A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Each entry lists the following fields, one per line:
Data Protection Authority (abbreviation)
Data Protection Authority Name
Sector
Fined Company
Date
Fine
Violation
Articles
Description
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vamavi Phone S.L.
2021-02-11
€24,000.00
Insufficient fulfilment of data subjects rights
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 LOPDGDD
Art. 28 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Vamavi Phone S.L.. The data subject had received an advertising call from the controller made on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and admission of responsibility.
AP
Dutch Supervisory Authority for Data Protection
Health Care
OLVG
2021-02-11
€440,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Dutch DPA (AP) imposed a fine of EUR 440,000 on the Amsterdam hospital OLVG. The controller had taken insufficient measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. The controller did not check adequately who had access to which file, nor did it ensure that the computer system was sufficiently secured. As a result, working students and other employees, among others, were able to access patient files without this being necessary for their work. Besides medical records, the patient files also contained the social security numbers, addresses and telephone numbers of the data subjects.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Krajowa Szkoła Sądownictwa i Prokuratury
2021-02-11
€22,200.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 25 (1) GDPR
Art. 28 (3) GDPR
Art. 32 (1), (2) GDPR
The Polish DPA (UODO) fined Krajowa Szkoła Sądownictwa i Prokuratury (National School of Justice and Prosecution) EUR 22,200. UODO launched an investigation against the controller after it reported a data breach on its training platform website. During a test migration to the new platform, the data of more than 50,000 individuals had been exposed on the Internet. Among other things, this included the names, user names, postal and e-mail addresses, telephone numbers, units and departments of the data subjects. UODO found that the controller had not taken adequate technical and organizational measures to ensure the confidentiality of the data processed. In addition, the contract that the controller had concluded with the company entrusted with the processing of the data did not comply with the legal requirements. For example, the contract did not contain information about which categories of data would be processed.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Ministero dello Sviluppo Economico
2021-02-11
€75,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
Art. 37 (1), (7) GDPR
The Italian DPA (Garante) has fined the Ministry of Economic Development (Ministero dello Sviluppo Economico) EUR 75,000 for failing to appoint a data protection officer by May 28, 2018, and for publishing personal data of more than five thousand managers on its website.
In Italy, small and medium-sized companies that had previously received a relevant voucher could book advice on technological and digital processes from experienced business professionals, through the controller. The Italian DPA launched an investigation against the controller after it became known that personal data of more than five thousand managers who had made themselves available for corresponding consultations were freely accessible on its website. The personal data, such as name, tax number, e-mail, full CV and in some cases a copy of the identity card and health card of the data subjects, was publicly visible and could be freely downloaded. On the website, it was also possible to download the directorate resolution that had approved the list, which included the data and information of all the directors. The DPA found that the processing was unlawful and that the directorate resolution referred to by the controller did not constitute an adequate legal basis for the disclosure of online data.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Fondazione di religione e di culto “Casa sollievo della sofferenza” Opera di San Pio da Pietrelcina
2021-02-11
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the Foundation for Religion and Worship 'Casa sollievo della sofferenza' Opera di San Pio da Pietrelcina. On January 31, 2020, the controller notified the DPA of a personal data breach under Art. 33 GDPR. Documents containing information about the health status of the data subject had been accidentally sent by mail to the wrong addressee. This had happened due to a mix-up: An invoice had previously been sent not to the data subject, but to another person with the same name, whose address had then been used for further correspondence with the data subject.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Roma Capitale
2021-02-11
€350,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 6 GDPR
Art. 28 GDPR
Art. 32 GDPR
The Italian DPA (Garante) fined the city of Rome EUR 350,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether the particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff but anyone could scan the codes and access the information, as it only required an ordinary QR scanner. The information stored in the system included, for example, the name of the user and the license plate number of the vehicle. In addition, the DPA found that the city of Rome had used the services of a provider for the hosting and maintenance of databases without a proper agreement as required by Art. 28 GDPR.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Roma Servizi per La Mobilita S.r.l.
