GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Each entry lists: Data Protection Authority (abbreviation and name), Sector, Fined Company, Date, Fine, Violation Type, Articles, Description
Slovak Data Protection Office
Not assigned
Unknown
Unknown
Unknown
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Violation of information security measures (no further information available at the moment)
Slovak Data Protection Office
Public Sector and Education
Unknown
Unknown
Unknown
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) a) GDPR
Personal data have been unlawfully published on the website of a city within the framework of fulfilling its disclosure obligation under the Freedom of Information Act. However, the Data Protection Authority stated that the City had published the personal data in violation of the law and without the consent of the person concerned.
Slovak Data Protection Office
Media, Telecoms and Broadcasting
Slovak Telekom
Unknown
€40,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The controller did not take adequate security measures when processing personal data, thereby breaching the obligation to protect the processed personal data.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Madrileña Red de Gas
Unknown
€12,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The gas company did not have appropriate measures in place to verify the identity of the data subject. The person who filed the complaint alleges that the company e-mailed his information to a third party in response to a request.
Slovak Data Protection Office
Health Care
Social Insurance Agency
Unknown
€50,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Applications for social benefits from Slovak citizens were sent by post to foreign authorities. These were lost by post, with the result that the whereabouts of these personal data could not be clarified.
UOOU
Czech Data Protection Authority
Industry and Commerce
Alza.cz a.s.
Unknown
€588.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 7 GDPR
The company obtained a copy of the data subject's photographic ID with his consent, but did not react to the withdrawal of that consent and continued processing his personal data.
UOOU
Czech Data Protection Authority
Individuals and Private Associations
Individual entrepreneur - no further details published
Unknown
€980.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The operator of an online game was exposed to several DDoS attacks which caused the malfunctioning of the servers. The attacker blackmailed the operator, stating that the attacks would not stop unless he paid money. As part of the blackmail, the attacker offered to create an upgraded and better firewall protection for the operator's servers. The operator agreed and paid the attacker. The operator implemented the new code from the attacker, which proved better than the old one but contained a 'backdoor'. The attacker used the backdoor to steal all the data about the players from the server and uploaded these details to his website. The Office for Personal Data Protection concluded that the operator did not take appropriate security measures.
APD
Belgian Data Protection Authority
Public Sector and Education
Mayor
2019-11-28
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.
APD
Belgian Data Protection Authority
Public Sector and Education
Municipal alderman
2019-11-28
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
ING Bank N.V.
2019-11-28
€0.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Original Fine Summary: ING Bank has not taken appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers, resulting in double transactions being executed between 8 and 10 October. Update: The Bucharest Court of Appeal overturned the fine of EUR 80,000.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Modern Barber
2019-11-26
€3,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The company did not comply with measures ordered by the National Supervisory Authority.
CNIL
French Data Protection Authority
Industry and Commerce
Futura Internationale
2019-11-21
€500,000.00
Insufficient fulfilment of data subjects rights
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 21 GDPR
Art. 31 GDPR
Art. 44 GDPR
Futura Internationale was fined for cold calls after several complainants obtained cold calls, despite having declared directly to the caller and by post that this was not wanted. In particular, the decision pointed out that the CNIL's on-site investigation of Futura Internationale revealed, inter alia, that Futura Internationale had received several letters objecting to cold calling, that it had stored excessive information about customers and their health and that Futura Internationale had not informed individuals about the processing of their personal data or the recording of telephone conversations.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Viaqua Xestión Integral Augas de Galicia
2019-11-21
€60,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Processing (modification) of the personal data of a customer included in a contract by a third party without the consent of the customer.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2019-11-19
€60,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
An individual complainant had received an SMS from Xfera Móviles which was to be addressed to a third party and which allowed him to access the account and personal data of this third party on the Xfera Móviles website via the telephone number and password received by SMS.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Corporación Radiotelevisión Española
2019-11-19
€60,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union have reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The violation affected about 11,000 people, including identification data, employment data, data about criminal convictions and health data.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Sports Bar
2019-11-19
€6,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The sports bar operated a video surveillance system in which the observation angle of the cameras extended into the public traffic area.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica SA
2019-11-14
€30,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Telefónica had charged the complainant various fees in connection with the operation of a telephone line which the complainant had never owned. The reason for this was that the complainant's bank account was linked to another Telefónica customer, which led to the charges being debited from the complainant's account. According to the AEPD, this is contrary to the principle of accuracy as required by Article 5(1)(d) GDPR.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2019-11-06
€60,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Vodafone has sent the customer's invoice data to unauthorised third parties following a customer invoice complaint. Originally, a fine of EUR 75,000 was threatened, but was reduced to EUR 60,000 against immediate payment and waiver of appeal.
