GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority
Name
Fined Company
Fine
Violation
Description
Link
Data Protection Authority of Sachsen-Anhalt
Individuals and Private Associations
Private Individual
2020-10-24
€200.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 32 GDPR
Original summary: The DPA of Saxony-Anhalt imposed a fine of EUR 200 on a private individual. The controller had taken photos of vehicles and, in some cases, their drivers and emailed them to the city of Magdeburg in an unencrypted form as part of reports of violations of the Road Traffic Regulations.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Deichmann Cipőkereskedelmi Korlátolt Felelősségű Társaságnak
2020-10-23
€54,800.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 15 GDPR
Art. 18 (1) c) GDPR
Art. 25 GDPR
The data controller denied the data subject access to the video material recorded by CCTV in a local store, with which the data subject wanted to prove that he or she had not received any money back after paying in the store. The company not only denied the data subject access to the data according to Art. 15 GDPR (with the argument that this would require an official order), but also deleted the video recordings after a certain period of time, although the data subject had requested the company to not delete the data in advance according to Art. 18 (1) c) GDPR.
Cypriot Data Protection Commissioner
Public Sector and Education
Cyprus Police
2020-10-22
€6,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
A police officer had unauthorized access to a database holding personal data about vehicle owners and used the database for non-official purposes to pass information from the database to a third party. In this respect, the organizational and technical measures taken by the police to prevent unauthorized access to the database were insufficient to prevent the unauthorized disclosure of personal data to third parties.
VDAI
Lithuanian Data Protection Authority
Public Sector and Education
Vilnius City Municipality Administration
2020-10-21
€15,000.00
Non-compliance with general data processing principles
Art. 5 (1) d) GDPR
Art. 5 (1) f) GDPR
During the data synchronization of the Population Information System of the Municipal Administration with the databases of the State Centre for Business Registers, the personal data of an applicant for the fostering of an adopted child was replaced, due to an error, with the personal data of the biological parents, which were subsequently accessible in the Population Register of the Republic of Lithuania. This constituted a violation of the principles of integrity and confidentiality of personal data processing (Art. 5 (1) f) GDPR) and a violation of the principle of accuracy.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Globus Score SRL
2020-10-20
€2,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The company had not provided the ANSPDCP with requested information.
Cypriot Data Protection Commissioner
Industry and Commerce
Grant Ideas Ltd
2020-10-19
€1,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Sending emails to data subjects without sufficient legal basis.
Cypriot Data Protection Commissioner
Finance, Insurance and Consulting
Bank of Cyprus Public Company Ltd
2020-10-19
€15,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 15 GDPR
Art. 32 GDPR
Art. 33 GDPR
The data subject made a claim for access to information according to Art. 15 GDPR, which could not be answered, since the insurance contract of the data subject could not be found and has been lost. This constituted a violation of the rights of the data subject under Art. 15 GDPR as well as a violation of the obligations to protect personal data according to Art. 5 (1) f) GDPR and Art. 32 GDPR. In addition, the Data Breach Notification Obligations pursuant to Art. 33 f. GDPR have also been violated, as the data subject was not informed about the security incident in due time.
DSB
Austrian Data Protection Authority
Health Care
Private Individual
2020-10-19
€600.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 9 GDPR
Between February and June 2020, a private individual published information about patients on his personal Facebook page. The information included health data in terms of Art. 4 (15) GDPR. In detail, the published data comprised patient names, diagnostic findings, medical diagnoses, medication data, data on hospital admissions and discharges, patients' social security numbers and the names of the treating physicians.
DSB
Austrian Data Protection Authority
Individuals and Private Associations
Private Individual
2020-10-19
€150.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
The private individual recorded a female person while she was using one of the WC cabins by placing a cell phone (smartphone with camera function) under the WC cabin partition wall, with the screen pointing upwards and the front camera of the cell phone being active during the entire process.
ICO
Information Commissioner
Transportation and Energy
British Airways
2020-10-16
€22,046,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
In July 2019, the ICO issued a notice of its intention to fine British Airways £183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. The ICO's investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information. In the meantime, the final fine imposed on the airline has been set at £20 million (approximately EUR 22,046,000). The ICO emphasized that when setting the amount of the fine, it also took into account the economic impact of the COVID-19 ('Coronavirus') pandemic on the airline industry.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
S.C. Marsorom S.R.L.
