
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority | Name | Fined Company | Fine | Violation | Description | Link
Slovak Data Protection Office
Not assigned
Unknown
2021
€500.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The Slovak DPA has imposed a fine of EUR 500 on a controller for failing to cooperate with the DPA.
Slovak Data Protection Office
Not assigned
Unknown
2021
€100.00
Unknown
Unknown
Unlawful video surveillance in a garden community.
Slovak Data Protection Office
Not assigned
Unknown
2021
€40,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 28 GDPR
The Slovak DPA has imposed a fine of EUR 40,000 on a controller. The controller had violated the principle of accountability (lack of proof that a data protection impact assessment had been carried out) and the principle of fairness and transparency. In addition, the controller had not concluded a contract with the processor.
DSB
Austrian Data Protection Authority
Individuals and Private Associations
Private individual
2021
Unknown
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
The Austrian DPA has fined a private individual. The individual had installed a video surveillance system which, among other things, also recorded the public space and stored the images excessively long.
DSB
Austrian Data Protection Authority
Individuals and Private Associations
Private individual
2021
€600.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 9 (1), (2) GDPR
The Austrian DPA imposed a fine of EUR 600 on a private individual. The individual had contacted a public institution to draw their attention to the fact that the statement of a kindergarten teacher that she was 50% disabled did not correspond to reality. For this purpose, the person submitted a court report that contained health-related data of the data subject. In the course of its investigation, the DPA found that the transmission of the court report constituted an unlawful processing of the kindergarten teacher's personal data.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
ING Bank N.V. Amsterdam - Bucharest office
2020-12-30
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) - d) GDPR
Art. 6 (1) GDPR
The Romanian DPA (ANSPDCP) fined ING Bank N.V. Amsterdam - Bucharest office in the amount of EUR 3,000. The bank had contacted the data subject by e-mail for the purpose of updating his data. At that time, however, the data subject had already terminated his account with the bank, so that the contractual relationship had ended. As a result, the data controller had unlawfully processed personal data of the former customer, such as his e-mail address and name, without his consent.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Qualitance QBS SA
2020-12-29
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Romanian DPA (ANSPDCP) fined Qualitance QBS SA EUR 1,000 for a violation of Art. 32 GDPR. The company had sent information by email to 295 individuals, disclosing the email addresses of the other recipients. The ANSPDCP noted that the company had not taken sufficient security measures to ensure the confidentiality of the personal data of the data subjects.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A.
2020-12-28
€18,930.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Polish DPA (UODO) fined Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. EUR 18,930 for a breach of Art. 33 (1) GDPR and Art. 34 (1) GDPR. In May 2020, the DPA received a notification from a third party about a personal data breach involving an insurance agent acting as a processing agent for Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. who sent an insurance policy to an unauthorized addressee by email. The document contained personal data concerning, among others, surnames, first names, residential addresses and information on the subject of the insurance policy. As a result, the supervisory authority asked the controller to clarify whether, regarding the sending of the electronic correspondence to an unauthorized addressee, a risk analysis on the data security of natural persons had been carried out, which is necessary to evaluate whether a data breach had occurred. Such a breach requires notification to the DPA and the individuals affected by the breach. In the letter, the supervisory authority advised the controller how to notify the breach and asked for explanations. Despite the letter requesting explanations, the controller did not report the data breach nor did it inform the data subjects about the incident. The DPA therefore initiated administrative proceedings. Only as a result of the initiation of the procedure did the controller report the personal data breach and inform two individuals affected by the breach.