DSI
Data State Inspectorate
Not assigned
Unknown
2019-11
€150,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Unlawful data processing. No further information available yet.
UODO
Polish National Personal Data Protection Office
Real Estate
L. Sp. z o.o.
2019-11
€1,770.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
The Polish DPA (UODO) imposed a fine of EUR 1,770 on L. Sp. z o.o. for the video surveillance of a residential community, which was not in compliance with the provisions of the GDPR.
AP
Dutch Supervisory Authority for Data Protection
Finance, Insurance and Consulting
Menzis (Health Insurance Company)
2019-10-31
€50,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Marketing staff had access to patient data. Among other things, this violated the purpose limitation principle.
KZLD
Commission for Personal Data Protection
Employment
Employer
2019-10-28
€511.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 15 (1) GDPR
The pecuniary sanction of EUR 511 was imposed on an employer for refusal to grant access to the personal data of a data subject who submitted an application for access to his personal data to his former employer.
Cypriot Data Protection Commissioner
Employment
LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd
2019-10-25
€70,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 9 GDPR
The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.
Cypriot Data Protection Commissioner
Employment
LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd
2019-10-25
€10,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 9 GDPR
The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.
Cypriot Data Protection Commissioner
Employment
LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd
2019-10-25
€2,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 9 GDPR
The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.
Data Protection Authority of Baden-Wuerttemberg
Accommodation and Hospitality
Food company
2019-10-24
€100,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 32 GDPR
The company had set up an applicant portal on its website where interested parties could submit their application documents online. However, the company did not offer an encrypted transmission of the data, nor did it store the applicant data in an encrypted or password-protected manner. In addition, the unsecured applicant data was linked to Google, so that anyone searching for the respective applicant names on Google could find their application documents and retrieve them without access restrictions.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Health Care
Military Hospital
2019-10-24
€7,400.00
Insufficient fulfilment of data breach notification obligations
Art. 32 GDPR
Art. 33 GDPR
A military hospital did not meet the reporting deadline for data breaches. Another part of the fine relates to a lack of technical and organisational measures.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2019-10-23
€60,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Vodafone sent an invoice history to the subscriber as part of the invoice complaint by the subscriber. The history also contained invoice data of an unknown third party.
HDPA
Hellenic Data Protection Authority
Media, Telecoms and Broadcasting
Wind Hellas Telecommunications
2019-10-18
€20,000.00
Insufficient fulfilment of data subjects rights
Art. 21 GDPR
Among other things, the company has ignored objections raised by affected parties against advertising calls.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Employment
Unknown Company
2019-10-15
€2,860.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 24 GDPR
Art. 25 GDPR
An employee was on sick leave when his employer checked his desktop, laptop and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee did not receive prior notification and did not have the chance to copy or delete his private information (telephone numbers, messages). According to NAIH, employers must record such access with minutes and photos. Employment agreements must regulate whether employees can use work equipment for private purposes. Privacy notices must contain the reasons for employee monitoring (e.g. business continuity, internal investigation, disciplinary purposes) and the specific retention period of employee data, including the length and recurrence of backup copies. Employers must also prepare "balancing tests" to prove their legitimate interests for general employee monitoring and for specific cases.
