DPA had received two complaints from a data subject.
The first complaint concerned the sending of advertising SMS messages that the data subject received from the controller, although he had objected to this and requested that his data be deleted. According to the data subject, he received over 60 SMS messages within 30 days.
The second complaint was filed by the data subject because the controller repeatedly sent him messages containing confidential data of a third party. This concerned the login information of another customer to a company platform. On the portal, it was possible to view personal information as well as invoices, among other things. Although the data subject had informed the company of this, the incorrect mailing did not end.
The original fine of EUR 150,000 was reduced to EUR 90,000 due to immediate payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2021-03-09
€15,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 15,000 on a homeowners' association. The controller had publicly displayed the record of a homeowners' meeting in the elevator of the building where the participants lived. From the records, the names, floors and apartment numbers of the meeting participants could be obtained, as well as the floors and apartment numbers of neighbors about whom the participants had complained during the meeting. The controller had justified the public notice with the fact that the results of this meeting concerned planned legal actions against some of the residential parties. They were to be informed about this so that they would not be able to claim later that they had not received the relevant notifications. The DPA considers this to be a violation of Art. 5 (1) f) GDPR, which refers to the principles of integrity and confidentiality of personal data.
DATATILSYNET
Norwegian Supervisory Authority
Transportation and Energy
Dragefossen AS
2021-03-08
€14,900.00
Insufficient legal basis for data processing
Art. 5 (1) a) GPDR
Art. 6 (1) GDPR
The Norwegian DPA (Datatilsynet) imposed a fine of EUR 14,900 on the energy company Dragefossen AS. The latter had installed a webcam on the roof of its office building in the center of Rognan which was in operation 24/7 and recorded the city center. These recordings could be viewed via a live video stream on Youtube and on the controller's homepage. In addition, the recordings could be rewound for up to twelve hours.
The area covered by the camera surveillance included a public street, the parking lot and entrance of two grocery stores, a pharmacy, a liquor store, the local bank, city hall, and a number of other buildings.
It was not possible to make out facial details or read license plates on cars due to the image quality and distance from the camera. Nevertheless, the image quality was good enough to be able to identify what type of car the data subjects were driving, what type of clothing they were wearing, what hair color they had, and other personal characteristics. This was sufficient for those watching the live broadcast to identify and track co-workers, colleagues, friends, family, or other acquaintances.
The Norwegian DPA concluded that the live broadcast constitutes a breach of Art. 6 (1) GDPR and Art. 5 (1) a) GPDR.
The decision highlights that the illegal camera surveillance involved a significant number of employees and that many were monitored repeatedly, some on a daily basis. Those who were monitored were on their way to and from work, who needed to buy groceries, medications, or alcohol, or who were in the public area for other reasons. These are activities where the data subjects do not expect to be monitored, and even less they expect the monitoring to be broadcast live on the Internet.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Public Sector and Education
Natural person holding the position of General Secretary for a political party in Bucharest
2021-03-04
€500.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1), (2) GDPR
Art. 58 (1) a), e) GDPR
The Romanian DPA (ANSPDCP) imposed a fine in the amount of EUR 500 against a natural person holding the position of General Secretary for a political party in Bucharest. The controller had published a list on a social network, which contained personal data such as names, signatures, nationalities, dates of birth, postal addresses, of ten supporters of the party. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect the processing of personal data. In addition, the controller had not sufficiently cooperated with the DPA in its investigation.
Data Protection Authority of Sachsen-Anhalt
Individuals and Private Associations
Private Individual
2021-03-03
€0.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 32 GDPR
Original summary: The DPA of Saxony-Anhalt imposed a fine of EUR 200 on a private individual. The controller had taken photos of vehicles and, in some cases, their drivers and emailed them to the city of Magedburg in an unencrypted form as part of reports of violations of the Road Traffic Regulations.
Update: The fine proceedings have been closed.
Cypriot Data Protection Commissioner
Finance, Insurance and Consulting
Hellenic Bank
2021-03-03
€25,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) e), f) GDPR
Art. 32 (1) b), c) GDPR
Art. 33 (1) GDPR
The Cypriot DPA imposed a fine of EUR 25,000 on Hellenic Bank. The bank had closed one of its branches in the city of Nicosia in 2015. When moving out of the space, a safe containing old documents of still existing customers, installed in one of the walls, had been forgotten. As the building was vacant in the following years, the controller only learned about this incident when the property was rented out again for the first time in 2019. The new tenant had found the safe and informed the controller. Bank staff had then retrieved the documents and reported the data breach to the Cypriot DPA. The DPA ultimately concluded that the controller had violated Art. 5 (1) e), f) GDPR, Art. 32 (1) b), c) GDPR, and Art. 33 (1) GDPR.