APD
Belgian Data Protection Authority
Industry and Commerce
Unknown
2020-12-23
€50,000.00
Insufficient fulfilment of data subjects rights
Art. 14 (1), (2) GDPR
Art. 12 (1), (2), (3) GDPR
Art. 15 (1) GDPR
Art. 5 (1) c), (2) GDPR
Art. 24 (1), (2) GDPR
The Belgian DPA (APD) imposed a fine of EUR 50,000 on a company for several violations of the GDPR. The controller is a company that carries out parking ticket controls. The controller had issued the data subject a fine for illegal parking. However, the data subject states that he or she did not receive the fine ticket. Instead, the data subject only found out about it when he or she received an official reminder letter from a law firm commissioned with debt collection, which then demanded payment of the reminder fee in addition to the original fine. The data subject then contacted the company and demanded, among other things, information about which of his/her personal data had been processed. After this request was not properly fulfilled in a timely manner, the data subject filed a complaint against the controller. During its investigations the DPA discovered that the controller had violated several GDPR provisions. Firstly, the DPA found that the controller failed to provide a proper privacy policy. The privacy policy on the controller's website did not contain any information regarding the processing of personal data nor any contact information of the company. Secondly, the controller violated the data subject's right to information by failing to comply with the data subject's request for information on data processing. Lastly, the controller infringed the principle of data minimisation by processing the data subject's data for the purpose of sending a payment reminder only one day after the ticket had been issued, even though the data subject had the opportunity to pay the fine without such a reminder at that time.
APD
Belgian Data Protection Authority
Industry and Commerce
Unknown
2020-12-23
€15,000.00
Insufficient fulfilment of data subjects rights
Art. 14 (1), (2) GDPR
Art. 12 (3) GDPR
Art. 6 GDPR
Art. 5 (1) c), (2) GDPR
Art. 24 (1), (2) GDPR
The Belgian DPA (APD) imposed a fine of EUR 15,000 on a company due to insufficient fulfilment of data subject rights. The controller is a debt collection agency which was commissioned by another company to collect debts owed to it. The data subject was issued a fine for illegal parking by the last-mentioned company. However, the data subject states that he/she did not receive the fine notice. Instead, the data subject only learned about it when he/she received an official reminder letter from the controller, which then demanded payment of the reminder fees in addition to the original fine. The data subject then contacted the controller and requested, among other things, information about which of his/her personal data had been processed. After this request was not fulfilled in a timely manner, the data subject filed a complaint against the controller. During its investigation, the DPA found that the controller had violated provisions of the GDPR, for example, by failing to comply with the data subject's request for information on the data processing.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Iberdrola Clientes, SAU
2020-12-22
€6,000.00
Insufficient fulfilment of data subjects rights
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 (4) LOPDGDD
The Spanish DPA (AEPD) fined Iberdrola Clientes, SAU EUR 6,000. The data subject had received promotional calls from two different telephone numbers of the controller although the data subject was registered in the Robinson list. The company attributes the incident to a human error, as the telephone numbers from which the data subject was called were not regularly used for advertising purposes.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
S.C. C&V Water Control S.A.
2020-12-22
€2,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) a), e) GDPR
Art. 58 (2) i) GDPR
The Romanian DPA (ANSPDCP) fined S.C. C&V Water Control S.A. EUR 2,000 for failure to comply with the data protection authority's request for information in the course of an investigation, thus violating Art. 58 (1) a), e) GDPR and Art. 58 (2) i) GDPR.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Banco Bilbao Vizcaya Argentaria, S.A.
2020-12-21
€36,000.00
Non-compliance with general data processing principles
Art. 5 (1) d) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 36,000 on the financial and credit institution Banco Bilbao Vizcaya Argentaria, S.A. (BBVA). BBVA asked the data subject to settle debts with BBVA, although the data subject did not have any debts with the bank. As a result, BBVA had transmitted the personal data of the data subject to the debt collection company Multigestión Iberia, S.L., which, over a period of several months, contacted the data subject by telephone and e-mail on behalf of BBVA and requested the payment. The data subject then demanded the erasure of his/her data from BBVA. However, the controller refused to do so.
