
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority
Name
Fined Company
Fine
Violation
Description
Link
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Västerbotten Region
2020-12-03
€243,800.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 32 (1) GDPR, Art. 32 (2) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined Västerbotten Region SEK 2,500,000 (EUR 243,800) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the medical record system NCS Cross were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Sahlgrenska University Hospital
2020-12-03
€341,300.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 32 (1) GDPR, Art. 32 (2) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined Sahlgrenska University Hospital SEK 3,500,000 (EUR 341,300) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Melior and Nationell patientöversikt were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes. In addition, the Melior hospital information system did not keep records of when and for what purpose patient data was accessed.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Karolinska University Hospital of Solna
2020-12-03
€390,100.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 32 (1) GDPR, Art. 32 (2) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined Karolinska University Hospital of Solna SEK 4,000,000 (EUR 390,100) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information system TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Capio St. Göran AB
2020-12-03
€2,900,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR
The Swedish DPA (Integritetsskyddsmyndigheten) fined Capio St. Göran AB SEK 30,000,000 (EUR 2,900,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Cosmic, Nationell patientöversikt and TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Municipality of Indre Østfold
2020-12-03
€18,840.00
Insufficient technical and organisational measures to ensure information security
Art. 6 GDPR
Art. 32 (1) b) GDPR
The Norwegian DPA (Datatilsynet) imposed a fine in the amount of NOK 200,000 (EUR 18,840) on the municipality of Indre Østfold. Datatilsynet found that a student file containing personal data was published on the municipality's website.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Servicio de Alojamientos Responsables, S.L.
2020-12-02
€6,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine in the amount of EUR 6,000 against the controller for unauthorized conclusion of a contract in the name of the data subject without his/her consent. The data subject only learned about this when a complaint for breach of the contract was filed against him or her. The AEPD decided that by this act the controller unlawfully processed the personal data of the data subject.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Comercio Online Levante, S.L.
2020-12-02
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
A woman filed a complaint with the Spanish DPA (AEPD) against Comercio Online Levante, S.L. due to the fact that she was shown the personal data of another user when trying to access her user account of the online store perfumespremium.es operated by the controller.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Asociación de Víctimas por Arbitrariedades Judiciales, (JAVA)
2020-12-02
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on the association for publishing the personal data of the data subjects on its website. The data had been unlawfully recorded without their consent in the course of another legal proceeding and had been forwarded by the recording party to the association.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Losada Advocats S.L.
2020-12-02
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA (AEPD) imposed a fine on Losada Advocats S.L. for sending an e-mail to dozens of recipients without putting them on the Blind Carbon Copy (BCC) list, thus violating Art. 32 GDPR and Art. 5 (1) f) GDPR.
AKI
Estonian Data Protection Authority
Health Care
Apotheka e-apteek
2020-12-01
€100,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily.
AKI
Estonian Data Protection Authority
Health Care
Südameapteegi e-apteek
2020-12-01
€100,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily.
AKI
Estonian Data Protection Authority
Health Care
Azeta.ee e-apteek
2020-12-01
€100,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Individual
2020-11-27
€1,200.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
The Spanish DPA (AEPD) imposed a fine in the amount of EUR 1,200 on a private individual for impersonating a third party on the social networks Tinder and WhatsApp by using images of the third party on their profile. The pictures were used without the consent of the data subject.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Reti Televisive Italiane S.p.a.
2020-11-26
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
The television station broadcast a documentary about the link between emissions from a local ceramics plant and health problems in the population, in which the person interviewed was not made sufficiently anonymous.
GARANTE
Italian Data Protection Authority
Employment
Concentrix Cvg Italy s.r.l.
2020-11-26
€20,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) b), c) GDPR
Art. 9 (1) b) GDPR
The union UILCOM Sardegna filed a complaint with the Italian DPA (garante) against the call center operator Concentrix Cvg Italy s.r.l. regarding an internal regulation of the controller. Under the terms of a 'clean desk policy,' the company had prohibited employees from keeping certain items, such as smartphones, on their desks, which was intended to ensure confidentiality in the processing of customers' personal data. Exceptions were made for medication, which the data subjects proved they needed to take during their shift. These had to be placed visibly on the desk, making it indirectly possible for other employees to obtain information on the health status of the data subjects. The controller had indeed informed the data subjects about the rules of procedure and obtained their consents. However, this did not contain any information on the processing of their health data.
GARANTE
Italian Data Protection Authority
Accommodation and Hospitality
Charly Mike s.r.l.
