A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
Data Protection Authority of Ireland
Industry and Commerce
VIEC Limited
2022-12-22
€100,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Irish DPA has imposed a fine of EUR 100,000 on the nursing home operator VIEC Limited.
The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The controller had suffered a phishing attack in which an unauthorized third party gained access to an email account of a VIEC manager. As a result, the unknown third party also managed to access personal data such as health and biometric data of home residents. The DPA found this to be a breach of the principle of integrity and confidentiality. The DPA also found that the controller had failed to implement appropriate technical and organizational measures to protect personal data.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Accomodation and Hospitalty
Hotel
2022-12-21
€8,000.00
Insufficient legal basis for data processing
Art. 5 (1) e) GDPR
Art. 6 (1) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 31 GDPR
The Hungarian DPA has imposed a fine of EUR 8,000 on a hotel. The controller had installed video surveillance cameras that covered the dining room and a whirlpool area permanently recording guests. The controller had installed the cameras for the purpose of protecting individuals and property. However, during its investigation, the DPA found that the controller's pursued purposes could not be considered proportionate to the severe interference with the guests' privacy. The DPA also found that the controller had failed to provide sufficient information about the video surveillance.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-12-20
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 1,000 on a private individual. A person had filed a complaint with the DPA because the controller had published their personal data such as name, surname, ID card number and date of birth without their consent in a WhatsApp group with 31 members. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Property owner administrative board
2022-12-20
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on a Property Owners Association. Two property owners had filed a complaint with the DPA. The individuals had submitted a request for a copy of financial documents to the board. The Association however published the requests with personal data of the individuals concerned on the bulletin board in a common area of the respective residential building. The DPA considered this to be a violation of the principle of confidentiality.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-12-20
€3,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 3,000 on a private individual. An individual had posted videos of teachers and underage students during physical education classes on the Internet to express his anger about the fact that students were required to wear masks during class. The DPA found that the individual had unlawfully processed the data of the data subjects due to the lack of consent of the data subjects as well as any other legal basis.
HDPA
Hellenic Data Protection Authority
Not assigned
ΜΑΡΙΑ ΠΕΔΙΩΤΗ ΚΑΙ ΣΙΑ Ο.Ε.
2022-12-19
€7,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 15 GDPR
Art. 31 GDPR
The Hellenic DPA has imposed a fine of EUR 7,000 on the company ΜΑΡΙΑ ΠΕΔΙΩΤΗ ΚΑΙ ΣΙΑ Ο.Ε. The company had not sufficiently complied with the request for information from a person, as the information was late and incomplete. In addition, the controller did not sufficiently cooperate with the DPA.
GARANTE
Italian Data Protection Authority
Employment
Comune di Borgia
2022-12-15
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 9 (2), (4) GDPR
Art. 37 (7) GDPR
The Italian DPA (Garante) imposed a fine of EUR 5,000 on Comune di Borgia. The municipality processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis. Also the Garante found that the municipality failed to provide the DPA the contact data of their data protections officer.
GARANTE
Italian Data Protection Authority
Employment
Comune di Vicchio
2022-12-15
€8,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 9 (2), (4) GDPR
The Italian DPA (Garante) imposed a fine of EUR 8,000 on Comune di Vicchio. The municipality processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis.
GARANTE
Italian Data Protection Authority
Employment
Comune di Bracciano
2022-12-15
€6,000.00
Insufficient legal basis for data processing
Art.5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 2-ter Codice della privacy
Art. 2-septies (8) Codice della privacy
The Italian DPA has imposed a fine of EUR 6,000 on Comune di Bracciano. A former employee had filed a complaint with the DPA due to the fact, that the municipality had published a document, containing personal health data of them, on their website. In the course of its investigation, the DPA found that the municipality had published the data without a valid legal basis and therefore had acted unlawfully.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Verizon Connect Italy S.p.A.
