A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
AEPD
Spanish Data Protection Authority
Transportation and Energy
ENDESA (energy supplier)
Unknown
€60,000.00
Insufficient legal basis for data processing
Art. 5 (1) f) GDPR
The complainant's bank account was charged by ENDESA for the benefit of a third party who had been convicted under criminal law and subjected to a two-year restraining order regarding the claimant, her domicile and her workplace. Instead of amending the contract details as requested by the claimant, ENDESA erroneously deleted her data and filled in the data of the third party. The AEPD found that the disclosure of the claimant's data to the third party was a severe violation of the principle of confidentiality.
Data Protection Authority of Berlin
Real Estate
Deutsche Wohnen SE
2021-02-23
€0.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 25 GDPR
Originally, a fine in the amount of EUR 14.500.000 was issued against Deutsche Wohnen SE for using an archiving system for the storage of personal data of tenants that, according to the data protection authority, did not provide for the possibility of removing data that was no longer required. According to the data protection authority, personal data of tenants were stored without checking whether storage was permissible or even necessary, and it was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. See the separate entry. *** UPDATE *** On 24 February 2021 the Berlin Regional Court dismissed the fine against Deutsche Wohnen SE due to procedural errors, see https://www.deutsche-wohnen.com/ueber-uns/presse-news/pressemitteilungen/landgericht-berlin-stellt-bussgeldverfahren-gegen-deutsche-wohnen-ein/ and https://www.heise.de/news/Gravierende-Maengel-Deutsche-Wohnen-wendet-DSGVO-Millionenstrafe-vorerst-ab-5064633.html
ICO
Information Commissioner
Accommodation and Hospitality
Marriott International, Inc
2020-10-30
€20,450,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Original Summary: The ICO issued a notice of its intention to fine Marriott International Inc due to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.
It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
Update: On 2020/10/30, the ICO announced its final decision to impose a fine of £18.4 million (approximately EUR 20.4 million) on Marriott International Inc. In its decision, the ICO set out its considerations for the calculation of the fine, which included Marriott's absence of prior violations or omissions and the fact that Marriott had fully cooperated with the investigation and had taken steps to notify the individuals concerned. In addition, the ICO noted that it had also aligned the fine with other fines already imposed on other companies, in particular by other European data protection authorities.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
FAN Courier Express SRL
2019-11-25
€11,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The fine was imposed because the controller failed to take appropriate technical and organisational measures leading to the loss and unauthorised access to personal data (name, bank card number, CVV code, cardholder's address, personal identification number, serial and identity card number, bank account number, authorised credit limit) of approximately 1,100 data subjects.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
BNP Paribas Personal Finance S.A.
2019-11-22
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 17 GDPR
BNP Paribas Personal Finance did not react to a request for erasure within the period set by the GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
General Confederation of Labour ('CGT')
2019-11-13
€3,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The CGT, with the aim of convening a meeting, e-mailed personal data of the complainant, including her home address, family relationship, pregnancy status and the date of an ongoing verbal abuse and harassment case, to 400 union members without her consent.
AEPD
Spanish Data Protection Authority
Industry and Commerce
TODOTECNICOS24H S.L.
2019-11-07
€900.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
TODOTECNICOS24H had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Cerrajero Online
2019-11-06
€900.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The company had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Jocker Premium Invex
2019-10-31
€6,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
After registering for a local census, Jocker Premium Invex had sent the applicant postal advertisements and commercial offers, although data such as first name, surname and postal address were only communicated to the public administration.
AP
Dutch Supervisory Authority for Data Protection
Finance, Insurance and Consulting
UWV (Dutch employee insurance service provider)
2019-10-31
€900,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
As the UWV (the Dutch employee insurance service provider - 'Uitvoeringsinstituut Werknemersverzekeringen') did not use multi-factor authentication when accessing the online employer portal, security was inadequate. Employers and health and safety services were able to collect and display health data from employees in an absence system.
Data Protection Authority of Berlin
Real Estate
Deutsche Wohnen SE
2019-10-30
Unknown
Non-compliance with general data processing principles
Art. 5 GDPR
In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR - see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.
