A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
Dentist
2023-01-31
€1,000.00
Insufficient legal basis for data processing
Art. 6 (1) a) GDPR
Art. 9 (2) a) GDPR
The Romanian DPA has fined a dentist EUR 1,000. The controller had published medical information of a patient, such as photos and X-rays, in an article on a medical blog. However, it had failed to obtain the patient's consent before publishing the medical data. Therefore, the DPA found that the controller had unlawfully processed the data.
AEPD
Spanish Data Protection Authority
Not assigned
Unknown
2023-01-31
€180.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on a data controller. The data controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-01-31
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-01-31
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 600 on a private individual. The individual had installed a video surveillance camera at their home that recorded, among other things, common areas of the residential complex. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-01-27
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded a neighbouring property and the public space. The DPA considered this to be a violation of the principle of data minimization.
GARANTE
Italian Data Protection Authority
Health Care
Azienda ULSS n.5 Polesana
2023-01-26
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 9 GDPR
Art. 32 GDPR
The Italian DPA has imposed a fine of EUR 5,000 on Azienda ULSS n.5 Polesana. The healthcare facility had mistakenly sent a patient medical record to the wrong patient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data, which allowed such an incident to occur.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Ospedaliera Bianchi Melacrino Morelli
2023-01-26
€7,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 9 GDPR
Art. 32 GDPR
Art. 75 Codice della privacy
The Italian DPA has imposed a fine of EUR 7,000 on Azienda Ospedaliera Bianchi Melacrino Morelli. The controller had mistakenly sent a document containing health data of the data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data.
GARANTE
Italian Data Protection Authority
Employment
Misterbianco municipality
2023-01-26
€5,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 5,000 on Misterbianco municipality. An employee had filed a complaint with the DPA because the municipality had published a document containing their personal data on its website. In the course of its investigation, the DPA found that the municipality had published the data without a valid legal basis and therefore had acted unlawfully.
AEPD
Spanish Data Protection Authority
Not assigned
Unknown
2023-01-25
€180.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on a data controller. The data controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
CASAL DE L'ESPLUGA DE FRANCOLÍ
2023-01-25
€3,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on CASAL DE L'ESPLUGA DE FRANCOLÍ. A club managed by the controller had uploaded pictures of a competition showing minors on social media. The mother of a child had filed a complaint because she had not given her permission for the pictures to be published. The DPA therefore determined that the controller, in the absence of a valid legal basis, had unlawfully processed the images. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-01-20
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, recorded a neighbouring property. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
TECNO MOTOR LA MUELA, S.L.L
2023-01-20
€360.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine on TECNO MOTOR LA MUELA, S.L.L. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the video surveillance and thus violated its duty to inform under Art. 13 GDPR. The original fine of EUR 600 was reduced to EUR 360 due to voluntary payment and admission of responsibility.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
WhatsApp Ireland Ltd.
2023-01-19
€5,500,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 12 GDPR
Art. 13 (1) c) GDPR
The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual.
WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the acceptance of the updated terms of use constituted a contract between WhatsApp and the user, since the processing of the data would be necessary for the provision as well as the improvement of the services. According to WhatsApp, the data processing was therefore lawful pursuant to Art. 6 (1) b) GDPR. However, the complainant argued that WhatsApp was actually trying to rely on consent as a legal basis for processing users' data. By making the access to its services conditional on users' consent to the updated terms of service, WhatsApp was forcing users to consent to the processing of their personal data.
Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The DPC found that WhatsApp did not rely on user consent as a legal basis, and did not consider 'coerced consent' in this case. It also did not rule out the possibility that WhatsApp relied on a contractual legal basis. In response, the DPC received objections from different supervisory authorities. However, the DPC found that WhatsApp had breached its transparency obligations under the GDPR, by not clearly explaining to users for what purpose and on what legal basis their personal data would be processed.
As no agreement could be reached on the disputed points, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR. In its decision, the EDPB confirmed the violation of transparency obligations by WhatsApp. However, the EDPB took a different position than the DPC on the issue of the legal basis and found that WhatsApp was not entitled to rely on a contractual legal basis. The EDPB therefore found that WhatsApp had violated Art. 6 (1) GDPR. The DPC agreed in its final decision and imposed the fine and also required WhatsApp to bring its data processing into compliance within three months.
The DPC agreed in its final decision and imposed the fine and also required WhatsApp to bring its data processing into compliance within six months.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Szczecin-Centrum District Court
2023-01-19
€6,400.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 24 (1) GDPR
Art. 25 (1), (2) GDPR
Art. 32 (1), (2) GDPR
The Polish DPA has imposed a fine of EUR 6,400 on the Szczecin-Centrum District Court.