2021-02-11
€60,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Italian DPA (Garante) fined Roma Servizi per La Mobilita S.r.l. EUR 60,000 for failing to take adequate technical and organizational measures regarding the data of citizens who had obtained permits to access restricted traffic areas. The controller was acting as a processor for the city of Rome. As part of this activity, it processed the data of individuals who held permits for restricted traffic areas. The permits were verified by scanning QR codes located on badges affixed to windshields. This allowed city staff to verify in real time whether the particular vehicle was allowed to be in the zone and to whom the permit had been issued. However, according to the DPA, not only city staff but anyone could scan the codes and access the information, as it only required an ordinary QR scanner. The information stored in the system included, for example, the name of the user and the license plate number of the vehicle. The DPA notes that the controller did not analyze the risk associated with the data processing and, as a result, did not implement adequate measures to protect the processing.
GARANTE
Italian Data Protection Authority
Health Care
Istituti ospedalieri bergamaschi
2021-02-11
€45,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a), f) GDPR
Art. 9 GDPR
Art. 32 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 45,000 on Istituti ospedalieri bergamaschi. The DPA initiated an investigation against the controller after it reported a data breach to the DPA. A patient had mistakenly received medical records and clinical documentation from seven other patients in his digital medical record.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
ING Bank N.V. Amsterdam - Bucharest office
2021-02-10
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 29 GDPR
Art. 32 (2), (4) GDPR
The Romanian DPA (ANSPDCP) imposed a fine of EUR 1,000 on ING Bank N.V. Amsterdam - Bucharest Branch. It was found that the controller had sent files to a contractual partner in order to issue insurance policies. The sent files contained outdated information, as employees of the insurance policy monitoring department had not checked and processed the insurance policies according to the work process, which affected 270 people. Considering these aspects, it was found that the technical and organizational measures taken by the controller were insufficient, which resulted in the breach of confidentiality of personal data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Predase Servicios Integrales S.L.
2021-02-09
€5,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The company website did not present a privacy policy on its main page, nor did it provide the information required by Art. 13 GDPR.
DSI
Data State Inspectorate
Industry and Commerce
Lursoft IT SIA
2021-02-09
€65,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Latvian DPA (DSI) fined Lursoft IT SIA EUR 65,000 for the illegal processing of personal data by publishing documents containing personal data on its website 'www.lursoft.lv'. The DPA found that the controller had made parts of the non-public company register, which contained, among other things, personal data, publicly available.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Patio Ancestral S.L.
2021-02-08
€3,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on Patio Ancestral S.L.. The complainant worked for a construction company and had carried out some renovation work for the controller. During these works, damage had been caused to the controller's properties. The controller had then sent a letter with claims for damages not only to the complainant but also to the complainant's father, who had previously been employed by the same construction company. However, the father was an uninvolved third party in this case. The Spanish DPA found that the processing of the father's personal data for this reason had taken place without a legal basis. The original fine was reduced to EUR 3,000 due to immediate payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Person
2021-02-08
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a private individual EUR 5,000 for illegal camera surveillance. The data subject had rented two rooms in the apartment of the controller. The controller had installed a video camera in the apartment and stated that it was installed exclusively for security purposes and also only monitored the area of the entrance door. However, it turned out that the camera was oriented in such a way that it also recorded other parts of the apartment, such as the living room. The Spanish DPA states that this constitutes an unjustified invasion of the privacy of the data subject.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Person
2021-02-04
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Unauthorized use of two video surveillance cameras that also recorded parts of the public space, such as sidewalks and properties behind those.
AP
Dutch Supervisory Authority for Data Protection
Health Care
Orthodontic Clinic
2021-02-04
€12,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Dutch DPA (AP) has fined an orthodontic clinic EUR 12,000. The web form that new patients used to sign up contained mandatory fields for all sorts of patient personal data. The data that the patients (mostly children) entered into the form was then sent to the orthodontic clinic via an unencrypted - and thus unsecured - connection. This presented the risk of unauthorized third parties accessing the personal data of the data subjects.
