A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Each entry below lists the following fields, one per line: data protection authority (abbreviation, where given, and name), sector, fined company, date of decision, fine, violation type, GDPR articles concerned, and a description of the case.
APD
Belgian Data Protection Authority
Not assigned
Unknown
2020-06-19
€10,000.00
Insufficient fulfilment of data subjects' rights
Art. 5 GDPR
Art. 6 GDPR
Art. 15 GDPR
The company sent an e-mail to the person concerned without his consent. Thereupon the person concerned requested timely information about the entries in the database concerning his person, which remained unanswered.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Aquateknikk AS
2020-06-19
Fine amount not available
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
On June 19, 2020, the Norwegian DPA (Datatilsynet) announced that it intends to fine Aquateknikk AS EUR 28,000 for violations of Art. 5 GDPR and Art. 6 GDPR. This fine has since been imposed; see details at https://www.enforcementtracker.com/ETid-530.
AEPD
Spanish Data Protection Authority
Public Sector and Education
National Police Brigade
2020-06-19
€6,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Making copies of a company's business records in the context of investigations which contained data from third parties and for which there was no legal basis for processing.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
Enel Energie
2020-06-18
€4,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Failure to take adequate measures to prevent unauthorised disclosure of personal data. The fine was preceded by a complaint about the disclosure of personal data of the data subject to another customer by e-mail.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Café Bar
2020-06-16
€2,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 14 GDPR
Illegal use of CCTV cameras (recording of third parties) and insufficient fulfilment of information obligations.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Real Estate
Housing Association
2020-06-16
€1,900.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Unlawful usage of surveillance cameras. In the decision, the data protection authority stressed that sound recordings have additional privacy implications, especially in a residential building, and that in this case there is nothing to justify sound recording. In addition, the decision orders the housing association to stop the cameras recording staircases and entrances, to stop sound recording and to improve the information on camera surveillance.
APD
Belgian Data Protection Authority
Not assigned
Unknown
2020-06-16
€1,000.00
Insufficient fulfilment of data subjects' rights
Art. 17 GDPR
Art. 21 GDPR
Art. 31 GDPR
The data subject repeatedly received e-mails with advertising content from a company, although the data subject had objected to the processing of his personal data and requested the deletion of his data. In addition, the company did not respond to any inquiries from the data protection authority in this regard.
AP
Dutch Supervisory Authority for Data Protection
Public Sector and Education
PVV Overijssel
2020-06-16
€7,500.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
The Dutch DPA (AP) fined the Overijssel local branch of the PVV party EUR 7,500 for failing to notify the AP of a personal data breach, in violation of Art. 33 GDPR. An email regarding the convening of a meeting had been sent via an open distribution list due to a human error. Since the total of 101 recipients were addressed as 'Friends of the PVV' in the email, the political beliefs of the data subjects were thus disclosed to all addressees.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-06-15
€75,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The data subject received a notice from a debt collection company demanding payments in connection with Xfera Móviles' services, even though the claimant had not been a customer of Xfera Móviles since September 2017. Furthermore, the resolution states that Xfera Móviles carried out the processing of the personal data of the plaintiff without his consent, which constitutes a violation of Article 6 of the GDPR.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Media, Telecoms and Broadcasting
Digi Távközlési Szolgáltató Kft. ('Digi') (electronic communication service provider)
2020-06-12
€288,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) b), e) GDPR
Art. 32 (1), (2) GDPR
The company had infringed the principles of purpose limitation and storage restriction because its database contained a large amount of customer data which were no longer relevant for the actual purpose of collection and for which no retention period had been set. Furthermore, the NAIH pointed out that the defendant had not taken proportionate measures to reduce the risks in the area of data management and data security, arguing, inter alia, that it had not used encryption mechanisms.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Telekom Romania
2020-06-11
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Inadequate security measures at the company had led to unlawful processing of personal data without verification of their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 of the GDPR, and the company was ordered to introduce effective mechanisms to identify and protect data from unauthorised disclosure and unlawful processing in order to ensure compliance with the GDPR.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Consulting de Seguridad e Investigacion Mira Dp Madrid S.L.
2020-06-09
€5,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A data subject has received marketing messages without having consented.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Chenming Ye (Bazar Real)
2020-06-09
€540.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 14 GDPR
Usage of CCTV camera in a shop without proper information.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Property Owner
2020-06-09
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Usage of a CCTV camera which also captured the public road outside, in violation of the so-called principle of data minimisation.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Equifax Iberica, S.L.