The court had reported a data breach to the DPA involving the loss of three data carriers. One data carrier was an official and encrypted one, the other two were private and unencrypted data carriers containing drafts of court rulings and statements with personal data.
In the course of its investigation, the DPA discovered that data carriers which had not been checked and secured by the court's IT department had been used on official computers over a period of many years. In addition, the DPA found that although there were regulations prohibiting the use of private data carriers, the court failed to check whether employees actually complied with these regulations. In addition, the court failed to implement technical measures to prevent the use of private data carriers.
AP
Dutch Supervisory Authority for Data Protection
Public Sector and Education
Dutch Social Insurance Institution (SVB)
2023-01-19
€150,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1), (2) GDPR
The Dutch DPA has imposed a fine of EUR 150,000 on the Dutch Social Insurance Institution (SVB). The controller had suffered a data breach in which a client's data had been leaked to unauthorized third parties. An unknown third party had succeeded in requesting benefit information via the controller's telephone helpdesk. In the course of its investigation, the DPA found that the controller had failed to implement sufficient technical and organizational measures to protect personal data. For example, the DPA found that the system for verifying the identity of callers was inadequate and verification questions were too simple.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Dante Internațional SA
2023-01-18
€1,000.00
Insufficient fulfilment of data subjects rights
Art. 17 GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on Dante Internațional SA. A data subject had filed a complaint with the DPA against the controller because the controller continued to send them advertisements even though they had requested the deletion of their data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private investigator
2023-01-18
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has fined a private investigator EUR 2,000. An individual who had hired the investigator filed a complaint with the DPA. They stated that the controller had failed to inform them sufficiently about the processing of their personal data conducted as part of the investigation. In addition, the DPA found that the controller had a contact form on its website with no reference to the privacy policy.
INTEGRITETSSKYDDSMYNDIGHETEN
Data Protection Authority of Sweden
Health Care
Dalarna Region
2023-01-17
€17,900.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) GDPR
The Swedish DPA has imposed a fine of EUR 17,900 on Dalarna Region. The region had sent out invitations for patient visits where the respective healthcare facility, such as a children's hospital, was visible on the envelope window. The DPA found that this visibility allowed unauthorized persons to gain access to patients' personal data. The DPA concluded that the region had failed to implement adequate technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-01-16
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and neighbour properties. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Vodafone España, S.A.U.
2023-01-16
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Thomas International Systems, S.A.
2023-01-16
€40,000.00
Insufficient legal basis for data processing
Art. 9 GDPR
The Spanish DPA has imposed a fine on Thomas International Systems, S.A.. Thomas International performs psychological tests on behalf of other companies. Thomas International had conducted such a test on behalf of the company Agroxarxa, S.L.. A participant of such a test had filed a complaint against the controller because they had to provide sensitive personal data (ethnicity, disability). However, Agroxarxa had indicated that the test did not request and process such sensitive data. During its investigation, the DPA found that Thomas International had nevertheless processed sensitive personal data without the consent of the data subject or the processing being necessary for the fulfillment of the contractually agreed purpose between Agroxarxa and Thomas International. The DPA considered this to be a violation of Art. 9 GDPR. The original fine of EUR 50,000 was reduced to EUR 40,000 due to voluntary payment.
Cypriot Data Protection Commissioner
Media, Telecoms and Broadcasting
Πολίτης newspaper
2023-01-16
€7,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 6 (1) f) GDPR
The Cypriot DPA has imposed a fine of EUR 7,000 on the newspaper 'Πολίτης'. The controller had unlawfully published the names and pictures of two police officers.
AEPD
Spanish Data Protection Authority
Industry and Commerce
EDITORIAL RIBADEO S.L.
2023-01-13
€1,000.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Spanish DPA has imposed a fine of EUR 1,000 on EDITORIAL RIBADEO S.L. for failing to comply with an order issued by the DPA.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
Intellexa SA
2023-01-13
€50,000.00
Insufficient cooperation with supervisory authority
Art. 31 GDPR
The Hellenic DPA has fined Intellexa SA EUR 50,000. The controller had not properly cooperated with the DPA during an investigation.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
BRISTOL LOGISTICS SA
2023-01-12
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 10,000 on BRISTOL LOGISTICS SA. The DPA received a notification from BRISTOL LOGISTICS SA of a personal data breach under Art. 33 GDPR. The notification stated that a binder containing the personnel files of 12 employees had been stolen, which led to unauthorized persons having access to personal data. The DPA considered this to be a violation of Art. 32 GDPR, as the controller had failed to implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.
AEPD
Spanish Data Protection Authority
Employment
SERVICIOS INTEGRALES DEL HOGAR TENERIFE, S.L.
