GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Each entry lists the following fields, one per line: Data Protection Authority (abbreviation and name), Sector, Fined Company, Date, Fine, Violation, Articles, Description.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
TELEFONICA MOVILES ESPAÑA, S.A.U.
2019
€48,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
The claimant's bank account was charged by the company with two invoices for the services he had contracted; however, the invoices displayed personal data of another customer. The initial fine of EUR 60,000 was reduced to EUR 48,000.
Data Protection Authority of Hamburg
Media, Telecoms and Broadcasting
Facebook Germany GmbH
2019
€51,000.00
Insufficient involvement of data protection officer
Art. 37 GDPR
Whereas Facebook Ireland had appointed a data protection officer for all group companies located in the EU, this appointment was not notified to the DPA Hamburg, which is competent for Facebook Germany GmbH. The fine was calculated on the basis of the turnover of the German branch (EUR 35 million). Relevant factors for the calculation were, among others, that the omitted notification was immediately made up for, that Facebook acted negligently, and that it did not violate the duty to appoint a data protection officer but only the notification obligation.
Data Protection Authority of Hamburg
Transportation and Energy
Hamburger Verkehrsverbund GmbH (HVV GmbH)
2019
€20,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
Art. 34 GDPR
On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data breach was not reported to the data protection authority in a timely manner.
Data Protection Authority of Hamburg
Finance, Insurance and Consulting
Hamburger Volksbank eG
2019
€NaN
Insufficient fulfilment of data subjects' rights
Art. 21 GDPR
The company had sent a customer a newsletter with advertising content by e-mail, although this customer had previously expressly objected to the sending of further advertising letters.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Ikea Ibérica
Unknown
€10,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The company installed cookies on an end user's terminal device without the prior consent of the data subject.
AEPD
Spanish Data Protection Authority
Industry and Commerce
IMAGINA FRAN SPORT, S.L.
2021-12-02
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) fined IMAGINA FRAN SPORT, S.L. EUR 2,000 due to the fact that its privacy policy did not comply with the requirements of Art. 13 GDPR. For instance, the website contained outdated information.
AEPD
Spanish Data Protection Authority
Industry and Commerce
INTRODUCTION BUSINESS CAPITAL MEDIA, S.L.
2021-12-01
€5,000.00
Insufficient fulfilment of data subjects' rights
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 LOPDGDD
The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on INTRODUCTION BUSINESS CAPITAL MEDIA, S.L. The data subject had received advertising calls from the controller, although the data subject was registered in the Robinson advertising exclusion list.
ICO
Information Commissioner
Public Sector and Education
Cabinet Office
2021-11-25
€585,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The UK DPA (ICO) has fined the Cabinet Office EUR 585,000. On December 27, 2019, the Cabinet Office published a file on GOV.UK containing the names and uncensored addresses of more than 1,000 individuals who had received New Year's honours. Individuals from a wide range of professions across the United Kingdom were affected, including individuals with a high public profile. After learning of the data breach, the Cabinet Office removed the web link to the file. However, the file was still in the cache and remained accessible online to anyone who had the exact web address. The disclosed personal data was available online for two hours and 21 minutes and was accessed 3,872 times. The breach occurred due to an error in the setup of the Cabinet Office's new IT system. The ICO found that the Cabinet Office failed to take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk to data subjects.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Norwegian State Pension Fund (SPK)
2021-11-24
€98,000.00
Insufficient legal basis for data processing
Art. 5 (1) c), e) GDPR
Art. 6 (1) GDPR
Art. 9 (2) GDPR
The Norwegian DPA has imposed a fine of EUR 98,000 on the Norwegian State Pension Fund (SPK). The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The DPA found that the controller had unlawfully collected certain income information since 2016. For example, the controller had collected health-related information on disability pensions, although this was not required. Approximately 24,000 individuals were affected by these incidents. In addition, the DPA found that SPK did not implement routines to review and delete excessive information collected until 2019.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-11-23
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine on Vodafone España, S.A.U. due to insufficient legal basis for data processing. A data subject had filed a complaint against the data controller due to the fact that telephone lines were registered in his name, although he had never concluded contracts with the company for any of these lines. Vodafone had accidentally assigned the data of the data subject to the contracts of another Vodafone customer, which is why the contracts went under his name. Against this background, the DPA considered the processing of the data subject's data by Vodafone to be unlawful. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2021-11-23
€40,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine on Vodafone España, S.A.U. A data subject had filed a complaint with the DPA as the controller had transferred her mobile phone line to another person without her consent due to a technical error. In addition, the data subject's account was debited with amounts that belonged to a third party's phone line. The DPA found that Vodafone had unlawfully processed the data subject's data. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
TIM S.p.A.