2020-06-09
€75,000.00
Insufficient fulfilment of data subjects' rights
Art. 15 GDPR
The data subject had requested by e-mail the deletion of his data from the file of the National Association of Financial Credit Institutions ('ASNEF'). Equifax Iberica had replied that the exercise of the complainant's right was excessive due to an earlier request and that therefore the deletion would not be carried out. This was seen as a breach of the data subject's right to erasure under the GDPR as well as a breach of blocking obligations under national data protection laws.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-06-09
€39,000.00
Insufficient legal basis for data processing
Art. 5 (1) f) GDPR
A customer claimed to have received an SMS from Xfera Móviles informing about the non-payment and the resulting suspension of the service in relation to the account of another data subject.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Glovoapp23
2020-06-09
€25,000.00
Insufficient involvement of data protection officer
Art. 37 GDPR
The company had not appointed a Data Protection Officer ('DPO') to whom requests from data subjects could be addressed, and the company's website did not contain information about an appointed DPO.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
TELEFONICA MOVILES ESPAÑA, S.A.U.
2020-06-09
€40,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
A sales representative failed to carefully check the identity of a claimant, so that the claimant was able to pose as the data subject and order a telephone connection with four telephone lines in the data subject's name.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Salad Market S.L. (Catering Company)
2020-06-09
€3,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 14 GDPR
Fines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Attorney
2020-06-09
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
In the course of proceedings, an attorney submitted documents whose backs contained personal data of other parties.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Property Owner
2020-06-09
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Usage of a CCTV camera which also captured the public road outside, in violation of the so-called principle of data minimisation.
APD
Belgian Data Protection Authority
Public Sector and Education
Municipal employee
2020-06-08
€5,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Iberdrola Clientes
2020-06-04
€4,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The company was asked to provide the AEPD with specific information in relation to a complaint. However, the company had not replied to the data protection authority's request for information within the set time frame, in breach of Art. 58 of the GDPR.
UODO
Polish National Personal Data Protection Office
Individuals and Private Associations
Entrepreneur running a non-public nursery and pre-school
2020-06-03
€1,168.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
Fine for not answering requests for further information of the supervisory authority in due time following a data breach.
APD
Belgian Data Protection Authority
Individuals and Private Associations
Non-profit organisation
2020-05-29
€1,000.00
Insufficient fulfilment of data subjects' rights
Art. 6 GDPR
Art. 21 GDPR
The Belgian data protection authority imposed a fine of EUR 1,000 on a non-profit organisation for sending out direct marketing messages despite the fact that data subjects had exercised their rights to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the explicit consent of the data subjects. The data protection authority, however, denied that any overriding legitimate interest existed.
Deputy Data Protection Ombudsman
Transportation and Energy
Taksi Helsinki
2020-05-29
€72,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 6 GDPR
Art. 35 GDPR
Among other things, the company had not assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in its taxis and had also failed to conduct data protection impact assessments of its processing activities, including the surveillance of security cameras, the processing of location data, automated decision making and profiling as part of its loyalty program. Furthermore, the processing of audio data was not in line with the GDPR principle of data minimization.
UOOU
Czech Data Protection Authority
Industry and Commerce
Unknown
2020-05-26
Fine amount not available
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
The Czech DPA (UOOU) imposed a fine on a company for processing personal data without a sufficient legal basis. Several individuals were contacted by the sales staff of the controller for advertising purposes. The data subjects had used the services of the sales staff in the past (until around 2016) to conclude insurance or financial contracts. However, at that time, the sales staff were working for a different company with which they had concluded an agency contract. The DPA notes that, on the one hand, the use of personal data known to the representatives from their previous activity constitutes a breach of the contract concluded with the previous company, and, on the other hand, no legal basis existed for the further processing of the data for advertising purposes in favour of the controller.
Deputy Data Protection Ombudsman
Transportation and Energy
Posti Group Oyj
2020-05-22
€100,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 15 GDPR
The decision relates to complaints alleging that data subjects received direct marketing from the company although they had requested that their postal data be deleted. Investigations also revealed that the data protection information provided by the company was not transparent enough.
Deputy Data Protection Ombudsman
Employment
Kymen Vesi Oy
2020-05-22
€16,000.00
Non-compliance with general data processing principles
Art. 35 GDPR
Fine for failure to carry out a data protection impact assessment ('DPIA') for the processing of employees' location data with a vehicle information system.
Deputy Data Protection Ombudsman
Employment
Unknown Company
2020-05-22
€12,500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Processing of employee data without sufficient legal basis.
