
GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Each entry lists: data protection authority, sector, fined company, date of decision, fine, type of violation, GDPR articles concerned, and a description of the case.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Cafetería Nagasaki
2020-02-04
€1,500.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The AEPD found that the Nagasaki Cafetería did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Xfera Moviles S.A.
2020-02-03
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
According to the data protection authority, XFERA MOVILES has violated Article 6(1) of the GDPR, as the company has unlawfully processed data, including bank details, customer address and name of the data subjects.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-02-03
€75,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The fine was preceded by a complaint from the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscription to a third party without the data subject's knowledge or consent and that, as a result, he had received an e-mail from the third party concerning a purchase made in his name.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-02-03
€60,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España, which contained the billing of a telephone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject's personal data were incorporated into the information systems of Vodafone España without Vodafone being able to show that the data subject had consented to the collection and subsequent processing of his personal data. The fine of 100,000 EUR was reduced to 60,000 EUR due to a voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-02-03
€50,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to its neighbour.
AEPD
Spanish Data Protection Authority
Transportation and Energy
Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal
2020-02-03
€20,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 21 GDPR
Iberia continued to send e-mails to the data subject, although the data subject had requested the withdrawal of his consent and the erasure of his personal data, and the execution of these measures had already been confirmed to him.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-02-03
€75,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship. As a reason for the incorrect mailings Vodafone indicated a technical error.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Banco Bilbao Vizcaya Argentaria S.L.
2020-02-03
€6,670.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 21 GDPR
The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Queseria Artesenal Ameco S.L.
2020-02-03
€5,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The company processed personal data of customers without required consent.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Automoción
2020-02-03
€800.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
An employee created a fake profile of a female colleague on an erotic portal, which contained, among other things, her contact details, a photo of her and information about her sexuality. Based on the profile, the data subject received several phone calls from people who wanted to contact her regarding the information provided on the website. As the private person was found to have a personality disorder, the fine was reduced from the initial EUR 1,000 to EUR 800.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Colledara
2020-01-30
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Publication of documents relating to a public tender, containing personal data, on a website.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Accounting firm
2020-01-24
€1,450.00
Insufficient technical and organisational measures to ensure information security
Art. 24 GDPR
Art. 32 GDPR
A printed customer list of an accounting firm, which also contained personal data, could be accessed by unauthorized persons.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Ospedaliero Universitaria Integrata di Verona (Hospital)
2020-01-23
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The fine was preceded by access to health data by unauthorised persons, allowing a trainee and a radiologist to gain access to the health data of their colleagues. The investigations revealed that the technical and organisational measures taken by the hospital to protect health data had proved to be insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines for health records issued by the data protection authority in 2015, which stipulate that access to health records must be restricted only to health personnel involved in patient care.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Sapienza Università di Roma
2020-01-23
€30,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The fine is based on the fact that, according to the data protection authority, the Sapienza Università made available online the identification data of two people who had reported possible illegal behaviour to the university. This was due to the lack of adequate technical access control measures within the whistleblowing management system, which had not limited access to such data to authorised personnel only.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
TIM (telecommunications operator)
2020-01-15
€27,800,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 17 GDPR
Art. 21 GDPR
Art. 32 GDPR
Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Furthermore, irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in Apps provided by the Company and invalid methods of consent were used. In some cases, paper forms requesting one single consent were used for various purposes, including marketing. Furthermore, data was kept longer than necessary and thus violated deletion periods. For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use of personal data for marketing purposes from those who had refused to receive promotional calls from the call centres.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Community of Francavilla Fontana
2020-01-15
€10,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
The community published on its website information about a court trial, including personal data such as health data about a data subject.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Zhang Bordeta 2006, S.L. (Store and Restaurant)
2020-01-14
€3,600.00
Non-compliance with general data processing principles
Art. 5 GDPR
The store and restaurant owner installed a video surveillance system which, among others, also took pictures of the sidewalk and thus of the public space, which violates the fundamental principle of data minimization.
Cypriot Data Protection Commissioner
Public Sector and Education
Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance
2020-01-13
€9,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GDPR.
Cypriot Data Protection Commissioner
Industry and Commerce
eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD)
2020-01-13
€1,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for telephone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages.
HDPA
Hellenic Data Protection Authority
Employment
Allseas Marine S.A.
2020-01-13
€15,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), (2) GDPR
The data protection supervisory authority fined the company for the extent to which employee data were processed by a video surveillance system in the workplace, for the unlawful introduction of that system, and for failing to inform its employees sufficiently about it.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-01-09
€3,000.00
Insufficient cooperation with supervisory authority
Art. 58 GDPR
Failure to provide information to the AEPD within the required timeframe, in violation of Article 58.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2020-01-07
€44,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The company had sent a contract with personal data, including the applicant's name, address and telephone number, to the wrong recipient.
AEPD
Spanish Data Protection Authority
Industry and Commerce
EDP España S.A.U.
2020-01-07
€75,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject.
AEPD
Spanish Data Protection Authority
Transportation and Energy
EDP Comercializadora, S.A.U.
2020-01-07
€75,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora and that the processing of data is therefore justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier.
