GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority
Name
Fined Company
Fine
Violation
Description
Link
GARANTE
Italian Data Protection Authority
Employment
A.R.N.A.S. Civico
2022-12-01
€6,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 2-ter Codice della privacy
Art. 2-septies (8) Codice della privacy
The Italian DPA has imposed a fine of EUR 6,000 on A.R.N.A.S. Civico. Two employees of the controller had filed a complaint with the DPA. During its investigation, the DPA found that the controller had published two documents containing personal health data of the data subjects on the Internet without their consent, thus making them available to the public.
GARANTE
Italian Data Protection Authority
Employment
Amazon Italia Logistica s.r.l.
2022-12-01
€20,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 15 GDPR
The Italian DPA has fined Amazon Italia Logistica s.r.l. EUR 20,000. A former employee had requested documents from the controller, which however they did not receive in time. During its investigation, the DPA found that the controller had not sufficiently fulfilled its obligation to comply with the data subject's request for access.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Store owner
2022-12-01
€2,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA has fined a store owner EUR 2,000 for failing to provide sufficient information pursuant to Art. 13 GDPR about CCTV surveillance in their premises.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-11-29
€500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and furthermore published the recorded images on Facebook. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Not assigned
Company
2022-11-29
€3,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 3,000 on a company. The controller had installed a video surveillance system that also recorded the voices of both employees and customers. During its investigation, the DPA found that the controller did not have a valid legal basis for processing the information of the voices as part of the video surveillance. In addition, the DPA found that the controller failed to provide sufficient information about the video surveillance, including information about the processing, the identity of the controller, and the exercise of data subjects' rights.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
Meta Platforms Ireland Limited
2022-11-25
€265,000,000.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1), (2) GDPR
The Irish DPA has fined Meta Platforms Ireland Limited EUR 265 million. The DPA had launched an investigation against Meta in 2021 after media reports indicated that a dataset containing personal data from Facebook had been made available on a hacking platform. The data leak affected up to 533 million users and their data, such as phone numbers and email addresses. As part of the investigation, the DPA reviewed and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools. The DPA primarily reviewed the implementation of technical and organizational measures to protect personal data and found a breach of Art. 25 GDPR.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
OTP LEASING ROMANIA IFN SA
2022-11-25
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 3,000 on OTP LEASING ROMANIA IFN SA. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. An individual had informed the controller that they had gained unauthorized access to an IT platform operated by the controller by changing the URL address and creating an administrator account. This enabled the person to gain unauthorized access to personal data. The DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. This resulted in unauthorized access to the personal data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
ALPA 57 PRODUCCIONES, S.L.
2022-11-25
€1,800.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Spanish DPA (AEPD) has fined ALPA 57 PRODUCCIONES, S.L. for failing to provide information requested by the DPA during an investigation. The original fine of EUR 3,000 was reduced to EUR 1,800 due to immediate payment and acknowledgement of guilt.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications (APEDANICA)
2022-11-25
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has fined the Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications (APEDANICA) EUR 5,000. Employees of the company LEGAL ERASER SL had filed a complaint with the DPA. The controller had requested information about LEGAL ERASER from the DPA as part of the right to information based on the Spanish Transparency Act. The controller then published the documents, some of which contained personal data of LEGAL ERASER's customers and employees, on 58 links on the Internet.
AZOP
Croatian Data Protection Authority
Accommodation and Hospitality
Company in the hospitality industry
2022-11-25
€1,991.00
Insufficient fulfilment of information obligations
Art. 27 (2) Croatian Act on the Implementation of the GDPR
The Croatian DPA (AZOP) has imposed a fine of EUR 1,991 on a company in the hospitality industry. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Betting place
2022-11-25
€1,991.00
Insufficient fulfilment of information obligations
Art. 27 (2) Croatian Act on the Implementation of the GDPR
The Croatian DPA (AZOP) has imposed a fine of EUR 1,991 on a betting place. The controller had installed a video surveillance system in its premises; however, the DPA found that the video surveillance notice did not contain all relevant information. The DPA therefore concluded that the controller had violated Art. 27 (2) of the Croatian Act on the Implementation of the GDPR.
