GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority | Name | Fined Company | Fine | Violation | Description | Link
UOOU
Czech Data Protection Authority
Industry and Commerce
Unknown
2021-01-04
€118,500.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 14 GDPR
The Czech DPA (UOOU) fined 11 companies a total of EUR 118,500 for sending unsolicited postal advertising messages to the mailboxes of various citizens. Based on a decision by the government of the Czech Republic at the end of October, it became possible to send postal data messages free of charge until the end of the Covid-19 pandemic. The fined companies misused this possibility. The DPA found that the companies had no legal ground for sending offers for goods and services, constituting a breach of Art. 6 (1) GDPR. The DPA furthermore found that a violation of Art. 14 GDPR had also occurred, as the companies did not provide the data subjects with information about the commercial use of their data when they first contacted them.
DSB
Austrian Data Protection Authority
Finance, Insurance and Consulting
Bank
2021
€4,000,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Austrian DPA has imposed a fine of EUR 4,000,000 on a credit institution. The controller had stored an Excel file containing personal data, such as customers' account information, on an internal drive for the purpose of internal administration of bank customers. The file could be accessed and viewed by all branch employees as needed. The Excel file was neither encrypted nor protected by other adequate measures against unauthorized access or unintentional disclosure to third parties. An employee inadvertently sent the Excel list to 234 customers, disclosing the personal data of approximately 5,971 customers. The DPA therefore found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
DSB
Austrian Data Protection Authority
Industry and Commerce
Customer loyalty program
2021
€1,200,000.00
Unknown
Unknown
According to the newspaper 'Der Standard', the Austrian DPA has imposed a fine of EUR 1.2 million on a customer loyalty program in 2021. Further information has not yet been disclosed.
Data Protection Authority of Hessen
Individuals and Private Associations
Police officer
2021
€1,800.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer repeatedly had accessed data in a police database for private research purposes.
Data Protection Authority of Hessen
Individuals and Private Associations
Police officer
2021
€500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer had accessed data in police databases for private research purposes in order to obtain information about a colleague.
Data Protection Authority of Hessen
Individuals and Private Associations
Police officer
2021
€600.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer had accessed data in police databases for private research purposes in order to obtain information about his ex-wife's new address. He discovered where his ex-wife had moved to in the meantime. The officer then actually went to his ex-girlfriend's new apartment and met her in front of the entrance to the new house. This frightened his ex-wife so much that she reported the incident to the police.
Data Protection Authority of Hessen
Individuals and Private Associations
Police officer
2021
€400.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer had accessed data in police databases for private research purposes. The officer had purchased a notebook for private use on an Internet platform. Since the seller did not agree to negotiations about the method of payment, the officer used a police information system to obtain information about the seller. The police officer then sent several messages to the seller in which he quoted certain personal data that he had obtained through his research in the police database. The goal was to reinforce his demand for an alternative payment method by mentioning the information obtained.
Data Protection Authority of Hessen
Accommodation and Hospitality
Restaurant
2021
€170.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
In order to identify a guest who had not paid, several visitors were contacted by employees of a restaurant. For this purpose, the telephone numbers provided by the guests as part of Covid contact tracing were used. Since the guests had provided their data solely for infection control purposes, the DPA considered contacting them for the purpose of identifying the guest to be a violation of the principle of purpose limitation (Art. 5 (1) b) GDPR).
Data Protection Authority of Berlin
Accommodation and Hospitality
Unknown
2021
Unknown
Unknown
Unknown
In order to combat the Covid 19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. A restaurant employee obtained first names, last names, and phone numbers of women from the contact lists in order to contact the women privately and ask them about their relationship status, among other things. The DPA determined that the use of personal data from contact lists for infection control documentation outside of contact tracing was unlawful and therefore imposed a fine.