2020-10-15
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Disclosure of personal data of customers on the company's website due to inadequate technical and organisational measures to ensure information security.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Café Restaurante B.B.B
2020-10-09
€900.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The cafe used CCTV cameras which also captured the public space outside, resulting in a violation of the so-called principle of data minimisation.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Person
2020-10-09
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 6 GDPR
Usage of CCTV camera that was also capturing foreign private space of a neighbour.
AEPD
Spanish Data Protection Authority
Health Care
Centro de Investigación y Estudio para la Obesidad, SL
2020-10-09
€50,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Fines for the transfer of the data subject's personal data to Evo Finance EFC, SA in the course of processing a health insurance application, without a sufficient legal basis for the transfer of data, as the medical treatment in question has never been carried out.
AEPD
Spanish Data Protection Authority
Employment
Caja Rural San José de Nules S. Cooperativa de Crédito
2020-10-09
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The company published information with the names and surnames of its employees, which led to the disclosure of the data subject's financial situation.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Lycamobile
2020-10-06
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Fine for processing of personal data without sufficient legal basis due to incorrect information about the owners of prepaid phone cards (mismatch between the registered owners in the company's business register and the actual owners of the cards).
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Callesgarcia, S.L.
2020-10-06
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Usage of a photo of the data subjects for commercial purposes without sufficient legal basis.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Avata Hispania, S.L.
2020-10-03
€3,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 28 (3) g) GDPR
Infringement of Art. 28 (3) g) GDPR, since personal data were further processed after the controller had terminated the contractual relationship with the processor.
Data Protection Authority of Hamburg
Employment
H&M Hennes & Mauritz Online Shop A.B. & Co. KG
2020-10-01
€35,258,708.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The fashion company with its seat in Hamburg operates a service center in Nuremberg. Here, according to the findings of the Hamburg data protection officer, since at least 2014 private life circumstances of some of the employees have been comprehensively recorded and this information stored on a network drive. For example, the company conducted a 'Welcome Back Talk' after employees returned to work after vacation or illness. The information that became known in this context - including information on the symptoms of illness and diagnoses of the employees - was recorded and stored. In addition, according to the Hamburg data protection authority, some supervisors also used the 'Flurfunk' [meaning to hear something through the grapevine] to acquire a broad knowledge of individual employees, for example about family problems and religious beliefs. The information stored on the network drive was accessible to up to 50 managers of the company and was used, among other things, to evaluate the work performance of the employees and to make employment decisions. The data collection became known due to a technical configuration error in October 2019, as a result of which the data stored on the network drive was accessible company-wide for several hours. After the violation became known, the management apologized to the employees and offered monetary compensation. In addition, further protective measures were introduced together with the data protection authority. [Note: Concrete legal basis of the fine not yet published - we assume this will mainly be Art. 5 and 6 GDPR]
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Megareduceri TV S.R.L.
2020-10-01
€3,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
Fine for failure to comply with an order of the supervisory authority.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Real Estate
Asociația de proprietari Militari R
2020-10-01
€2,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
Fine for failure to comply with an order of the supervisory authority.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Ospedaliera di Rilievo Nazionale 'Antonio Cardarelli' (Private Hospital)
2020-09-30
€80,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 28 GDPR
Art. 32 GDPR
According to the data protection authority, personal information about participants in a public competition had been unlawfully disclosed online. The reason for this was that, due to a configuration error, a list of the codes assigned to the candidates was temporarily accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of protection of information security. In addition, the data protection authority found that the information obligations were also not complied with and that the hospital had also not provided a sufficient data processing agreement with the data processor [which was also fined, see fine for 'Scanshare'] in accordance with Art. 28 GDPR.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Scanshare s.r.l.
2020-09-30
€60,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 32 GDPR
According to the data protection authority, personal information about participants in a public competition had been unlawfully disclosed online. The reason for this was that, due to a configuration error, a list of the codes assigned to the candidates was temporarily accessible on the platform, which allowed access to the documents submitted by the candidates with their personal data. This was a violation of the principle of protection of information security for which Scanshare - which was the processor of the data on behalf of the controller 'Azienda Ospedaliera di Rilievo Nazionale 'Antonio Cardarelli'' (a private hospital) - had been fined with EUR 60.000. [Also see the main fine on the hospital!]