GARANTE
Italian Data Protection Authority
Health Care
Società Lombarda Sport s.r.l.
2022-11-24
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 9 GDPR
The Italian DPA has fined Società Lombarda Sport s.r.l. EUR 4,000. An individual had filed a complaint with the DPA. The individual had undergone a sports fitness examination with the company for the purpose of attending sports courses. However, the company then had passed on the result of their examination without a valid legal basis.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Health Care
Medicover S.R.L.
2022-11-24
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
Art. 32 (4) GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on Medicover S.R.L. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. The controller had inadvertently sent documents containing personal data to the wrong recipient. As a result, personal data such as the data subject's name, correspondence address, e-mail and health data were disclosed without authorization. The DPA determined that the incidents were due to the controller's failure to implement appropriate technical and organizational measures to protect the processing of personal data.
CNIL
French Data Protection Authority
Transportation and Energy
ÉLECTRICITÉ DE FRANCE
2022-11-24
€600,000.00
Insufficient fulfilment of data subjects' rights
Art. 7 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 15 GDPR
Art. 21 GDPR
Art. L. 34-5 CPCE
The French DPA has imposed a fine of EUR 600,000 on ÉLECTRICITÉ DE FRANCE (EDF), France's largest electricity supplier. The DPA had received several complaints that individuals were experiencing difficulties in exercising their rights with EDF. During its investigation, the DPA found that EDF's privacy policy did not provide sufficient information on various aspects of data processing, such as the retention period of personal data. In addition, the DPA found that EDF had not responded to a number of data subject requests in a timely manner. Also, EDF failed to respect data subjects' right to object to advertising requests in some cases. Furthermore, the DPA noted that EDF failed to demonstrate that it had obtained valid consent from data subjects in the context of a commercial solicitation campaign. Finally, the DPA concluded that EDF had failed to implement sufficient technical and organizational measures to protect personal data. EDF had insecurely stored passwords of more than 25,000 customer accounts. In addition, the company had merely hashed, and not salted, the passwords of 2.4 million accounts.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Areti spa
2022-11-24
€1,000,000.00
Non-compliance with general data processing principles
Art. 5 (1) d), e) GDPR
Art. 5 (2) GDPR
Art. 12 GDPR
Art. 15 GDPR
Art. 24 GDPR
The Italian DPA has fined electricity supplier Areti spa EUR 1 million. A customer had filed a complaint with the DPA due to Areti classifying them as a defaulting customer, which prevented them from switching to another electricity supplier. This was due to the fact that outdated data in Areti's databases had not been updated following a mismatch in the company's internal systems. The incident affected around 47,000 customers. The DPA's investigation also found that Areti had stored the data for an inadequate length of time. In addition, Areti failed to properly respond to requests to exercise data subject rights.
GARANTE
Italian Data Protection Authority
Industry and Commerce
STS Di Prisinzano s.r.l
2022-11-24
€1,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA has fined STS Di Prisinzano s.r.l EUR 1,000. The company had processed data of a customer in the context of a breakdown service without sufficiently informing the customer about the processing of their personal data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-11-21
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
ING Bank NV Amsterdam Sucursala București
2022-11-21
€20,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1), (2) GDPR
The Romanian DPA has imposed a fine of EUR 20,000 on ING Bank NV Amsterdam Sucursala București. The bank had reported a data breach to the DPA pursuant to Art. 33 GDPR. Several personal data of customers, such as ID card data, bank data, bank card data, etc., were accessed and disclosed without authorization. This resulted in payment transactions being carried out by unauthorized third parties. During its investigation, the DPA found that the bank had failed to implement adequate technical and organizational measures to protect personal data, which allowed the unauthorized access.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Homeowners Association Bld. Pipera 1-2E
2022-11-18
€300.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Romanian DPA (ANSPDCP) has fined Homeowners Association 'Bld. Pipera 1-2E' EUR 300 for failing to provide information requested by the DPA during an investigation.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Raiffeisen Bank SA
2022-11-16
€28,000.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 32 (1), (2), (4) GDPR
The Romanian DPA has imposed a fine of EUR 28,000 on Raiffeisen Bank SA. The bank had reported several data breaches pursuant to Art. 33 GDPR to the DPA. During its investigation, the DPA found that the bank conducted queries in a credit agency without the consent of the data subjects. In addition, the DPA found that the bank had granted credit to several customers without the affected customers having applied for it. Furthermore, the bank had inadvertently sent personal data of data subjects to wrong recipients, allowing them to access the data. The DPA found that the bank had failed to implement adequate technical and organizational measures to protect personal data. This resulted in unauthorized access and/or disclosure of personal data.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
BANKINTER, S.A.