DATATILSYNET
Norwegian Supervisory Authority
Employment
Cyberbook AS
2021-02-03
€19,300.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) fined Cyberbook AS NOK 200,000 (EUR 19,300) for the illegal automatic forwarding of e-mails from a former employee. The forwarding took place for several months without the data subject being informed.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Iberdrola Clientes
2021-02-03
€100,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) d) GDPR
Art. 17 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 100,000 on Iberdrola Clientes, SAU. The data subject had terminated an existing contract with the controller due to a move and therefore requested the deletion of his/her data. This request was rejected by the controller with reference to outstanding invoices. It turned out that the controller had sent the bills to the old address of the data subject. Even after the data subject informed the controller of the change of address, new notices regarding the deletion request and invoices were sent to the old address.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2021-02-01
€24,000.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Xfera Móviles S.A.. The data subject had complained to the AEPD about a violation of his/her right to information. The AEPD then issued a request to the controller to comply with the data subject's request for information within a period of 10 days and to prove this to the AEPD. However, the controller did not comply with the request within the deadline. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and admission of responsibility by the controller.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
IDFINANCE Spain, S.L.
2021-02-01
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on IDFINANCE Spain S.L.. A person had received a debt collection email from IDFinance that contained a link for the payment of an invoice directly through the controller's website. Via the link, the person was able to view the personal data of another customer. The original fine of EUR 5,000 was reduced to EUR 3,000 due to immediate payment and admission of responsibility.
CNIL
French Data Protection Authority
Industry and Commerce
Unknown
2021-01-27
€150,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The French DPA (CNIL) fined a company and its subcontractor EUR 150,000 and EUR 75,000 for failing to take sufficient measures against credential stuffing attacks on the company's website.
Between June 2018 and January 2020, the CNIL received several notifications of personal data breaches related to a website where several million customers regularly shop. In response, the CNIL decided to investigate the company and its subcontractor entrusted with the management of this website.
In the course of its investigations, the CNIL found that the website in question had been subjected to numerous waves of credential stuffing attacks. In this type of attack, a malicious person obtains lists of 'unencrypted' identifiers and passwords published on the Internet, usually after a data breach. Assuming that users frequently use the same password and username (email address) for different services, the attacker will use 'bots' to try to log in to a large number of websites. If the authentication is successful, this will allow the attacker to see the information associated with those accounts.
The CNIL found that the attackers were able to obtain the following information: Surname, first name, email address and date of birth of customers, as well as their loyalty card number and balance, and information related to their orders.
The CNIL considers that the two companies had breached their obligation to maintain the security of customers' personal data under Article 32 of the GDPR.
In fact, the companies were slow to take effective action against these repeated attacks. They had decided to focus their response strategy on developing a tool to detect and block attacks launched by robots. However, the development of this tool took a year from the first attacks. In the meantime, a number of other measures with faster impact could have been considered to prevent further attacks or mitigate the negative impact on individuals. As a result of this lack of diligence, the data of approximately 40,000 website customers was made available to unauthorized third parties between March 2018 and February 2019.
CNIL
French Data Protection Authority
Industry and Commerce
Unknown
2021-01-27
€75,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The French DPA (CNIL) fined a company and its subcontractor EUR 150,000 and EUR 75,000 for failing to take sufficient measures against credential stuffing attacks on the company's website.
Between June 2018 and January 2020, the CNIL received several notifications of personal data breaches related to a website where several million customers regularly shop. In response, the CNIL decided to investigate the company and its subcontractor entrusted with the management of this website.
In the course of its investigations, the CNIL found that the website in question had been subjected to numerous waves of credential stuffing attacks. In this type of attack, a malicious person obtains lists of 'unencrypted' identifiers and passwords published on the Internet, usually after a data breach. Assuming that users frequently use the same password and username (email address) for different services, the attacker will use 'bots' to try to log in to a large number of websites. If the authentication is successful, this will allow the attacker to see the information associated with those accounts.
The CNIL found that the attackers were able to obtain the following information: Surname, first name, email address and date of birth of customers, as well as their loyalty card number and balance, and information related to their orders.
The CNIL considers that the two companies had breached their obligation to maintain the security of customers' personal data under Article 32 of the GDPR.
In fact, the companies were slow to take effective action against these repeated attacks. They had decided to focus their response strategy on developing a tool to detect and block attacks launched by robots. However, the development of this tool took a year from the first attacks. In the meantime, a number of other measures with faster impact could have been considered to prevent further attacks or mitigate the negative impact on individuals. As a result of this lack of diligence, the data of approximately 40,000 website customers was made available to unauthorized third parties between March 2018 and February 2019.