Data Protection Authority of Berlin
Public Sector and Education
Unknown
2021
Unknown
Unknown
Unknown
In order to combat the Covid 19 pandemic, a cemetery had put out an open list in which visitors had to enter their contact data. A cemetery employee obtained first names, last names, and phone numbers of women from the contact lists in order to contact the women privately and ask them about their relationship status, among other things. The DPA determined that the use of personal data from contact lists for infection control documentation outside of contact tracing was unlawful and therefore imposed a fine.
Data Protection Authority of Berlin
Individuals and Private Associations
Police officer
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer repeatedly had accessed data in a police database for private research purposes.
Data Protection Authority of Berlin
Individuals and Private Associations
Police officer
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer used a witness's personal data to contact her personally.
Data Protection Authority of Berlin
Individuals and Private Associations
Police officer
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer had accessed data in a police database for private research purposes. The police officer queried his stepson's investigative process in order to prepare him for his testimony and to convince the officer in charge of the case of a different crime sequence.
Data Protection Authority of Berlin
Individuals and Private Associations
Police officer
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer had accessed data in a police database for private research purposes. The police officer had queried the new partner of a friend's ex-wife because he feared that the well-being of their shared child might be endangered by the new partner.
Data Protection Authority of Berlin
Individuals and Private Associations
Police officer
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer had accessed data in a police database for private research purposes. The police officer, who was himself accused in a criminal case, intended to use the information from the police database to prepare for his testimony in court.
Data Protection Authority of Berlin
Individuals and Private Associations
Job center employee
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A job center employee had accessed data in social database systems and in the civil register for private research purposes. The employee wanted to prove that two of her colleagues had a relationship with each other and checked the registration addresses of both of them.
Data Protection Authority of Berlin
Individuals and Private Associations
Job center employee
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A job center employee had accessed data in social database systems and in the civil register for private research purposes.
Data Protection Authority of Berlin
Health Care
Medical clinic
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The DPA from Berlin has imposed a fine on a medical clinic. The clinic had installed 21 cameras in its premises for the purpose of protection against crime and property damage. This made it possible to monitor employees and patients around the clock. The clinic relied on consent given by employees and information signs as the legal basis for the video surveillance. However, the DPA concluded that the clinic could not base the video surveillance on consent, as voluntary consent in the employee-employer relationship is questionable. Also, clearly visible notices of the video surveillance do not allow the conclusion that the patients, by entering the monitored premises, legally express their consent to the observation. The DPA could not find any other evidence that would justify such extensive video surveillance of the clinic.
Data Protection Authority of Berlin
Industry and Commerce
Beverage retailer
2021
Unknown
Unknown
Unknown
The DPA from Berlin imposed a fine against a beverage retailer. The retailer operated a video surveillance system in which the observation angle of the cameras extended into the public space.
Data Protection Authority of Berlin
Finance, Insurance and Consulting
Attorney
2021
Unknown
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The DPA from Berlin has imposed a fine on an attorney. The attorney had been in dispute with a client for several years over a monetary claim. For two years, he published the first and last names and residential addresses of the client and his family members, as well as various unredacted parts of files, on his blog, invoking the press privilege. However, this was not an exclusively journalistic publication. Rather, the attorney was concerned with accelerating the payment of the monetary amount to which he believed he was entitled. Since the attorney could therefore not rely on the press privilege as the legal basis for the data processing, the DPA found that he had unlawfully processed the data of the data subjects.
Data Protection Authority of Berlin
Health Care
Clinic
2021
Unknown
Insufficient involvement of data protection officer
Unknown
The DPA from Berlin has imposed a fine on a clinic. The clinic had appointed the clinic manager, who was also a shareholder of the clinic, as the data protection officer. A data protection officer may perform other tasks and duties, but the company must ensure that those other tasks and duties do not lead to a conflict of interest. In the present case, however, there was such a conflict of interest. On the one hand, the clinic manager had to make economic decisions in his executive position, and on the other hand, he had to monitor the clinic's compliance with data protection law. The DPA also noted that such a dual role carries the risk that patients and employees would be hesitant to approach the data protection officer, who was also the hospital director, with critical questions about the processing of personal data.