2022-11-15
€80,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Spanish DPA has imposed a fine on BANKINTER, S.A. A person had filed a complaint with the DPA because personal data of a third person were also displayed to them when accessing their bank account. The DPA found that the unauthorized disclosure of the third-party data occurred due to a lack of adequate technical and organizational measures to protect personal data at the bank. The original fine of EUR 100,000 was reduced to EUR 80,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Banco Bilbao Vizcaya Argentaria S.L.
2022-11-11
€48,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A. An individual had filed a complaint with the DPA after requesting information on one of their accounts and then receiving contract information belonging to a third party. The DPA found that the unauthorized disclosure of third-party data was due to inadequate technical and organizational measures at the bank. The original fine of EUR 80,000 was reduced to EUR 48,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
XASTRE DO PETO, S.L.
2022-11-11
€3,600.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 13 GDPR
Art. 21 GDPR
The Spanish DPA has imposed a fine of EUR 3,600 on XASTRE DO PETO, S.L. (restaurant). An individual had filed a complaint with the DPA due to the fact that the controller required them to fill out a form with their personal information for contact tracing purposes in the context of the Covid-19 pandemic. However, during its investigation, the DPA found that the legal basis for collecting the contact information had expired in the meantime and that the controller had therefore processed the data unlawfully. The DPA also found that the controller did not provide data subjects with sufficient information on data processing. The DPA further determined that the controller did not provide data subjects with an easy way to object to the processing of personal data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-11-10
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Homeowners Association
2022-11-10
€900.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine on a Homeowners Association. The association had installed several video surveillance cameras across the residential area which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 1,500 was reduced to EUR 900 due to voluntary payment and admission of responsibility.
CNIL
French Data Protection Authority
Media, Telecoms and Broadcasting
DISCORD INC.
2022-11-10
€800,000.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
Art. 13 GDPR
Art. 25 (2) GDPR
Art. 32 GDPR
Art. 35 GDPR
The French DPA has imposed a fine of EUR 800,000 on DISCORD INC. DISCORD offers an online communication service through which users can chat or make video calls. During its investigation, the DPA found that the company had failed to establish, and also to comply with, a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts of French users within the DISCORD database that had not been used for more than three years, and approximately 50,000 accounts that had not been used for more than five years. Further, the DPA noted that the company did not have complete information regarding retention periods. Also, the DPA found that the company had failed to ensure data protection by default, contrary to the obligation under Art. 25 (2) GDPR: it was possible for user data to be transmitted even after the communication application was closed. The DPA also found that the company had failed to sufficiently ensure the security of personal data by accepting insecure passwords from users. The company accepted user passwords consisting of six characters containing only letters and numbers. Finally, the DPA found that the company had failed to conduct a data protection impact assessment.
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone Italia S.p.A.
2022-11-10
€500,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
Art. 130 (1), (2), (3) Codice della privacy
The Italian DPA has imposed a fine of EUR 500,000 on Vodafone Italia S.p.A. A customer had filed a complaint with the DPA against Vodafone. The 80-year-old customer had been contacted by an external call center commissioned by Vodafone. During the conversation, the call center concluded a new contract with the customer without their consent. During its investigation, the DPA also found that the customer had not received sufficient information about the processing of their personal data. In addition, the call center had read out the information too quickly, making the content incomprehensible. In calculating the fine, the DPA took into account, as an aggravating factor, that Vodafone had already committed similar violations in the past. However, the fact that Vodafone immediately terminated the contract in question was taken into account as a mitigating factor.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Usl Valle d'Aosta
2022-11-10
€40,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) a), f) GDPR
Art. 9 GDPR
Art. 25 GDPR
Art. 32 GDPR
The Italian DPA has fined Azienda Usl Valle d'Aosta EUR 40,000. An employee and patient of the health department had filed a complaint with the DPA because a colleague who had never treated them had repeatedly accessed their medical file, despite the fact that they had explicitly refused their consent to the data processing. During its investigation, the DPA found that, in order to simplify patient management during the Covid-19 pandemic, the health department had simplified the medical record system. As a result, patient medical records were accessible to any employee, whether or not the affected patient had consented to it. The DPA considered this a violation of the obligation to implement appropriate technical and organizational measures to protect personal data.