Cypriot Data Protection Commissioner
Public Sector and Education
Cypriot Real Estate Registration Authority
2021-03-03
€10,000.00
Insufficient fulfilment of information obligations
Art. 12 GDPR
Art. 15 GDPR
Art. 31 GDPR
Art. 58 (1) e) GDPR
The Cypriot DPA imposed a fine of EUR 10,000 on the Cypriot Real Estate Registration Authority. The data subject submitted a written request to the controller requesting various information relating to him personally, exercising the right of access granted to him under Art. 15 GDPR. After the controller failed to respond to the request for information, the data subject filed a complaint with the DPA. In the course of the subsequent investigation by the DPA, the controller also failed to respond to requests by the DPA to comment on the allegation.
Cypriot Data Protection Commissioner
Real Estate
KEPIDES
2021-03-03
€6,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (4)
The Cypriot DPA imposed a fine of EUR 6,000 against KEPIDES (real estate company). The controller had submitted a list of buyers of the properties it manages to a parliamentary committee. However, the controller had failed to anonymize the list, as a result of which the names of the data subjects were transmitted.
Cypriot Data Protection Commissioner
Employment
Electricity Authority of Cyprus
2021-03-03
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 9 (2) GDPR
The Cypriot DPA imposed a fine of EUR 40,000 on the Electricity Authority of Cyprus. The controller used an automated system based on the so-called Brad-Factor to manage, monitor and control employee absences due to illness using a tool assessment. The DPA found that such an assessment mechanism was not covered by Cypriot labor law and had therefore been used unlawfully. Furthermore, an option for data subjects not to consent to such automated processing of their personal data should have been provided.
DATATILSYNET
Norwegian Supervisory Authority
Employment
Unknown
2021-03-02
€24,400.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) fined a company NOK 250,000 (EUR 24,400). The controller ordered an employee to set up an automatic forwarding of his/her employee email account to a shared company account. The reason given for this was to improve the company's operations. The DPA found that the controller had no legal basis to order such automatic forwarding. It therefore acted unlawfully.
AEPD
Spanish Data Protection Authority
Not assigned
Unknown
2021-03-02
€9,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 9,000 on a website operator. The controller had published photos of the data subject on its website without the consent of the data subject. Also, the website in question did not contain a privacy statement. The fine is composed as follows: EUR 5,000 for a violation of Art. 6 GDPR and EUR 4,000 for a violation of Art. 13 GDPR.
VDAI
Lithuanian Data Protection Authority
Public Sector and Education
Registrų Centras
2021-03-02
€15,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), c) GDPR
The Lithuanian DPA (VDAI) imposed a fine of EUR 15,000 on Registrų Centras. The controller is a company which manages several Lithuanian registers. The company suffered a data breach that affected 22 of these registers. During its investigation, the DPA found that the controller had not implemented adequate technical and organizational measures to protect the processing of personal data. The measures implemented by the controller were clearly not sufficient to ensure the continuous integrity, availability and resilience of the data, nor to restore the availability of the data after incidents.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
I-DE Redes Eléctricas Inteligentes, S.A.U
2021-03-02
€200,000.00
Non-compliance with general data processing principles
Art. 5 (1) b), c) GDPR
Art. 6 (1) b) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on I-DE Redes Eléctricas Inteligentes, S.A.U. The DPA received complaints from Waitum, S.L. and Servicios Aby 2018, S.L. because their customers had received letters from the controller. Both companies had previously transferred their customers' personal data to the controller under a network access agreement entered into with the controller. Under this agreement, the two companies acted as representatives of their respective customers, who were supplied with electricity by the controller. In the letters sent, the controller mentioned, among other things, alleged breaches of contract and non-payment by the companies to the controller.
In the course of its investigations, the DPA determined that the sending of these letters was neither related to nor necessary for the performance of the respective contract. The controller had therefore violated the principles of purpose limitation and data minimization, so that the sending of these letters constituted unlawful processing of the customers' personal data.
VDAI
Lithuanian Data Protection Authority
Public Sector and Education
Nacionaliniam visuomenės sveikatos centrui (NVSC)
2021-02-26
€12,000.00
Non-compliance with general data processing principles
Art. 5 (1), (2) GDPR
Art. 13 GDPR
Art. 24 GDPR
Art. 32 GDPR
Art. 35 GDPR
Art. 58 (2) f) GDPR
The Lithuanian DPA (VDAI) imposed a fine of EUR 12,000 on the Lithuanian National Health Service (NVSC). The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The IT company 'IT sprendimai sėkmei' had developed the app, which was then used by the NVSC.