AP
Dutch Supervisory Authority for Data Protection
Media, Telecoms and Broadcasting
Locatefamily.com
2020-12-20
€525,000.00
Non-compliance with general data processing principles
Art. 27 GDPR
The Dutch DPA (AP) has imposed a fine of EUR 525,000 on Locatefamily.com. Locatefamily.com is a platform where people can search for the contact information of family members they have lost contact with or other people they would like to get in touch with. The data subjects complained that their contact information (name, address, phone number) was published on the website without their knowledge. The data subjects were not able to request the deletion of their data published on the site easily, because Locatefamily.com did not have any representation in the European Union. Organizations offering goods or services in the EU must have a representative to whom EU citizens can turn to obtain information or exercise their data protection rights. Accordingly, the Dutch data protection authority found a breach of Art. 27 GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Banca Transilvania SA
2020-12-17
€100,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1), (2) GDPR
The Romanian DPA (ANSPDCP) fined Banca Transilvania SA EUR 100,000 for violations of Art. 5 (1) f) GDPR, Art. 32 (1) GDPR and Art. 32 (2) GDPR. It was found that the bank requested a declaration from a customer about the intended use of a certain amount of money the customer wished to withdraw from its account. This statement was submitted to the bank online and forwarded to several employees of the bank. One employee photographed the declaration with his cell phone and spread it via WhatsApp. Subsequently, the document was posted on the social network Facebook and on a website. This situation led to the disclosure of, and unauthorized access to, certain personal data concerning four data subjects, despite the bank's commitment to respect the principle of integrity and confidentiality of personal data as required by Art. 5 (1) f) GDPR. The DPA notes that the disclosure also proves the ineffectiveness of the internal training of the bank's employees regarding compliance with data protection standards. Such training is, however, an integral part of the technical and organizational measures that the bank was obliged to implement under Art. 32 GDPR.
CNIL
French Data Protection Authority
Health Care
Doctor
2020-12-17
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Art. 33 GDPR
The French DPA (CNIL) fined a doctor EUR 3,000 for violations of Art. 32 GDPR and Art. 33 GDPR. The controller had stored medical image data such as MRI and X-ray images, as well as personal data such as the names, dates of birth and treatment data of his patients, on his computer. The controller had not taken appropriate technical measures to ensure the security of the data, and as a consequence, access to his patients' data was possible for anyone without access protection. The data protection authority notes that the data had been exposed for about four months.
CNIL
French Data Protection Authority
Health Care
Doctor
2020-12-17
€6,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Art. 33 GDPR
The French DPA (CNIL) fined a doctor EUR 6,000 for violations of Art. 32 GDPR and Art. 33 GDPR. The controller had stored medical image data such as MRI and X-ray images as well as personal data such as names, dates of birth and treatment data of his patients on a server in order to be able to access them from his home computer. A review of the controller's systems had revealed that access to the server was not properly secured. This would have allowed anyone to access his patients' data. Furthermore, the data leak had existed for about five years. The data protection authority therefore found that the doctor had failed to take adequate technical and organisational measures to ensure data security.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
ID Finance Poland Sp. z o.o.
2020-12-17
€235,300.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 25 (1) GDPR
Art. 32 (1) b), d), (2) GDPR
The Polish DPA (UODO) imposed a fine of EUR 235,300 on ID Finance Poland Sp. z o.o. Due to an error while restarting a server, the settings of the software responsible for the server's security were reset, making the personal data of 140 699 customers publicly available. These data contained, for example, information about the first and last name, address, nationality or even marital status of the data subjects. The database located on this server was downloaded and deleted by an unspecified third party, who demanded a fee from the company for the return of the database. The DPA noted that the controller had taken insufficient technical and organizational measures to ensure the protection of the processing, even though there was a high risk for the data subjects due to the nature of the data processed.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Roma Capitale (Rome Municipality)
2020-12-17
€500,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 28 (2), (3) GDPR
Art. 32 GDPR
The Italian DPA (Garante) fined the municipality of Rome EUR 500,000 for the unlawful processing of users' and employees' personal data. The municipality of Rome had been using the 'TuPassi' booking system to manage appointments and other services since 2015. In the course of a detailed investigation, the Italian DPA found that the controller had violated several data protection regulations with regard to the processing of personal data of customers and employees with whom they had made appointments. For example, the municipality had not properly informed the data subjects prior to processing their data, nor had it taken appropriate technical and organizational measures to protect the processing.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Miropass S.r.l.
