GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Columns per entry: Data Protection Authority (abbreviation and full name), sector, fined company, date, fine, violation type, GDPR articles, description.
GARANTE
Italian Data Protection Authority
Employment
Community of Manduria
2020-07-30
€2,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The community transmitted personal data of a community employee to the press without sufficient legal basis.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Community of San Giorgio Jonico
2020-07-29
€3,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Publication of personal data on the municipal website with regard to legal proceedings.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Region of Campania
2020-07-29
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Publication of an enforcement order in civil proceedings on the Region's website. The document listed the names and place of residence and the amount of the claim.
DATATILSYNET
Danish Data Protection Authority
Accommodation and Hospitality
Arp Hansen Hotel Group A/S
2020-07-28
€147,800.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
During an inspection, the supervisory authority reviewed a number of IT systems to examine whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not kept longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself.
APD
Belgian Data Protection Authority
Public Sector and Education
Communal political association
2020-07-28
€3,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 14 GDPR
A local political association has sent out election advertisements to the residents of the municipality for the local elections in 2018. For this purpose, the association used the electoral roll from 2012 and compared it with that of 2018, without a sufficient legal basis and without appropriate information in accordance with Art. 14 GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
SC Cntar Tarom SA
2020-07-27
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Unauthorised disclosure of the data of five Tarom passengers due to inadequate technical and organisational measures for secure data processing. Among other things, the company was required to take corrective action, including training its employees and conducting risk assessment procedures.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
El Periódico de Catalunya, S.L.U.
2020-07-23
€10,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Following a request for erasure addressed to the company, the data subject received another newsletter from the newspaper, although El Periódico de Catalunya claimed to have granted the request. This was due to a failure of an external service provider of the company.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica Móviles España, SAU
2020-07-23
€55,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Telefónica Móviles España has processed the personal data of a data subject, such as first and last name and bank details, in order to activate three telephone lines that were never requested. This constitutes a breach of the principle of lawfulness of the processing.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica Móviles España, SAU
2020-07-23
€70,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The data subject's account was debited for two telephone lines that he had never ordered or approved. This constituted unlawful processing of personal data, since the data subject's information was stored in the information systems of Telefónica Móviles España without a legal basis for invoicing.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica Móviles España, SAU
2020-07-23
€75,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The company had carried out the number porting of his telephone line from his current company without his consent. Personal data was transferred from the former telephone operator to Telefónica Móviles España in order to change the ownership of the telephone line without sufficient legal basis.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-07-23
€5,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
Following a complaint, Xfera Móviles was requested by the AEPD to submit certain information and documents, but did not do so within the provided time limit.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
El Real Sporting de Gijón S.A.D.
2020-07-23
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 7 GDPR
Fines for sending direct marketing communications without sufficient consent, as the form Real Sporting de Gijón submitted to club members did not comply with the GDPR (opt-out instead of opt-in).
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Media, Telecoms and Broadcasting
Forbes Hungary
2020-07-23
€560.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Fine imposed on Forbes Hungary for publishing a list of the 50 wealthiest Hungarians and a list of the largest family businesses without a sufficient balance of interests (Art. 6 (1) f) GDPR).
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Employment
Employer
2020-07-23
€1,700.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
Failure to change the private address of an employee to his new address and to delete the old address, as well as insufficient enabling of the employee to exercise his/her rights.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Banco Bilbao Vizcaya Argentaria, SA
2020-07-20
€24,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
BBVA had no legitimate basis for processing the data of the data subject and had therefore infringed Article 6(1) of the GDPR, since the company processed solvency and credit information files without a prior contractual relationship with the data subject.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Iberia Lae SA Operadora Unipersonal
2020-07-20
€40,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The company did not grant the data subject access to telephone records. The applicant's request for access did not receive a reply, despite the prior order of the AEPD.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Comercial Vigobrandy, SL
2020-07-20
€1,500.00
Insufficient fulfilment of information obligations
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Installation of CCTV surveillance without adequate information being provided by means of a sign.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Orange Espagne S.A.U.
2020-07-20
€80,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The company had unlawfully activated several telephone line contracts using the personal data of a data subject. This constituted an unlawful processing operation, since the data of the data subject was entered into the company's database and processed there without a legitimate legal basis.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-07-20
€70,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
A data subject had received a call from another Xfera Móviles customer who stated that the company had charged his bank account with an invoice, disclosing the personal details of the other data subject. This was due to an error on the part of Xfera Móviles and was therefore a violation of the principles of integrity and confidentiality.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Media, Telecoms and Broadcasting
Google Ireland Ltd.
2020-07-16
€28.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 15 GDPR
Failure to respond in due time to a data subject's request to access information (Art. 15 GDPR; here: about data processed in the context of Google AdWords).
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Office for geodesy and cartography
2020-07-15
€22,300.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
Refusal of access to the premises by the supervisory authority in the course of an audit.