2022-12-15
€30,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 28 GDPR
The Italian DPA has fined Verizon Connect Italy S.p.A. EUR 30,000. An individual who worked for a Verizon customer had filed a complaint with the DPA. Verizon had installed GPS systems in delivery vehicles for the customer and was acting as a processor for them. During its investigation, the DPA found that the relationship between Verizon and the customer was not sufficiently regulated, contrary to the requirements of Art. 28 GDPR. The DPA therefore found that the data processed as part of the commissioned processing was consequently processed without a valid legal basis over a long period of time.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Edison Energia S.p.A.
2022-12-15
€4,900,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 12 (1), (2), (3) GDPR
Art. 21 (2) GDPR
Art. 24 (1), (2) GDPR
Art. 25 (1) GDPR
The Italian DPA has fined Edison Energia S.p.A. EUR 4.9 million. Several person had filed complaints with the DPA regarding unlawful marketing activities of the company. During its investigation, the DPA found that the company contacted data subjects by telephone for marketing purposes without their consent. For this purpose, the company used contact lists from third parties, which in many cases, however, did not contain the free, specific, informed and documented consent of the users to the disclosure of personal data. The DPA also found that Edison Energia did not provide data subjects with a direct and easy way to exercise their right to object. In addition, Edison Energia failed to respond to data subject requests in a timely manner in several cases. In addition, the DPA found that users of the app and website simultaneously consented to the use of their data for both marketing and profiling purposes. The DPA found that such consent did not correspond to voluntary and specific consent for different purposes. Finally, the DPA found that Edison Energia failed to provide data subjects with transparent information about the processing of their personal data.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
Societatea Energetică Electrica S.A.
2022-12-15
€5,000.00
Insufficient data processing agreement
Art. 28 (3) a) GDPR
The Romanian DPA has fined Societatea Energetică Electrica S.A. EUR 5,000 for a violation of Art. 28 (3) a) GDPR.
AEPD
Spanish Data Protection Authority
Health Care
HOSPITAL RECOLETAS PONFERRADA, S.L.
2022-12-15
€16,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 15 GDPR
The Spanish DPA has imposed a fine on the healthcare facility HOSPITAL RECOLETAS PONFERRADA, S.L.. A patient had filed a complaint with the DPA. The patient had filled out a consent form during a medical examination in which certain items were already pre-ticked. The DPA also found that the controller had not complied with the patient's request for access to their personal data in a timely manner. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
ORANGE ESPAGNE, S.A.U.
2022-12-15
€30,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA (AEPD) imposed a fine ORANGE ESPAGNE, S.A.U. due to insufficient legal basis for data processing. The data subject had filed a complaint against the data controller for registering a telephone line in their name without their consent or any contractual relationship. Rather, the contracts in question were concluded by fraudsters using the personal data of the data subject. Still, the personal data was entered into the company's information systems without any verification as to whether the contracts were lawful and actually concluded by the data subject. The original fine of EUR 60,000 was reduced to EUR 30,000 due to voluntary payment and admission of guilt.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Universitaria Friuli Occidentale
2022-12-15
€55,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 9 GDPR
Art. 14 GDPR
Art. 35 GDPR
Art. 2-sexies Codice della privacy
The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Friuli Occidentale. The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients' personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Universitaria Friuli Centrale
2022-12-15
€55,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 9 GDPR
Art. 14 GDPR
Art. 35 GDPR
Art. 2-sexies Codice della privacy
The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Friuli Centrale. The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients' personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Universitaria Giuliano Isontina
2022-12-15
€55,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 9 GDPR
Art. 14 GDPR
Art. 35 GDPR
Art. 2-sexies Codice della privacy
The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Giuliano Isontina . The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients' personal data for profiling. In addition, the DPA found that the health authority had failed to conduct a data protection impact assessment. In calculating the fine, the DPA took into account the aggravating factor that a large number of individuals were affected.
GARANTE
Italian Data Protection Authority
Health Care
Eurosanità S.P.A.