DSB
Austrian Data Protection Authority
Transportation and Energy
Austrian Post
2019-10-29
€0.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Original fine summary: Sending election advertising to citizens without sufficient legal basis.
Update: On January 27th, 2021, the Brussels Court of Appeal overturned the fine of EUR 5,000.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2019-10-25
€36,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The claimant, whose data had been provided to the company by his daughter, as authorised by him, received a call from the company offering its services, which he refused. Nevertheless, Vodafone España proceeded to provide him with services and to seek payment from him, so Vodafone España had processed the claimant's personal data without his consent.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Mayor of Aleksandrów Kujawski
2019-10-18
€9,380.00
Insufficient data processing agreement
Art. 28 GDPR
No data processing agreement had been concluded with the company whose servers hosted the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of 40.000 PLN (9400 EUR) was imposed on the mayor of the city.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
UTTIS INDUSTRIES SRL
2019-10-17
€2,500.00
Insufficient fulfilment of information obligations
Art. 12 GDPR
Art. 13 GDPR
Art. 5 (1) c) GDPR
Art. 6 GDPR
The sanctions were imposed on the controller because it could not prove that data subjects had been informed about the processing of their personal data/images through the video surveillance system it had operated since 2016, and because it disclosed employees' CNP by displaying the 2018 training report for authorised ISCIR personnel to the complainant, without being able to prove the lawfulness of that disclosure under Art. 6 GDPR.
UODO
Polish National Personal Data Protection Office
Industry and Commerce
ClickQuickNow
2019-10-16
€47,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
The UODO imposed a fine of EUR 47000 for obstructing the exercise of the right of withdrawal for the processing of personal data. The company has not taken appropriate technical and organisational measures that allow the simple and effective withdrawal of consent to the processing of personal data and the exercise of the right to request the erasure of personal data.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2019-10-16
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Xfera Moviles used personal data without a legal basis for the conclusion of a telephone contract and continued to process personal data even after the data subject requested that the processing be discontinued.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Iberdrola Clientes
2019-10-16
€8,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Iberdrola Clientes, an electricity company, had refused a person's request to change electricity supplier, claiming that the person's data would be included in the solvency list. As a result, the AEPD requested that Iberdrola Clientes provide information about the possibility of adding the person's data to the solvency list, to which the company did not respond. This lack of cooperation with the AEPD was a violation of Article 31 of the GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Raiffeisen Bank SA
2019-10-09
€15,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Original fine summary: Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform's staff via WhatsApp and then returned the result to Vreau Credit using the same means of communication. Update: The fine was reduced from EUR 150,000 to EUR 15,000 following a court ruling in 2021, see https://www.zf.ro/banci-si-asigurari/raiffeisen-bank-a-obtinut-in-instanta-reducerea-de-10-ori-a-unei-19914204.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Vreau Credit SRL
2019-10-09
€20,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Art. 33 GDPR
Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform's staff via WhatsApp and then returned the result to Vreau Credit using the same means of communication.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
Telecommunication Service Provider
2019-10-07
€200,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 25 GDPR
A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
Telecommunication Service Provider
2019-10-07
€200,000.00
Non-compliance with general data processing principles
Art. 21 (3) GDPR
Art. 25 GDPR
Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Vueling Airlines
2019-10-01
€30,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Spanish Data Protection Agency (AEPD) sanctioned Vueling Airlines with 30,000 euros for not giving users the ability to refuse its cookies and forcing them to accept them if they wanted to browse its website. In other words, it was not possible to browse the Vueling page without accepting its cookies. The AEPD issued a sanctioning resolution for the amount of 30,000 euros, which could be reduced to 18,000 for immediate payment.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Inteligo Media SA
2019-09-26
€9,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) a) GDPR
As part of the registration process on the website avocatnet.ro, the operator used an unticked checkbox by means of which users could declare that they did not wish to receive information letters via e-mail (opt-out). Without any action by the user, information letters were automatically sent via e-mail. This did not fulfil the requirements for GDPR-compliant consent.