2020-12-17
€40,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), e) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 28 GDPR
The Italian DPA (Garante) fined Miropass S.r.l. EUR 40,000. Miropass is the provider of the TuPassi booking system, which, among others, has been used by the Municipality of Rome since 2015. The booking system enables the booking of appointments both on the website of the controller (www.tupassi.it) and via the corresponding app. For this purpose, the company collects and processes the personal data of the users. In the course of its investigation, the Italian DPA found that Miropass, particularly in the context of health data resulting from appointment bookings at health care facilities, had no legal basis for the processing and violated the principle of storage limitation.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Unità Sanitaria Locale Toscana Sud Est
2020-12-17
€100,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 28 GDPR
Art. 30 GDPR
Art. 32 GDPR
Art. 35 GDPR
The Italian DPA (Garante) imposed a fine of EUR 100,000 on Azienda USL Toscana Sud Est. The controller is a company in the healthcare sector that, among other things, launched the so-called 'Sanità di iniziativa' (Health Initiative) program. Within the framework of this program, participating healthcare companies transmit data on chronically ill patients to the controller. On the basis of this data, the controller then develops health plans for the patients. The Italian DPA notes several violations of data protection provisions related to this program. For example, when giving consent to the processing of their data, the data subjects were not adequately informed about how long their data would be stored, what rights they had (in particular their rights of complaint and access), and how exactly their data would be processed and for what purpose. In addition, the controller had not kept a register of processing activities. Finally, the controller had neither implemented adequate technical and organizational measures to protect the processing nor conducted a data protection impact assessment, although this would have been necessary due to the nature of the data processed (health data).
Data Protection Authority of Ireland
Public Sector and Education
University College Dublin
2020-12-17
€70,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) e), f) GDPR
Art. 32 (1) GDPR
Art. 33 (1) GDPR
The Irish DPA (DPC) fined University College Dublin (UCD) EUR 70,000 due to seven personal data breaches. Unauthorized third parties were able to access UCD e-mail accounts, and login credentials for UCD e-mail accounts were posted online. It was found that the controller did not take appropriate technical and organisational measures to protect data security when processing personal data in its email service. In addition, the controller stored certain personal data in an email account in a form that allowed identification of the data subjects for longer than necessary for the purpose for which the personal data were processed. Also, the controller did not notify the DPC of a personal data breach in a timely manner.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Santo Stefano Belbo
2020-12-17
€4,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
The Italian DPA (Garante) imposed a fine of EUR 4,000 on the municipality of Santo Stefano Belbo. The reason for this was that the controller had published two documents on a legal settlement of the data subject on its website. The documents were not only freely accessible, but could also be downloaded. The documents contained personal data and information about the data subject, including, in addition to his first and last name, a confirmation of the payment of legal costs, the IBAN code of his checking account, information about the lawsuit and the amounts paid in favor of the data subject.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Luino
2020-12-17
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 6 (1) c), e) GDPR
Art. 6 (2) GDPR
Art. 6 (3) b) GDPR
Art. 37 (1) a) GDPR
Art. 37 (7) GDPR
The Italian DPA (Garante) imposed a fine of EUR 10,000 on the municipality of Luino. The controller had published a document containing personal data of a local council member. In addition to personal data, the document also contained information about a complaint procedure filed against him by the mayor. The freely accessible document could be downloaded without further authentication. Furthermore, the municipality had failed to name a data protection officer and to provide the DPA with his/her contact details.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Ordine degli Assistenti Sociali della Regione Lazio
2020-12-17
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3), (4) GDPR
The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Ordine degli Assistenti Sociali della Regione Lazio. On November 27, 2019, a data subject had sent an email to the controller requesting what data was being processed regarding him and his daughters. After initially receiving no response to his request for information, on January 10, 2020, the data subject filed a complaint against the controller with the Italian DPA. His request for information was subsequently complied with on June 17, 2020, but without explaining the delay and, in particular, the initial non-response to the request.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Employment
Unknown
2020-12-16
€1,940.00
Insufficient fulfilment of information obligations
Art. 5 (1) b), c) GDPR
Art. 13 (1) GDPR
The Hungarian DPA (NAIH) imposed a fine of HUF 700,000 (EUR 1,940) against a construction company. The controller had installed a video surveillance system at a construction site to protect its property and the physical integrity of the employees. The cameras were aligned in a way that they were able to record a part of the recreation room and thus also the activities of its employees beyond the required extent. The data subjects were not sufficiently informed about this at the time their contract was concluded.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Robinson Tours Ltd. (Robinson Tours Idegenforgalmi és Szolgáltató Kft.)