2022-12-15
€120,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 GDPR
Art. 9 GDPR
Art. 32 GDPR
The Italian DPA has imposed a fine of EUR 120,000 on Eurosanità S.P.A.. The controller operates various healthcare facilities. An individual had filed a complaint with the DPA for mistakenly receiving a document that contained medical records of another individual. The DPA found that the controller had not taken sufficient technical and organizational measures to protect personal data in order to avoid such incidents.
CNPD
National Commission for Data Protection
Real Estate
Manager of a real estate co-ownership
2022-12-13
€1,500.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 (1) GDPR
Art. 12 (3), (4) GDPR
Art. 15 (1) b), c) GDPR
The DPA of Luxembourg has imposed a fine of EUR 1,500 on a manager of a real estate co-ownership. The controller had disclosed personal data to unauthorized third parties without having a legal basis for such disclosure. In addition, the controller did not respond to requests from data subjects to exercise their rights in a timely manner.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2022-12-13
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject's consent to share their data. This allowed the fraudsters to gain access to the data subject's bank account and make unauthorized transactions. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2022-12-13
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject's consent to share their data. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2022-12-13
€56,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on Vodafone España, S.A.U.. A person had filed a complaint with the DPA because the company had given a duplicate of their SIM card to an unauthorized fraudulent third party without their consent. During its investigation, the DPA found that the company failed to verify the identity of the third party or obtain the data subject's consent to share their data. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
Deputy Data Protection Ombudsman
Finance, Insurance and Consulting
Alektum Oy
2022-12-13
€750,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 15 (1), (3) GDPR
The Finnish DPA has fined the debt collection company Alektum Oy EUR 750 000. The DPA opened an investigation against the controller after three people filed complaints against them. During its investigation, the DPA found that the controller had failed to respond at all or sufficiently to requests from data subjects regarding their data protection rights. The DPA also found that the controller had not sufficiently cooperated with the DPA.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-12-13
€1,000.00
Insufficient fulfilment of information obligations
Art. 12 (1) GDPR
The DPA of Luxembourg has imposed a fine of EUR 1,000 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-12-13
€2,500.00
Insufficient fulfilment of information obligations
Art. 12 (1) GDPR
The DPA of Luxembourg has imposed a fine of EUR 2,500 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-12-13
€2,100.00
Insufficient fulfilment of information obligations
Art. 12 (1) GDPR
Art. 13 GDPR
The DPA of Luxembourg has imposed a fine of EUR 2,100 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore the DPA found that the controller failed to provide the data subjects sufficient information on the processing of personal data, therefore violating Art. 13 GDPR.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-12-13
€700.00
Insufficient fulfilment of information obligations
Art. 12 (1) GDPR
Art. 13 (1) f) GDPR
The DPA of Luxembourg has imposed a fine of EUR 700 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore the DPA found that the controller failed to provide the data subjects sufficient information on the transfer of personal data to a third country or international organisation, therefore violating Art. 13 GDPR.
CNPD
National Commission for Data Protection
Not assigned
Company
2022-12-13
€1,400.00
Insufficient fulfilment of information obligations
Art. 12 (1) GDPR
Art. 13 GDPR
The DPA of Luxembourg has imposed a fine of EUR 1,400 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore the DPA found that the controller failed to provide the data subjects sufficient information on the processing of personal data, therefore violating Art. 13 GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Casa Rusu S.R.L.