In the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app's privacy policy.
VDAI
Lithuanian Data Protection Authority
Industry and Commerce
IT sprendimai sėkmei
2021-02-26
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1), (2) GDPR
Art. 13 GDPR
Art. 24 GDPR
Art. 32 GDPR
Art. 35 GDPR
Art. 58 (2) f) GDPR
The Lithuanian DPA (VDAI) imposed a fine of EUR 3,000 on the company 'IT sprendimai sėkmei'. The DPA had opened an investigation regarding a quarantine app introduced in Lithuania during the COVID-19 pandemic in spring 2020. The controller had developed the app, which was then used by the Lithuanian National Health Service.
In the course of the investigation, the DPA found that during the app's period of use, the data of a total of 677 individuals had been processed in varying degrees. The app was able to collect data such as the name, address and phone number of the data subjects. The DPA concluded that the controller had not taken sufficient technical and organizational measures to protect the data processing. Furthermore, a data protection impact assessment was not carried out, although this would have been necessary in particular because the app also processed special categories of personal data including health data. The DPA further stated that the controller had provided non-transparent and incorrect information in the app's privacy policy.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Istituto Nazionale Previdenza Sociale (INPS)
2021-02-25
€300,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), d) GDPR
Art. 25 GDPR
Art. 35 GDPR
Original fine summary: The Italian DPA (Garante) imposed a fine of EUR 300,000 on the Istituto Nazionale Previdenza Sociale (INPS). The Italian National Institute for Social Security had been tasked with anti-fraud investigations related to COVID-19 relief funds. After press reports raised problems with the institute's data processing practices around the application review of politicians, the Italian DPA opened an investigation against INPS in August 2020. During that investigation, the DPA identified several violations.
The controller had collected data on tens of thousands of politicians from public sources and cross-checked it with data from applicants. In doing so, however, the controller had failed to ensure that data was collected only from those politicians who were eligible to receive the assistance funds. In doing so, the controller violated the principles of lawfulness, fairness, and transparency as set out in the GDPR.
Furthermore, the controller had violated the principle of data minimization by initiating checks on reimbursements even for individuals whose applications had been rejected and who had therefore never received payments.
Furthermore, the controller had not adequately assessed the risks associated with a data processing operation as sensitive as that on applications for social benefits, since it had not carried out an impact assessment on the rights and freedoms of the data subjects. Update: Following an appeal presented by INPS the judge of the XVIII civil section of the Court of Rome annulled the fine of EUR 300,000.
GARANTE
Italian Data Protection Authority
Employment
Comune di Conflenti
2021-02-25
€2,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
The Italian DPA (Garante) imposed a fine of EUR 2,000 on the municipality of Conflenti. A former employee of the municipality filed a complaint with the DPA because a document containing her personal data, including information about her employment with the municipality and an excerpt from the termination letter, was published on the municipality's website.
GARANTE
Italian Data Protection Authority
Employment
Comune di Commezzadura
2021-02-25
€6,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 9 GDPR
The Italian DPA (Garante) imposed a fine of EUR 6,000 on the municipality of Commezzadura. A former employee of the municipality filed a complaint with the DPA because a document containing his personal data was published on the municipality's website. The document contained the confirmation and acceptance of the employee's voluntary termination of employment and information about the employment relationship at that time, including evaluations of his work and information about his health. The data subject also complained that this information had been mentioned in an article in a newspaper. In particular, the article discussed the end of employment and quoted a statement by the mayor of the municipality referring to the fact that the data subject had asked for flexible working hours and had been absent from work during the Christmas vacations due to illness.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Gedi Gruppo Editoriale S.p.A.