2020-11-26
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA (Garante) imposed a fine of EUR 3,000 on Charly Mike s.r.l. The controller is the hotel operator of the Hotel Olimpo in Alberobello. Garante received a complaint about the video surveillance system installed in the hotel. During the course of the investigation, it was found that the hotel facility had 17 fixed cameras and one with 360° recording, placed inside and outside the facility, recording both employees and customers. The system had been operated without the required signs indicating video surveillance.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Gnosjö Municipality
2020-11-25
€19,500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 35 GDPR
Art. 36 GDPR
The Swedish DPA imposed a fine on the municipality of Gnosjö for illegal video surveillance in a care home for persons with certain functional disabilities.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Miraclia Telecomunicaciones S.L.
2020-11-25
€40,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 13 GDPR
Art. 14 GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on Miraclia Telecomunicaciones S.L. for violating Articles 6, 13 and 14 of the GDPR. Miraclia Telecomunicaciones S.L. is the operator of a phone prank app where you can select a 'prank' and enter the phone number of the recipient. The recipient is then called on a suppressed number and the prank is executed. The AEPD notes that the operator violated the obligation to provide information regarding the collection of personal data of the data subject. Furthermore, it notes that Miraclia, through this application, does not at any time inform the data subject (the person who answers the prank call and is recorded) of his or her right to consent in accordance with the provisions of the GDPR.
APD
Belgian Data Protection Authority
Individuals and Private Associations
Private Individual
2020-11-25
€1,500.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 25 GDPR
The Belgian DPA (APD) imposed a fine against private individuals. The controllers installed video cameras on their private property, two of which were positioned in a way that they could capture images of the public space and the neighbor's private property. Also the controllers forwarded the images to a third party.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Dada Creation S.R.L.
2020-11-24
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Art. 33 GDPR
Due to inadequate technical and organizational measures, the company disclosed the order, delivery and personal data of over 1000 customers via its web store. The data was displayed on a document in the web store that could be downloaded without access protection. In addition, the operator had failed to report the security leak to the data protection authority.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Public Sector and Education
City of Stockholm
2020-11-24
€394,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 32 GDPR
The Swedish DPA imposed a fine on the City of Stockholm for data breaches on a school education platform. The platform consists of different subsystems, including a system for monitoring school attendance, a student administration system, an interface for parents and an administration interface for teachers. In one of the subsystems, a lack of ability to restrict user access to the data has allowed a significant number of staff to access information about students using a protected identity. In another sub-system, parents could access information about other students, such as grades relatively easily. Via Google's search engine, it was possible to find links to enter an administrative interface where information about teachers with a protected identity was accessible.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Recambios Villalegre S.L.
2020-11-23
€12,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) fined the company for posting photos of a person on Facebook and WhatsApp and accusing the individual of theft in related posts. The photos were obtained through the company's video surveillance system. The company further encouraged other users to share both the photos and the postings. The postings resulted in hundreds of humiliating, insulting and even threatening comments. The AEPD imposed a fine of EUR 10,000 for publishing the photos and EUR 2,000 for not installing the sign required for video surveillance of the store.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Vodafone România SA
2020-11-23
€4,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
The Romanian DPA (ANSPDCP) imposed a fine in the amount of EUR 4,000 on Vodafone România SA. The fine was imposed as a result of complaints alleging that the operator failed to respond to requests for access and erasure of data. The operator could not provide any evidence for exoneration.
GARANTE
Italian Data Protection Authority
Employment
Burgo Group S.p.A
2020-11-23
€20,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 13 GDPR
The Italian DPA (Garante) imposed a fine of EUR 20,000 on the company for non-compliant practices. Thus, for example, the personnel director forwarded an e-mail conversation between the data subject and a work colleague containing personal data (information relating to physical and mental discomfort in the workplace) to four people in the company.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-11-19
€36,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Processing of personal data of a data subject without sufficient legal basis. The company had sent an invoice to a data subject without being able to prove that it had a contract with the data subject.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Anmavas 61, S.L.
2020-11-18
€2,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The Spanish DPA (AEPD) imposed a fine on Anmavas 61, S.L. for neither granting nor justifiably denying the right to erasure to the data subject, even after receiving a warning issued by the AEPD.
CNIL
French Data Protection Authority
Finance, Insurance and Consulting
Carrefour Banque
2020-11-18
€800,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
The French DPA (CNIL) imposed a fine on Carrefour Banque for violation of its obligation to process data fairly (Article 5 (1) GDPR). If a person who subscribed to the Pass card (a credit card that can be attached to a loyalty account) also wanted to participate in the loyalty program, he or she had to tick a box in which he or she agreed to Carrefour Banque sending his or her surname, first name and e-mail address to 'Carrefour fidélité'. Carrefour Banque expressly indicated that no further data would be transmitted. However, the CNIL noted that other data such as postal address, telephone number and the number of children had been transmitted, although the company undertook not to transmit any further data.