Data Protection Authority of Brandenburg
Health Care
Physician
2021
Unknown
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 9 GDPR
The DPA of Brandenburg imposed a fine on a physician. The father of a minor patient had filed a complaint with the DPA because the physician had transmitted numerous data on his child to a central billing office. The data included information on the child's name, address, date of birth, health insurance number, medical services provided and diagnoses made. The physician had passed on the data without the parents' consent and thus without a valid legal basis.
Data Protection Authority of Brandenburg
Industry and Commerce
Company
2021
Unknown
Unknown
Unknown
The DPA of Brandenburg has imposed a fine on a company. An individual had filed a complaint with the DPA because the company had produced a video recording in which the complainant could be seen. The complainant had contacted the company and asked it to delete the video and to refrain from publishing it on the Internet. Nevertheless, the company published the video on its website as well as on several social networks. Moreover, even when the DPA asked the company to delete the video, the company only deleted the video from its website, but not from the social networks. Only after the DPA demanded a second time that the company delete the video did the company actually comply and delete the video from the social networks as well.
Data Protection Authority of Brandenburg
Real Estate
Real estate agent
2021
Unknown
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 12 GDPR
The DPA of Brandenburg has imposed a fine on a real estate agent. The real estate agent had contacted an individual and offered to sell a property he owned. Since the individual himself had not passed on his data to the real estate agent, he asked for information on the origin of the data and for the data to be deleted. The real estate agent informed the data subject that she had deleted the data. However, she did not comply with the data subject's right of access to the data. Half a year later, the data subject again received a message from the real estate agent, despite the confirmed deletion of his data. For this reason, the DPA determined that the real estate agent had processed the data of the data subject without a valid legal basis and thus unlawfully.
Data Protection Authority of Brandenburg
Individuals and Private Associations
Private individual
2021
Unknown
Insufficient legal basis for data processing
Art. 6 GDPR
The DPA from Brandenburg imposed a three-digit fine on a company employee. The individual had sent an Excel spreadsheet with employee data of 56 employees to her private e-mail address from her official computer, although this was not necessary for her official activities. For this reason, the DPA determined that the employee had unlawfully transferred the other employees' data. The spreadsheet included, in addition to the full names of the employees, an overview of vacation days already taken and remaining, sick days accrued, wage data, overtime worked and social security contributions.
Data Protection Authority of Brandenburg
Individuals and Private Associations
Private individual
2021
Unknown
Insufficient legal basis for data processing
Art. 6 GDPR
The DPA of Brandenburg has imposed a three-digit fine on a company employee. The employee had forwarded application documents received by his employer from his work e-mail address to his private e-mail address without authorization in order to get suggestions for the design of his own applications. He had not previously anonymized the resumes, so they continued to include all of the applicants' personal and professional data. Since sending the application documents to his private e-mail address was not part of his work duties, the DPA determined that the forwarding was unlawful.
Data Protection Authority of Brandenburg
Health Care
Physician
2021
Unknown
Insufficient legal basis for data processing
Art. 6 GDPR
The DPA of Brandenburg has imposed a four-digit fine on a doctor of child and adolescent psychotherapy. The doctor had set up a WhatsApp group with 230 participants to communicate their new office address. The mother of a former minor patient had filed a complaint with the DPA over this, because the doctor had not obtained consent for the group. The phone numbers of all group members were disclosed to the other members. In some cases, group members were able to conclude that children from families known to them were or had been in treatment with the physician. For this reason, the DPA determined that the doctor had unlawfully processed the data of the WhatsApp group members due to a failure to obtain consent.
Data Protection Authority of Brandenburg
Public Sector and Education
Police department
2021
Unknown
Insufficient legal basis for data processing
§ 32 (1) BbgDSG
A police officer had accessed data in a police database for private research purposes. The police officer queried the investigation process of a friend against the background of a judicial hearing. Via WhatsApp, he shared what information he had become aware of through his unauthorized retrievals. For this reason, the DPA of Brandenburg imposed a fine for a violation of § 32 (1) BbgDSG. The Brandenburg Data Protection Act (BbgDSG) sets out the supplementary regulations necessary to adapt the GDPR.
