
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Each entry below lists: data protection authority (abbreviation and name), sector, fined company, date of decision, fine, type of violation, GDPR articles cited, and a description.
AP
Dutch Supervisory Authority for Data Protection
Employment
CP&A
2020-03-24
€15,000.00
Insufficient technical and organisational measures to ensure information security
Art. 9 GDPR
Art. 32 GDPR
The Dutch DPA (AP) imposed a fine of EUR 15,000 on CP&A. When recording employee absences due to illness, the controller had documented both the causes of illness and the specific complaints of the data subjects. The DPA found this unlawful, since health data enjoys special protection: employers are not permitted to record either the reasons for or the causes of sick leave. Furthermore, the DPA found that the controller had not implemented adequate technical and organisational measures to protect the processing when recording absences. Namely, the absence registration was accessible online without any form of authentication. In the DPA's view, an absence system that is accessible via the Internet may only be accessed through multi-factor authentication, i.e. a second form of authentication would have been required in addition to the 'normal' login.
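The AP's reasoning turns on a concrete technical failing: a register of health-related absence data reachable from the Internet must not open on a password alone. The Python below is an example added here; it is not taken from the enforcement tracker or from the AP decision. It implements RFC 6238 TOTP with the standard library and gates a sample absence record behind both a password session and a verified second factor, which is the check the AP said was missing. The record, the employee identifier, the helper and class names, and the shared secret (the RFC 6238 reference key) are assumptions for illustration only.

```python
"""Gating an Internet-facing absence register behind a second factor.

Added example, not part of the enforcement tracker page or the AP decision.
RFC 6238 TOTP is implemented with the standard library; the record, the
identifiers and the shared secret below are assumed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample record: the kind of health-related absence data the AP
# said must not be reachable over the Internet without multi-factor authentication.
ABSENCE_REGISTER = {
    "emp-0042": {"from": "2020-02-03", "to": "2020-02-07", "note": "sick leave"},
}

# Assumed per-user secret: the RFC 6238 reference key "12345678901234567890" in base32.
SHARED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(base64.b32decode(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one 30-second step either side (clock skew).

    hmac.compare_digest keeps the comparison constant-time so a wrong code
    does not leak how many digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


class Session:
    """Minimal session state: password login done, second factor not yet passed."""

    def __init__(self, user: str, password_ok: bool):
        self.user = user
        self.password_ok = password_ok
        self.mfa_passed = False


def complete_mfa(session: Session, code: str, now: Optional[int] = None) -> bool:
    """Second step of login: mark the session as MFA-complete only on a valid TOTP."""
    now = int(time.time()) if now is None else now
    if session.password_ok and verify_totp(SHARED_SECRET_B32, code, now):
        session.mfa_passed = True
    return session.mfa_passed


def get_absence_record(session: Session, employee_id: str) -> Optional[dict]:
    """Hardened endpoint: the 'normal' login AND a verified second factor are required.

    The variant the AP objected to would return the record with no
    authentication at all; returning None here stands in for a 401/403.
    """
    if not (session.password_ok and session.mfa_passed):
        return None
    return ABSENCE_REGISTER.get(employee_id)


if __name__ == "__main__":
    s = Session("hr-clerk", password_ok=True)
    print(get_absence_record(s, "emp-0042"))  # None: password alone is not enough
    complete_mfa(s, totp(SHARED_SECRET_B32, int(time.time())))
    print(get_absence_record(s, "emp-0042"))  # record, after the second factor
```

The skew window of one step is a deliberate trade-off: it tolerates a phone clock a few seconds off while keeping the accepted code set to three values per 30 seconds. In a real deployment the secret would be stored per user, enrolment would be out of band, and failed attempts would be rate-limited.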
HDPA
Hellenic Data Protection Authority
Health Care
Speech and Special Education Centre - Mihou Dimitra
2020-03-20
€8,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
Art. 58 GDPR
The complainant had requested access to his child's data and to tax information. The data controller rejected this request and, in addition, violated an order of the data protection authority regarding access to the data. A fine of EUR 8,000 was imposed: EUR 3,000 for not granting access to the data and EUR 5,000 for violating orders of the data protection authority.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Oliveros Ustrell, S.L.
2020-03-19
€6,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The company forwarded an unsigned porting contract to the operator Vodafone but was unable to provide evidence that the data subject had placed the order. The personal data of the data subject was therefore processed without a sufficient legal basis.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Not assigned
Unknown Company
2020-03-19
€5,800.00
Insufficient fulfilment of data subjects rights
Art. 6 GDPR
Art. 15 GDPR
The data controller did not comply with its obligation regarding the right of access to video recordings and was also unable to demonstrate that its data processing activities complied with data protection law.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Telefónica
2020-03-18
€30,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
Telefónica had failed to comply with decision TD / 00127/2019 of the Director of the AEPD, which required it to reply to a data subject's requests for access to and erasure of their data.
AEPD
Spanish Data Protection Authority
Public Sector and Education
Centro De Estudio Dirigidos Delta, S.L.
2020-03-16
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Centro De Estudio Dirigidos Delta sent a message containing personal data such as first and last name and ID numbers to a third party via WhatsApp without the consent of the data subjects. This constitutes a violation of the principles of integrity and confidentiality under Article 5(1)(f) GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Person
2020-03-16
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
On a beach, a private person secretly photographed female bathers. The incident was reported to the AEPD by the local police.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Amalfi Servicios de Restauracion S.L.
2020-03-16
€6,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 13 GDPR
Art. 14 GDPR
Video surveillance covering public space, in violation of the principle of data minimisation. Furthermore, the information obligations were violated, as insufficient information was provided about the video surveillance.
AZOP
Croatian Data Protection Authority
Finance, Insurance and Consulting
Bank (name not available at the moment)
2020-03-13
Amount not yet known
Insufficient fulfilment of data subjects rights
Art. 15 (1), (3) GDPR
Between May 2018 and April 2019, the bank (name not available at the moment) refused to provide its customers with copies of credit documentation (e.g. repayment plan, loan agreement annex, review of interest rate changes). The bank argued that the documentation related to repaid loans and constituted loan documentation that cannot be subject to the customers' right of access. In the procedure initiated on the basis of data subjects' complaints, the DPA ordered the bank to enable the right of access and to provide copies of the requested loan documentation. When imposing the fine, the DPA took into particular consideration that the bank failed to comply with the ordered measures, that it continued the practice for almost a year and that it denied the right of access to more than 2,500 of its customers. The amount of the fine is not known at the moment, but as the DPA qualified the breach as 'severe', a high fine is expected.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2020-03-12
€2,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 13 GDPR
Art. 14 GDPR
Video surveillance covering public space, in violation of the principle of data minimisation. Furthermore, the information obligations were violated, as insufficient information was provided about the video surveillance.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Media, Telecoms and Broadcasting
Google LLC
2020-03-11
€5,000,000.00
Insufficient fulfilment of data subjects rights
Art. 5 GDPR
Art. 6 GDPR
Art. 17 GDPR
Original fine summary: The Swedish data protection authority fined Google LLC EUR 7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Integritetsskyddsmyndigheten had already completed a review in 2017 of how Google handles individuals' right to have search results removed from its search engine and had instructed Google to remove a number of search results. The authority stated that it initiated a further review of Google's practices in 2018 after receiving indications that several of the results that should have been removed still appeared in search results. Integritetsskyddsmyndigheten also objected to Google's practice of informing website owners which results Google is removing from search results, specifically which link has been removed and who is behind the removal request, as this has no legal basis. Update: On November 23, 2020, after an appeal against the fine, the Administrative Court of Stockholm announced that it had rejected Google LLC's appeal. However, the court reduced the fine from SEK 75 million (approx. EUR 7 million) to SEK 52 million (approx. EUR 5 million).
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Hørsholm Municipality
2020-03-10
€7,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
A municipal employee's work computer, containing the personal data of about 1,600 municipal employees, including sensitive information and social security numbers, was stolen.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Gladsaxe Municipality
2020-03-10
€14,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
A computer containing personal data that was not protected by encryption, including sensitive information and the personal identification numbers of 20,620 residents of the municipality, was stolen.
PERSÓNUVERND
Icelandic data protection authority
Health Care
National Center of Addiction Medicine ('SAA')
2020-03-10
€20,600.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Persónuvernd noted that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse.
PERSÓNUVERND
Icelandic data protection authority
Public Sector and Education
Breiðholt Upper Secondary School
2020-03-10
€9,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions.
AEPD
Spanish Data Protection Authority
Employment
Gesthotel Activos Balagares
2020-03-09
€15,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read the contents of this letter in a meeting with other employees.
UODO
Polish National Personal Data Protection Office
Finance, Insurance and Consulting
Vis Consulting Sp. z o.o.
2020-03-09
€4,400.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
Art. 58 GDPR
The company prevented an inspection by the data protection authority. As a result, the company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of the GDPR.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Creditor
2020-03-09
€870.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
An SMS debt reminder was sent to a data subject even though the debt had already been paid.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Liceo Artistico Statale di Napoli
2020-03-06
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
The Garante's decision reveals that the high school unlawfully published health data and other information in the teacher rankings posted on the institute's website. This publication violated the principles of lawfulness, fairness, transparency and data minimisation.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Liceo Scientifico Nobel di Torre del Greco
2020-03-06
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
The Garante's decision reveals that the high school unlawfully published health data and other information of more than 2,000 teachers in the teacher rankings posted on the institute's website. This publication violated the principles of lawfulness, fairness, transparency and data minimisation.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2020-03-06
€4,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Unlawful usage of video surveillance cameras which also monitored parts of the public space (violation of principle of data minimization).
AEPD
Spanish Data Protection Authority
Industry and Commerce
Retailer
2020-03-06
€3,200.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 14 GDPR
Insufficient declaration of video surveillance.
GARANTE
Italian Data Protection Authority
Public Sector and Education
San Giorgio Jonico
2020-03-05
€3,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 17 GDPR
Publication of a citizen's personal data on a website and failure to comply with requests for deletion.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
School in Gdansk (Danzig) (fine imposed against town of Gdansk)
2020-03-04
€0.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 9 GDPR
Original summary: A school in Gdansk used biometric fingerprint scanners to authenticate students for payment in the school canteen. Although the parents had given written consent to this processing, the data protection authority considered the processing of the students' data unlawful, as the consent had not been given voluntarily. Update: On August 7, 2020, the Provincial Administrative Court in Warsaw overturned the decision of the Polish DPA imposing a fine of EUR 4,600.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-03-04
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
According to the AEPD, the data subject received several SMS from a different operator indicating the activation of a new contract. This was because an employee of Vodafone España had activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or a sufficient legitimate interest for this processing of personal data.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Public Sector and Education
Representative of a local government
2020-03-04
€290.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
A local representative took a photo of the director of a company wholly owned by the local government, depicting the director allegedly tearing down an opposition election poster while in the company of his child. The representative uploaded the photo to his Facebook page. The child's image was blurred, yet the post hinted that she was the director's daughter. The director had told the representative at the scene that he did not consent to the photo being taken. NAIH determined that the director's act was not public information and that the photo does not prove that the director tore down an election poster. NAIH also emphasised that only the name of the director of a company wholly owned by the local government was public information.
AP
Dutch Supervisory Authority for Data Protection
Individuals and Private Associations
Royal Dutch Tennis Association ('KNLTB')
2020-03-03
€525,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The Dutch Data Protection Authority fined the Royal Dutch Tennis Association ('KNLTB') EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors, who contacted some of the members by mail and telephone for direct marketing purposes. The KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The authority also rejected the existence of a legitimate interest in the sale of the data and therefore concluded that there was no legal basis for the transfer of the personal data to the sponsors.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Solo Embrague
2020-03-03
€1,800.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The corporate website did not present a privacy policy or a cookie banner on its main page.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-03-03
€42,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorized access to personal data of a client.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-03-03
€40,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
According to the AEPD, the company sent an SMS to a client's mobile number confirming that a telephone contract for that number had been signed, even though the recipient was not a Vodafone client, resulting in the processing of personal data without the data subject's consent or any other legitimate interest of the company.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-03-03
€24,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
According to the AEPD, the company sent two SMS to a client's mobile number, informing them of a rate change in their contract and confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subject's consent or any other legitimate interest of the company.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone ONO, S.A.U.
2020-02-28
€48,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The decision was taken due to several deficiencies in information security. For example, two people were given the same security access key.
AEPD
Spanish Data Protection Authority
Employment
AEMA Hispánica
2020-02-28
€3,600.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The company had sent the payroll of an employee to another employee and therefore disclosed personal data to an unauthorised party.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Coop Finnmark SA
2020-02-28
Amount not stated at time of announcement (see description)
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
On February 28, 2020, the Norwegian DPA (Datatilsynet) announced that it intends to fine Coop Finnmark SA EUR 38,600 for violations of Art. 5 GDPR and Art. 6 GDPR. This fine has since been imposed; see details at https://www.enforcementtracker.com/ETid-525.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-02-27
€120,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Furthermore, the decision of the data protection authority emphasises that Vodafone España also unlawfully disclosed the personal data of the data subject to various credit agencies.
DATATILSYNET
Norwegian Supervisory Authority
Public Sector and Education
Rælingen Municipality
2020-02-26
Amount not stated at time of announcement (see description)
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
On February 26, 2020, the Norwegian DPA (Datatilsynet) announced that it intends to fine Rælingen Municipality EUR 73,600 for violations of Art. 5 (1) f) GDPR and Art. 32 GDPR. This fine has since been imposed; see details at https://www.enforcementtracker.com/ETid-333.
AEPD
Spanish Data Protection Authority
Health Care
HM Hospitales
2020-02-25
€48,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The data subject stated that at the time of his admission to hospital he had to fill in a form containing a checkbox indicating that, if he did not tick it, he agreed to the transfer of his data to third parties. This form, provided by HM, was not compatible with the GDPR, since consent was to be obtained through the inactivity of the data subject.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Casa Gracio Operation
2020-02-25
€6,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The company used CCTV cameras in the premises of a hotel which also captured the public roads outside the hotel resulting in a violation of the so called principle of data minimisation.
HDPA
Hellenic Data Protection Authority
Transportation and Energy
Public Power Corporation S.A.
2020-02-21
€5,000.00
Insufficient fulfilment of data subjects rights
Art. 15 GDPR
The Decision clarified that data subjects have a right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request.
KZLD
Data Protection Commission of Bulgaria
Industry and Commerce
T.K. EOOD
2020-02-20
€2,560.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 32 GDPR
The fine of approx. EUR 2,557 was imposed on T.K. EOOD for unlawfully processing the personal data of data subject I.S. by failing to adopt technical and organisational measures to ensure information security. T.K. EOOD processed the personal data of I.S. unlawfully nine times over a period of five months. The breaches caused damage to the data subject.
KZLD
Data Protection Commission of Bulgaria
Industry and Commerce
L.E. EOOD
2020-02-20
€2,560.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 32 GDPR
Art. 6 GDPR
The fine of approx. EUR 2,557 was imposed on L.E. EOOD for unlawfully processing the personal data of data subject I.S. without the data subject's knowledge or consent and without a valid contractual relationship between L.E. EOOD and I.S. The enterprise processed the personal data of I.S. unlawfully seven times over a period of three months, having failed to adopt technical and organisational measures to ensure information security. In addition to the fine, the Commission for Personal Data Protection ('KZLD') instructed L.E. EOOD to carry out regular inspections of its data processing activities, to perform a risk analysis regarding customers and employees and to conduct periodic training of employees. The KZLD also ordered L.E. EOOD to archive and retain documents containing personal data only for the limited purposes and period required by law.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Mymoviles Europa 2000, S.L.
2020-02-18
€1,500.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The AEPD found that the company did not publish a privacy statement on its website and that its legal notice did not sufficiently identify itself.
AEPD
Spanish Data Protection Authority
Real Estate
Grupo Valsor Y Losan, S.L.
2020-02-14
€2,500.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
The controller had disclosed personal data to a third party in a property purchase agreement (breach of the principles of integrity and confidentiality of personal data).
AEPD
Spanish Data Protection Authority
Public Sector and Education
Colegio Arenales Carabanchel (School)
2020-02-14
€3,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Iberdrola Clientes
2020-02-14
€80,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Iberdrola Clientes, an electricity company, terminated the data subject's contract without his consent, concluded three new contracts with him, processed his personal data unlawfully and transferred his personal data to a third party without legal basis. In addition to this fine, the AEPD imposed another fine of EUR 50,000 under the old Spanish Data Protection Law.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-02-14
€42,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The complainant had access to third party data in his personal Vodafone profile.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-02-14
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The AEPD found that a third party had access to the name, telephone number and address of another customer.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Urago
2020-02-13
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The local council has published on its website information containing a person's personal data, including health information.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Vodafone Romania
2020-02-11
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Vodafone Romania had incorrectly processed personal data of an individual in order to process a complaint, which was subsequently sent to a wrong e-mail address. The reason for this was that there were insufficient security measures in place to prevent such erroneous data processing.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
RTI - Reti Televisive Italiane s.p.a.
2020-02-06
€20,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The television station broadcast a documentary about prostitution in Switzerland in which the persons interviewed were not sufficiently anonymised.