2021-11-11
€150,000.00
Insufficient fulfilment of data subjects' rights
Art. 15 GDPR
The Italian DPA (Garante) has fined mobile operator TIM S.p.A. EUR 150,000 for denying a data subject access to his phone data needed to defend himself in a criminal case. Since the data subject received no response to his repeated requests to the company, he turned to the DPA to obtain the data in time for the hearing in the criminal proceedings.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
COOPERA RC SERVICES, S.L.
2021-11-02
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on COOPERA RC SERVICES. The controller had not provided sufficient contact details through which data subjects could exercise their rights.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Anfiteatro Flavio s.r.l.
2021-10-28
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 2,000 on Anfiteatro Flavio s.r.l. During an administrative inspection of a hotel managed by Anfiteatro Flavio, the police found that a video surveillance system with three cameras was installed on the premises. However, the controller had not provided sufficient information on the presence of the CCTV. The DPA considered this to be a violation of Art. 13 GDPR.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Car importer
2021-10-27
€13,500.00
Insufficient legal basis for data processing
Art. 5 (1), (2) GDPR
Art. 6 (1) GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
The Hungarian DPA imposed a fine of EUR 13,500 on a car importer. A customer of one of the company's authorized repair shops filed a complaint with the DPA due to receiving unsolicited emails related to customer surveys from the company after a car inspection. The Hungarian DPA found that the controller did not have a valid legal basis to contact the data subject. It also found that the controller had not complied with its duty to inform under Art. 12 GDPR and Art. 13 GDPR. The emails did not contain any contact information of the controller, for example.
GARANTE
Italian Data Protection Authority
Health Care
Health Protection Agency of Sardinia (ATS)
2021-10-14
€8,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 8,000 on the Health Protection Agency of Sardinia (ATS). A patient had mistakenly received medical records and clinical documentation from another patient in his own file.
GARANTE
Italian Data Protection Authority
Health Care
Physician
2021-09-29
€2,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 9 GDPR
The Italian DPA (Garante) has fined a physician EUR 2,000. A patient had complained to the DPA that the doctor had disclosed his personal data to third parties without authorization. The doctor had recommended medical products to the data subject as part of his treatment. A few days later, the data subject received a call from the marketing consultant behind the recommended products. The data subject pointed out that he had never given his consent to the disclosure of his data. The Garante states that no specific consent is required for the processing of personal data necessary for medical treatment. Here, however, the data was processed for the purpose of product promotion, and therefore explicit consent would have been required under Art. 9 GDPR. The physician thus processed the data unlawfully.
DSB
Austrian Data Protection Authority
Not assigned
Unknown
2021-02-12
€3,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The Austrian DPA has fined a company EUR 3,000 for failing to provide information requested by the DPA during an investigation.
UOOU
Czech Data Protection Authority
Media, Telecoms and Broadcasting
Mall.tv
2020
€2,700.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Czech DPA (UOOU) fined Mall.tv EUR 2,700 for recording parts of the public space without a legal basis. The subject of the DPA's investigation was the operation of two cameras by a company. The cameras recorded parts of the public space and then broadcast the footage in real time on internet television. The footage was of such high resolution that people and vehicles passing by were clearly visible and identifiable.
