A list of GDPR fines imposed by European data protection authorities since 2019, totalling €3,994,443,726.
Each entry below gives, in order: Data Protection Authority (abbreviation and name), Sector, Fined Company, Date, Fine, Violation Type, Articles Violated, Description.
AEPD
Spanish Data Protection Authority
Industry and Commerce
EL RACO DEL PIS INVERSIONES S.L.
2022-10-25
€9,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine of EUR 9,000 on EL RACO DEL PIS INVERSIONES S.L. The controller had sent an e-mail to an open distribution list (all recipients in the To or Cc field), making the e-mail addresses of all recipients visible to one another.
AEPD
Spanish Data Protection Authority
Not assigned
Company
2022-10-24
€240.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine on a company. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 300 was reduced to EUR 240 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-10-24
€400.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 400 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
ADSL HOUSE, S.L.
2022-10-24
€8,000.00
Insufficient fulfilment of data subjects' rights
Art. 48 (1) b) LGT
Art. 21 GDPR
Art. 23 (4) LOPDGDD
The Spanish DPA (AEPD) imposed a fine of EUR 8,000 on ADSL HOUSE, S.L. The data subject had received advertising calls from the controller although they were registered in the Robinson advertising exclusion list.
GARANTE
Italian Data Protection Authority
Employment
Istituto di Istruzione Superiore G. Renda di Polistena, Reggio Calabria
2022-10-20
€900.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 900 on the educational institution 'Istituto di Istruzione Superiore G. Renda di Polistena, Reggio Calabria'. A former employee of the municipality filed a complaint with the DPA because a document containing their personal data had been unlawfully published on the website of the educational institution. The document contained information about the termination of the employment relationship.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Italian Archery Federation (FITARCO)
2022-10-20
€10,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 10 GDPR
Art. 2-ter Codice della privacy
Art. 2-octies Codice della privacy
The Italian DPA (Garante) has fined the Italian Archery Federation (FITARCO) EUR 10,000. A member of the federation had filed a complaint with the DPA because the federation had unlawfully published documents containing their personal data on its website. The documents contained, among other things, data relating to criminal convictions and offences concerning the data subject.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Comune di Salento
2022-10-20
€12,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b), e) GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 15 GDPR
Art. 30 GDPR
The Italian DPA has imposed a fine of EUR 12,000 on Comune di Salento. An individual had lodged a complaint with the DPA after a CCTV recording had been used to prove that he had disregarded the curfew introduced as part of the Covid-19 countermeasures.
During its investigation, the DPA found that processing the personal data for the purpose of proving the curfew violation was not lawful, since the cameras had originally been installed to combat street crime. The municipality was therefore processing the data for a purpose other than the original one, which constitutes a breach of the purpose limitation principle laid down in the GDPR. The DPA also found that the municipality stored the recordings for an excessive period and did not provide the data subject with sufficient information about the CCTV. Furthermore, the municipality had failed to respond to the data subject's access request in a timely manner. Finally, the municipality had failed to maintain a register of processing activities for certain periods.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Douglas Italia S.p.a.
2022-10-20
€1,400,000.00
Non-compliance with general data processing principles
Art. 5 (1) b), e) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 12 (1) GDPR
Art. 13 (2) a) GDPR
Art. 24 GDPR
Art. 25 (1) GDPR
The Italian DPA has imposed a fine of EUR 1.4 million on Douglas Italia S.p.a. for various GDPR violations.
In the course of its investigation, the DPA first found that customers had to give a single consent covering the privacy notices, the cookie policy and the general terms and conditions (GTC) at the same time. The DPA considered this a breach of Art. 6 GDPR and Art. 7 GDPR, because without separate options for each notice the data subject's consent to the processing of their personal data could not be considered freely given.
Douglas had merged with other companies and in the process acquired additional personal data. The DPA found that after acquiring the data, Douglas had kept the data for an excessive period of time without obtaining consent from the data subjects to use it for its own purposes.
The DPA also found that Douglas retained data of customers who had not renewed their loyalty cards for an excessive period of time.
Douglas also failed to provide its customers with sufficient and accurate information about the data processing.
The DPA also found that Douglas did not use the data for direct marketing in accordance with customer consent. For example, customers who had only consented to telemarketing also received SMS marketing messages.
Finally, the DPA found that Douglas had breached its accountability obligations regarding the processing of personal data on its blog.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-10-20
€1,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 1,000 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization.
GARANTE
Italian Data Protection Authority
Health Care
I.S.P.R.O.
2022-10-20
€7,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 9 GDPR
The Italian DPA (Garante) has imposed a fine of EUR 7,000 on the oncology health care facility I.S.P.R.O. An individual had mistakenly been sent another patient's medical records by e-mail.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Fondazione Teatro Regio di Torino
2022-10-20
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 (1) GDPR
Art. 2-septies (8) Codice della privacy
The Italian DPA has imposed a fine of EUR 5,000 on Fondazione Teatro Regio di Torino. A member of the foundation had filed a complaint with the DPA because the foundation had published a document containing their personal health data on its website. In the course of its investigation, the DPA found that the foundation had published the data without a valid legal basis and had therefore acted unlawfully.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Ospedaliero-Universitaria Careggi di Firenze
2022-10-20
€9,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 9 GDPR
Art. 32 GDPR
The Italian DPA has imposed a fine of EUR 9,000 on Azienda Ospedaliero-Universitaria Careggi di Firenze. The controller had mistakenly sent a patient's medical record to the wrong patient. The DPA found that the healthcare facility had not taken sufficient technical and organizational measures to protect personal data, which allowed such an incident to occur.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
RESTEXPERIENCE, S.L.
2022-10-19
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has fined RESTEXPERIENCE, S.L. EUR 5,000. The controller had accidentally sent an email containing tax information of 36 individuals to 11 unauthorized individuals. The DPA considered this to be a breach of the principle of integrity and confidentiality. It also found that the company had failed to implement appropriate technical and organizational measures to protect personal data.
ICO
Information Commissioner
Industry and Commerce
Interserve Group Limited
2022-10-19
€5,033,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The UK DPA (ICO) has fined the construction group Interserve Group Limited EUR 5,033,000. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR.
Interserve had suffered a cyber attack in which the attackers sent a phishing e-mail to the mailbox of Interserve's accounting team. An employee opened the mail and then downloaded and opened an attached zip file. This allowed the attackers to install malware and exfiltrate personal data of 113,000 employees. The exfiltrated data included bank account details, social security numbers, ethnicity, sexual orientation and religion of the data subjects, among other things.
The DPA's investigation found that inadequate security measures allowed the attack to succeed.
Interserve employees, for example, had not been adequately trained on data privacy.
In addition, Interserve processed personal data on unsupported operating systems that no longer received security updates for vulnerabilities in the system. Interserve had also not conducted adequate vulnerability scans. Finally, Interserve's information security team had not sufficiently investigated the incident because the antivirus software had reported that the malware was removed.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
SC Materiale Constructii Online SRL
2022-10-18
€2,000.00
Insufficient cooperation with supervisory authority
Art. 58 (1) GDPR
The Romanian DPA (ANSPDCP) has fined SC Materiale Constructii Online SRL EUR 2,000 for failing to provide information requested by the DPA during an investigation.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Private individual
2022-10-18
€150.00
Insufficient legal basis for data processing
Art. 6 (1) a) GDPR
The Romanian DPA has imposed a fine of EUR 150 on a private individual. The individual had made unauthorized use of another person's personal data without their consent.
AEPD
Spanish Data Protection Authority
Industry and Commerce
INMUR JOYEROS, S.L.
2022-10-17
€180.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on INMUR JOYEROS, S.L. The controller had failed to display a notice informing about the video surveillance on its premises. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-10-17
€500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) fined a private individual EUR 500. The individual had installed video surveillance cameras on their property which covered, among other things, the public space and a neighboring property. The AEPD found that such extensive video surveillance constituted a violation of the principle of data minimization.
CNIL
French Data Protection Authority
Industry and Commerce
Clearview AI Inc.
2022-10-17
€20,000,000.00
Insufficient fulfilment of data subjects' rights
Art. 6 GDPR
Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 31 GDPR
The French DPA (CNIL) has fined Clearview AI Inc. EUR 20,000,000. The company holds a database of more than 20 billion facial images (including those of French residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that identifies individuals based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such as image tags and geolocation.
In the course of its investigation, the DPA found that the personal data in the company's database had been processed unlawfully, without a valid legal basis.
In addition, the DPA found that Clearview AI restricted the exercise of data subjects' rights.
For example, it limited the exercise of data subjects' rights to twice a year without justification. Data subjects also had to submit several requests before one was answered, and requests were often not answered at all or only inadequately.
Finally, the DPA criticized Clearview AI's lack of cooperation: the company either did not respond to the DPA's investigation forms at all or responded only very incompletely.
AEPD
Spanish Data Protection Authority
Not assigned
Company
2022-10-17
€6,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has imposed a fine of EUR 6,000 on a company. The data controller had installed video surveillance cameras which also recorded sound. However, the DPA found that the controller did not have a sufficient legal basis for the surveillance and the recordings therefore had been obtained unlawfully.
AEPD
Spanish Data Protection Authority
Transportation and Energy
OES GLOBAL ENERGY S.L.
2022-10-17
€35,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA imposed a fine of EUR 35,000 on OES GLOBAL ENERGY S.L. A customer of the controller had filed a complaint with the DPA after receiving an e-mail from the controller containing documents relating to the termination of other customers' electricity contracts. These documents contained personal data of those customers, such as their names and ID numbers. The DPA considered this unlawful disclosure of personal data to be a violation of the principle of confidentiality and integrity and evidence of insufficient technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Public Sector and Education
SEAN SERIOS S.L.
2022-10-14
€12,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 12,000 on SEAN SERIOS S.L. The controller had published the results of a selection procedure on a website. This included, among other things, personal data of the participants, such as surname, first name and score in the selection process. In the course of its investigation, the DPA found that the controller did not have a sufficient legal basis for publishing the data.
AEPD
Spanish Data Protection Authority
Real Estate
PUNTO BADAL-BCN S.L.
2022-10-09
€4,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Spanish DPA has imposed a fine on the real estate agency PUNTO BADAL-BCN S.L. The controller had sent marketing e-mails to several people in an open distribution list, making the e-mail addresses of all recipients visible to one another. The original fine of EUR 5,000 was reduced to EUR 4,000 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
CAJA DE SEGUROS REUNIDOS, COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
2022-10-09
€24,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on CAJA DE SEGUROS REUNIDOS, COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. A data subject had filed a complaint with the DPA. He had taken out an insurance policy with the controller, naming his then partner as beneficiary. After the separation, the ex-partner asked the controller to change the direct debit for the premium from the data subject's account to her own account, and the controller made this change without the data subject's consent. The DPA considered this an unlawful alteration of the data subject's personal data. The original fine of EUR 40,000 was reduced to EUR 24,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-10-09
€900.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Spanish DPA has imposed a fine on a private individual. The individual had sent e-mails containing personal data to several recipients in an open distribution list without authorization, which allowed every recipient to see the e-mail addresses of all the others. The original fine of EUR 1,200 was reduced to EUR 900 due to voluntary payment and admission of responsibility.
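The failure behind this fine, and behind the EL RACO DEL PIS INVERSIONES and PUNTO BADAL-BCN fines above, is the same: every recipient of a mailing is placed in To or Cc, so the whole list is disclosed to each one. The Python below is an added example, not code from the page or from any of the fined controllers. It shows the exposed pattern beside a sender that puts bulk recipients in Bcc, an audit that refuses any message exposing more than one visible address, and the on-the-wire form with the Bcc header stripped. The function and class names and the example.com/example.org addresses are my own assumptions.

```python
"""Keep recipient addresses confidential when mailing a list.

Added example for this page, not code from any of the fined controllers;
all names and addresses here are constructed for illustration.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy
from email.utils import getaddresses


class RecipientExposure(Exception):
    """Raised when a message would reveal other recipients' addresses."""


def visible_addresses(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def audit_visible_recipients(msg: EmailMessage, max_visible: int = 1) -> None:
    """Refuse a message that exposes more than max_visible addresses.

    One visible address (the sender's own or a role mailbox) is allowed so
    that the To field is not empty; everyone else belongs in Bcc.
    """
    seen = visible_addresses(msg)
    if len(seen) > max_visible:
        raise RecipientExposure(
            f"{len(seen)} addresses would be visible to every recipient; "
            "move bulk recipients to Bcc"
        )


def build_exposed_message(sender, recipients, subject, body) -> EmailMessage:
    """The pattern the DPA fined: the whole list in the To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender, recipients, subject, body) -> EmailMessage:
    """Compose a mailing with the list in Bcc and only the sender visible."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                                  # the only address anyone sees
    msg["Bcc"] = ", ".join(dict.fromkeys(recipients))   # dedupe, keep order
    msg["Subject"] = subject
    msg.set_content(body)
    audit_visible_recipients(msg)                       # fail loudly rather than leak
    return msg


def envelope_recipients(msg: EmailMessage) -> list[str]:
    """SMTP RCPT TO list: To + Cc + Bcc, as smtplib.send_message derives it."""
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Bcc", []))
    return [addr for _name, addr in getaddresses(headers) if addr]


def wire_bytes(msg: EmailMessage) -> bytes:
    """The message as sent in the SMTP DATA phase: Bcc headers removed.

    smtplib.SMTP.send_message() strips Bcc/Resent-Bcc itself; doing it
    explicitly here lets a test prove that no list address reaches a recipient.
    """
    outgoing = message_from_bytes(msg.as_bytes(), policy=default_policy)
    del outgoing["Bcc"]
    del outgoing["Resent-Bcc"]
    return outgoing.as_bytes()


if __name__ == "__main__":
    customers = [f"customer{i}@example.com" for i in range(40)]  # constructed list
    mailing = build_bulk_message("news@example.org", customers, "Offer", "Hello")
    print("visible:", visible_addresses(mailing))
    print("envelope recipients:", len(envelope_recipients(mailing)))
    print("list address on the wire:", b"customer7@example.com" in wire_bytes(mailing))
    try:
        audit_visible_recipients(
            build_exposed_message("news@example.org", customers, "Offer", "Hello"))
    except RecipientExposure as exc:
        print("rejected:", exc)
```

The audit belongs at the sending boundary (the wrapper around smtplib or the mail API), not in the code that composes the message, so that a template change or an ad-hoc script cannot bypass it.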
AEPD
Spanish Data Protection Authority
Not assigned
Company
2022-10-09
€800.00
Insufficient legal basis for data processing
Art. 6 (1) e) GDPR
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 800 on a company. The controller had installed video surveillance cameras without obtaining authorization for the installation. In addition, the controller failed to provide signs regarding the CCTV with the contact details of the data controller.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
UNION DE OFICIALES DE LA GUARDIA CIVIL PROFESIONAL
2022-10-09
€6,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 6,000 on the association UNION DE OFICIALES DE LA GUARDIA CIVIL PROFESIONAL.
A person had filed a complaint with the DPA because the controller had contacted them without them being a member of the association or otherwise having given their permission to be contacted.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
EVERIS SPAIN S.L
2022-10-09
€64,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine on EVERIS SPAIN S.L. Everis had published information on sold data of users of an insurance company, as well as records containing personal data of the insurance company's Spanish customers. The DPA considered this a violation of the confidentiality of the data. It also found that the unlawful publication had been possible due to, among other things, a lack of technical and organizational measures to protect personal data at the time of the data breach. The original fine of EUR 80,000 was reduced to EUR 64,000 due to voluntary payment.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Servizio Idrico Integrato S.c.p.a.
2022-10-06
€15,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Italian DPA has fined Servizio Idrico Integrato S.c.p.a. EUR 15,000. The controller had operated a website on which personal data was collected through a web form that was not protected by SSL/TLS, so the data was submitted in clear text. The DPA found that transport encryption of the form would have been necessary for the security of the data and therefore concluded that the controller had failed to implement appropriate technical and organizational measures to protect personal data.
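What the Garante faulted here is a form that submits personal data over plain HTTP. As an added example that is not part of the page or of the controller's site, the Python below parses the forms on a page and flags any whose resolved submission target is not https, including the common case of a relative action on an http page. The sample HTML, the example.org URLs and the function names are constructed for illustration.

```python
"""Find HTML forms that would submit personal data without TLS.

Added example for this page; not code from the fined controller or the
Garante. The page URL and HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Controls that carry no user data; everything else (text, hidden, password,
# select, textarea ...) is treated as a field whose value goes over the wire.
_NON_DATA_INPUTS = {"submit", "button", "reset", "image"}


class _FormCollector(HTMLParser):
    """Collect action, method and field names for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            if a.get("type", "").lower() not in _NON_DATA_INPUTS:
                self._current["fields"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url: str, html: str) -> list[dict]:
    """Return the forms on a page whose submission target is not https.

    The action is resolved against the page URL because an empty or relative
    action inherits the page's own scheme: a form on an http:// page with
    action="/submit" posts in clear text even if the rest of the site is
    https. An https page with an explicit http:// action is flagged too.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append({"target": target,
                             "method": form["method"],
                             "fields": form["fields"]})
    return findings


# Constructed sample: a citizen-report form with a relative action next to a
# login form that already posts to an https endpoint.
SAMPLE_HTML = """
<html><body>
<form action="/segnalazioni" method="post">
  <input name="nome"> <input name="codice_fiscale">
  <textarea name="messaggio"></textarea>
  <input type="submit" value="Invia">
</form>
<form action="https://secure.example.org/login" method="post">
  <input name="user"> <input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in insecure_forms("http://www.example.org/contatti", SAMPLE_HTML):
        print("clear-text form:", finding["method"].upper(), finding["target"],
              "fields:", ", ".join(finding["fields"]))
    print("same page served over https:",
          insecure_forms("https://www.example.org/contatti", SAMPLE_HTML))
```

Run it against the page as actually served (the fetched HTML and the final URL after redirects), not against a template: the same markup is clean on an https URL and a clear-text leak on an http one, which is exactly why the action has to be resolved against the page URL.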
GARANTE
Italian Data Protection Authority
Media, Telecoms and Broadcasting
Alpha Exploration
2022-10-06
€2,000,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), e), f) GDPR
Art. 6 GDPR
Art. 7 GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 27 (4) GDPR
Art. 28 GDPR
Art. 32 GDPR
Art. 35 GDPR
The Italian DPA has imposed a fine of EUR 2 million on Alpha Exploration. Alpha Exploration operates the social network Clubhouse.
In the course of its investigation, the DPA found numerous violations of the GDPR. For example, the DPA found that there was a lack of transparency regarding the use of users' data and their chat contacts. In addition, users of the network were able to store and share audio messages from other users without their consent. Moreover, account information was shared with unauthorized third parties without a valid legal basis. In addition, the company failed to define retention periods for personal data.
Also, the company failed to provide users with sufficient information about numerous aspects of the processing of their personal data and had not implemented sufficient technical and organizational measures to protect personal data.
Finally, the DPA found that the company failed to conduct a data protection impact assessment. At the end of the investigation, the DPA not only imposed a fine but also ordered a number of measures to be taken by the company. For example, the company must define retention periods and introduce a function that informs users that their chats are being recorded.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Codess Sociale, Soc. Coop. sociale.
2022-10-06
€10,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 (3), (4) GDPR
Art. 17 GDPR
The Italian DPA has imposed a fine of EUR 10,000 on Codess Sociale, Soc. Coop. sociale. A former volunteer member had filed a complaint with the DPA, stating that on resigning they had requested the deletion of their personal data from the controller's archives. The controller, however, failed to comply with the request in due time.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
Associazione Rescue Drones Network ODV
2022-10-06
€3,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 15 (3) GDPR
The Italian DPA has imposed a fine of EUR 3,000 on Associazione Rescue Drones Network ODV. A founding member of the association had filed a complaint with the DPA. The member had learned of disciplinary proceedings against them and intended to use documents from their e-mail account for their defence. However, the controller had blocked access to that account, preventing them from retrieving the documents they needed. The member therefore asked the controller to grant them access to the e-mail account, but the controller never responded to the request. The DPA considered this a violation of the data subject's right of access under Art. 12 GDPR and Art. 15 (3) GDPR.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Poste Italiane S.p.a.
2022-10-06
€10,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 (3), (4) GDPR
The Italian DPA (Garante) fined Poste Italiane S.p.a. EUR 10,000 for failing to respond to the data subject's request for access to their data in a timely manner.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Finance, Insurance and Consulting
Bank
2022-10-05
€72,500.00
Insufficient legal basis for data processing
Art. 5 (2) GDPR
Art. 6 (1) GDPR
Art. 12 (1) GDPR
The Hungarian DPA has imposed a fine of EUR 72,500 on a bank. An individual had filed a complaint with the DPA. The bank had conducted a credit check on the individual based on a credit application. However, the bank later conducted a second credit check, although the individual had not requested a new credit offer. The DPA therefore found that this second credit check was carried out unlawfully due to the lack of a legal basis.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Club Náutico el Estacio
2022-10-04
€6,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on Club Náutico el Estacio. A data subject had filed a complaint against the controller with the AEPD because the controller had published the notice and minutes of the club's ordinary meeting on its website, disclosing personal data without any access restriction.
ICO
Information Commissioner
Industry and Commerce
Easylife Ltd.
2022-10-04
€1,547,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 13 (1) c) GDPR, Regulation 21 PECR
The UK DPA has imposed a fine of EUR 1,547,000 on Easylife Ltd. Easylife is a retailer that sells household items as well as services and products under its health, motor, supercard and garden clubs.
When purchasing certain products, the company made assumptions about the customer's health condition, whereupon the customer was then offered further products for purchase by phone or SMS that were related to their health condition.
Of the 122 products in Easylife's Health Club catalog, 80 were classified as 'trigger products'. Once a customer bought one of these products, Easylife created a profile of them in order to target them with health-related items.
During its investigation, the DPA found that the company collected and used the personal data (health data) of a total of 145,500 data subjects without their consent or even knowledge.
The DPA found that this 'invisible' processing of the personal data constituted a serious violation of the data subjects' rights, as they were not able to exercise their privacy and data protection rights at all due to lack of knowledge of the processing.
In addition, the company had made 1,345,732 unsolicited marketing calls to individuals without their consent to the calls. The DPA considered this a violation of the PECR.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2022-10-04
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 600 on a homeowners' association. The controller had installed a video surveillance system that recorded both images and sound. During its investigation, the DPA found that the video surveillance system recorded, among other things, parts of the common area. The DPA considered this to be a violation of the principle of data minimization. In addition, the DPA found that the controller did not sufficiently comply with its information obligations under Art. 13 GDPR regarding the video surveillance.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Individuals and Private Associations
Website operator
2022-10-03
€150.00
Non-compliance with general data processing principles
Art. 5 (1) a), f) GDPR
Art. 6 (1) a) GDPR
The Romanian DPA has imposed a fine of EUR 150 on a website operator. The controller had published, without authorization, personal data such as telephone numbers, ID series and numbers, e-mail addresses, bank details and marital status of 383 natural persons.
HDPA
Hellenic Data Protection Authority
Finance, Insurance and Consulting
ALFA BANK S.A.
2022-10-03
€20,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Hellenic DPA has imposed a fine of EUR 20,000 on ALFA BANK S.A. When certain debit/credit cards were used, information on the last 10 transactions was stored on the card's chip without the customers' explicit consent, and could later be read out. The DPA found that the bank had failed to inform affected customers about this storage of transaction information and had therefore violated Art. 13 GDPR.
HDPA
Hellenic Data Protection Authority
Finance, Insurance and Consulting
EUROBANK ERGASIAS S.A.
2022-10-03
€20,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Hellenic DPA has imposed a fine of EUR 20,000 on EUROBANK ERGASIAS S.A. When certain debit/credit cards were used, information on the last 10 transactions was stored on the card's chip without the customers' explicit consent, and could later be read out. The DPA found that the bank had failed to inform affected customers about this storage of transaction information and had therefore violated Art. 13 GDPR.
HDPA
Hellenic Data Protection Authority
Finance, Insurance and Consulting
PIRAEUS BANK S.A.
2022-10-03
€20,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Hellenic DPA has imposed a fine of EUR 20,000 on PIRAEUS BANK S.A. When certain debit/credit cards were used, information on the last 10 transactions was stored on the card's chip without the customers' explicit consent, and could later be read out. The DPA found that the bank had failed to inform affected customers about this storage of transaction information and had therefore violated Art. 13 GDPR.
HDPA
Hellenic Data Protection Authority
Finance, Insurance and Consulting
NATIONAL BANK OF GREECE S.A.
2022-10-03
€20,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Hellenic DPA has imposed a fine of EUR 20,000 on NATIONAL BANK OF GREECE S.A. When certain debit/credit cards were used, information on the last 10 transactions was stored on the card's chip without the customers' explicit consent, and could later be read out. The DPA found that the bank had failed to inform affected customers about this storage of transaction information and had therefore violated Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Y OTRO MAS C.B.
2022-09-28
€180.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on Y OTRO MAS C.B. The controller had installed a video surveillance system in a residential complex. During its investigation, the DPA found that the information sign about the video surveillance did not contain sufficient information about the processing of personal data, the controller and the exercise of data subject rights. The DPA considered this to be a violation of Art. 13 GDPR. The original fine of EUR 300 was reduced to EUR 180 due to admission of responsibility and voluntary payment.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
CLUB NATACIO LLEIDA
2022-09-28
€720.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine on CLUB NATACIO LLEIDA. The controller had installed a video surveillance system that recorded the cashier areas of the facility. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 1,200 was reduced to EUR 720 due to voluntary payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
BAYARD REVISTAS, S.A.
2022-09-28
€31,200.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
Art. 33 GDPR
The Spanish DPA has imposed a fine on Bayard Revistas S.A. Unauthorized persons had gained access to the Bayard database and exfiltrated location and contact data of its users. Approximately 470,000 users were affected by the incident. The DPA's investigation determined that a vulnerability in the controller's systems allowed the incident to occur. The original fine of EUR 52,000 was reduced to EUR 31,200 due to voluntary payment and admission of guilt.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Media, Telecoms and Broadcasting
TV2 Média Csoport Zrt.
2022-09-26
€26,700.00
Non-compliance with general data processing principles
Art. 5 (1) a), b) GDPR
Art. 6 (1) GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
The Hungarian DPA has fined TV2 Média Csoport Zrt. EUR 26,700. In the course of its investigation, the DPA found that the controller had operated two websites without providing adequate information on the handling of personal data on the websites. The DPA also found that the controller failed to obtain consent from users in a transparent and clear manner on the websites.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Health Care
Health insurance provider
2022-09-25
€1,200.00
Non-compliance with general data processing principles
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 12 (3), (4) GDPR
Art. 31 GDPR
The Hungarian DPA has imposed a fine of EUR 1,200 on a health insurance provider.
The insurer had published the result of the data subject's Covid-19 test on its website, which made it possible for unauthorized persons to access the data subject's personal data. In addition, the insurer had not adequately cooperated with the DPA during its investigation.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-09-23
€3,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
AEPD
Spanish Data Protection Authority
Not assigned
URBANO DIVERTIA, S.L.
2022-09-23
€1,200.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has imposed a fine on URBANO DIVERTIA S.L. A customer had filed a complaint with the DPA after receiving from the controller a document containing data relating to the previous tenant of the apartment the customer was now renting from the controller. The DPA considered this to be a violation of the principle of integrity and confidentiality. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Bitfactor SRL
2022-09-22
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 32 (1), (2) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Bitfactor SRL.
The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR.
Due to a malfunction in one of the controller's applications, marketing messages were sent to users of the website, resulting in a breach of confidentiality of the personal data of 1,757 data subjects.
During its investigation, the DPA found that the controller did not take adequate technical and organizational measures to protect the personal data of the data subjects.