CNIL
French Data Protection Authority
Industry and Commerce
Carrefour France
2020-11-18
€2,250,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 21 GDPR
Art. 32 GDPR
Art. 33 GDPR
The French DPA (CNIL) fined Carrefour France EUR 2,250,000 for several violations of data protection regulations, including the GDPR. During its investigation, the CNIL found that the information on personal data provided to users of the carrefour.fr websites and those wishing to join the loyalty program was neither easily accessible nor easily comprehensible. The CNIL also found that the information regarding the transfer of data to countries outside the EU and regarding the duration of data storage was incomplete. The CNIL also notes that the company did not comply with the storage time limits. Furthermore, the data of more than twenty-eight million customers who were inactive for five to ten years were stored for the purposes of the loyalty program. This was also the case for 750,000 users of the carrefour.fr site, who were inactive for five to ten years. The CNIL states that the company required proof of identity for almost every user request to exercise a right. However, this automatic requirement was not justified, as in most cases there was no doubt regarding the identity of the data subjects. Furthermore, the company did not respond to several requests from individuals who wanted to access their personal data. Also, in numerous cases, the company did not carry out the erasure of data requested by individuals. Finally, the company did not respond to several requests from persons who did not agree to receive advertising by SMS or e-mail.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Unknown
2020-11-18
€28.00
Non-compliance with general data processing principles
Art. 5 (1) d) GDPR
The data subject had subscribed to a newsletter of the controller. After altering his/her e-mail address, he/she continued to receive the newsletter via the old e-mail address. The data subject then contacted the controller, whereupon the controller confirmed that the address had now been updated. Nevertheless, the data subject continued to receive the newsletter via the old e-mail address.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Provincial Health Authority of Cosenza
2020-11-17
€30,000.00
Insufficient legal basis for data processing
Art. 9 GDPR
Publication of personal data (including first and last name, address, tax ID) on the website of the authority about persons who have claims for damages against the authority, without sufficient legal basis.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Collegno
2020-11-17
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Fine for non-compliance with the right of the data subject to access to information because the municipality refused the data subjects' request for access to data from a camera surveillance system.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2020-11-16
€1,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Usage of CCTV camera systems that were also monitoring public space (breach of principle of data minimization).
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-11-16
€42,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
In 2019, after an arbitration procedure, the company agreed to the early termination of a contract with the data subject and to the deletion of the personal data concerned. Nevertheless, the data subject continued to receive e-mails from the company, which constituted processing of personal data without a sufficient legal basis.
ICO
Information Commissioner
Industry and Commerce
Ticketmaster UK Limited
2020-11-13
€1,405,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Ticketmaster UK Limited has been fined GBP 1.25 million (approximately EUR 1.405 million) for failing to protect the personal data of its customers with adequate security measures. Potentially 9.4 million European customers could have been affected by a cyber attack between February 2018 and June 23, 2018 due to the use of an insufficiently secured chat bot hosted by a third party in its online payment site which allowed an attacker to gain access to customers' financial information. According to the Data Protection Agency, personal data such as names, full payment card numbers, Ticketmaster usernames and passwords, expiration dates and Card Verification Value (CVV) numbers were affected. The DPA also found that 60,000 payment cards belonging to Barclays Bank customers were subject to fraud, and several international banks also reported fraudulent activity to Ticketmaster.
APD
Belgian Data Protection Authority
Real Estate
Unknown
2020-11-13
€1,500.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 30 GDPR
Art. 37 (5) GDPR
Art. 37 (7) GDPR
The Belgian DPA (APD/GBA) imposed a fine of EUR 1,500 on a social housing company for non-compliance with several principles of the GDPR such as data processing as well as the principles of legality and transparency (e.g. insufficient privacy policy, lack of information on camera surveillance).
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone Italia S.p.A.
2020-11-12
€12,251,601.00
Non-compliance with general data processing principles
Art. 5 (1), (2) GDPR
Art. 6 (1) GDPR
Art. 7 GDPR
Art. 15 (1) GDPR
Art. 16 GDPR
Art. 21 GDPR
Art. 24 GDPR
Art. 25 (1) GDPR
Art. 32 GDPR
Art. 33 GDPR
The company was fined EUR 12,251,601 for unlawfully processing personal data of millions of customers for telemarketing purposes. The proceedings were preceded by hundreds of complaints from data subjects about unsolicited telephone calls, which led to an investigation by the data protection authority. This investigation revealed several violations of the data protection law, including the violation of consent requirements and the violation of general data protection obligations such as accountability. One of the main criticisms made by the Data Protection Agency was the use of fake numbers to make promotional calls by the contracted call centers (i.e. phone numbers not registered with the National Consolidated Registry of Communication Operators). Furthermore, further violations could be found in the handling of contact lists purchased from external providers. Finally, security measures for the management of customer data were also considered inadequate.