AEPD
Spanish Data Protection Authority
Health Care
Asociación de Médicos Demócratas
2020-01-07
€10,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Asociación de Médicos Demócratas has processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects.
KZLD
Data Protection Commission of Bulgaria
Industry and Commerce
Utility Company
2020-01-06
€5,110.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The fine of approximately EUR 5,113 was imposed on a Bulgarian utility company for unlawful processing of the personal data of the data subject V.V. The personal data of V.V. were unlawfully processed and subsequently used to initiate an enforcement case against him for outstanding payment obligations. During the enforcement case, the bailiff seized the data subject's salary, and the data subject suffered damages as a result of the unlawful processing.
Data Protection Authority of Saarland
Individuals and Private Associations
Police officer
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Several cases in which police officers have accessed data in a police database for private research purposes.
Data Protection Authority of Saarland
Accommodation and Hospitality
Restaurant
2020
€10,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Excessive use of video surveillance in violation of the principle of data minimization.
Data Protection Authority of Hessen
Individuals and Private Associations
Employee at a Covid-19 testing center
2020
€300.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
An employee at a Covid-19 testing center used the data of a tested person to contact them via WhatsApp for private purposes.
Data Protection Authority of Brandenburg
Individuals and Private Associations
Operator of a ballet school
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 5 (1), (2) GDPR
Art. 6 (1) GDPR
Art. 7 (1) GDPR
The operator of a ballet school had published photos of underage students on their website and Facebook page without the consent of the legal guardians.
Data Protection Authority of Brandenburg
Individuals and Private Associations
Medical assistant
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 6 (1) GDPR
A medical assistant at a doctor's office stored a patient's telephone number in her mobile phone and then contacted him for private purposes.
Data Protection Authority of Hessen
Industry and Commerce
Corporation
2020
Fine amount not available
Insufficient fulfilment of data subjects' rights
Art. 12 (3) GDPR
Art. 15 GDPR
Failure to respond to the data subject's request for access to their data in a timely manner.
Data Protection Authority of Hamburg
Industry and Commerce
Clearview AI Inc.
2020
€10,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The DPA from Hamburg has fined Clearview AI Inc. EUR 10,000 for failing to provide information requested by the DPA during an investigation.
Data Protection Authority of Hamburg
Individuals and Private Associations
Police officer
2020
€300.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer has accessed data in a police database for private research purposes.
Data Protection Authority of Hamburg
Individuals and Private Associations
Police officer
2020
€400.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer has accessed data in a police database for private research purposes.
Data Protection Authority of Hamburg
Individuals and Private Associations
Police officer
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer has accessed data in a police database for private research purposes.
Data Protection Authority of Hamburg
Individuals and Private Associations
Police officer
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer has accessed data in a police database for private research purposes.
Data Protection Authority of Hamburg
Individuals and Private Associations
Police officer
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer has accessed data in a police database for private research purposes.
Data Protection Authority of Hamburg
Individuals and Private Associations
Police officer
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group.
Data Protection Authority of Hamburg
Individuals and Private Associations
Police officer
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group.
Data Protection Authority of Hamburg
Individuals and Private Associations
Police officer
2020
Fine amount not available
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group.
Data Protection Authority of Hamburg
Accommodation and Hospitality
Restaurant
2020
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Excessive use of video surveillance in violation of the principle of data minimization.
Data Protection Authority of Hamburg
Industry and Commerce
Company
2020
€13,000.00
Insufficient data processing agreement
Art. 26 (2) GDPR
The DPA from Hamburg has imposed a fine of EUR 13,000 on a company. An individual had booked and attended a course with a company, but had not paid the course fees incurred. Some time later, he registered for a course at another company of the same parent company and was rejected there. As a reason, he was told that he still had arrears with the company whose courses he had already attended. Following a complaint filed by the individual against the company, the DPA launched an investigation. It found that those companies shared a common database. It pointed out that the maintenance of a common customer database by several legally independent companies leads to joint responsibility according to Art. 26 GDPR. According to Art. 26 (2) GDPR, this requires an agreement that reflects the respective actual functions and relationships of the jointly responsible parties towards data subjects. However, no such agreement existed.
Data Protection Authority of Hamburg
Accommodation and Hospitality
Restaurant
2020
Fine amount not available
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. The fact that the list was openly displayed made it possible for unauthorised third parties to gain access to the data.
Data Protection Authority of Hamburg
Accommodation and Hospitality
Restaurant
2020
Fine amount not available
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. The fact that the list was openly displayed made it possible for unauthorised third parties to gain access to the data.
Data Protection Authority of Hamburg
Accommodation and Hospitality
Restaurant
2020
Fine amount not available
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. The fact that the list was openly displayed made it possible for unauthorised third parties to gain access to the data.
Data Protection Commissioner of Malta
Not assigned
Unknown
2020
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) b) GDPR
The controller has unlawfully disclosed personal data of a data subject.
Data Protection Commissioner of Malta
Not assigned
Unknown
2020
€2,500.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Accidental loss of personal data.
Data Protection Commissioner of Malta
Not assigned
Unknown
2020
€2,500.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
The controller has disclosed a personal email address to all recipients of the email.
Data Protection Commissioner of Malta
Not assigned
Unknown
2020
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
A third party has gained unauthorized access to another person's account.