AEPD
Spanish Data Protection Authority
Industry and Commerce
Venu Sanz Chef, S.L.
2020-09-30
€3,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Use of personal data for advertising purposes without sufficient legal basis.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-09-25
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Failure to remove the data subject's personal data at the time of cancellation of his/her telephone services contract and sending a warning to the data subject after cancellation resulting in the processing of his/her personal data without sufficient legal basis.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Odin Flissenter AS
2020-09-25
€13,900.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The company assessed the credibility of another company and thereby, according to Datatilsynet, processed personal data relating to a natural person (the owner of the company assessed) without there being a sufficient legal basis for doing so.
AEPD
Spanish Data Protection Authority
Industry and Commerce
GLP Instalaciones 86, SL
2020-09-22
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
In order to obtain assistance for the installation of an air conditioning system, the data subject had contacted Naturgy Energy Group S.A. Subsequently, he was contacted by two different companies, one of which was GLP Instalaciones 86, who pretended to be Naturgy employees. Naturgy denied this and claimed that the companies were neither authorized installers nor employees of Naturgy resulting in the processing of personal data of the data subject, including his/her name, surname, telephone number, bank details and e-mail, without a valid legal basis.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Iweb Internet Learning, S.L.
2020-09-22
€7,800.00
Insufficient fulfilment of information obligations
Art. 7 GDPR
Art. 12 GDPR
Art. 13 GDPR
Lack of information in the privacy policy (information on the data controller) as well as inadequate obtaining of consent, as only a general consent could be given without distinguishing between different data processing purposes.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, SAU
2020-09-17
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A former customer had received e-mails containing electronic bills even after he had terminated his contract with the company resulting in a processing of personal data without sufficient legal basis.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Grupo Carolizan
2020-09-17
€3,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Operation of CCTV camera systems in an arcade area in front of a building, i.e. also covering public space. This violated the principles of data minimization, as the surveillance cameras could have been operated in a way that would not have affected the public space.
AEPD
Spanish Data Protection Authority
Real Estate
Property owners community
2020-09-16
€10,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Publication of a document containing personal data (information about identity of the data subject as well as about debts) on a community notice billboard.
AEPD
Spanish Data Protection Authority
Public Sector and Education
Political Party
2020-09-11
€1,500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Sending of an e-mail to a former party member who had since resigned, with the request to act as an election representative, without sufficient legal basis to process the personal data required for this purpose.
HDPA
Hellenic Data Protection Authority
Individuals and Private Associations
Private Person
2020-09-11
€8,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Operation of a CCTV camera that also monitored public space outside the premises of the data controller.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Warsaw University of Life Sciences
2020-09-08
€11,200.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Theft of a private notebook belonging to a university employee who also used this device for business purposes and on which personal data of candidates for study at SGGW was contained for recruitment activities.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Sanatatea Press Group S.R.L.
2020-09-08
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Sending the personal data collected for the registration for an online course to other participants due to a technical failure.
AEPD
Spanish Data Protection Authority
Employment
Barcelona Airport Security Guard Association ('AVSAB')
2020-09-07
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
A member of the AVSAB security committee used WhatsApp to send messages to private phone numbers containing personal information about employees. This was a violation of the confidentiality principle that, according to the AEPD, must be respected not only by the data controller, but also by any other subject involved in any phase of the processing.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Istituto Comprensivo Statale Crucoli Torretta
2020-09-07
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Publication of personal data of students on the website of the Institute with, inter alia, notes about health and progress in school due to technical failure.