BFDI
The Federal Commissioner for Data Protection and Freedom of Information
Media, Telecoms and Broadcasting
Telecoms provider (1&1 Telecom GmbH)
2020-11-11
€900,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Original Fine Summary: The controller is a company offering telecommunication services. A caller could obtain extensive information on personal customer data from the company's customer service department simply by giving a customer's name and date of birth. In this authentication procedure, the BfDI saw a violation of Article 32 GDPR, according to which a company is obliged to take appropriate technical and organisational measures to systematically protect the processing of personal data. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale. -- Update: On November 11th, 2020, after an appeal against the fine, the Bonn District Court decided that although the fine is justified in principle, it is unreasonably high. The chamber therefore reduced the fine from originally EUR 9,55 million to EUR 900,000. One of the reasons for the reduction was that the company's procedure for authenticating customers on its telephone hotline (requesting only the name and date of birth of the caller) had gone unobjected for a long time, so the company lacked a concrete awareness of the problem, and the concrete culpability in this case therefore had to be classified as rather low. Furthermore, according to the court, the violation was also rather minor, as it could not lead to a massive data leakage.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-11-11
€42,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The company ported a telephone number of the data subject without their consent (missing signature on the porting contract).
AEPD
Spanish Data Protection Authority
Industry and Commerce
Miguel Ibáñez Bezanilla, S.L.
2020-11-10
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 13 GDPR
Art. 32 GDPR
The company's website (license plate seller) requested personal information such as first and last name, copy of ID card and driver's license, and the car's VIN number, but offered neither an encrypted transport protocol ('https' instead of 'http') nor an updated data processing policy in accordance with the GDPR.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-11-06
€20,000.00
Insufficient legal basis for data processing
Art. 31 GDPR
Xfera Móviles had failed to cooperate with the AEPD in the investigation of privacy violations. Xfera Móviles had neither responded to the request for information nor provided any required documentation.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefonica Moviles Espana, S.A.U.
2020-11-05
€75,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Processing of personal data of the data subject without sufficient legal basis. The company had issued several invoices to the data subject and collected invoice amounts from his bank account without him being a customer of the company. Complaints against the company by the data subject remained unsuccessful.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-11-03
€30,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts. In this case, Vodafone demanded a debt from a data subject due to a mixing up of customers.
HDPA
Hellenic Data Protection Authority
Public Sector and Education
American College of Greece
2020-10-29
€1,000.00
Insufficient fulfilment of information obligations
Art. 12 (3), (4) GDPR
The Hellenic DPA (HDPA) imposed a fine of EUR 1,000 against the American College of Greece for violations of the right of access and the right to erasure of personal data.
GARANTE
Italian Data Protection Authority
Employment
Gaypa s.r.l.
2020-10-29
€20,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), e) GDPR
Art. 12 GDPR
Art. 13 GDPR
The Italian DPA (Garante) imposed a fine of EUR 20,000 on Gaypa s.r.l. The controller had kept a former employee's email account active and had access to the data subject's correspondence, despite the termination of his/her employment. The data subject had not been informed about such a further use of his/her e-mail account, nor about the storage of all incoming and outgoing e-mails on the company servers and the related processing of his/her personal data.
GARANTE
Italian Data Protection Authority
Employment
Borgo Fonte Scura s.r.l.
2020-10-29
€4,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA (Garante) imposed a fine of EUR 4,000 on Borgo Fonte Scura s.r.l. The controller had installed a video surveillance system which also recorded the three data subjects during their work. The data subjects were not sufficiently informed about the video surveillance and the resulting processing of their personal data.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-10-28
€36,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Processing of personal data of a data subject without sufficient legal basis due to errors in the correct assignment of customer contracts.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Play Orenes, S.L.
2020-10-28
€4,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The company used CCTV cameras outside its premises which also captured the public space resulting in a violation of the principle of data minimisation.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Università Campus Bio-medico di Roma (Polyclinic)
2020-10-26
€20,000.00
Non-compliance with general data processing principles
Art. 5 (2) a), f) GDPR
Art. 9 GDPR
In a data breach notification pursuant to Art. 33 GDPR, the data protection authority found that patients accessing their online medical reports via their smartphones could also access personal health data of 74 other patients. According to the polyclinic, the reason for this was a human error in the integration of two IT systems.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Organic Natur 03 S.L.
2020-10-26
€4,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Use of a membership contract containing pre-defined privacy clauses, which prevents effective negotiation and the express consent of the signing client.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Conseguridad SL
2020-10-26
€50,000.00
Insufficient involvement of data protection officer
Art. 37 GDPR
The company (private security company for video surveillance systems) did not have a data protection officer in breach of Art. 37 GDPR.