UOOU
Czech Data Protection Authority
Industry and Commerce
Ski rental company
2020
€NaN
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 6 (1) GDPR
Art. 7 (1) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 15 GDPR
Art. 16 GDPR
Art. 17 GDPR
Art. 18 GDPR
Art. 19 GDPR
Art. 20 GDPR
Art. 21 GDPR
The Czech DPA (UOOU) imposed a fine on a ski rental company. Due to the high value of the sports equipment, the controller required a financial deposit or a full copy of a valid ID when renting sports equipment. The consent to the copy of the ID was included in the sports equipment rental agreement itself, so that when the rental agreement was signed, consent to the processing of the ID copy was obtained at the same time. The DPA considered this method of obtaining consent to be a violation of the lawfulness of the processing. In addition, it was found that the data subjects were not properly informed about the processing of their personal data.
UOOU
Czech Data Protection Authority
Health Care
Private healthcare provider
2020
€387.00
Insufficient technical and organisational measures to ensure information security
Art. 24 GDPR
Art. 32 (1) GDPR
The Czech DPA (UOOU) conducted an investigation against the operator of a non-governmental medical facility following a security breach. The operator offers a range of diagnostic tests to patients. The results of the tests are subsequently communicated on its website to both patients and physicians who recommended the tests. The reported security breach involved an attack on the operator's website by an unknown individual. Following this incident, the operator stopped operating the website in question and proposed technical measures to increase security. However, the DPA still found that other websites operated by the same operator had the same shortcomings. Yet, the operator did not restrict their operation nor did it take any new technical measures. As a consequence, the UOOU imposed a fine of EUR 387.
UOOU
Czech Data Protection Authority
Industry and Commerce
Unknown
2020
€1,900.00
Insufficient fulfilment of data subjects' rights
Art. 12 (2) GDPR
Art. 15 (1) GDPR
A person had received an invoice for ordered goods which, however, came from a different company than the one from which she had ordered the goods. The data subject therefore contacted the company that had supplied the goods and requested information about where her personal data had been obtained from, how it had been processed and on what legal basis. As the company did not respond to her request, the data subject contacted the DPA. The DPA then ordered the controller to provide the data subject with the requested information immediately. As the controller did not respond to this request either, the DPA imposed a fine of EUR 1,900.
UOOU
Czech Data Protection Authority
Public Sector and Education
Public university
2020
€NaN
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 13 GDPR
A public university required personal data from applying students without a sufficient legal basis.
UOOU
Czech Data Protection Authority
Health Care
Healthcare provider
2020
€NaN
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 12 (1) GDPR
Art. 28 (2), (3) GDPR
A healthcare provider collected personal data through software provided by an external body without informing the patients.
UOOU
Czech Data Protection Authority
Finance, Insurance and Consulting
Bank
2020
€NaN
Non-compliance with general data processing principles
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 (4) LOPDGDD
A bank made the opening of an account conditional on the presentation of a copy of the identity card.
UOOU
Czech Data Protection Authority
Industry and Commerce
Unknown
2020
€NaN
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
A company stored biometric signatures of its customers, which violated the principle of data minimization.
UOOU
Czech Data Protection Authority
Media, Telecoms and Broadcasting
Television broadcaster
2020
€3,850.00
Insufficient fulfilment of information obligations
Art. 12 (1) GDPR
A TV broadcaster had provided information on its website about the processing of personal data, which was, however, hidden and inaccurate (it linked to outdated legal provisions).
UOOU
Czech Data Protection Authority
Public Sector and Education
Municipality
2020
€NaN
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
Art. 13 GDPR
Art. 14 (3) GDPR
A public school shared personal information with a municipal mayor, who disclosed it through the city radio mobile application.
UOOU
Czech Data Protection Authority
Employment
Unknown
2020
€NaN
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
A state-subsidised organisation shared photos of its employees on its website without a sufficient legal basis.
UOOU
Czech Data Protection Authority
Not assigned
Unknown
2020
€19,200.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
Art. 12 (2), (3) GDPR
Art. 15 GDPR
Art. 16 GDPR
Art. 17 GDPR
Art. 18 GDPR
Art. 19 GDPR
Art. 20 GDPR
Art. 21 GDPR
Art. 22 GDPR
A company copied personal data from public registers, which was considered illegal by the Czech DPA, as it was not deemed necessary.