KZLD
Commission for Personal Data Protection
Public Sector and Education
The Ministry of Interior Affairs
2019-10-08
€5,112.00
Insufficient legal basis for data processing
Art. 5 (1) GDPR
Art. 6 (1) GDPR
The fine of EUR 5,112 was imposed on the Ministry of Interior Affairs for unlawfully processing the personal data of data subject A.K. The Ministry of Interior sent the personal data of A.K. to the Togolese Republic (Togo).
KZLD
Commission for Personal Data Protection
Health Care
B.D.
2019-10-07
€511.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The fine of EUR 511 was imposed on B.D. for failure to provide access to information which the Commission for Personal Data Protection needed for performance of its tasks and execution of a disposition.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Public Sector and Education
Town of Kerepes
2019-10
€15,100.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The city based its video surveillance practice on its legitimate interests (Art. 6 (1) f GDPR). However, according to Art. 6 (1) subparagraph 2, this legal basis shall not apply to processing carried out by public authorities in the performance of their tasks. The processing could not be based on another legal basis.
KZLD
Data Protection Commission of Bulgaria
Public Sector and Education
National Revenue Agency
2019-09-03
€28,100.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 58 (2) e) GDPR
The pecuniary sanction of EUR 28,121 was imposed on the National Revenue Agency for unlawful processing of the personal data of data subject G.B.I. The personal data of G.B.I. was unlawfully collected and subsequently used to form an enforcement case against her for recovery of the sum of EUR ca. 86,569. In relation to the enforcement case formed, additional data concerning the bank accounts of G.B.I. was collected by the National Revenue Agency from the register of the Bulgarian National Bank. The additional collected data was also unlawfully processed by the National Revenue Agency in sending distraint orders to the banks with which G.B.I. had bank accounts.
KZLD
Commission for Personal Data Protection
Media, Telecoms and Broadcasting
Telecommunication service provider
2019-09-03
€1,022.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 25 (1) GDPR
The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.
KZLD
Commission for Personal Data Protection
Media, Telecoms and Broadcasting
Telecommunication service provider
2019-09-03
€5,113.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 25 (1) GDPR
The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.
KZLD
Commission for Personal Data Protection
Media, Telecoms and Broadcasting
Commercial representative of telecommunication service provider
2019-09-03
€11,760.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The pecuniary sanction of EUR 11,760 was imposed on the commercial representative of a telecommunications service provider for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of a contract for mobile services and leasing contracts.
KZLD
Commission for Personal Data Protection
Industry and Commerce
Private enforcement agent
2019-09-03
€1,121.00
Insufficient fulfilment of data subjects rights
Art. 12 (4) GDPR
Art. 15 GDPR
The fine of EUR 1,121 was imposed on a private enforcement agent for processing the personal data of a data subject through video surveillance recordings and for refusing to grant access to the collected data. The data subject submitted an application for access to his personal data to the private enforcement agent, who failed to inform him of the reasons for the rejection of his request.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Public Sector and Education
Government Office Managing the Real Estate Register
2019-08-08
€1,715.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 14 GDPR
The owners of a property complained that the government office sent its decision on the change of lessee (who had concluded a lease agreement with the property owners) to the owners of 40 other properties contracted by the same lessee. The decision contained the personal data of all the owners who had a lease agreement with the same lessee.