APD
Belgian Data Protection Authority
Public Sector and Education
Former mayor of a community
2020-09-07
€5,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Original fine summary: Sending election advertising to citizens without sufficient legal basis. Update: On January 27th, 2021, the Brussels Court of Appeal overturned the fine of EUR 5,000.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Bergen Municipality
2020-09-03
€276,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
In October 2019, the Data Protection Authority was informed by the Municipality of Bergen about a data breach in connection with the municipality's tool for communication between school and home called 'Vigilo'. This tool contained a module that allowed school and parents to communicate via a portal or app but that had not been secured properly to ensure the protection of personal data against security threats.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Casaloldo
2020-09-03
€2,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Publication of personal data on the website of the community.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica Móviles España, SAU
2020-09-01
€75,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
According to the supervisory authority, the company processed personal data without sufficient legal basis, with the result that the data subject received several hundred unsolicited calls and SMS messages.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Real Estate
Apartment building owners association
2020-09-01
€500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 32 GDPR
Export of a still image from a video surveillance system and posting of the image on the billboard of the building without sufficient legal basis. In addition, violation of the information obligations under Art. 12, 13 GDPR and violation of Art. 25 and 32 GDPR, because no sufficient information about the CCTV was given and because no sufficient technical and organizational security measures were taken to protect the personal data collected by the video surveillance system.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
UNICREDIT BANK SA
2019-06-27
€130,000.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 5 (1) c) GDPR
The fine was issued as a result of the failure to implement appropriate technical and organisational measures (related to (1) the determination of the processing means/operations, and (2) the integration of the necessary safeguards) resulting in the online disclosure of IDs and addresses (internal/external transactions) of 337,042 data subjects to their respective beneficiary (between 25.05.2018 - 10.12.2018).
CNIL
French Data Protection Authority
Employment
Employer UNIONTRAD COMPANY
2019-06-13
€20,000.00
Insufficient legal basis for data processing
Art. 5 (1) c) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 32 GDPR
Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstation. On two occasions, it alerted the company to the rules to be observed when installing cameras in the workplace, in particular, that employees should not be filmed continuously and that information about the data processing has to be provided. In the absence of satisfactory measures at the end of the deadline set in the formal notice, the CNIL carried out a second audit in October 2018 which confirmed that the employer was still breaching data protection laws when recording employees with CCTV. When determining the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company, which presented a negative net result in 2017 (turnover of 885,739 EUR in 2017 and a negative net result of 110,844 EUR), to retain a dissuasive but proportionate administrative fine.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Professional Football League (LaLiga)
2019-06-11
€250,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 7 (3) GDPR
The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD, LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
APD
Belgian Data Protection Authority
Public Sector and Education
Mayor
2019-05-28
€2,000.00
Insufficient legal basis for data processing
Art. 5 (1) b) GDPR
Art. 6 GDPR
The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.
CNIL
French Data Protection Authority
Real Estate
SERGIC (Real Estate)
2019-05-28
€400,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) e) GDPR
The CNIL based the penalty on two grounds: Lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.
VDAI
Lithuanian Data Protection Authority
Finance, Insurance and Consulting
Payment service provider UAB MisterTango
2019-05-16
€61,500.00
Insufficient fulfilment of data breach notification obligations
Art. 5 GDPR
Art. 32 GDPR
Art. 33 GDPR
During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller. In addition, it became known that from 09 - 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary. The controller did not report the Data Breach.
Data Protection Authority of Baden-Wuerttemberg
Individuals and Private Associations
Police Officer
2019-05-09
€1,400.00
Insufficient legal basis for data processing
Art. 6 GDPR
The police officer, using his official user ID but without reference to official duties, queried the owner data concerning the license plate of a person who he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, in which he asked not only for the personal data of the injured parties but also for the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone - without any official reason or consent given by the injured party. Through the ZEVIS and SARS enquiry for private purposes and the use of the mobile phone number obtained in this way for private contact, the police officer has processed personal data outside the scope of the law on his own authority. This infringement is not attributable to the police officer's department, since he did not commit the act in the exercise of his official duties, but exclusively for private purposes. The prohibition of punishment under § 28 LDSG, according to which the sanctions of the GDPR cannot be imposed on public bodies, does not apply in the present case, since it was neither a case of misconduct attributable to the authority nor is the person concerned to be classified as a separate public body within the meaning of § 2 (1) or (2) LDSG in the case of the acts in question.
UOOU
Czech Data Protection Authority
Not assigned
Unknown
2019-05-06
€194.00
Insufficient fulfilment of data subjects' rights
Art. 15 GDPR
Information was not provided.