2023-01-12
€3,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on SERVICIOS INTEGRALES DEL HOGAR TENERIFE, S.L. A former employee had filed a complaint with the DPA due to the controller's unauthorized disclosure of their personal data via WhatsApp after they left the company. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and admission of responsibility.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Ufficio Scolastico Regionale per la Lombardia, Ufficio IV - Ambito Territoriale di Brescia
2023-01-11
€6,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 2-ter Codice della privacy
Art. 2-septies (8) Codice della privacy
The Italian DPA has imposed a fine of EUR 6,000 on Ufficio Scolastico Regionale per la Lombardia, Ufficio IV - Ambito Territoriale di Brescia. The school board had published a document, which contained personal health data of a teacher on its website. In the course of its investigation, the DPA found that the school had published the data without a valid legal basis and therefore had acted unlawfully.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Ospedale-Università Padova
2023-01-11
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA has imposed a fine of EUR 5,000 on Azienda Ospedale-Università Padova. The controller had sent an email containing consent forms for participation in a clinical trial to several recipients in an open distribution list. This allowed the recipients to view the email addresses of all other recipients, 19 in total.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2023-01-10
€120.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on a homeowners' association for failing to provide sufficient information about video surveillance in the residential area. The original fine of EUR 150 was reduced to EUR 120 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-01-10
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a private individual EUR 300. The individual had installed video surveillance cameras on their property which covered, among other things, a neighboring property. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2023-01-09
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a private individual EUR 300. The individual had installed video surveillance cameras on their property which covered, among other things, a neighboring property. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization.
VDAI
Lithuanian Data Protection Authority
Industry and Commerce
Praktiškas UAB
2023-01-09
€6,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 9 (1) GDPR
Art. 13 (1), (2) GDPR
Art. 30 (1), (3) GDPR
Art. 35 (1), (3) GDPR
The Lithuanian DPA has fined Praktiškas UAB, the operator of SportGates sports clubs, EUR 6,000. The controller had processed biometric data of customers in the context of their access to sports facilities. During its investigation, the DPA found that the customers' consent to the processing of their biometric data could not be considered voluntary. This was because the controller did not offer the provision of any other type of information for access to the sports clubs. Nor did it provide the data subjects with information about possible alternatives for accessing the sports club. In addition, the DPA found that the controller did not provide the data subjects with sufficient information about the processing of their personal biometric data. The controller also failed to conduct a data protection impact assessment before processing the personal data.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
Meta Platforms Ireland Limited
2023-01-04
€390,000,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
Art. 12 GDPR
Art. 13 (1) c) GDPR
The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals.
Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of service, Meta informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. Meta assumed that the acceptance of the updated terms of use constituted a contract between Meta and the user, since the processing of the data would be necessary for the provision as well as the improvement of the services. According to Meta, the data processing was therefore lawful pursuant to Art. 6 (1) b) GDPR. However, the complainant argued that Meta was actually trying to rely on consent as a legal basis for processing users' data. By making the access to its services conditional on users' consent to the updated terms of service, Meta was actually forcing users to consent to the processing of their personal data.
Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The DPC found that Meta did not rely on user consent as a legal basis, and did not consider 'coerced consent' in this case. It also did not rule out the possibility that Meta relied on a contractual legal basis. In response, the DPC received objections from different supervisory authorities. However, the DPC found that Meta had breached its transparency obligations under the GDPR, by not clearly explaining to users for what purpose and on what legal basis their personal data would be processed.
As no agreement could be reached on the disputed points, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR. In its decision, the EDPB confirmed the violation of transparency obligations by Meta. However, the EDPB took a different position than the DPC on the issue of the legal basis and found that Meta was not entitled to rely on a contractual legal basis. The EDPB therefore found that Meta had violated Art. 6 (1) GDPR. The DPC agreed in its final decision and imposed the fine and also required Meta to bring its data processing into compliance within three months.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Apă Canal Ilfov SA
2023-01-04
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
Art. 32 (4) GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on Apă Canal Ilfov SA. The controller sent an e-mail with personal data to several recipients in an open distribution list. This made it possible for the recipients to view the e-mail addresses of all other recipients.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Real Estate
Homeowners Association
2023-01-03
€500.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
The Romanian DPA has imposed a fine of EUR 500 on a homeowners' association. The controller had publicly posted a list with the first and last names of all members of the association.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Transport Workers' Union of Aragon
2023-01-03
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has fined the Transport Workers' Union of Aragon EUR 3,000. The union had published a document with personal data (surname, first name and identity card number) of members of the strike committee on various social networks. During its investigation, the DPA found that the incident may have occurred due to the union's failure to implement sufficient technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Transportation and Energy
FACTOR ENERGÍA, S.A.