Data Protection Authority of Ireland
Public Sector and Education
Tusla Child and Family Agency
2020-05-17
€75,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The company has erroneously disclosed personal data, including information about children, to unauthorized persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged offender, and in two other cases, data about children in foster care were improperly disclosed to blood relatives, including in one case to a father in prison.
DATATILSYNET
Danish Data Protection Authority
Employment
JobTeam A/S DKK
2020-05-15
€6,700.00
Insufficient fulfilment of data subjects' rights
Art. 15 GDPR
The company deleted personal data that were the subject of a pending access request, without a legal reason for doing so.
APD
Belgian Data Protection Authority
Industry and Commerce
Social Media Provider
2020-05-14
€50,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The company has sent invitations to contacts uploaded by its users without their consent or any other legal basis.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Public Sector and Education
Health and Medical Board of the Region of Örebro County
2020-05-12
€11,200.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Publication of personal data of a patient without sufficient legal basis.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Banca Comercială Română SA
2020-05-05
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The data protection authority found that the company had not taken adequate technical and organisational measures to ensure an adequate level of information security. This applied in particular to the collection and transmission of copies of customers' identification documents via WhatsApp.
DATATILSYNET
Norwegian Supervisory Authority
Media, Telecoms and Broadcasting
Telenor Norge AS
2020-05-03
€134,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Fines for security breaches in a voice mailbox function.
AP
Dutch Supervisory Authority for Data Protection
Employment
Unknown Organisation
2020-04-30
€725,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 9 GDPR
The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing.
AKI
Estonian Data Protection Authority
Real Estate
Housing Association
2020-04-30
€500.00
Insufficient legal basis for data processing
Art. 6 GDPR
Fine of EUR 500 against a housing association for publishing photos showing members of the association without their consent.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Public Sector and Education
National Government Service Centre (NGSC)
2020-04-29
€18,700.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
Art. 34 GDPR
The DPA's decision shows that it took almost five months for the company to notify the data subjects of a data breach, and almost three months for the DPA to receive a notification of the breach, which concerned a security deficiency in the company's IT systems.
APD
Belgian Data Protection Authority
Media, Telecoms and Broadcasting
Proximus SA
2020-04-28
€50,000.00
Insufficient involvement of data protection officer
Art. 31 GDPR
Art. 58 GDPR
Art. 37 GDPR
According to the data protection authority, the company's data protection officer was not sufficiently involved in the handling of personal data breaches. In addition, the company had no system in place to prevent a conflict of interest on the part of the DPO, who also held numerous other positions within the company (head of the compliance and audit departments). This led the DPA to conclude that the company's DPO was not able to work independently.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Estee Lauder Romania
2020-04-23
€3,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 7 GDPR
Art. 9 GDPR
Processing of personal data without sufficient legal basis including health data.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Telekom Romania Communications SA
2020-04-23
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The company had not taken sufficient technical and organisational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjects.
KZLD
Data Protection Commission of Bulgaria
Public Sector and Education
Political Party
2020-04-14
€2,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Forging signatures on a voters' list.
HDPA
Hellenic Data Protection Authority
Employment
Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε.
2020-04-07
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 6 (1) f) GDPR
The Hellenic DPA (HDPA) has imposed a fine of EUR 2,000 on Ιγνατιάδης Νικόλαος και ΣΙΑ Ε.Ε. The controller had installed surveillance cameras covering areas where its employees were present. The controller claims that the cameras were installed for security purposes, as there had been incidents of theft in the past. Considering this, the surveillance system was intended to detect people entering the facilities. However, during the DPA's investigation, it was found that the camera installation was not limited to areas necessary for the protection of property. The DPA recognized this as a violation of the principle of data minimization.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Bank
2020-03-26
€2,890.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Due to an administrative error, the personal data of the data subject were registered and transferred to the Central Credit Information System (CCI) in connection with a loan agreement, without the data subject being a party to the agreement.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
SOS Infertility Association
2020-03-25
€2,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The Association did not provide the data protection authority with the information requested by the latter after the Association had processed personal data without a sufficient legal basis.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
Enel Energie
2020-03-25
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The company sent an e-mail to a client which contained personal data of another client, because the company had failed to implement adequate technical and organisational measures to ensure an adequate level of information security.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Vodafone Romania
2020-03-25
€4,150.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The company sent an e-mail to a customer which contained personal data of another customer, due to inadequate technical and organisational measures to ensure information security.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Dante International
2020-03-25
€3,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 21 GDPR
The company sent a commercial e-mail to a client although the client had previously unsubscribed from commercial communications.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-03-25
€5,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
The company did not provide the data protection authority with the requested information in a timely manner. The AEPD's request was preceded by a request from a data subject for access to his or her personal data.