2022-12-09
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Casa Rusu S.R.L. . The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. The controller had used an unauthorized form during the payment process on its website, through which the bank data of the customer cards were collected. This allowed unauthorized access to personal data such as the first and last name of the affected bank cardholder, card number, expiration date and year, CVC code. During its investigation, the DPA found that the controller failed to take appropriate technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-12-09
€480.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 13 GDPR
The Spanish DPA has fined a private individual. The individual had installed video surveillance cameras in a residential complex that also covered common areas. During its investigation, the DPA found that the individual did not have permission to install the cameras and therefore did not have a valid legal basis for data processing. In addition, the individual failed to provide information about the video surveillance to the data subjects. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Notary
2022-12-09
€8,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has fined a notary. The controller had consulted the land register of a property belonging to the data subject without an order requiring the consultation of this data or the consent of the data subject. The original fine of EUR 10,000 was reduced to EUR 8,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Real Estate
Private individual
2022-12-09
€120.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has fined a private individual. The controller had installed a video surveillance system in a multi-party residential building that they own. However, the information sign regarding the video surveillance system lacked information about the controller and the exercise of data subjects' rights. The original fine of EUR 150 was reduced to EUR 120 due to voluntary payment.
Deputy Data Protection Ombudsman
Accomodation and Hospitalty
Viking Line Oy Abp
2022-12-09
€230,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), d) GDPR
Art. 12 (3) GDPR
Art. 13 GDPR
Art. 15 (1) GDPR
Art. 25 (1) GDPR
The Finnish DPA has imposed a fine of EUR 230,000 on Viking Line Oy Abp.
A former employee had filed a complaint with the DPA. During its investigation, the DPA found that the controller had not complied with the data subject's request for access to their health data and that some of the medical data had been stored incorrectly.
The DPA also found that the medical data was stored with other personal data, although such storage is unlawful.
Furthermore, the DPA found that the controller had not properly informed its employees about the processing of their personal data, contrary to its obligation under Art. 13 GDPR.
CNIL
French Data Protection Authority
Media, Telecoms and Broadcasting
FREE SAS
2022-12-08
€300,000.00
Insufficient fulfilment of data subjects rights
Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 32 GDPR
Art. 33 GDPR
The French DPA has imposed a fine of EUR 300,000 on FREE SAS.
The DPA had received several complaints from individuals experiencing difficulties in exercising their rights to access and delete their personal data at FREE.
During its investigation, the DPA found that the company did not process the requests for access and deletion of personal data in a timely manner.
The DPA also found that the company failed to ensure the security of personal data. For example, the company allowed users to use insecure passwords and user passwords were stored unencrypted in the company's databases.
Finally, the DPA found that the company had not adequately documented a data breach.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Jewelry manufacturer
2022-12-08
€2,654.00
Insufficient fulfilment of information obligations
Art. 27 (2) Croatian Act on the Implementation of the GDPR
The Croation DPA (azop) has imposed a fine of EUR 2,654 on a jewelry manufacturer. The controller had installed a video surveillance system in its premises, however the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Retailer
2022-12-08
€2,654.00
Insufficient fulfilment of information obligations
Art. 27 (2) Croatian Act on the Implementation of the GDPR
The Croation DPA (azop) has imposed a fine of EUR 2,654 on a retailer. The controller had installed a video surveillance system in its premises, however the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Retailer
2022-12-07
€2,654.00
Insufficient fulfilment of information obligations
Art. 27 (2) Croatian Act on the Implementation of the GDPR
The Croation DPA (azop) has imposed a fine of EUR 2,654 on a retailer. The controller had installed a video surveillance system in its premises, however the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Fish market
2022-12-07
€1,991.00
Insufficient fulfilment of information obligations
Art. 27 (2) Croatian Act on the Implementation of the GDPR
The Croation DPA (azop) has imposed a fine of EUR 1,991 on a fish market. The controller had installed a video surveillance system in its premises, however the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Retailer
2022-12-06
€3,185.00
Insufficient fulfilment of information obligations
Art. 27 (2) Croatian Act on the Implementation of the GDPR
The Croation DPA (azop) has imposed a fine of EUR 3,185 on a retailer. The controller had installed a video surveillance system in its premises, however the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Retailer
2022-12-06
€1,991.00
Insufficient fulfilment of information obligations
Art. 27 (2) Croatian Act on the Implementation of the GDPR
The Croation DPA (azop) has imposed a fine of EUR 1,991 on a retailer. The controller had installed a video surveillance system in its premises, however the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Betting place
2022-12-05
€1,991.00
Insufficient fulfilment of information obligations
Art. 27 (1), (2) Croatian Act on the Implementation of the GDPR
The Croation DPA (azop) has imposed a fine of EUR 1,991 on a betting place.