2023-01-02
€24,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on FACTOR ENERGÍA, S.A. A data subject had filed a complaint with the DPA because they had received advertising messages from the controller even though no contractual relationship existed between them. According to the DPA, the controller had processed the data unlawfully in the absence of a valid legal basis. The original fine of EUR 40,000 was reduced to EUR 24,000 due to voluntary payment and admission of responsibility.
Data Protection Authority of Sachsen-Anhalt
Health Care
Magdeburg University Hospital
2023
€9,000.00
Insufficient fulfilment of data breach notification obligations
Art. 33 GDPR
The DPA of Sachsen-Anhalt has imposed a fine of EUR 9,000 on Magdeburg University Hospital. The clinic had failed to report to the DPA a data breach involving a former employee having unlawfully disclosed personal data from the clinic's systems to third parties.
AEPD
Spanish Data Protection Authority
Industry and Commerce
ADENET SYSTEMS, S.L.
2022-12-29
€3,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on ADENET SYSTEMS, S.L. for failing to provide requested information to the DPA within the required timeframe, in violation of Art. 58 GDPR.
AEPD
Spanish Data Protection Authority
Transportation and Energy
SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.
2022-12-29
€24,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. A customer had filed a complaint with the DPA because the controller had switched their electricity and gas supplier without obtaining their consent beforehand. The original fine of EUR 30,000 was reduced to EUR 24,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2022-12-28
€300.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 300 on a homeowners' association for failing to provide sufficient information about video surveillance in the residential area.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
MAE WEST SYSTEMS, S.L.
2022-12-28
€400.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined MAE WEST SYSTEMS, S.L. EUR 400. The controller had installed video surveillance in a bar it operated without providing sufficient information about the video surveillance.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-12-28
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbour property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2022-12-28
€600.00
Insufficient legal basis for data processing
Art. 6 (1) e) GDPR
Art. 13 GDPR
The Spanish DPA has fined a homeowners' association EUR 600. The controller had installed an unauthorized CCTV system in the residential area. In addition, the DPA found that the controller had not provided sufficient information about the data processing by the CCTV.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2022-12-28
€300.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA (AEPD) has fined a store owner EUR 300 for failing to provide information signs about CCTV surveillance in their premises.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2022-12-28
€100,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine of EUR 100,000 on Vodafone España, S.A.U. for data processing without a sufficient legal basis. A data subject stated that a prepaid line, on which charges had been incurred, had been registered in their name. However, the data subject had never concluded a contract with the company for this line. Rather, the contract in question had been concluded by fraudsters using the data subject's personal data. Nevertheless, the personal data was entered into the company's information systems without any verification as to whether the contract had actually and lawfully been concluded by the data subject.
AEPD
Spanish Data Protection Authority
Employment
Homeowners Association
2022-12-28
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 15 GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on a homeowners' association. An individual who did cleaning work in the residential complex had filed a complaint with the DPA because members of the association had added them to a WhatsApp group without their consent. The data subject was required to upload pictures of the cleaning they had done for documentation purposes. The DPA concluded that adding their phone number to the WhatsApp group without their consent violated Art. 6 GDPR and was therefore unlawful. The DPA also found that the controller had not complied with the data subject's request for access to personal data in a timely manner, therefore violating Art. 15 GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Kaufland Romania SCS
2022-12-27
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 29 GDPR
Art. 32 (1) b) GDPR
Art. 32 (2), (4) GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on Kaufland Romania SCS. The controller had reported a data breach to the DPA according to Art. 33 GDPR.
An employee had taken pictures of the CCTV recordings with their cell phone and transmitted them to a third party. The third party then published the images on which two people and a license plate could be identified on the website of a local newspaper. The DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data.
Deputy Data Protection Ombudsman
Industry and Commerce
Company
2022-12-27
€122,000.00
Insufficient legal basis for data processing
Art. 9 GDPR
The Finnish DPA has imposed a fine of EUR 122,000 on a company whose products process health data, such as heart rate.
The DPA had received several complaints regarding the processing of health data from data subjects. During its investigation, the DPA found that the company did not have a sufficient legal basis to process various types of health data. While the company had informed users of the products about the processing of personal health data in general, it had failed to provide information for each of the different types of health data (e.g., body mass index or oxygen capacity), such as the purpose of the processing. Accordingly, the DPA found that the users' consent could not be valid since it was not given on an individual basis and with full knowledge of the facts.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
SUDREZIDENȚIAL Broker S.R.L.
2022-12-22
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (4) GDPR
The Romanian DPA has imposed a fine of EUR 10,000 on SUDREZIDENȚIAL Broker S.R.L. An employee of the controller had, without authorization, published on the Internet an Excel spreadsheet containing personal data (such as first name, last name, telephone number, ID number, e-mail address and bank details) of 509 customers of the controller. In the course of its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data.