Data Protection Authority of Berlin
Accommodation and Hospitality
Delivery Hero
2019-09-19
€195,407.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Art. 17 GDPR
Art. 21 GDPR
According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted the accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years, in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising e-mails from the delivery service. In five further cases, the company did not provide the data subjects with the required information, or did so only after the Berlin data protection officer had intervened.
APD
Belgian Data Protection Authority
Industry and Commerce
Merchant
2019-09-17
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject's identification number. In the meantime, the decision of the data protection authority has been annulled by a court: https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/Arrest_190220.pdf
UODO
Polish National Personal Data Protection Office
Industry and Commerce
Morele.net
2019-09-10
€660,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people.
KZLD
Data Protection Commission of Bulgaria
Public Sector and Education
National Revenue Agency
2019-08-28
€2,600,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure the protection of information security. It was found that personal data concerning about 6 million persons was illegally accessible.
KZLD
Data Protection Commission of Bulgaria
Finance, Insurance and Consulting
DSK Bank
2019-08-28
€511,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data.
DSI
Data State Inspectorate
Industry and Commerce
Online Services
2019-08-26
€7,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
A merchant who provides services in an online store infringed the 'right to be forgotten' pursuant to Art. 17 GDPR when a data subject repeatedly requested the deletion of all of his/her personal data, in particular his/her mobile phone number, which the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subject's mobile phone number.
Data Protection Authority of Sweden
Public Sector and Education
School in Skellefteå
2019-08-20
€18,630.00
Insufficient legal basis for data processing
Art. 5 (1) c) GDPR
Art. 9 GDPR
Art. 35 GDPR
Art. 36 GDPR
A school in Skellefteå ran a trial of facial recognition technology. The fine was imposed on the school, which had used facial recognition technology to monitor the attendance of students. Even though, in general, data processing for the purpose of monitoring attendance is possible, doing so with facial recognition is disproportionate to the goal of monitoring attendance. The supervisory authority is of the opinion that biometric data of students was processed, which is why Art. 9 GDPR is applicable. Additionally, the authority argued that consent cannot be relied upon, since students and their guardians cannot freely decide whether they/their children want to be monitored for attendance purposes. When examining whether the school board could rely on any of the exemptions listed in Art. 9 (2), the supervisory authority found that this was not the case. The supervisory authority also found that this was a processing activity with high risks, since new technology was used to process sensitive personal data concerning children who are in a position of dependency on the high school board, and because camera surveillance was used in the students' everyday environment. In the view of the authority, the school board was not able to demonstrate compliance with Art. 35 GDPR, and the school board was required to consult the authority in accordance with Art. 36 (1) GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
AVON COSMETICS
2019-08-16
€60,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third party fraudulently used the consumer's personal data.
DSB
Austrian Data Protection Authority
Health Care
Company in the medical sector
2019-08
€25,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 35 GDPR
Art. 37 GDPR
The (non-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer.
Update: The original fine of EUR 50,000 was reduced to EUR 25,000 by the Austrian Federal Administrative Court.
HDPA
Hellenic Data Protection Authority
Employment
PWC Business Solutions
2019-07-30
€150,000.00
Insufficient legal basis for data processing
Art. 5 (1) GDPR
Art. 5 (2) GDPR
Art. 6 (1) GDPR
Art. 13 (1) c) GDPR
Art. 14 (1) c) GDPR
The processing of employee personal data was based on consent. The HDPA found that consent as a legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject, and the smooth and effective operation of the company as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data on the legal basis of consent, while in reality it was processing their data under a different legal basis. This violated the principle of transparency and thus breached the obligation to provide information under Articles 13(1)(c) and 14(1)(c) of the GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data.
CNIL
French Data Protection Authority
Finance, Insurance and Consulting
ACTIVE ASSURANCES (car insurer)
2019-07-25
€180,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
A large number of customer accounts, clients' documents (including copies of driver's licences, vehicle registrations, bank statements and documents to determine whether a person had been the subject of a licence withdrawal) and data were easily accessible online. The CNIL, among other things, criticised the password management (unauthorised access was possible without any authentication).