GARANTE
Italian Data Protection Authority
Employment
Villafranca di Verona municipality
2022-11-10
€4,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA (Garante) imposed a fine of EUR 4,000 on Villafranca di Verona municipality. The municipality had published a document containing personal data of an employee on its website.
GARANTE
Italian Data Protection Authority
Employment
Sportitalia
2022-11-10
€20,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 9 GDPR
Art. 13 GDPR
Art. 30 (1) c) GDPR
The Italian DPA (Garante) imposed a fine of EUR 20,000 on Sportitalia. The controller processed biometric data (fingerprints) of employees for the purpose of registering their attendance. Garante found that such extensive processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Furthermore, Garante determined that the processing of biometric data had taken place without sufficiently informing the data subjects about the processing.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Cisterna di Latina Municipality
2022-11-10
€5,000.00
Non-compliance with general data processing principles
Art. 5 GDPR
Art. 12 GDPR
Art. 37 GDPR
The Italian DPA has imposed a fine of EUR 5,000 on Cisterna di Latina Municipality. An individual had filed a complaint with the DPA. The individual had submitted a request to the municipality for access to their personal data. Due to an error, the data was not disclosed to the data subject but to a third party. For this reason, the data subject did not receive a response to their request. In addition, the DPA found that the municipality had not appointed a data protection officer.
GARANTE
Italian Data Protection Authority
Industry and Commerce
I-Model s.r.l.
2022-11-10
€10,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 17 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 10,000 on I-Model s.r.l. A data subject had filed a complaint with the DPA against the controller because the controller continued to send them SMS advertisements, despite the fact that they had requested the deletion of their data and the controller had confirmed the deletion.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Cisterna di Latina municipality
2022-11-10
€5,000.00
Insufficient fulfilment of data subjects' rights
Art. 5 GDPR
Art. 12 GDPR
Art. 37 GDPR
The Italian DPA has imposed a fine of EUR 5,000 on Cisterna di Latina municipality. An individual had filed a complaint with the DPA because the municipality had not responded to their request for access to their personal data in a timely manner. During its investigation, the DPA found that the municipality had mistakenly sent the data requested by the data subject to a third party rather than to the data subject. In addition, the DPA found that the municipality failed to appoint a new data protection officer several months after the initially appointed data protection officer resigned.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Conservatorio di Musica S. Cecilia di Roma
2022-11-10
€6,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 38 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 6,000 on 'Conservatorio di Musica S. Cecilia di Roma'. A student of the educational institution had filed a complaint with the DPA for having received a disciplinary sanction for a statement made during a student assembly. Although it was not supposed to be, the assembly was recorded and the institution used the recordings to base the disciplinary action on it. During its investigation, the DPA determined that the controller did not have a valid legal basis to use the assembly recordings and, therefore, the processing of the student's personal data was unlawful. Also, the DPA found that the educational institution's data protection officer was also the institution's director. The DPA considered this to be an unlawful conflict of interest.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Accommodation and Hospitality
SC Das Sense Society SRL
2022-11-09
€1,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Romanian DPA (ANSPDCP) has fined SC Das Sense Society SRL EUR 1,000 for failing to provide information requested by the DPA during an investigation.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
SC Prestige Media PHG SRL
2022-11-08
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
The Romanian DPA has imposed a fine of EUR 5,000 on SC Prestige Media PHG SRL. The controller had published 23 documents containing information on the termination of employment relationships and personal data of the data subjects on its website. Some of the data subjects had no legal relationship with the controller.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
Romanian Post
2022-11-07
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), (2) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on the Romanian Post. The Post suffered a data breach where staff lost several mailings containing pension statements, employment certificates and death certificates. The incident affected 35 individuals (recipients). The DPA found that the Post had failed to implement adequate technical and organizational measures to protect personal data that might have prevented such an incident.