2020-12-16
€55,400.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1), (2) GDPR
Art. 32 (1) b) GDPR
Art. 34 (1) GDPR
The Hungarian DPA (NAIH) imposed a fine of HUF 20,500,000 (EUR 55,400) on Robinson Tours Idegenforgalmi és Szolgáltató Kft. (Robinson Tours Ltd.). The travel agent's reservation system contained unprotected data of customers, which could be viewed by anyone and found via Google. The data contained, among others, names, contact and address data, copies of personal IDs and passport numbers. During the DPA's investigation, it turned out that the data in question was from a test database created by Next Time Media Agency Ltd, the web agency contracted to develop and operate the database, which was supplemented not only with test data but also with real data of Robinson Tours' customers. In total, the data of 781 individuals was affected, which was accessible by anyone in the period from November 13, 2019 to February 4, 2020. The NAIH also notes that Robinson Tours did not conduct regular security risk screenings. Robinson Tours also failed to notify the data subjects about the data breach.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Media, Telecoms and Broadcasting
Next Time Media Agency Ltd. (Next Time Media Ügynökség Kft.)
2020-12-16
€1,385.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Hungarian DPA (NAIH) imposed a fine of HUF 50,000 (EUR 1,385) on Next Time Media Ügynökség Kft. (Next Time Media Agency Ltd.). The web agency had been contracted by the travel agency Robinson Tours Idegenforgalmi és Szolgáltató Kft. (Robinson Tours Ltd.) to develop and operate the travel agency's online reservation system. However, the database was not only supplemented with test data, but also with real data of Robinson Tours' customers. In total, the data of 781 people was compromised. During the period from November 13, 2019, to February 4, 2020, these data were accessible to anyone and could be found via Google. The DPA found that Next Time Media Agency Ltd. did not take adequate technical and organizational measures to ensure the security of the personal data.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Unknown
2020-12-16
€97,150.00
Insufficient legal basis for data processing
Art. 5 (1) c) GDPR
Art. 6 (1) GDPR
Art. 9 (1) GDPR
Art. 12 GDPR
The Hungarian DPA (NAIH) imposed a fine of EUR 97,150 against a credit institute. Two parents contacted the Hungarian DPA regarding the processing of personal data by their credit institute related to a 'childbirth incentive loan'. The couple requested a suspension of repayment, for which they had to prove that the fetus was at least 12 weeks old. To certify this fact, the controller copied their entire pregnancy booklet. The NAIH found that the controller violated the principle of data minimization by copying the entire pregnancy booklet, which contained excessive amounts of health data, even though this was not necessary for the purpose of the processing. For this reason, the NAIH ultimately concluded that the controller had no legal basis for such extensive data processing.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
Twitter International Company
2020-12-15
€450,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1), (5) GDPR
The Irish DPA (DPC) fined Twitter International Company EUR 450,000 for violating Art. 33 (1) GDPR and Art. 33 (5) GDPR for failing to notify the DPA in a timely manner of a data breach and not adequately documenting that breach. The data breach concerned the privacy settings of user posts on the social media platform Twitter. There, users have the option to set the visibility of their posts to private or public. Private posts can only be seen by subscribers of the respective user profile, while public posts are visible to the public. A programming bug in Twitter's Android app resulted in some private posts being visible to the public. The DPA found that Twitter had not properly fulfilled its reporting and documentation obligations. Twitter's legal team became aware of the error on January 2nd, 2019, and it was not until January 8th that the company informed the DPC. Consequently, the company failed to inform the DPC within the 72-hour period required by Art. 33 (1) GDPR. Furthermore, it had failed to adequately document the incident in accordance with Art. 33 (5) GDPR.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Real Estate
Uppsalahem AB
2020-12-15
€29,500.00
Insufficient legal basis for data processing
Art. 5 GDPR, Art. 6 (1) f) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined the housing company Uppsalahem AB SEK 300,000 (EUR 29,500). The housing company had installed surveillance cameras in an apartment building to monitor one floor after disturbances and security incidents occurred. The cameras not only monitored the staircase, but also the front door of a resident. Therefore, when the door was opened, the inside of the apartment was also captured by the video surveillance. While the company may have had a legitimate interest in the video surveillance, this is outweighed by the residents' right to privacy.
DSI
Data State Inspectorate
Industry and Commerce
HH Invest SIA
2020-12-15
€15,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Latvian DPA (DSI) fined the online store HH Invest SIA EUR 15,000. The information provided on the company's website regarding the privacy policy was found not to be easily understandable. This constitutes a violation of Art. 13 GDPR.