APD
Belgian Data Protection Authority
Industry and Commerce
Family Service / N.D.P.K. nv.
2021-01-27
€50,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 13 GDPR
Art. 24 GDPR
Art. 25 GDPR
Art. 28 GDPR
The Belgian DPA imposed a fine of EUR 50,000 on Family Service / N.D.P.K. nv. The controller is an advertising agency that, among other things, sends expectant mothers gift boxes containing various discount vouchers, product samples and information about pregnancy and birth. The box items are provided by third parties, to whom the controller subsequently transfers the recipients' contact data for marketing purposes. The consent of the recipients to this transfer and to subsequent advertising measures by the third parties is obtained in advance by the controller for this purpose. A data subject filed a complaint with the Belgian DPA because, although she had revoked her previously given consent, she nevertheless continued to receive advertising calls from third parties to whom the controller had transmitted her data.
GARANTE
Italian Data Protection Authority
Health Care
Azienda USL della Romagna
2021-01-27
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), d), f) GDPR
Art. 9 GDPR
Art. 32 (1) b) GDPR
The Italian DPA (Garante) imposed a fine of EUR 50,000 on Azienda USL della Romagna. Upon her arrival at the gynecology unit of a hospital operated by the controller (for the purpose of an abortion), a patient had explicitly asked the controller not to share her health data with third parties. She had separately left a telephone number for the purpose of being contacted. After the patient was discharged, a nurse tried to contact her in order to inform her about further therapy. However, the nurse did not use the telephone number provided by the patient specifically for this purpose, but instead used her home telephone number, which she was able to obtain from the patient file. When the patient's husband took the call instead of her, the nurse informed him about her treatment, contrary to the patient's request. Even though no further medical information was provided, it was clear from the conversation that the data subject had been admitted to this unit and was to receive further therapy.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Ospedaliero Universitaria Senese
2021-01-27
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) fined Azienda Ospedaliero Universitaria Senese EUR 50,000. The controller, a hospital, had reported to the Italian DPA that a couple's medical report had been mistakenly sent to an uninvolved third party. The report contained information about a genetic consultation and the health status and sex life of the data subjects. The incident occurred due to an error in packaging the letter, according to a statement from the controller.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Ospedaliero Universitaria di Parma
2021-01-27
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) fined Azienda Ospedaliero Universitaria di Parma EUR 50,000. The controller, a hospital, had reported two data breaches to the Italian DPA in which patient data was mistakenly disclosed to third parties. In the first incident, parents found the report of a microbiological examination of another patient in the file of their minor child. The report revealed the data subject's name, tax number, address, birth date and various health data. In the second incident, the heir of a patient received the health report of another patient, which contained the name and birth date as well as data on the health status of the data subject.
GARANTE
Italian Data Protection Authority
Public Sector and Education
City of Rome (Roma capitale)
2021-01-27
€10,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
Art. 2-ter (1), (3) Codice della privacy
The Italian DPA has imposed a fine of EUR 10,000 on the city of Rome (Roma capitale). The city had published a document on the municipal website stating that a mother had not paid canteen fees. The document contained personal data of the mother and her minor child. The city stated that, in the absence of a permanent address of the mother to which the notice could have been sent, it had published the document to notify the homeless mother of the debt. However, the DPA found that this could not be considered a sufficient legal basis for processing the personal data, and thus the city unlawfully processed the data.
APD
Belgian Data Protection Authority
Media, Telecoms and Broadcasting
Unknown
2021-01-22
€25,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f), (2) GDPR
Art. 24 GDPR
Art. 32 GDPR
Art. 33 (1), (5) GDPR
Art. 34 (1) GDPR
The Belgian DPA fined a mobile operator EUR 25,000. The controller had assigned the data subject's phone number to an unauthorized third party, causing the data subject to lose access to his/her phone number. As the SIM card of the data subject had been deactivated, that would have allowed the third party to access various personal data of the data subject in the period between September 16 and September 19, 2019, such as call history and accounts of various services (e.g. Paypal, WhatsApp and Facebook) associated with the number.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Alterna Operador Integral S.L.
