GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Each entry lists, in order: Data Protection Authority (abbreviation and full name), Sector, Fined Company, Date, Fine, Violation, GDPR articles cited, Description.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Hora Credit IFN SA
2019-12-10
€14,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 25 GDPR
Art. 32 GDPR
Art. 33 GDPR
The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA transmitted documents containing personal data of another person to a wrong e-mail address. Following the investigation, it was found that Hora Credit IFN SA processed the data without providing effective mechanisms for verifying and validating the accuracy of the data collected and processed, contrary to the principles set out in Art. 5 of the GDPR. It was also found that the operator did not take sufficient security measures for personal data, according to Art. 25 and 32 of the GDPR, so as to avoid unauthorised or accidental disclosure of personal data to third parties. At the same time, Hora Credit IFN SA did not notify the Supervisory Authority of the security incident that was brought to its notice within 72 hours from the date it became aware of it, as required by Art. 33 of the GDPR. The fine consists of three partial fines of EUR 3,000, EUR 10,000 and EUR 1,000.
BFDI
The Federal Commissioner for Data Protection and Freedom of Information
Media, Telecoms and Broadcasting
Rapidata GmbH
2019-12-09
€10,000.00
Insufficient involvement of data protection officer
Art. 37 GDPR
Despite repeated requests of the BfDI the company (an internet provider) did not comply with its legal obligation under Article 37 GDPR to appoint a data protection officer.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
S CNTAR TAROM SA (Airline)
2019-12-04
€20,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Romanian data protection authority imposed a sanction on an airline because it had not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions (Article 32(4) of the GDPR). This resulted in an employee having unauthorised access to the booking application and being able to photograph a list with the personal data of 22 passengers/customers and then disclose this list on the Internet.
Data Protection Authority of Rheinland-Pfalz
Health Care
Hospital
2019-12-03
€105,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The fine is based on several breaches of the GDPR in connection with a patient mix-up on admission. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient management.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Cerrajeria Verin S.L.
2019-12-03
€1,500.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The company collected personal data without providing accurate information on their data processing activities in their privacy policy published on their website.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Linea Directa Aseguradora
2019-12-03
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The insurance company has sent advertising e-mails for the 'Reto Nuez' platform without the required consent.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
Nicola Medical Team 17 SRL
2019-12-02
€2,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The company did not comply with measures ordered by the National Supervisory Authority.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Royal President S.R.L.
2019-11-29
€2,500.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Art. 6 GDPR
Art. 32 GDPR
Royal President refused a request for access to personal data pursuant to Article 15 of the GDPR and disclosed personal data without the consent of the data subjects. In addition, Royal President has not taken appropriate technical or organisational measures to ensure the security of the data processed.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Real Estate
Homeowners Association
2019-11-29
€500.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The association used video surveillance systems without proper information according to Art. 13 GDPR and without adequate security measures regarding the persons having access to the system.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Curenergía Comercializador de último recurso
2019-11-28
€75,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
An individual filed a complaint against the company alleging that the company had used their personal data as a former customer, such as first and last name, VAT identification number and address, to enter into an electricity supply contract.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2019
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Disclosure of customer personal data (including purchase history) via an SMS to another customer. The initial fine of EUR 50,000 was reduced to EUR 30,000.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2019
€40,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The company had charged for a Netflix service that had not been requested by the claimant. The claimant could prove that the service had been used by another household, which allegedly had received the claimant's bank account and phone number from Vodafone. Since Vodafone could not prove that the claimant had consented to the conclusion of the contract concerning the Netflix services, the AEPD imposed a fine of EUR 40,000.
AEPD
Spanish Data Protection Authority
Employment
Employer
2019
€20,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation).
AEPD
Spanish Data Protection Authority
Employment
Employer
2019
€9,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation).
AEPD
Spanish Data Protection Authority
Industry and Commerce
AMADOR RECREATIVOS, S.L
2019
€3,600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Surveillance of public space by video surveillance cameras, in violation of the principle of data minimisation.
Data Protection Authority of Mecklenburg-Vorpommern
Individuals and Private Associations
Police Officer
2019
€800.00
Insufficient legal basis for data processing
Art. 6 GDPR
A police officer used a witness's personal data to contact her personally.
Data Protection Authority of Niedersachsen
Employment
Unknown
2019
€294,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
A company was fined EUR 294,000 for 'unnecessarily long' storage and retention of personnel files and for 'excessive' data collection in the personnel selection process, during which health data were also requested.