DSI
Data State Inspectorate
Employment
Unknown
2020-12-15
€6,250.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Latvian DPA (DSI) fined an employer EUR 6,250 for sending personal data of an employee, including health data, to fellow employees by email. The DSI found that the data subject's personal data had been processed without a proper legal basis and thus this processing was unlawful.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Online Services
2020-12-15
€10,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 8 (1) GDPR
Art. 6 (1) a) GDPR
The Spanish DPA (AEPD) fined the operator of the online store banderacatalana.cat EUR 10,000 for a violation of Art. 13 GDPR. The operator stated in its website privacy notices that a minimum age of 13 or sufficient legal capacity was required to subscribe to the newsletter. It was also stated that filling out the newsletter subscription form would be considered as consent to the processing of personal data. This constitutes a violation of the GDPR, as according to Art. 8 GDPR, the processing of personal data of under-16-year-olds requires the consent of the holder of parental responsibility over the child.
UODO
Polish National Personal Data Protection Office
Media, Telecoms and Broadcasting
Virgin Mobile Polska
2020-12-14
€443,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f), (2) GDPR
Art. 25 (1) GDPR
Art. 32 (1) b), d), (2) GDPR
The Polish DPA (UODO) fined Virgin Mobile Polska EUR 443,000 due to a data leak that allowed unauthorized third parties to access personal data stored by Virgin Mobile Polska as a result of inadequate security measures. The DPA notes that the company did not conduct regular and extensive tests on the effectiveness of the measures applied to ensure data security. Indeed, activities in this regard were conducted only in the event of a suspected security leak.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Banco Bilbao Vizcaya Argentaria, S.A.
2020-12-11
€5,000,000.00
Insufficient fulfilment of information obligations
Art. 6 GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) fined Banco Bilbao Vizcaya Argentaria, S.A. EUR 5,000,000 for violating Art. 6 GDPR (EUR 3,000,000) and Art. 13 GDPR (EUR 2,000,000). The bank had not implemented a specific mechanism to obtain the consent of the customers to process their data. Furthermore, it did not use precise terminology in its privacy policy, nor did it provide adequate information about the type of personal data that might be processed. In particular, the AEPD notes that the purpose and legal basis for data processing are not sufficiently identifiable in the privacy statement.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Public Sector and Education
Umeå University
2020-12-11
€54,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined Umeå University SEK 550,000 (EUR 54,000) as a result of its failure to apply appropriate technical and organizational measures to protect data. As part of a research project on male rape, the university had stored several police reports on such incidents in the cloud of a U.S. service provider. The reports contained the names, ID numbers and contact details of the data subjects, as well as information about their health and sex lives, alongside information about the suspected crime. The DPA notes that the storage in that cloud does not adequately protect such particularly sensitive data. In addition, one of the investigation reports was sent unencrypted to the Swedish police via email. Furthermore, the controller had neither documented the incident nor reported it to the DPA.
Information Commissioner of Isle of Man
Industry and Commerce
Cosmetic Medical Limited
2020-12-11
€3,250.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The DPA of the Isle of Man has imposed a fine of EUR 3,250 on Cosmetic Medical Limited. A data subject had filed a complaint with the DPA regarding the controller's failure to comply with her request to exercise her right of access to personal data. As part of its investigation, the DPA sent the controller a request for information in order to clarify the facts of the case. However, the controller had not responded to this request in due time. The DPA concluded that as the controller did not properly cooperate with the authorities, it violated Article 31 of the GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Borjamotor, S.A.
2020-12-10
€4,000.00
Insufficient legal basis for data processing
Art. 7 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 4,000 on Borjamotor, S.A. The company kept sending commercial advertisements to the data subject via email and SMS, even though the data subject had previously revoked his/her consent to receive advertisements and submitted a request to delete his/her data. Although the company had confirmed this, the data subject continued to receive advertising.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Public Sector and Education
Budapesti Műszaki és Gazdaságtudományi Egyetem (Budapest University of Technology and Economics)
2020-12-10
€22,200.00
Insufficient legal basis for data processing
Art. 5 (1) a), b), c) GDPR
Art. 6 (1) GDPR
Art. 9 (2) GDPR
Art. 12 GDPR
Art. 13 GDPR
The Hungarian DPA (NAIH) imposed a fine of EUR 22,200 against the Budapest University of Technology and Economics. NAIH found that the controller unlawfully processed personal data in the course of audits of applications for social scholarships. Among other things, data was processed without a legal basis and in some cases particularly sensitive data was processed, although this was not necessary for the evaluation of the scholarship applications.