2021-01-21
€50,000.00
Insufficient legal basis for data processing
Art. 6 (1) b) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 50,000 on Alterna Operador Integral S.L.. A switch of the electricity supplier had taken place without the consent of the data subject. The personal data of the data subject were incorporated into the information systems of the controller (the new electricity supplier) without the controller having verified that a valid contract had been concluded. The processing of the data subject's personal data thus took place without a legal basis.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica Móviles España, SAU
2021-01-21
€75,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 75,000 on Telefónica Móviles España, SAU. The controller had assigned five telephone lines with five numbers to the data subject as part of a mobile phone contract. One of the numbers was used by her son. When he was no longer able to use the mobile data, he contacted the controller. The controller informed him that the mobile data had been deactivated because the number was no longer in his possession. It turned out that unauthorized third parties had pretended to be the data subject and had the number transferred to a third party without the controller requiring authentication for this. Thereupon the unauthorized third parties had requested and received a replacement SIM card under the pretense of an alleged loss or theft. As a result, the son's SIM card was blocked.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Individual
2021-01-20
€1,200.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The controller installed cameras on his building, which were directed towards parts of the public space. However, no recording took place, as the cameras only served as a deterrent and remained inactive. The DPA notes, however, that even simulated video surveillance has an impact on the privacy of the data subjects, as they are led to believe that they are being permanently recorded by the cameras. According to the DPA, this has an intimidating effect. Therefore, the orientation of the cameras to the public space was also improper in this case. The DPA imposed a fine of EUR 2,000 on the controller, which was reduced to EUR 1,200 due to immediate payment and acknowledgement of guilt.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Aquateknikk AS
2021-01-19
€9,700.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) fined Aquateknikk AS NOK 100,000 (EUR 9,700). The controller had carried out a credit rating on an individual without there being a customer relationship or other affiliation. The personal data of the data subject was thus processed without a legal basis.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Anwara Sp. z.o.o.
2021-01-15
€4,600.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 (1) a) GDPR
The Polish DPA (UODO) fined the company Anwara Sp. z.o.o. EUR 4,600. The controller had not cooperated with the DPA and had not provided it with all the information necessary for an investigation. The controller twice ignored written requests for explanations regarding a procedure to investigate a complaint filed by an individual. Although the letters were properly delivered, the company neither responded nor gave any reasons for its failure to do so.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Coop Finnmark SA
2021-01-14
€38,600.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) fined Coop Finnmark SA NOK 400,000 (EUR 38,600). The manager of the store in question recorded CCTV footage with a mobile phone and shared the video. The Norwegian DPA states that Coop Finnmark had no legal basis for sharing the CCTV footage. The DPA notes that the case is very serious as the footage showed children, which poses a potentially high risk to their privacy.
GARANTE
Italian Data Protection Authority
Regional Environmental Protection Agency of Campania (ARPAC)
€8,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Italian DPA (Garante) imposed a fine of EUR 8,000 on the Regional Environmental Protection Agency of Campania (ARPAC). An external hard drive containing personal data had been stolen from the controller. Among other things, it contained copies of identity documents, tax records and payroll records. During the investigation, the DPA discovered that the hard drive had been located in a room to which all of the controller's employees had access. In addition, the controller did not back up the affected data, so it was irrevocably lost. Consequently, the DPA concluded that the controller violated the duty to implement appropriate technical and organizational measures to ensure the security of data processing.
GARANTE
Italian Data Protection Authority
Employment
Azienda sanitaria provinciale di Enna
2021-01-14
€30,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 9 GDPR
The Italian DPA (Garante) imposed a fine of EUR 30,000 on Azienda sanitaria provinciale di Enna. The controller processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis.
GARANTE
Italian Data Protection Authority
Health Care
Poliambulatorio Talenti S.r.l.