Data Protection Authority of Saarland
Accommodation and Hospitality
Restaurant
2019
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Video surveillance cameras were used in violation of the principle of data minimisation (customer areas of the restaurant were also monitored).
Data Protection Authority of Brandenburg
Not assigned
Unknown Company
2019
€50,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Art. 28 GDPR
The data controller had engaged an external company to handle requests for access to data according to Art. 15 GDPR. However, the engaged company conducted the correspondence with the data subjects under its own logo and in English, so that it was not apparent to the data subjects who was responsible for the data processing. As a result, the data controller infringed the principle of transparency laid down in Art. 12 GDPR and did not sufficiently fulfil its obligations to provide information in accordance with Art. 15 GDPR. In addition, the data protection supervisory authority found that no written data processing contract had been concluded between the data controller and the external company, constituting a further breach of Art. 28 (9) GDPR.
Data Protection Authority of Rhineland-Palatinate
Individuals and Private Associations
Unknown
Unknown
€50.00
Insufficient legal basis for data processing
Art. 6 GDPR
Unlawful use of a dashcam
Data Protection Authority of Rhineland-Palatinate
Individuals and Private Associations
Unknown
Unknown
€300.00
Insufficient legal basis for data processing
Art. 6 GDPR
Unlawful use of a dashcam
Data Protection Authority of Rhineland-Palatinate
Individuals and Private Associations
Unknown
Unknown
€600.00
Insufficient legal basis for data processing
Art. 6 GDPR
Unlawful use of a dashcam
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Surveyor General of Poland ('GKK')
2020-08-31
€22,700.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Processing of personal data on the GEOPORTAL2 platform in the form of land and mortgage registers (including names, surnames and other personal data) without sufficient legal basis.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Bankia S.A.
2020-08-28
€50,000.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
The bank kept personal data of a data subject for several years, even after the data subject was no longer a customer. The data was also accessible to bank employees during this time. This constituted a violation of the principle of purpose limitation.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Basketball Federation of Castilla and Leon
2020-08-28
€5,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Basketball Federation transmitted personal data to third parties, which was subsequently published on the Internet without the consent of the data subjects. In addition, the data protection authority found that the Federation also disclosed personal data to a newspaper, which additionally violated the principle of integrity and confidentiality (Art. 5 (1) f) GDPR).
Data Protection Authority of Ireland
Health Care
Cork University Maternity Hospital
2020-08-18
€65,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 32 GDPR
The Data Protection Authority of Ireland imposed a fine on Cork University Maternity Hospital (CUMH) after the personal data of 78 patients was discovered disposed of in a public recycling centre. Among the documents disposed of, some contained special category personal data of six patients. It is believed that the breach at CUMH involved sensitive patient health data such as medical history and future planned care programmes.
AEPD
Spanish Data Protection Authority
Public Sector and Education
Party of the Socialists of Catalonia
2020-08-17
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
The Socialist Party of Catalonia has used the personal data provided by a professional doctor to send a letter to the complainant's relative asking for political support. This constitutes a different purpose from the original purpose of the collection and therefore violates the principle of purpose limitation.
AKI
Estonian Data Protection Authority
Individuals and Private Associations
Police Officer
2020-08-17
€48.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Access to personal data in a police database for private research activities.
AKI
Estonian Data Protection Authority
Health Care
Health care worker
2020-08-17
€56.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Access to personal data in a health database for private research activities.
Data Protection Authority of Ireland
Public Sector and Education
Tusla Child and Family Agency
2020-08-12
€85,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Irish DPA (DPC) fined Tusla Child and Family Agency EUR 85,000. The controller had reported 71 data breaches to the Irish DPA that occurred between May 25 and November 16, 2018, and concerned the unauthorized access of personal data processed by the controller. After a broad investigation, the DPA concluded that the controller failed to implement adequate technical and organizational measures to protect the data processing and thus violated Art. 32 (1) of the GDPR.
GARANTE
Italian Data Protection Authority
Employment
Cavauto S.R.L.
2020-08-10
€10,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 7 GDPR
Access to personal data of a former employee (containing his browser history) on his work computer.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Community of Baronissi
2020-08-10
€10,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The community published on its website personal data of data subjects including names, birth dates, place of birth, place of residence, etc.