Data Protection Authority of Brandenburg
Public Sector and Education
Police department
2021
Unknown
Insufficient legal basis for data processing
§ 32 (1) BbgDSG
A police officer had unlawfully disclosed personal data of a drunk driving incident to the offender's mother during a chance encounter. He thought that the mother, as his employer, could prevent a repeat offense by withdrawing the offender's car. However, the mother constitutes an unauthorized third party, meaning that the police officer was not allowed to disclose the information. For this reason, the DPA of Brandenburg imposed a fine for a violation of § 32 (1) BbgDSG. The Brandenburg Data Protection Act (BbgDSG) sets out the supplementary regulations necessary to adapt the GDPR.
Data Protection Authority of Brandenburg
Public Sector and Education
Police department
2021
Unknown
Insufficient legal basis for data processing
§ 32 (1) BbgDSG
A police officer had unlawfully accessed data in a police database. For this reason, the DPA of Brandenburg imposed a fine for a violation of § 32 (1) BbgDSG. The Brandenburg Data Protection Act (BbgDSG) sets out the supplementary regulations necessary to adapt the GDPR.
Data Protection Authority of Hamburg
Health Care
Company
2021
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The DPA of Hamburg has imposed a fine in the six-digit range on a Hamburg-based company operating in the healthcare sector. The company had failed to take appropriate technical and organizational measures to ensure a level of data security appropriate to the risk when sending doctors' letters. As a result, doctors' letters were sent to a person who, although practicing a medical profession, was not the doctor providing further treatment for the affected patients. Instead, the letters were intended for a general practitioner with the same name as the recipient. The company had been informed of the incorrect mailing several times in the past by the unauthorized recipient. Nevertheless, it had failed to take organizational and technical measures to ensure that these incidents would not recur. In assessing the fine, the DPA took into account as an aggravating factor that the data processed involved health data and that such data is particularly sensitive.
Data Protection Authority of Hamburg
Individuals and Private Associations
Private individual
2021
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
The DPA of Hamburg imposed a fine of EUR 5,000 on a private individual. The individual had filmed numerous young women in public. Some of the recorded female persons were apparently younger than 14 years. In several cases, the individual approached the filmed persons to within a few centimeters and followed them with the camera for up to 38 minutes. During a search of his backpack, police officers found a digital camera and eight memory cards. The seized memory cards contained a total of 156 video files. In the course of its investigation, the DPA found that the individual had processed the personal data of the young women he had filmed, although no effective consent had been given.
Data Protection Authority of Hamburg
Transportation and Energy
Energy supplier
2021
€12,500.00
Unknown
Unknown
The DPA of Hamburg has imposed a fine of EUR 12,500 on an energy supplier. The company had outsourced and sold its heating energy division. Customers affected by the transfer were informed about the transfer of their electricity supply contracts and given the right to object. In the event of a declared objection, no personal data of the customers was to be transferred to the new company. However, despite customers having duly declared their objection, their data was transferred to the new company.
Data Protection Authority of Hamburg
Industry and Commerce
Car trading group
2021
€10,100.00
Insufficient legal basis for data processing
Unknown
The DPA of Hamburg has imposed a fine of EUR 10,110 on a car trading group. The company had informed its customer base that the reason for its restructuring was the absence of an employee due to illness. The company informed approximately 3,000 customers, among other things, of the exact date on which the employee's inability to work began and that the situation would continue for an indefinite period of time. The DPA found that the company did not present a valid legal basis for such a transfer of personal health data, and had therefore transferred the data unlawfully.