Data Protection Authority of Liechtenstein
Not assigned
Unknown
2020
€4,100.00
Non-compliance with general data processing principles
Unknown
Unlawful operation of a video surveillance system.
VDAI
Lithuanian Data Protection Authority
Not assigned
Unknown
2020
€8,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 13 GDPR
Art. 24 GDPR
Art. 35 GDPR
The Lithuanian DPA (VDAI) fined a company EUR 8,000 for conducting sound recordings on public transport buses in violation of Article 5 GDPR, Article 13 GDPR, Article 24 GDPR and Article 35 GDPR.
Data Protection Authority of Bavaria
Not assigned
Unknown
2020
€7,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) f) GDPR
The Bavarian DPA has imposed a fine on a company. The controller had refused access to the business premises and data processing equipment during an on-site inspection carried out by the DPA pursuant to Article 58 (1) f) GDPR. The DPA then imposed a fine of EUR 20,000, which was, however, reduced to EUR 7,000 by a district court.
Data Protection Authority of Niedersachsen
Industry and Commerce
Company
2020
€65,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The DPA of Lower Saxony has imposed a fine of EUR 65,000 on a company. The reason for the proceedings was a report by the company to the authority regarding a data breach pursuant to Art. 33 GDPR. As a result, the DPA conducted an audit of the company's web presence. In the process, the DPA discovered that an outdated web store application was used on the site, which was no longer provided with security updates. The developer had explicitly warned against further use of this version, as it contained significant security vulnerabilities. The investigations of the DPA further revealed that the passwords stored in the database were not sufficiently secured. The DPA concluded that the technical measures taken by the responsible party were not adequate for the protection requirements of the GDPR, resulting in a violation of Art. 32 GDPR.
Data Protection Authority of Hamburg
Industry and Commerce
Company
2020
€NaN
Insufficient technical and organisational measures to ensure information security
Art. 6 GDPR
Art. 32 GDPR
The DPA from Hamburg has issued a fine against a company that operates an online marketplace, especially for worn underwear. The company advertises that it guarantees one hundred percent anonymity. On the platform, users can upload photos of underwear. In most cases, smartphones or other mobile devices were used to take the photos. The camera apps of the smartphones or GPS modules of the cameras often store additional information in the image file alongside the actual image as a standard setting. Based on this data, a fairly precise localization is possible. A review by the DPA revealed that the company had not cleaned up the residual information or metadata in the uploaded photos. Consequently, the data could be entered into any map service and the exact location where the photo was taken could be determined. The number of data subjects involved was approximately around 760 women between the ages of 18 and 50. For this reason, the DPA found that the company had failed to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subjects. In addition, the DPA concluded that the company had unlawfully processed the associated data by uploading the photos without cleaning them.
HDPA
Hellenic Data Protection Authority
Transportation and Energy
Aegean Marine Petroleum Network Inc.
2019-12-19
€150,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 6 GDPR
Art. 32 GDPR
Companies outside the Aegean Marine Petroleum Group had access to its servers containing personal data and copied the contents of the servers, since Aegean Marine Petroleum failed to take the necessary technical measures to secure the processing of large amounts of data and to keep the relevant software separate from the personal data stored on the servers. Furthermore, Aegean Marine Petroleum had not informed the data subjects of the processing of their personal data stored on the servers.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Telekom Romania Mobile Communications SA
2019-12-18
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The company failed to ensure the accuracy of its processing of personal data, which resulted in the disclosure of one client's personal data to another client.
ICO
Information Commissioner
Health Care
Doorstep Dispensaree Ltd. (Pharmacy)
2019-12-17
€320,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.
APD
Belgian Data Protection Authority
Industry and Commerce
Nursing Care Organisation
2019-12-17
€2,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
The company failed to act on requests from the data subject to get access to his data and to have his data erased.