2021-02-25
€20,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
The Italian DPA (Garante) has fined Gedi Gruppo Editoriale S.p.A. 20,000 euros. The controller had published photos in its newspaper of people who were in custody in connection with a murder. The photos showed the accused in handcuffs and had been taken without their consent. Although some of the photos had been pixelated around the handcuffs, the faces of the defendants remained visible, allowing them to still be identified. The DPA had ordered the controller in advance to refrain from further use of these photos. The DPA imposed the fine because the controller had not complied with this order.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Ministero dell’Istruzione, Ufficio Scolastico Regionale per il Lazio
2021-02-25
€4,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 4,000 on the Lazio Region School Authority. A parent had filed a complaint against the school authority for forwarding data of his disabled son to the Office of Public Administration. The data forwarded included, among other things, information about the child's health condition. The parent had previously complained of irregularities in the allocation of support hours for students with disabilities at the school I.C.G. Pitocco of Castelnuovo di Porto. The school authority had then transmitted the data in order to clarify the allegation. The DPA, however, found that the transfer had taken place without a legal basis.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Ospedaliera Universitaria Careggi
2021-02-25
€6,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 6,000 on Azienda Ospedaliera Universitaria Careggi for a breach of Art. 5 GDPR and Art. 9 GDPR. Azienda Ospedaliera Universitaria Careggi had notified the DPA of a data breach under Art. 33 GDPR regarding the transfer of health data to the wrong person. Medical documents of a patient had been sent by mail both to the affected patient and to another patient. The controller states that the incident occurred due to an error in the printing process. The ward where the affected patient was treated was only equipped with two printers, and one doctor had unknowingly also taken a colleague's print job (the affected patient's documents) when taking out his print job (the documents of the wrong recipient).
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Avilon Center 2016 S.L.
2021-02-24
€12,000.00
Insufficient fulfilment of data subjects rights
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 (4) LOPDGDD
The Spanish DPA (AEPD) imposed a fine of EUR 20,000 on Avilon Center 2016 S.L. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list. The original fine of EUR 20,000 was reduced to EUR 12,000 due to immediate payment and admission of responsibility.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Security company (name not available at the moment)
2021-02-22
€NaN
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), d) GDPR
Art. 32 (2), (4) GDPR
A data controller using the services of the security company reported the breach of personal data to the DPA, arising after an employee of the security company recorded the video surveillance footage with a phone and shared it with third party. The recording was ultimately made available on social media and in the media. The DPA found that the security company as a data processor enabled the breach by not maintaining adequate and sufficient technical and organizational measures for personal data security for more than two and a half years. Moreover, the processor has not foreseen or implemented adequate technical security measures following the incident to prevent or minimize the risks. One data subject was consequently exposed to insults and ridicule in the public and the security company has not taken any action to remove the recording from social networks and media. The amount of the fine is unknown at the moment, but the DPA clarified which aggravating circumstances it has taken into consideration when determining the fine – (i) the fact that the processor did not fulfil its obligation to inform the controller of the incident as required by the Art 33 (2) GDPR and (ii) the fact that the basic activity of the company is the provision of physical and technical protection, which includes the use of video surveillance. The DPA also noted that the fined security company is one of the leading companies in Croatia in that activity and as such should be the relevant entity in providing opinions, guidelines, advice and propose solutions to controllers on the use of the video surveillance system and give an example to its work and pay greater attention to it than others.
AEPD
Spanish Data Protection Authority
Industry and Commerce
The Washpoint S.L.
2021-02-16
€1,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 1,000 on The Washpoint S.L. for the lack of a privacy policy on its website, in violation of Art. 13 GDPR.
DATATILSYNET
Danish Data Protection Authority
Industry and Commerce
IDdesign A / S
2021-02-12
€13,450.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
Art. 5 (2) GDPR
Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the deadline for the information had been reached. Also, the controller had not adequately documented its personal data deletion procedures.
Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
Update: On February 12, 2021 the Aarhus District Court decided to impose a fine against IDdesign in the amount of EUR 13,450. With regard to the calculation of the fine, the court disagreed with the proposed amount of the fine. It concluded that the amount should be calculated on the basis of the company's own turnover and not that of the entire group. In addition, the court considered that the mitigating circumstances under Art. 83 (2) GDPR should be taken into account when calculating the fine. Such as that the company had not previously breached the GDPR, as well as that the breach concerned only general personal data. In addition, no data subject suffered damages as a result of the breach. Finally, the court considers that the negligent nature of the breach should be taken into account.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, SAU
2021-02-12
€120,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on Vodafone España, S.A.U. A former customer had received e-mails containing electronic bills even after he had terminated his contract with the controller resulting in a processing of personal data without sufficient legal basis. The data subject states that he still receives e-mails from the controller, although he has already objected to this several times and the controller has already received a fine twice for exactly these facts. The fine imposed this time is this high because the infringement was classified as very serious by the Spanish DPA. Among other things, because this was already the third violation in this matter. The original fine of EUR 200,000 was reduced for both immediate payment and admission of responsibility to EUR 120,000.
AEPD
Spanish Data Protection Authority
Accomodation and Hospitalty
Ripobruna 207, S.L.
2021-02-12
€1,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 2,000 against Ripobruna 207, S.L. (restaurant) for the unauthorized use of two video surveillance cameras that also recorded parts of the public space without any justified cause. The original fine of EUR 2,000 was reduced for immediate payment to EUR 1,600.