AP
Dutch Supervisory Authority for Data Protection
Accommodation and Hospitality
Booking.com B.V.
2020-12-10
€475,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card's security code in 97 cases. Furthermore, they tried to get other victims' credit card details by pretending to be Booking.com employees via email or phone. Booking.com was notified of the data breach on January 13, 2019, but did not report it to the DPA until February 7, 2019. The controller was thus 22 days late in reporting the data breach, as it is required to report a data breach to the DPA within 72 hours.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-12-09
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Xfera Móviles, S.A. due to insufficient legal basis for data processing. The data subject states that two telephone and internet connections were registered in his/her name with a charge account. However, the data subject had never signed contracts with the company for any of these connections. In fact, the contracts in question were concluded by fraudsters using the personal data of the data subject. Nevertheless, the personal data were entered into the company's information systems without verifying whether the contracts had been lawfully and actually concluded by the data subject, whether he/she had given his/her consent to the collection and subsequent processing of his/her personal data or whether there was any other reason justifying the processing.
AEPD
Spanish Data Protection Authority
Not assigned
Unknown
2020-12-09
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 10,000 on a company for violating Art. 5 GDPR. The company sent an e-mail to a third party with the dismissal and settlement document of the data subject, disclosing their personal data without their consent.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
TUiR Warta S.A.
2020-12-09
€18,850.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
Art. 34 (1) GDPR
An insurance agent hired by the controller had sent an email concerning insurance policies, containing the personal data of two of the company's customers, to unauthorized third parties after the customers had mistakenly provided incorrect email addresses. The leaked data included the names, email addresses and postal addresses of the data subjects. The controller had informed neither the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours. The controller believed that there was no breach requiring notification because the data subjects themselves had mistakenly provided incorrect e-mail addresses. The Polish DPA states that this circumstance does not release the controller from its obligation to report this data breach in a timely manner.
UODO
Polish National Personal Data Protection Office
Industry and Commerce
Smart Cities Sp. z o.o.
2020-12-09
€2,850.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
Fine for failure to comply with an order of the Polish DPA (UODO). The controller failed to provide personal data and other information requested by UODO for investigative purposes.
CNIL
French Data Protection Authority
Industry and Commerce
Perfomeclic
2020-12-07
€7,300.00
Insufficient legal basis for data processing
Art. 5 (1) c), e) GDPR
Art. 14 GDPR
Art. 21 GDPR
Art. 28 GDPR
The French DPA (CNIL) imposed a fine of EUR 7,300 on the company Perfomeclic. The company had sent commercial advertising emails without proof of prior consent and without sufficient information.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Aleris Sjukvård AB
2020-12-03
€1,463,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 32 (1) GDPR, Art. 32 (2) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined Aleris Sjukvård AB SEK 15,000,000 (EUR 1,463,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding access to patient data. Authorizations for users of the hospital information system TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Aleris Sjukvård AB
2020-12-03
€1,168,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 32 (1) GDPR, Art. 32 (2) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined Aleris Sjukvård AB SEK 12,000,000 (EUR 1,168,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding access to patient data. Authorizations for users of the hospital information system Nationell patientöversikt (NPÖ) were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.
AEPD
Spanish Data Protection Authority
Health Care
Dr Marín Cirugia Plástica, S.L.P.
2020-12-03
€2,400.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 4,000 on the doctor due to the lack of a privacy policy on his website, thus violating Art. 13 GDPR. The original fine of EUR 4,000 was reduced by 20% each for immediate payment and for admission of responsibility, to EUR 2,400.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Östergötland Region
2020-12-03
€243,800.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 32 (1) GDPR, Art. 32 (2) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined Östergötland Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding access to patient data. Authorizations for users of the hospital information system Cosmic were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.