AEPD
Spanish Data Protection Authority
Transportation and Energy
UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC
2022-11-03
€70,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine of EUR 70,000 on UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC (UPS). A person had filed a complaint with the DPA because UPS had delivered a package from them to a neighbor without their consent. The DPA considered this to be an unauthorized disclosure of their data, which was a result of a lack of technical and organizational measures for personal data protection. The DPA also found that this unauthorized disclosure of personal data constituted a violation of the principle of integrity and confidentiality.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Burwebs S.L.
2022-11-03
€75,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), e) GDPR
Art. 12 (2) GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 30 (1) GDPR
Art. 22 (2) LSSI
The Spanish DPA has fined Burwebs S.L. EUR 75,000. Burwebs operates websites with adult content. During its investigation, the DPA found that Burwebs did not process users' data transparently. In addition, Burwebs retained users' personal data for an indefinite period of time. Further, the DPA found that Burwebs processed the data of minor users without requiring any parental consent. Burwebs also complicated the exercise of data subjects' rights under the GDPR and had not sufficiently informed users about the processing and storage of their personal data in its privacy policy. Finally, the DPA found that Burwebs' record of processing activities was not complete.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
CAIXABANK S.A.
2022-11-02
€25,000.00
Insufficient fulfilment of data subjects' rights
Art. 16 GDPR
The Spanish DPA has imposed a fine of EUR 25,000 on CAIXABANK S.A. The data subject had repeatedly and unsuccessfully requested that their address on file with the bank be updated. The DPA considered this to be a violation of Art. 16 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
CÍTRICOS TANTA, S.L.
2022-11-02
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 5,000 on CÍTRICOS TANTA, S.L. The controller had entered personal data of an employee in the Social Security General Employee Register without the employee ever having actually worked. For this reason, the controller would have been obliged to cancel the data subject's entry in the register within 72 hours, which the controller failed to do. In the absence of any work performed by the data subject, the controller no longer had a legal basis to upload the data to the register. Therefore, the DPA found that the failure to delete the data constituted unlawful processing of the data subject's personal data.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Rapido Finance, S.L.
2022-11-02
€2,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on Rapido Finance, S.L. The data subject had received a message from a company acting on behalf of Rapido Finance requesting payment of outstanding debts. However, the data subject had already paid the debts, which was also confirmed in a court ruling. For this reason, the DPA determined that the disclosure of the data subject's personal data for the purpose of contacting them regarding the settlement of the debt was unlawful.
UODO
Polish National Personal Data Protection Office
Public Sector and Education
Mayor
2022-11-02
€1,700.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 5 (2) GDPR
Art. 25 (1) GDPR
Art. 32 (1), (2) GDPR
The Polish DPA has imposed a fine of EUR 1,700 on the mayor of Dobrzyniewo Duże municipality. The mayor had reported a data breach to the DPA pursuant to Art. 33 GDPR. An employee's work computer, which contained personal data, had been stolen. During its investigation, the DPA determined that the data on the computer was not adequately secured and that the municipality had failed to take appropriate technical measures to protect personal data.
CNPD
Portuguese Data Protection Authority
Public Sector and Education
Setúbal municipality
2022-11-02
€180,000.00
Non-compliance with general data processing principles
Art. 5 (1) e), f) GDPR
Art. 13 (1), (2) GDPR
Art. 37 (1), (7) GDPR
The Portuguese DPA has imposed a fine of EUR 170,000 on Setúbal municipality. The DPA found data protection violations regarding the collection of personal data from Ukrainian refugees. The municipality had asked refugees to fill out a form at the time of their arrival and provide various personal data, such as name, date of birth, marital status, etc. The DPA noted that the municipality had not sufficiently informed the data subjects about the data processing. In addition, the DPA found that the municipality had failed to implement sufficient technical and organizational measures to protect personal data, as well as to define a retention period for the data. The municipality had also failed to appoint a data protection officer.