APD
Belgian Data Protection Authority
Media, Telecoms and Broadcasting
Google Belgium SA
2020-07-14
€600,000.00
Insufficient fulfilment of data subjects' rights
Art. 5 GDPR
Art. 6 GDPR
Art. 17 (1) a) GDPR
Art. 12 GDPR
The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, 600,000 euros. The reasons for the fine were the rejection of an application by a data subject for dereferencing outdated articles that the data subject considered damaging to their reputation, and a lack of transparency in Google's form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences for the data subjects, and natural persons were therefore entitled to have such articles deleted/dereferenced. This also applies to persons who hold political office, even though these persons are generally less worthy of protection due to their public status, so that articles relating to them may be stored for a longer period of time. Google's rejection of the application was therefore in breach of Article 17 of the GDPR (fine for this breach: €500,000). In addition, a further €100,000 was imposed for breach of the principle of transparency, as Google's rejection of the request for deletion was not sufficiently justified.
APD
Belgian Data Protection Authority
Industry and Commerce
Operator of CCTV of a residential building
2020-07-14
€5,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 7 GDPR
The operator of video cameras on a residential property had installed cameras there to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Merlini s.r.l.
2020-07-13
€200,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 28 GDPR
Art. 29 GDPR
The company had carried out telemarketing activities on behalf of Wind Tre S.p.A. through a third-party provider acting as data processor, without a sufficient legal basis for data processing (Art. 5-7 GDPR) and without sufficient contractual agreements (Art. 28, 29 GDPR) with the third-party provider.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Wind Tre S.p.A.
2020-07-13
€16,700,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 24 GDPR
Art. 25 GDPR
Fines for several unlawful data processing activities relating to direct marketing. Hundreds of data subjects claimed to have received unsolicited communications sent without their prior consent by SMS, e-mail, telephone calls and automated calls. The data subjects were not able to exercise their right to withdraw their consent and object to processing for direct marketing purposes because the information contained in the Data Protection Policy was incomplete in relation to the contact details. Furthermore, the data protection authority stated that the data of the data subjects were published on public telephone lists despite their objection. In addition, several apps distributed by the company were set up in such a way that the user had to give his consent to various processing activities each time he accessed them, with the possibility of withdrawing consent given only after 24 hours.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Iliad Italia S.p.A.
2020-07-13
€800,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 25 GDPR
The fine relates to data protection infringements concerning the processing of customer data for the activation of SIM cards and the manner in which payment data was recorded. In addition, the data protection authority stated that the company had violated the principles of lawfulness, fairness and transparency as well as the integrity and confidentiality with regard to the processing of personal data for direct marketing purposes and the storage of customer data in the personal area of its website.
UODO
Polish National Personal Data Protection Office
Transportation and Energy
East Power Sp. z o.o.
2020-07-10
€3,400.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
After three subpoenas to East Power, in which the latter failed to provide sufficient explanations on a direct marketing complaint, the data protection authority found that East Power had deliberately obstructed the course of the procedure or at least failed to comply with its obligations to cooperate with the supervisory authority.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Municipality of Rælingen
2020-07-10
€46,660.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Art. 35 GDPR
Fine for the processing of children's health data in connection with disability through the digital learning platform 'Showbie'. The Municipality had failed to carry out a Data Protection Impact Assessment ('DPIA') in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') prior to the start of the processing and had not taken adequate technical and organisational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorised access to the personal data of the pupils.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Auto Desguaces Iglesias S.L.
2020-07-10
€1,500.00
Non-compliance with general data processing principles
Art. 5 GDPR
The company had installed surveillance cameras that recorded the public road and therefore violated the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Centro Internacional De Crecimiento Laboral Y Profesional S.L.
2020-07-10
€1,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Sending commercial messages without consent and without the possibility to object.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, SAU
2020-07-10
€12,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Fines for violation of Art. 5 (1) d) GDPR for changing the customer's master data into the name of a third party, the ex-spouse of the customer.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Global Business Travel Spain SLU
2020-07-10
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The fine was preceded by an employee's access to health data of a person concerned. In the course of its investigations, the Data Protection Authority found that Global Business Travel Spain, as data controller, had infringed Article 32(2) and (4) of the GDPR by failing to take adequate technical and organisational measures to protect the data from unauthorised disclosure.
AEPD
Spanish Data Protection Authority
Industry and Commerce
School Fitness Holiday & Franchising S.L.
2020-07-10
€5,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Breach of transparency principle. No further information available at the moment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-07-10
€55,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 32 GDPR
The company had changed a contract for a mobile phone connection to a new owner, whereby the personal data of a data subject such as his address and telephone numbers were freely accessible. This constituted a violation of the principles of confidentiality and integrity.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Proleasing Motors SRL
2020-07-09
€15,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The company had failed to take adequate technical and organisational measures to ensure data security, which led to the publication on Facebook of a document containing a password for access to personal data of 436 customers.