2021-01-14
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 15 GDPR
The Italian DPA (Garante) fined Poliambulatorio Talenti S.r.l. EUR 2,000 for failing to respond to the data subject's request for access to his and his daughters' data in a timely manner.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Usl di Bologna
2021-01-14
€18,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) fined Azienda Usl di Bologna EUR 18,000. In a hospital operated by the controller, 49 patients in the oncology ward received discharge letters with detailed pharmacological therapy information that originated from other patients. Fourteen of these patients had already accessed this incorrect documentation before it was corrected. The mix-up had occurred due to a manual error by a technician.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Regione Lazio
2021-01-14
€75,000.00
Insufficient data processing agreement
Art. 5 (2) GDPR
Art. 28 GDPR
The Italian DPA (Garante) has fined Regione Lazio (Lazio Region) EUR 75,000 for failing to designate Capodarco, the company it entrusted with the management of reservations for healthcare services in 1999, as a data processor. The controller had not entered into a contract with Capodarco that would have governed its role as data processor in accordance with the requirements of data protection law. Thus, a proper contract for commissioned processing had not been concluded until 2019, which meant that data had been processed unlawfully for a period of about 20 years.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Caixabank S.A.
2021-01-13
€6,000,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 13 GDPR
Art. 14 GDPR
The Spanish DPA (AEPD) fined Caixabank S.A. EUR 6,000,000 for violations of Art. 6 GDPR, Art. 13 GDPR and Art. 14 GDPR.
Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers' personal data to all companies within the CaixaBank Group. At the same time, the data subjects were not given the option of specifically not consenting to this transfer. Instead, if they wished to disagree with the transfer of their data, they were required to send a letter of disagreement to each individual company in the group.
The DPA concluded that the bank had violated its information obligations as set out in Art. 13 GDPR and Art. 14 GDPR, as the information provided to customers under the privacy policy was not consistent, contained imprecise terminology, and did not provide sufficient information on the type of personal data processed and the nature of the processing. Also, the information on the rights of the data subjects as well as the contact information of the controller were not provided in a consistent manner.
Furthermore, the DPA noted that the controller had processed its customers' data beyond its legitimate interests, partly without a legal basis, and that the consent it obtained from customers did not meet the requirements of an effective consent. In addition, deficiencies in the company's procedures allowed it to obtain the consent of customers to process their personal data. The DPA further concluded that, as a result, the data was unlawfully transferred to the companies of the CaixaBank Group. This constitutes a violation of Art. 6 GDPR.
DATATILSYNET
Norwegian Supervisory Authority
Employment
Unknown
2021-01-12
€38,600.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) fined a company NOK 400,000 (EUR 38,600) for the illegal automatic forwarding of an employee's email inbox. The automatic forwarding was activated in connection with the employee's sick leave and lasted for more than a month.
APD
Belgian Data Protection Authority
Media, Telecoms and Broadcasting
Unknown
2021-01-12
€10,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 12 (3) GDPR
Art. 21 (1) GDPR
The Belgian DPA (APD) fined an unnamed controller EUR 10,000 for managing a fan page on Facebook without the data subject's permission and for failing to comply with the data subject's request after he or she had exercised the right to object.
UODO
Polish National Personal Data Protection Office
Transportation and Energy
Enea S.A.
2021-01-11
€30,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
The Polish DPA (UODO) fined Enea S.A. EUR 30,000 for the controller's failure to report a personal data breach, in violation of Art. 33 (1) GDPR. The DPA received information about a personal data breach from a person who had become an unauthorized recipient of personal data. The breach consisted of sending an email with an unencrypted, non-password protected attachment that contained personal data of several hundred individuals. The sender of the email was an employee of the sanctioned controller.
Data Protection Authority of Niedersachsen
Employment
notebooksbilliger.de
2021-01-08
€10,400,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The DPA of Lower Saxony (LfD Niedersachsen) imposed a fine of EUR 10.4 million on the electronics retailer notebooksbilliger.de. The company had video-monitored its employees for at least two years without having a legal basis for doing so. Among other places, the cameras covered workplaces, sales areas, warehouses and recreation areas. The company stated that the purpose of the installed video cameras was to prevent and investigate criminal acts and to track the movement of goods in the warehouses. However, to prevent theft, a company must first consider milder methods. Moreover, video surveillance to detect criminal acts is only permitted if there is a reasonable suspicion against specific persons. If this is the case, it may be permissible to monitor them with cameras for a limited period of time. At notebooksbilliger.de, however, the video surveillance was neither limited to a specific period nor to specific employees. In addition, the recordings were stored for 60 days in many cases, which was significantly longer than required. Customers of notebooksbilliger.de were also affected by the unlawful video surveillance, as some cameras were pointed at seating areas in the sales area. So far, the fine against notebooksbilliger.de is the highest fine that the LfD Niedersachsen has issued under the GDPR.