CNPD
Portuguese Data Protection Authority
Public Sector and Education
Portuguese National Statistical Institute
2022-11-02
€4,300,000.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 9 (1) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 28 (1), (6), (7) GDPR
Art. 35 (1), (2), (3) b) GDPR
Art. 44 GDPR
Art. 46 (2) GDPR
The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4.3 million. The DPA found numerous violations of the GDPR in connection with the 2021 census in Portugal. The DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects' ability to freely express their will regarding data processing. In addition, the DPA found that the controller failed to exercise due diligence in selecting its processor, contrary to its obligation under Art. 28 GDPR. Furthermore, the data processing agreement permitted the transfer of personal data outside the EEA without providing for additional security measures beyond the SCCs approved by the European Commission, as required under the Schrems II ruling. The DPA considered this to be a breach of Art. 44 GDPR and Art. 46 (2) GDPR. Finally, the DPA found that the controller failed to conduct a data protection impact assessment regarding the census.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-10-31
€2,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on a member of a staff council. The individual had sent minutes of staff council meetings to unauthorized third parties that were not members of the staff council. During its investigation, the DPA found that the individual did not have an effective legal basis for sending the emails.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
BANCO BILBAO VIZCAYA ARGENTARIA, S.A.
2022-10-31
€70,000.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine of EUR 70,000 on BANCO BILBAO VIZCAYA ARGENTARIA, S.A. A customer of the bank had filed a complaint with the DPA. The customer had in the past, in their capacity as an attorney, filed a statement of claim against the bank on behalf of their client, who was also a customer of the bank. The bank had then sent a reply to the client in which it inadvertently stated the private address of the attorney (the data subject) instead of their professional address. The DPA firstly found that the bank processed the attorney's personal data in a way that was incompatible with the purposes for which the data were collected (management of their private account). In addition, the DPA found that the unauthorized disclosure of the attorney's personal data occurred due to inadequate technical and organizational measures at the bank.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
Vodafone España, S.A.U.
2022-10-31
€56,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A person had filed a complaint with the DPA after having unsuccessfully requested a copy of their phone contract from Vodafone several times. Eventually, the person received an e-mail, but it contained the phone contract of another customer. The DPA considered this to be a violation of the principle of integrity and confidentiality as set out in Art. 5 (1) f) GDPR. In addition, the DPA found that Vodafone failed to implement adequate technical and organizational measures to protect personal data, which could have prevented the incident. The original fine of EUR 70,000 was reduced to EUR 56,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
TECHPUMP SOLUTIONS S.L.
2022-10-31
€525,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), e) GDPR
Art. 6 (1) GDPR
Art. 8 GDPR
Art. 12 (1), (2) GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 30 (1) GDPR
Art. 22 (2) LSSI
The Spanish DPA has fined Techpump Solutions S.L. EUR 525,000. Techpump operates several websites with adult content. The DPA found several violations of data protection law during its investigation. Firstly, the DPA found that, contrary to the information given in its privacy policy, Techpump shared users' personal data with companies belonging to the same group. In addition, the DPA found that Techpump had not specified a retention period for users' personal data and kept it indefinitely until users requested to withdraw their consent. Techpump also processed users' personal data without first obtaining their consent. Further, the DPA found that Techpump did not have sufficient parental controls to prevent minors under the age of 14 from accessing its content. In addition, Techpump's privacy policy was only available in English rather than Spanish, and the information was not clearly understandable. Techpump also required that individuals who wished to exercise their data subject rights submit their ID card information in order to verify their identity. The DPA considered this to be an unacceptable impediment to the exercise of data subject rights. Finally, Techpump also collected various data, such as IP addresses and Wi-Fi data, without having defined a processing purpose for it.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
ACKERMANN & SCHWARTZ ATTORNEYS AT LAW SLP
2022-10-26
€10,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 10,000 on ACKERMANN & SCHWARTZ ATTORNEYS AT LAW SLP. The law firm had collected personal data from website users without obtaining their consent. In addition, the DPA found that the privacy policy on the website did not contain sufficient information. For example, information on the controller's contact details and information on exercising data subjects' rights were missing.