AEPD
Spanish Data Protection Authority
Industry and Commerce
GROW BEATS SL
2020-08-06
€3,000.00
Insufficient fulfilment of information obligations
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
The company had published a cookie policy on its website which contained neither information about the purpose of the cookies used nor information about the properties of the installed cookies and the period for which they remain active in the end user's terminal equipment.
GARANTE
Italian Data Protection Authority
Industry and Commerce
GTL S.R.L.
2020-08-06
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 15 GDPR
Failure to grant access to personal data of a data subject according to Art. 15 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Just Landed S.L.
2020-08-06
€3,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Just Landed was fined EUR 3,000 for insufficient cookie information under national data protection law and at the same time warned for insufficient fulfilment of information obligations under Art. 13 GDPR (privacy policy available only in English).
CNIL
French Data Protection Authority
Industry and Commerce
Spartoo
2020-08-05
€250,000.00
Non-compliance with general data processing principles
Art. 5 (1) GDPR
Art. 13 GDPR
Art. 14 GDPR
A fine of EUR 250,000 was imposed on the online retailer Spartoo. The company, which has its headquarters in France but supplies a large number of European countries, fully recorded all telephone hotline conversations (including personal data such as addresses and the bank details of orders) and in addition stored bank details partially unencrypted. Among other things, this represents a violation of the principle of data minimisation. Furthermore, the supervisory authority also found a violation of the information obligations under Art. 13 GDPR, as the company's data protection information was partially incorrect.
Deputy Data Protection Ombudsman
Finance, Insurance and Consulting
Acc Consulting Varsinais-Suomi
2020-08-05
€7,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Unsolicited marketing SMS without prior consent
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Restaurant
2020-08-05
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 12 GDPR
Art. 13 GDPR
Installation of CCTV surveillance cameras that also monitored public space, without proper information being provided.
DSB
Austrian Data Protection Authority
Finance, Insurance and Consulting
Bank
2020-08-05
€100.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A bank employee made a copy of the identity card of a bank client who wanted to exchange EUR 100 in foreign currency and justified this with anti-money-laundering rules. However, these only apply to sums of EUR 1,000 and above.
GARANTE
Italian Data Protection Authority
Public Sector and Education
School
2020-08-05
€2,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Placing personal data of pupils on a public notice board.
DATATILSYNET
Danish Data Protection Authority
Real Estate
PrivatBo A.M.B.A.
2020-08-04
€20,100.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 32 GDPR
The company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the real estate objects in question but also personal data of other persons such as lease agreements and other documents containing confidential personal data.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, SAU
2020-08-04
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The data subject received confirmation from Vodafone of a number porting which the data subject had never requested.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Mapei S.p.A.
2020-08-04
€15,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 15 GDPR
Art. 17 GDPR
The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. In addition, the company did not react to claims for access and erasure.
GARANTE
Italian Data Protection Authority
Public Sector and Education
National Institute for Social Security - Department of the Province of Brescia
2020-08-04
€5,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Failure to grant access to personal health data of a data subject according to Art. 15 GDPR.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Supermarket
2020-08-04
€1,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The operator of a supermarket displayed the letter of dismissal addressed to the personnel manager on the supermarket's publicly visible notice board.
HDPA
Hellenic Data Protection Authority
Public Sector and Education
Candidate for parliamentary elections
2020-08-03
€3,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
The data subject received telephone calls regarding a candidacy for parliamentary elections. When the data subject exercised the right of access according to Art. 15 GDPR, no information was provided.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España SAU
2020-07-31
€45,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Unlawful processing of a telephone number for marketing purposes even after the data subject had exercised the right to erasure.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Tour & People Max S.L.
2020-07-31
€1,500.00
Insufficient fulfilment of data subjects rights
Art. 21 GDPR
Unsolicited marketing calls even though the data subjects had objected to the data processing. In addition to the GDPR, this was also seen as a violation of Article 48(1)(b) of General Law 9/2014 (Spanish national law).
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
SC Viva Credit IFN SA
2020-07-30
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
The company had not informed the data subject within one month (or up to three months if a reason for the delay is given) of the measures taken following the request for deletion of data.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
Romanian Post National Company
2020-07-30
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Processing of personal data, namely the telephone numbers and e-mail addresses of 81 data subjects, by the Romanian Post as data controller without appropriate technical and organisational measures, such as pseudonymisation.