DATATILSYNET
Norwegian Supervisory Authority
Finance, Insurance and Consulting
Gveik AS
2021-01-07
€7,250.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) fined Gveik AS EUR 7,250. The controller had carried out a credit check on an individual, although there was no legal basis for doing so.
DATATILSYNET
Norwegian Supervisory Authority
Finance, Insurance and Consulting
Lindstrand Trading AS
2021-01-06
€9,700.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) has fined Lindstrand Trading AS EUR 9,700. The controller had carried out four credit checks on individuals and individual companies, although there was no legal basis for doing so.
CNIL
French Data Protection Authority
Industry and Commerce
Nestor SAS
2021-01-05
€20,000.00
Insufficient fulfilment of information obligations
Art. 12 GDPR
Art. 13 GDPR
The French DPA (CNIL) fined the company Nestor EUR 20,000.
The CNIL notes that the privacy policy provided during the registration process on the company's website did not contain the necessary information required by the GDPR. In addition, the controller provided insufficient information on data processing during app registration.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Śląski Uniwersytet Medyczny (Medical University of Silesia)
2021-01-05
€5,500.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Polish DPA (UODO) imposed a fine of PLN 25,000 (EUR 5,500) on the Medical University of Silesia. In the course of exams held in the form of videoconferences at the end of May 2020, identification of students took place. Once the exam was completed, the recordings of the exams were available not only to the examinees, but also to other people with access to the system. In addition, any outsider could access the records of the examinations and the data of the examined students presented during identification via a direct link. The University failed to report the data breach to the DPA and notify the data subjects.
UODO
Polish National Personal Data Protection Office
Health Care
Unknown
2021-01-05
€19,000.00
Insufficient fulfilment of data breach notification obligations
Art. 34 (1), (2) GDPR
Art. 58 (2) e) GDPR
The Polish DPA (UODO) imposed a fine of EUR 19,000 on a hospital operator. A former employee had unlawfully copied the personal data of 100 patients from the hospital's computer network. The leaked data included the social security number, name, date of birth, address and telephone number of the data subjects. Although the controller considered the potential risk to the data subjects to be high, the controller had not informed the data subjects about the incident. The DPA then requested the controller to immediately inform the data subjects about the incident and provide them with advice on how to minimize the potential negative impact of the breach. However, the controller did not comply with this request.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-01-04
€54,000.00
Non-compliance with general data processing principles
Art. 5 (1) d), f) GDPR
The data subject had concluded a contract with the controller (Vodafone España, S.A.U.). However, the products provided under this contract were not delivered in the name of the data subject, but in the name of a third party. Subsequently, the data subject contacted the company's data protection officer by e-mail in order to restore the accuracy of his/her data stored at Vodafone. However, no response was received to this request. When the data subject finally contacted the telecommunications company by telephone, he/she was addressed by the name of the third party. His/her inquiry was answered with a response that did not refer to his/her inquiry, but to the inquiry of the third party. According to the telecommunications company, the incident was caused by a defect in their system due to a system migration. The Spanish DPA (AEPD) initially fined Vodafone España, S.A.U. EUR 90,000, but the original fine was reduced to EUR 54,000 due to the timely payment and admission of guilt.
DATATILSYNET
Norwegian Supervisory Authority
Finance, Insurance and Consulting
Innovasjon Norge
2021-01-04
€95,500.00
Insufficient legal basis for data processing
Art. 5 (1) GDPR
Art. 6 (1) GDPR
The Norwegian DPA (Datatilsynet) fined the national development bank Innovasjon Norge NOK 1,000,000 (EUR 95,500). The controller had carried out four credit checks on the data subject without any contractual basis for doing so. For this purpose, the bank had analyzed numerous financial data of the data subject over a period of three months without the data subject's consent.