Data Protection Authority of Nordrhein-Westfalen
Individuals and Private Associations
Private person (YouTube-Channel)
2019-08-05
€200.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The private person used a dashcam to make recordings of public road traffic and then published them on YouTube as a compilation.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Employment
Public area maintenance company
2019-08-02
€4,290.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
An ex-employee complained that his employer unlawfully monitored his work by CCTV. The employer argued that CCTV monitoring was necessary to assess whether the employee fulfilled his employment-related duties (i.e. monitoring certain public areas and signalling any unusual event to his colleagues) and that the monitoring also served to protect its surveillance system from unlawful access or usage. NAIH found that monitoring the employee by CCTV is not an appropriate way of assessing his work performance and that the employer relied on an inappropriate legal basis (public interest, official authority) for the CCTV operations. The employer could have protected its public area surveillance system by other methods (e.g. by installing firewalls or other security upgrades to its systems). The employer also placed only a brief notice sheet at the entrance of the employee's workstation regarding the CCTV monitoring, which NAIH deemed insufficient.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Public Sector and Education
Budapest Environs Regional Court
2019-07-17
€8,575.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The chairman of the Budapest Environs Regional Court organised a meeting for court officials, during which he stated that he had resigned from the Hungarian Association of Judges and requested the court officials present to persuade their colleagues to do so as well. The chairman also presented a list of the members of the Association in Pest county, which also included information on the amount of membership fees deducted from the salaries of judges. The list consisted of data collected from the judges' payroll records. NAIH determined that the Budapest Environs Regional Court may only process such data for the purpose of deduction and payroll management. NAIH also determined that the Budapest Environs Regional Court lacked a legal basis for data processing when it provided other persons with access to data on employees' membership in an association.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Not assigned
Unknown
2019-06-26
€2,850.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 17 GDPR
The individual requested the deletion of his contact data (including his telephone number); however, the controller continued to process his contact data for claim enforcement purposes on the basis of its legitimate interest. NAIH determined that the controller had no compelling legitimate grounds for processing the telephone number of the data subject, since his address was also at hand, which is sufficient for claim enforcement purposes and for the related communication with the data subject.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Financial Enterprise
2019-06-26
€2,850.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 21 GDPR
A client of a financial enterprise complained that the financial enterprise transferred his data after he had objected to the processing and did not provide information on the processing of his data at his request. According to the financial enterprise, it sold its claim stemming from the contract concluded with its client to a third party, and this transaction therefore necessitated the transfer of the relevant client data. NAIH highlighted that the financial enterprise sold the claim in question and transferred the respective data after the client's non-fulfilment of the contract; this also means that the financial enterprise cannot rely on the performance of the contract concluded with the client. The relevant legal basis would have been the legitimate interest of the controller, which also requires a balancing test describing its interest in transferring the claim and the relevant data to a third party.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Claim management company
2019-06-03
€2,850.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The complainants stated during the case that they concluded a credit agreement with the bank, which sold its claim against the complainants and transferred their respective data to a third-party company (controller). NAIH determined in the case that the controller can neither rely on the consent of the data subjects nor the performance of the credit contract as the legal basis of the data processing, since the data subjects concluded such contract with the bank, not with the controller. The appropriate legal basis for processing could have been the legitimate interest of the controller.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Local bank
2019-05-31
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3), (4), (5) GDPR
Art. 15 GDPR
Art. 18 GDPR
A customer of a local bank requested access to telephone conversation recordings as well as to CCTV recordings. The bank provided copies of the recordings of telephone conversations and also offered the chance to review the recordings at the bank, but refused to provide copies of the CCTV recordings since the recordings also contained third parties' personal data. NAIH decided in this case that the bank failed to fulfil the data subject's rights since it did not respond in due time and also failed to provide copies of the requested recordings. According to NAIH, the controller could not invoke the protection of third-party data, since the CCTV recordings covered a public space open to every customer and the bank could also have anonymised certain parts of the recordings.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Public Sector and Education
Directorate of Social and Child Welfare Institutions of the Ferencvaros District of Budapest
2019-05-21
€286.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
An employee of the Directorate sent 9 letters by mistake to the wrong recipient; the letters contained personal data of 18 data subjects (including data of children, criminal data and data related to the private life of the data subjects). The recipient informed the Directorate by telephone 5 days after the posting that it had received certain letters by mistake. The Directorate notified NAIH of the data breach only weeks later.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2019
€21,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationship had ended. The fine of EUR 35,000 was reduced to EUR 21,000.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
VODAFONE ONO, S.A.U.
2019
€36,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The company sent a marketing email to a large number of recipients (clients) without using the blind copy feature. The initial fine of EUR 60,000 was reduced to EUR 36,000.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
VODAFONE ONO, S.A.U.
2019
€48,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Customers could access personal data of other customers in the customer area. The initial fine of EUR 60,000 was reduced to EUR 48,000.