APD
Belgian Data Protection Authority
Media, Telecoms and Broadcasting
Website providing legal information
2019-12-17
€15,000.00
Insufficient fulfilment of information obligations
Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
An operator of a website for legal news had the privacy statement only available in English, although it was also addressed to a Dutch and French speaking audience. In addition, the first version of the privacy statement was not easily accessible and did not mention the legal basis for data processing under the GDPR. Furthermore, with reference to the ECJ ruling on Planet 49, it was determined that effective consent was required for the use of Google Analytics.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Industry and Commerce
Nusvar AB
2019-12-16
€35,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Nusvar AB, operator of the website Mrkoll.se, which provides information on all Swedes over 16 years of age, had published information on people who were overdue on payments.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Globus Score SRL
2019-12-16
€2,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The company did not comply with measures ordered by the National Supervisory Authority.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
SC Enel Energie S.A. (Electricity Distributor)
2019-12-16
€6,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 21 GDPR
The sanctions were imposed following a complaint alleging that Enel Energie had unlawfully processed an individual's personal data and was unable to prove that it had obtained the individual's consent to send e-mail notifications. In addition, the ANSPDCP pointed out that the operator had not taken the necessary measures to stop the transmission of notifications, despite the fact that the person had repeatedly exercised his right to object. The operator SC Enel Energie SRL was sanctioned with two fines, each amounting to 14,334.30 lei, the equivalent of EUR 3,000.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
Entirely Shipping & Trading S.R.L.
2019-12-13
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) GDPR
Art. 6 GDPR
Art. 7 GDPR
The company excessively processed the personal data of its employees through video cameras installed in the offices and in the areas with lockers where employees store their spare clothes (changing rooms), in violation of the principle of data minimisation.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
Entirely Shipping & Trading S.R.L.
2019-12-13
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 9 GDPR
The company processed biometric data (fingerprints) of its employees for access to certain rooms, although less intrusive means for the privacy of the data subjects could have been used, in violation of the principle of data minimisation.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Employment
Unknown Company
2019-12-11
€1,430.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 24 GDPR
Art. 25 GDPR
The employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related document. The director received no warning that his former inbox would be activated and did not have a chance to copy / delete his private data (passwords and financial information). According to NAIH, an employee or a representative should be present when the employee's data is being accessed, even if the employment has been terminated. Employees should be able to request a copy or the deletion of their private data. Employers must record the access with minutes and photos; when the employee cannot be present, then in the presence of independent witnesses. Employers must adopt internal policies on archiving and the use of IT assets and e-mail accounts, including procedural rules such as the steps of an inspection and the officials authorised to carry it out.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Eni Gas e Luce
2019-12-11
€8,500,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 17 GDPR
Art. 21 GDPR
The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and the activation of unsolicited contracts. The first fine of EUR 8.5 million relates to unlawful processing in connection with telemarketing and telesales activities. Among other things, promotional calls were made without the consent of the person contacted or despite that person's refusal to receive promotional calls, or without triggering the special procedures for checking the public opt-out register. In addition, there was a lack of technical and organisational measures to take account of the information provided by users; data was processed for longer than the permitted retention periods; and data on potential customers was collected from entities (list providers) who had not obtained consent to the disclosure of such data.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Eni Gas e Luce
2019-12-11
€3,000,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and the activation of unsolicited contracts. The second fine of EUR 3 million concerns infringements resulting from the conclusion of unsolicited contracts for the supply of electricity and gas under 'market economy' conditions. Many persons complained to the Authority that they only learned of the conclusion of a new contract after receiving the letter of termination of the contract with the previous supplier or the first Egl invoices. In some cases, the complaints reported false information in the contracts and forged signatures.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Megastar SL
2019-12-10
€1,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The company operated a video surveillance system in which the observation angle of the cameras extended unnecessarily far into the public traffic area. Furthermore, no sign with data protection notices was affixed.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Shop Macoyn, S.L.
2019-12-10
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The company sent advertising e-mails to several recipients in which the e-mail addresses of all other recipients were visible to every recipient, because the recipient addresses were inserted as CC rather than BCC.