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
LEGAL COMPANY & TAX HUB SRL
2019-07-05
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The fine was imposed because adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing were not implemented. This led to unauthorised disclosure of and unauthorised access to the personal data of people who had made transactions received by the avocatoo.ro website (name, surname, mailing address, email, phone, job, details of transactions made), due to publicly accessible documents between 10 December 2018 and 1 February 2019.
The National Supervisory Authority applied the sanction following a notification dated 12 October 2018 indicating that a set of files regarding the details of the transactions received by the avocatoo.ro website, which contained the name, surname, correspondence address, email, telephone, job and details of transactions made, was publicly accessible through two links.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Accommodation and Hospitality
WORLD TRADE CENTER BUCHAREST SA
2019-07-02
€15,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The breach of data security was that a printed paper list used to check breakfast customers, containing the personal data of 46 clients who stayed at the hotel operated by WORLD TRADE CENTER BUCHAREST SA, was photographed by unauthorised people outside the company, which led to the disclosure of the personal data of some clients through online publication. WORLD TRADE CENTER BUCHAREST SA was sanctioned because it had not taken steps to ensure that data is not disclosed to unauthorised parties.
DSB
Austrian Data Protection Authority
Individuals and Private Associations
Private person (soccer coach)
2019-07
€11,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Not assigned
Unknown
2019-06-25
€15,150.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
The data controller did not fulfil its data breach notification obligations when a flash memory with personal data was lost.
AP
Dutch Supervisory Authority for Data Protection
Health Care
Haga Hospital
2019-06-18
€350,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Original Fine Summary: The Haga Hospital did not have proper internal security for patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority. The investigation followed after it emerged that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposed an order subject to a penalty: if the Haga Hospital had not improved security before 2 October 2019, the hospital would have to pay EUR 100,000 every two weeks, up to a maximum of EUR 300,000. The Haga Hospital has since indicated that it will take measures. Update: The fine was reduced from EUR 460,000 to EUR 350,000 following a court ruling in 2021.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Media, Telecoms and Broadcasting
Organizer of SZIGET festival and VOLT festival
2019-05-23
€92,146.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 5 (1) b) GDPR
Art. 13 GDPR
The NAIH found that inappropriate legal bases were in use and that the controller did not comply with the principle of purpose limitation. Also, information on the data processing was not fully provided to data subjects.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Oslo Municipal Education Department
2019-04-29
€120,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organisational measures to protect information security, unauthorised persons were able to log in as authorised users and gain access to personal data about students, legal representatives and employees. The fine has meanwhile been reduced to EUR 120.000, see https://edpb.europa.eu/news/national-news/2020/norwegian-data-protection-authority-imposes-fine-municipality-oslo-education_en
CNPD
Portuguese Data Protection Authority
Not assigned
Unknown
2019-03-25
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
No signage indicating the use of CCTV systems
CNPD
Portuguese Data Protection Authority
Not assigned
Unknown
2019-03-19
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
No signage indicating the use of CCTV systems
CNPD
Portuguese Data Protection Authority
Not assigned
Unknown
2019-02-05
€20,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Denial of the right to access recorded phone calls by the Data Subject
Cypriot Data Protection Commissioner
Health Care
Doctor
2019
€14,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.
Data Protection Authority of Baden-Wuerttemberg
Health Care
Unknown
2019
€80,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
In a digital publication, health data was accidentally published due to inadequate internal control mechanisms.
AEPD
Spanish Data Protection Authority
Employment
Restaurant (SANTI 3000, S.L.)
Unknown
€9,600.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes. The initial fine of EUR 12.000 was reduced to EUR 9.600.
Slovak Data Protection Office
Not assigned
Unknown
Unknown
Unknown
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
A data controller failed to comply with a data subject's request to access his/her personal data processed by audio recordings.
Slovak Data Protection Office
Not assigned
Unknown
Unknown
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Documents containing personal data were disposed of in the area of the municipal garbage dump.