
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Each entry lists: Data Protection Authority (abbreviation and full name), Sector, Fined Company, Date of Decision, Fine, Violation Type, Articles Violated, Description.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
EDITORIAL DE PRENSA CANARIA, S.A.
2023-03-21
€40,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine on EDITORIAL DE PRENSA CANARIA, S.A. Several media outlets, including the controller, had published on their websites an audio recording of a multiple rape victim's testimony in court in order to report on the case, which had attracted a lot of media attention. During its investigation, the DPA determined that the victim's right to privacy outweighed the controller's freedom of information: the audio recordings added no significant value to the reporting but severely compromised the victim's privacy. The DPA therefore found that the controller had violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
TITANIA COMPAÑÍA EDITORIAL, S.L.
2023-03-21
€40,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine on TITANIA COMPAÑÍA EDITORIAL, S.L. Several media outlets, including the controller, had published on their websites an audio recording of a multiple rape victim's testimony in court in order to report on the case, which had attracted a lot of media attention. During its investigation, the DPA determined that the victim's right to privacy outweighed the controller's freedom of information: the audio recordings added no significant value to the reporting but severely compromised the victim's privacy. The DPA therefore found that the controller had violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
UNIDAD EDITORIAL INFORMACION GENERAL S.L.U.
2023-03-21
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 50,000 on UNIDAD EDITORIAL INFORMACION GENERAL S.L.U. Several media outlets, including the controller, had published on their websites, and in this case also on Twitter, an audio recording of a multiple rape victim's testimony in court in order to report on the case, which had attracted a lot of media attention. During its investigation, the DPA determined that the victim's right to privacy outweighed the controller's freedom of information: the audio recordings added no significant value to the reporting but severely compromised the victim's privacy. The DPA therefore found that the controller had violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
INGENIERÍA Y TELECOM JAÉN, S.L.
2023-03-17
€10,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has imposed a fine of EUR 10,000 on INGENIERÍA Y TELECOM JAÉN, S.L. The controller had extended the data subject's contract without their consent.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
Centrul Medical dr. Furtună Dan
2023-03-16
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on Centrul Medical dr. Furtună Dan. The controller had sent the results of a medical test via WhatsApp to the wrong recipient. As a result, personal data of the data subject, including first and last name, telephone number and medical data, were disclosed to third parties without authorization. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
Med Life S.A.
2023-03-16
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
Art. 32 (4) GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on Med Life S.A. The DPA found that the controller had failed to implement adequate technical and organizational measures to ensure the security of personal data, as required by Art. 32 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-03-16
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Spanish DPA has imposed a fine of EUR 5,000 on a private individual. The controller sent an e-mail containing personal data to several recipients using an open distribution list (recipients placed in the To or CC field rather than BCC), which allowed every recipient to see the e-mail addresses of all the others.
CNIL
French Data Protection Authority
Transportation and Energy
CITYSCOOT
2023-03-16
€125,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 28 (3) GDPR
Art. 82 Loi informatique et libertés
The French DPA has imposed a fine of EUR 125,000 on CITYSCOOT, a company that rents out motor scooters for short periods. During its investigation, the DPA found that CITYSCOOT collected the vehicle's geolocation every 30 seconds during a rental and stored the history of each trip. The company stated that it collected the data for purposes such as handling traffic violations, investigating complaints, assisting users in the event of a crash, and handling theft cases. The DPA found that none of these purposes justified near-continuous geolocation of data subjects, and that the company had therefore violated the principle of data minimization. In addition, the DPA found that the contracts the company had concluded with its processors did not contain all the information required by Art. 28 (3) GDPR.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
ORANGE ESPAGNE S.A.U.
2023-03-16
€100,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 100,000 on ORANGE ESPAGNE S.A.U. A customer who had purchased a cell phone from ORANGE filed a complaint with the DPA: as a condition of delivery, ORANGE required the delivery person to photograph the front and back of the customer's ID card. ORANGE stated that it did this for security purposes, to prevent fraud and identity theft. The DPA accepted that these purposes were legitimate but found that they could be achieved by means far less intrusive to the data subject's privacy than photographing the ID card and thereby processing the wide range of personal data printed on it.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Alianța pentru Unirea Românilor
2023-03-15
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 5 (2) GDPR
The Romanian DPA imposed a fine of EUR 10,000 on Alianța pentru Unirea Românilor. During its investigation, the DPA found that the controller collected personal data on its website without informing the data subjects and without meeting the conditions for the lawfulness of the processing. The DPA also found that the controller collected data such as surname, first name, address, ID card number, etc. not only on its website but also through various forms to be filled in. The DPA considered this to be a violation of the principle of data minimization.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Partidul Uniunea Salvați România
2023-03-15
€4,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) a) GDPR
Art. 32 (2) GDPR
The Romanian DPA has fined the Partidul Uniunea Salvați România party EUR 4,000. The controller had suffered a phishing attack in which the attackers gained unauthorized access to personal data such as first name, last name, email, phone number, as well as data on the political affiliation of the data subjects. The DPA found that the controller had failed to implement adequate technical and organizational measures such as data encryption to protect personal data, which facilitated such an attack.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-03-15
€480.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA has imposed a fine on a private individual. The controller had installed a video surveillance camera which also covered the public space and a neighbour property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2023-03-15
€136,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 32 GDPR
The Spanish DPA (AEPD) has imposed a fine on Vodafone España, S.A.U. A data subject had filed a complaint after fraudsters gained access to their Vodafone account and made changes to their contract. During its investigation, the DPA found that Vodafone had carried out the changes without verifying the identity of the person requesting them, and thus without determining whether the request actually came from the data subject. The original fine of EUR 170,000 was reduced to EUR 136,000 due to voluntary payment and admission of responsibility.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
Tinmar Energy SA
2023-03-14
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
The Romanian DPA has fined Tinmar Energy SA EUR 3,000. The controller had suffered a data breach in which third parties gained unauthorized access to personal data such as first name, last name, phone number, address etc. of the data subjects. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-03-14
€240.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine on a private individual. A data subject had filed a complaint with the DPA against their ex-partner, who had installed video surveillance cameras in the jointly occupied residence that also recorded parts of the complainant's private living areas and the jointly used parts of the residence. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 240 due to voluntary payment.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Modaone SRL
2023-03-13
€2,000.00
Insufficient fulfilment of information obligations
Art. 12 GDPR
Art. 13 GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Modaone SRL. An individual had filed a complaint with the DPA after continuing to receive advertising e-mails even though they had objected to such messages and the controller had confirmed the objection. In the course of its investigation, the DPA also found that the controller had not provided data subjects with sufficient, correct and up-to-date information about the processing of their personal data, and that the arrangements it offered for exercising data subject rights were inadequate.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
VODAFONE ONO, S.A.U.
2023-03-10
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on VODAFONE ONO, S.A.U. The controller had carried out a credit check on an individual with whom it had no customer relationship or other affiliation, so the data subject's personal data was processed without a legal basis. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Store owner
2023-03-09
€3,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 13 GDPR
Art. 114 Codice della privacy
The Italian DPA has fined a store owner EUR 3,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing.
GARANTE
Italian Data Protection Authority
Employment
Deca s.r.l.
2023-03-09
€1,600.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 15 GDPR
The Italian DPA has imposed a fine of EUR 1,600 on Deca s.r.l.. Employees had filed a complaint with the DPA because the controller had not complied with their requests for access to personal data processed during the attendance check.
GARANTE
Italian Data Protection Authority
Finance, Insurance and Consulting
Banca Cambiano 1884 S.p.A.
2023-03-09
€10,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 15 GDPR
The Italian DPA has imposed a fine of EUR 10,000 on Banca Cambiano 1884 S.p.A. for failing to respond to a data subject's request for access to their data in a timely manner.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Aesse S.r.l.s.
2023-03-09
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) a) GDPR
Art. 7 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 15 GDPR
Art. 130 Codice della privacy
The Italian DPA has imposed a fine of EUR 3,000 on Aesse S.r.l.s. An individual had filed a complaint with the DPA because the controller had made an unsolicited advertising call; the complainant stated that they had never consented to receiving advertising communications. In addition, the controller failed to adequately comply with the complainant's request for information about the origin of their data.
DATATILSYNET
Norwegian Supervisory Authority
Employment
Argon Medical Devices
2023-03-08
€220,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA of a data breach that involved personal data of all its European employees within 72 hours.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Finopro IFN SA
2023-03-06
€2,250.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), c) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 2,250 on Finopro IFN SA. The controller had suffered a ransomware attack in which unauthorized third parties gained access to personal data such as address, credit card details, bank account information, telephone numbers etc. of data subjects. During its investigation the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Integral Collection SRL
2023-03-06
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), c) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on Integral Collection SRL. The controller had suffered a ransomware attack in which unauthorized third parties gained access to personal data of data subjects such as addresses, credit card details, bank account information and telephone numbers. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
GARANTE
Italian Data Protection Authority
Health Care
Azienda sanitaria locale di Bari
2023-03-02
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c), f) GDPR
Art. 9 GDPR
Art. 25 (1), (2) GDPR
The Italian DPA has imposed a fine of EUR 50,000 on Azienda sanitaria locale di Bari. The healthcare facility had published reviews of former patients on the Internet and provided access to hundreds of documents on which it was possible to identify the patients. The information about the patients had been crudely redacted, but not enough to prevent the data from being disclosed. In particular, information about the patients' state of health, clinical data on operations, diagnoses, etc. were visible.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Private individual
2023-03-02
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) a) GDPR
Art. 130 Codice della privacy
The Italian DPA has imposed a fine of EUR 5,000 on a private individual. The individual had sent promotional messages to several data subjects without their consent.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Razmataz Live s.r.l.
2023-03-02
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
Art. 28 GDPR
The Italian DPA has imposed a fine of EUR 1,000 on Razmataz Live s.r.l.. Razmataz had contracted a processor to carry out marketing campaigns, which the processor failed to execute in a privacy-compliant manner. During its investigation, the DPA found that Razmataz had failed to carry out adequate controls at the processor.
UODO
Polish National Personal Data Protection Office
Individuals and Private Associations
Housing cooperative
2023-03-01
€11,100.00
Insufficient fulfilment of data breach notification obligations
Art. 33 (1) GDPR
Art. 34 (1) GDPR
The Polish DPA has imposed a fine of EUR 11,100 on a housing cooperative. The controller had disclosed personal data of a member of the cooperative to an unauthorized person. The incident was recorded in an internal register of violations, however the controller failed to inform the DPA and the data subject of the incident in a timely manner.
AEPD
Spanish Data Protection Authority
Industry and Commerce
WUNSCHURLAUB S.L.
2023-02-28
€1,800.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Spanish DPA has fined WUNSCHURLAUB S.L. for storing passwords in plain text on its website www.meine-auszeit-jetzt.de. The DPA considered this to be a violation of Art. 32 GDPR. The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and admission of responsibility.
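The entry above concerns the failure itself (passwords kept in plain text), not how to avoid it. As an added example, not code from the page or from the fined company, the snippet below places the vulnerable pattern beside a hardened one using only the Python standard library: a per-user random salt plus PBKDF2-HMAC-SHA256 key stretching, with a constant-time comparison on verification. The class names `PlaintextStore` and `HashedStore` and the sample credentials are constructed for illustration.

```python
"""Added example (not from the page): plaintext password storage beside a
salted, key-stretched alternative using only the standard library.
Class names and sample credentials are illustrative."""
import hashlib
import hmac
import os


class PlaintextStore:
    """The failure mode behind the fine: passwords stored verbatim.

    Anyone who can read the backing store (a leaked database dump, a stray
    backup, an insider) learns every user's password directly.
    """

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password  # stored as-is

    def verify(self, username, password):
        return self._users.get(username) == password

    def dump(self):
        # What an attacker sees if the store leaks: the passwords themselves.
        return dict(self._users)


class HashedStore:
    """Hardened form: random per-user salt + PBKDF2-HMAC-SHA256 key stretching.

    Only the iteration count, salt and derived key are stored, so a leaked
    record does not reveal the password, and the iteration count makes
    offline guessing expensive.
    """

    # Iteration count on the order of current OWASP guidance for PBKDF2-SHA256;
    # tune to the hardware so that one derivation costs a noticeable fraction
    # of a second.
    ITERATIONS = 600_000

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        salt = os.urandom(16)  # unique per user, so equal passwords yield different keys
        key = self._derive(password, salt, self.ITERATIONS)
        self._users[username] = (self.ITERATIONS, salt, key)

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so that response
            # time does not reveal whether the username exists.
            self._derive(password, b"\x00" * 16, self.ITERATIONS)
            return False
        iterations, salt, key = record
        candidate = self._derive(password, salt, iterations)
        # Constant-time comparison: a plain == would leak key bytes via timing.
        return hmac.compare_digest(candidate, key)

    def dump(self):
        # What an attacker sees if the store leaks: salts and derived keys only.
        return {u: (it, salt.hex(), key.hex()) for u, (it, salt, key) in self._users.items()}


if __name__ == "__main__":
    leaky = PlaintextStore()
    leaky.register("alice", "correct horse")  # constructed sample credential
    print("plaintext store leaks:", leaky.dump())

    safe = HashedStore()
    safe.register("alice", "correct horse")
    print("hashed store leaks:", safe.dump())
    print("login ok:", safe.verify("alice", "correct horse"))
    print("wrong password:", safe.verify("alice", "wrong"))
```

The point a reviewer would check is the `dump()` output of each store after a simulated leak: the first reveals the password, the second reveals only a salt and a derived key. For a new system a memory-hard function such as scrypt or Argon2 is preferable; `hashlib.scrypt` is also in the standard library and drops in with the same salt-and-compare structure.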
AEPD
Spanish Data Protection Authority
Industry and Commerce
ECOMM MOVADGENCY S.L.
2023-02-28
€600.00
Insufficient fulfilment of data subjects rights
Art. 21 GDPR
The Spanish DPA has imposed a fine on ECOMM MOVADGENCY S.L. for sending direct marketing messages even though the data subjects had exercised their right to object. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
CITIZENGO FOUNDATION
2023-02-28
€3,000.00
Insufficient legal basis for data processing
Art. 7 GDPR
The Spanish DPA has imposed a fine on CITIZENGO FOUNDATION. A person had filed a complaint with the DPA because the controller had sent them an email with election advertising without the individual's consent. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and acknowledgement of responsibility.
AEPD
Spanish Data Protection Authority
Not assigned
GUUDJOB WORLDWIDE S.L.
2023-02-28
€800.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 17 GDPR
The Spanish DPA has imposed a fine on GUUDJOB WORLDWIDE S.L. An individual had filed a complaint with the DPA claiming that the controller had not complied with their request to delete their personal data. The individual had posted a review on the controller's website and, on seeing that their name had been published, asked for their data to be deleted; the controller did not comply with this request in due time. The original fine of EUR 1,000 was reduced to EUR 800 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Attorney
2023-02-27
€4,000.00
Insufficient legal basis for data processing
Art. 5 (1) f) GDPR
Art. 6 GDPR
The Spanish DPA has imposed a fine of EUR 4,000 on an attorney. The attorney had sent a court ruling containing personal data of a data subject to several individuals via WhatsApp without the consent of the data subject.
Data Protection Authority of Ireland
Finance, Insurance and Consulting
Bank of Ireland 365
2023-02-27
€750,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Irish DPA has fined Bank of Ireland 365 EUR 750,000. The bank had notified the DPA of 10 data breaches linked to the bank's app. Unauthorized persons had managed to gain access to the app as well as to other individuals' accounts. The DPA determined that this data breach was facilitated due to the bank's failure to implement appropriate technical and organizational measures to protect personal data.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Ediscom S.p.a.
2023-02-23
€300,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), c) GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 14 GDPR
Art. 25 GDPR
Art. 130 Codice della privacy
The Italian DPA has imposed a fine of EUR 300,000 on Ediscom S.p.a.. The marketing company had collected data from 21 million individuals via various online portals in order to use them for marketing activities. The company also used so-called 'dark patterns' to mislead users into consenting to the processing of their data for marketing purposes and to the transfer of their data to third parties. The DPA found a number of other violations, including that in some cases of data processing, the company was unable to demonstrate that it had obtained the consent of data subjects for this.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
DISPLAY CONNECTORS, S.L.
2023-02-22
€30,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine on DISPLAY CONNECTORS, S.L.. An individual had filed a complaint with the DPA regarding the controller's publication of information about a court case that included personal data of the complainant's minor son. During its investigation, the DPA determined that the minor's right to privacy outweighed the controller's freedom of information, and thus the publication violated the principle of data minimization. The original fine of EUR 50,000 was reduced to EUR 30,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Industry and Commerce
COMANDANCIA DE LLEIDA
2023-02-21
€300.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 300 on COMANDANCIA DE LLEIDA. The controller had failed to provide a notice with information about video surveillance in its premises.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-02-21
€300.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-02-21
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded a neighboring property. The DPA considered this to be a violation of the principle of data minimization.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone
2023-02-20
€40,000.00
Insufficient fulfilment of data breach notification obligations
Art. 15 GDPR
Art. 33 GDPR
The Hellenic DPA has imposed a fine of EUR 40,000 on Vodafone. An individual had filed a complaint with the DPA because, following a request for access to records of conversations with a Vodafone call center, Vodafone had provided them with another customer's conversations. Vodafone in addition failed to report this incident to the DPA in a timely manner.
Deputy Data Protection Ombudsman
Finance, Insurance and Consulting
Suomen Asiakastieto Oy
2023-02-17
€440,000.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Finnish DPA has imposed a fine of EUR 440,000 on Suomen Asiakastieto Oy for failing to comply with an order issued by the DPA. During an investigation, the DPA found that the company had unlawfully stored financial data of data subjects. The DPA therefore ordered the company to remove the data, which the company did not comply with.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
Company
2023-02-08
€7,200.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 24 (1) GDPR
Art. 25 (1), (2) GDPR
Art. 32 (1), (2) GDPR
The Polish DPA has imposed a fine of EUR 7,200 on a company. The controller had suffered a data breach that resulted in the loss of personal data. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data, which facilitated the data breach. The controller had failed to conduct certain risk analyses, for example. In addition, the DPA found that the controller failed to review its processor and ensure that it provided sufficient guarantees to protect personal data.
UODO
Polish National Personal Data Protection Office
Real Estate
Housing association
2023-02-07
€321.00
Insufficient fulfilment of data breach notification obligations
Art. 5 (1) a) GDPR
Art. 28 (1), (3), (9) GDPR
Art. 33 (1) GDPR
Art. 34 (1), (2) GDPR
The Polish DPA has imposed a fine of EUR 321 on a housing association. The controller had suffered a data breach involving the theft of documents, including a copy of a notarial deed. During its investigation, the DPA found that the controller had both failed to report the data breach to the DPA in a timely manner and to notify the data subjects affected by the incident. Further, the DPA found that the controller had not adequately checked if the processor provided sufficient guarantees to implement appropriate technical and organisational measures to ensure data protection.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Sats ASA
2023-02-06
€900,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) a), e) GDPR
Art. 6 (1) GDPR
Art. 12 (1), (3) GDPR
Art. 13 GDPR
Art. 15 GDPR
Art. 17 GDPR
The Norwegian DPA has imposed a fine of EUR 900,000 on the fitness chain 'Sats'. The DPA had received several complaints from customers who had submitted requests for information as well as deletion of their personal data, which Sats had not complied with. The DPA also found that Sats had processed certain customer data without a valid legal basis.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Accommodation and Hospitality
I&S Limited Kft
2023-02-06
€80,500.00
Non-compliance with general data processing principles
Art. 5 (1) a), b) GDPR
Art. 6 (1) GDPR
Art. 9 (2) GDPR
Art. 13 (1), (2) GDPR
Art. 24 GDPR
Art. 25 GDPR
The Hungarian DPA has imposed a fine of EUR 80,500 on the spa operator I&S Limited Kft. During its investigation, the DPA found that the controller had installed video surveillance cameras in its premises that permanently monitored guests and employees, without a valid legal basis for such extensive surveillance. The controller also failed to properly inform the data subjects about the processing of their personal data, and had processed customer data for marketing purposes without a valid legal basis.
Cypriot Data Protection Commissioner
Media, Telecoms and Broadcasting
Epic Ltd.
2023-02-03
€3,250.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 24 (1), (2) GDPR
Art. 32 (1) GDPR
The Cypriot DPA has imposed a fine of EUR 3,250 on Epic Ltd. The controller had made unsolicited calls to 332 former customers without a valid legal basis. The DPA also found that the controller had not taken appropriate technical and organizational measures to be able to demonstrate that its data processing complied with the GDPR.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone
2023-02-02
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b) GDPR
Art. 6 (1), (4) GDPR
Art. 13 GDPR
The Hellenic DPA has imposed a fine of EUR 10,000 on Vodafone. An individual had filed a complaint with the DPA because they had received a package containing promotional gifts from a company working with Vodafone, even though they had expressly objected to the use of their data for promotional purposes. During its investigation, the DPA found that the controller processed the data without a valid legal basis and thus acted unlawfully. The DPA also found that the controller could not prove that it had comprehensively informed the data subject about the processing of their personal data in accordance with Art. 13 GDPR.
HDPA
Hellenic Data Protection Authority
Finance, Insurance and Consulting
Piraeus Bank
2023-02-02
€30,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
Art. 33 GDPR
Art. 34 GDPR
The Hellenic DPA has imposed a fine of EUR 30,000 on Piraeus Bank. A customer had filed a complaint with the DPA because, in the course of legal proceedings, the bank had disclosed transaction and balance information from two jointly held accounts to the heirs of the other joint owner. The DPA determined that the disclosure of the joint account information was unlawful. In addition, the bank failed to report the incident to the DPA and to the data subject in a timely manner.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Tensa Art Design SA
2023-02-01
€1,000.00
Insufficient fulfilment of data subjects rights
Art. 21 (3) GDPR
The Romanian DPA (ANSPDCP) has imposed a fine of EUR 1,000 on Tensa Art Design SA. A data subject had objected to continuing to receive the controller's newsletter but nevertheless kept receiving advertisements from the controller.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
Dent Estet Clinic SA
2023-01-31
€1,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
The Romanian DPA has fined Dent Estet Clinic SA (dental practice) EUR 1,000. An employed dentist at the practice had published medical information of a patient, such as photos and X-rays, in an article on a medical blog. However, the dentist failed to obtain the patient's consent before publishing the medical data. Although the patient had informed the clinic, it failed to notify the DPA of the data breach in a timely manner.