Data Protection Authority of Niedersachsen
Industry and Commerce
Electronics store
2021
€16,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 17 GDPR
Art. 35 (3) GDPR
The DPA from Lower Saxony has imposed a fine of EUR 16,000 on an electronics store. The company had installed a video surveillance system which permanently recorded employees, customers as well as the company's premises and technical equipment. The CCTV was installed for the purpose of protecting customers, employees, safeguarding the company's property rights and prosecuting criminal acts and vandalism. The DPA stated that the recording of employees was not necessary to ensure the purposes associated with the CCTV and was therefore disproportionate. The DPA therefore found that the controller violated the principle of data minimization under Art. 5 (1) c) GDPR. The DPA also found that the company stored the recordings excessively long and, in addition, had not conducted a data protection impact assessment.
Data Protection Authority of Niedersachsen
Not assigned
Company
2021
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 25 GDPR
Art. 32 GDPR
A company had stored telecommunications hardware, a server and backup technology in a guest bathroom. The server cabinet, which did not have an intact lock, also served as a changing table.
Data Protection Authority of Niedersachsen
Not assigned
Unknown
2021
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Live video surveillance which was accessible via the Internet and, due to a lack of sufficient pixelation or redaction, allowed persons to be recognized.
Data Protection Authority of Niedersachsen
Not assigned
Unknown
2021
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The camera images of a store were distributed without the knowledge and intention of the controller due to a faulty configuration. The distribution involved recordings of employees as well as customers.
Data Protection Authority of Saxony
Individuals and Private Associations
Private individual
2021
Unknown
Insufficient legal basis for data processing
Art. 6 GDPR
Nineteen fines between EUR 100 and EUR 1,000 for unlawful use of a dashcam.
Data Protection Authority of Saxony
Individuals and Private Associations
Private individual
2021
Unknown
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
A private individual had installed video surveillance cameras which, among other things, also covered the public space.
Data Protection Authority of Saxony
Individuals and Private Associations
Private individual
2021
Unknown
Unknown
Unknown
A resident of a residential building had unlawfully made video recordings which, among other things, covered parts of the jointly used inner courtyard.
Data Protection Authority of Saxony
Individuals and Private Associations
Private individual
2021
Unknown
Unknown
Unknown
A private individual had taken secret video recordings during a court hearing with their mobile phone.
Data Protection Authority of Saxony
Employment
Gym owner
2021
Unknown
Unknown
Unknown
The owner of a gym had apologized for the late opening of the gym, but at the same time shifted the responsibility to an employee who was named. As a result, their personal data were unlawfully disclosed.
Data Protection Authority of Schleswig-Holstein
Health Care
Physician
2021
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
A physician's office had disposed of patient records in a waste paper container used by several offices.
Data Protection Authority of Schleswig-Holstein
Health Care
Physician
2021
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
A physician had stored patient records in an open carport and not in a locked room.
Data Protection Authority of Schleswig-Holstein
Health Care
Unknown
2021
Unknown
Unknown
Unknown
An employee at a Covid testing center had used a test subject's phone number to contact them privately.
Data Protection Authority of Schleswig-Holstein
Finance, Insurance and Consulting
Bank employee
2021
Unknown
Insufficient legal basis for data processing
Unknown
An employee of a bank had regularly accessed the bank account data of a bank customer for private purposes over a period of about a year.
Data Protection Authority of Saarland
Accommodation and Hospitality
Restaurant
2021
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 24 GDPR
Art. 32 GDPR
A restaurant had disposed of 120 completed guest registration forms, collected for contact tracing purposes during the Covid-19 pandemic, in a publicly accessible dumpster. During its investigation, the DPA also found that, already during the restaurant's operation, the restaurant had not implemented adequate safeguards to protect the data processed during the guest registration process. For example, the completed guest registration forms were kept in an adjoining room accessible to all employees without special security measures, such as a locked cabinet.
Data Protection Authority of Saarland
Individuals and Private Associations
Political organization
2021
Unknown
Unknown
Unknown
An employee of a political organization had sent an e-mail to 400 people in an open distribution list. This not only made the e-mail addresses of all recipients visible to the other recipients but also revealed the political orientation of the recipients.