The controller had installed a video surveillance system in its premises, however the DPA found that the video surveillance notice was not visible for data subjects entering the video perimeter. Furthermore the the video surveillance notice did not contain all relevant information on the CCTV. The DPA therefore concluded that the controller had violated Art. 27 (1) and (2) of the Croatian Act on the Implementation of the GDPR.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Retailer
2022-12-05
€3,583.00
Insufficient fulfilment of information obligations
Art. 27 (1) Croatian Act on the Implementation of the GDPR
The Croation DPA (azop) has imposed a fine of EUR 3,583 on a retailer.
The controller had installed a video surveillance system in their premises, however the DPA found that the controller failed to inform the data subjects about the fact that they would be recorded by the CCTV. The DPA therefore concluded that the controller had violated Art. 27 (1) of the Croatian Act on the Implementation of the GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
INDECEMI, S.L.
2022-12-03
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has imposed a fine of EUR 3,000 on INDECEMI, S.L.. A person had filed a complaint with the DPA against the controller after receiving an email from the controller containing personal data (first name, last name, address, telephone number, etc.) of another person in the context of a complaint. The DPA considered this to be a violation of the principle of integrity and confidentiality.
AEPD
Spanish Data Protection Authority
Industry and Commerce
LORENT 2013, S.L
2022-12-03
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on LORENT 2013, S.L.. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Homeowners Association
2022-12-03
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine on a Homeowners Association. The association had installed several video surveillance cameras across the residential area which, among other things, also covered the common area. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
CASA 7 PERSONAL SHOPPER, S.L.
2022-12-02
€3,500.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine of EUR 3,500 on CASA 7 PERSONAL SHOPPER, S.L. The controller sent an e-mail with personal data to several recipients in an open distribution list. This made it possible for the recipients to view the e-mail addresses of all other recipients.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Federation of Sports for People with Intellectual Disabilities of Castilla la Mancha-FECAM
2022-12-02
€3,600.00
Insufficient legal basis for data processing
Art. 9 (2) a) GDPR
Art. 13 GDPR
The Spanish DPA has fined the Federation of Sports for People with Intellectual Disabilities of Castilla la Mancha-FECAM. The controller processed medical data from Covid-19 antigen tests of participants in sports competitions without their consent to the processing. In addition, the DPA found that the controller failed to inform the data subjects of the data retention period. The original fine of EUR 6,000 was reduced to EUR 3,600 due to voluntary payment and admission of responsibility.
GARANTE
Italian Data Protection Authority
Employment
Lazio Region
2022-12-01
€100,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 113 Codice della privacy
Art. 114 Codice della privacy
The Italian DPA has fined Lazio Region EUR 100,000. A trade union had filed a complaint with the DPA alleging that the Region had monitored the e-mail accounts of employees of the Region's legal department. The Region had initiated such monitoring on suspicion of possible disclosure of information protected by official secrecy to third parties. The Region stored and analyzed the employees' data for 180 days. The data included not only information related to work, but also personal data of the data subjects concerning their private sphere. During its investigation, the DPA found that the Region at the time did not have a valid legal basis for such a large-scale collection of personal data.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Store owner (Joy Unique Collection)
2022-12-01
€6,000.00
Insufficient fulfilment of information obligations
Art. 5 GDPR
Art. 13 GDPR
Art. 114 Codice della privacy
The Italian DPA has fined the owner of the store 'Joy Unique Collection' EUR 6,000 . The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Store owner (Woolen)
2022-12-01
€3,000.00
Insufficient fulfilment of information obligations
Art. 5 GDPR
Art. 13 GDPR
Art. 114 Codice della privacy
The Italian DPA has fined the owner of the store 'Woolen' EUR 3,000 . The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing.