AP
Dutch Supervisory Authority for Data Protection
Finance, Insurance and Consulting
Bureau Krediet Registration ('BKR')
2020-07-06
€830,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 15 GDPR
BKR had required the payment of a fee when individuals requested access to their personal data and only provided access to their data once a year free of charge by post.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Iberdrola Clientes
2020-07-02
€24,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
A third person had received an electricity bill with personal details such as name, address and bank account of another customer. The reason for this was that Iberdrola Clientes was not able to guarantee adequate security measures in the processing of the personal data of the data subject, in violation of the principles of data integrity and confidentiality. The fine of €40,000 was reduced to €24,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Industry and Commerce
De Vere Spain S.L.
2020-07-02
€4,000.00
Insufficient fulfilment of data subjects' rights
Art. 21 GDPR
The company did not respond to the data subject's request to stop processing his or her data, and the data subject therefore continued to receive commercial calls.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Odin Flissenter AS
2020-07-02
Amount not stated (see description)
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
On July 2, 2020, the Norwegian DPA (Datatilsynet) announced that it intends to fine Odin Flissenter AS EUR 28,000 for violations of Art. 5 GDPR and Art. 6 GDPR. This fine has since been imposed; see details at https://www.enforcementtracker.com/ETid-416.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Saunier-Tec Mantenimientos de Calor y Frio, SL.
2020-07-02
€3,600.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
Although the company had taken steps to remedy a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-07-02
€5,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
The company had not cooperated sufficiently with the data protection authority.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Mapei S.p.A.
2020-07-02
€15,000.00
Insufficient fulfilment of data subjects' rights
Art. 5 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 15 GDPR
Mapei failed to respond to the request for access to personal data of the data subject. In addition, Mapei had left the e-mail account of the person concerned active even after the termination of the contract.
Data Protection Authority of Baden-Wuerttemberg
Finance, Insurance and Consulting
Allgemeine Ortskrankenkasse ('AOK') (health insurance company)
2020-06-30
€1,240,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 6 GDPR
Art. 32 GDPR
From 2015 to 2019, AOK Baden-Württemberg (insurance organization) organized competitions on various occasions and collected personal data of the participants, including their contact details and health insurance affiliation. The AOK also wanted to use this data for advertising purposes, provided the participants had given their consent. With the help of technical and organizational measures, including internal guidelines and data protection training, the AOK wanted to ensure that only data of those contest participants who had previously given their effective consent would be used for advertising purposes. However, the measures defined by the AOK did not meet the legal requirements. As a result, the personal data of more than 500 lottery participants were used for advertising purposes without their consent. Immediately after this became known, the AOK Baden-Württemberg stopped all marketing measures in order to thoroughly examine all processes.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Lejre Municipality
2020-06-30
€6,700.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 33 GDPR
Art. 34 GDPR
The data protection authority found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings containing sensitive and particularly sensitive personal data, including on citizens under 18 years of age, to the Lejre Municipal Personnel Portal, which was accessible to employees of the Lejre Municipality regardless of whether the employees in question were working on these cases. In addition, the data protection authority objected to the failure to comply with the obligation to inform the persons concerned of the data breach.
Data Protection Authority of Ireland
Public Sector and Education
Tusla Child and Family Agency
2020-06-30
€40,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks.
HDPA
Hellenic Data Protection Authority
Public Sector and Education
New York College S.A.
2020-06-29
€5,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
The College had contacted the complainant directly by telephone with regard to an educational programme and had processed personal data in a non-transparent manner.
Information Commissioner of Isle of Man
Public Sector and Education
Department of Home Affairs
2020-06-25
€13,500.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 15 GDPR
Fine for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man, although not an EU state, has declared the GDPR to be applicable.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Miraclia (telecommunications company)
2020-06-23
€7,500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The recording of telephone jokes via an app constitutes processing of personal data in accordance with the applicable data protection law, as the voices of individuals may constitute personal data if they are associated with other information, such as the telephone number. The consent of the users at the end of the conversation was not sufficient in this case.
AEPD
Spanish Data Protection Authority
Real Estate
Comunidad de propietarios demelza beach
2020-06-22
€2,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 14 GDPR
Illegal use of CCTV cameras due to coverage of public space and recording of passing pedestrians. Furthermore, insufficient fulfilment of information obligations.
DATATILSYNET
Norwegian Supervisory Authority
Health Care
Østfold HF Hospital
2020-06-22
€112,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
It was found that Østfold HF Hospital had stored patient data, including sensitive data such as the reason for hospitalisation, during the period 2013-2019 without controlling access to the folders where the data was stored. Datatilsynet therefore decided that the hospital had not taken sufficient technical and organisational measures to protect personal data and was therefore in breach of the GDPR and the Patient Records Act.