A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.
Data Protection Authority Name
Fined Company
Fine
Violation
Description
Link
HDPA
Hellenic Data Protection Authority
Industry and Commerce
Gas station
2022-09-22
€3,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 14 GDPR
The Hellenic DPA has imposed a fine of EUR 3,000 on a gas station operator. A person had filed a complaint with the DPA due to the controller's failure to grant them access to images of their minor child recorded by the video surveillance system in the gas station. The DPA considered this to be a violation of Art. 12 GDPR. In addition, the operator had shared the images from the video surveillance system with the police in the course of a police investigation without informing the parent. The DPA found that failure to inform the parent constituted a violation of Art. 14 GDPR.
Data Protection Authority of Baden-Wuerttemberg
Real Estate
Property development company
2022-09-21
€50,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
Art. 14 GDPR
The DPA of Baden-Württemberg has imposed a fine of EUR 50,000 on a property development company.
The company had sent a letter to a property owner in which it made a purchase price offer for their property. The letter did not contain any information on the origin of the data. Even after the owner asked the company where the data had been obtained, the company did not reply.
In the course of its investigation, the DPA discovered that a surveyor had made use of his authority to inspect the electronic land register and, in two cases, had identified several hundred property owners without their knowledge. Subsequently, the surveyor had passed the relevant information to the company, which contacted the property owners.
The DPA considered this to be, on the one hand, a violation of Art. 6 (1) GDPR and, on the other hand, a violation of Art. 14 GDPR due to the lack of information on the origin of the data.
Data Protection Authority of Baden-Wuerttemberg
Real Estate
Surveyor
2022-09-21
€5,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The DPA of Baden-Württemberg has imposed a fine of EUR 5,000 on a surveyor. The surveyor had used his authority to inspect the electronic land register to identify several hundred property owners in two cases without their knowledge and had passed on the relevant information to a property developer. The latter in turn contacted the identified owners. The DPA determined that both the surveyor and the developer had unlawfully processed the data of the property owners.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Curtea Veche Publishing SRL
2022-09-21
€5,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b), c) GDPR
Art. 32 (2) GDPR
The Romanian DPA has imposed a fine of EUR 5,000 on Curtea Veche Publishing SRL.
The controller had reported two data breaches to the DPA pursuant to Art. 33 GDPR.
In the first data breach, the controller had inadvertently published a file containing the customer database in a public forum.
This resulted in the unauthorized disclosure of personal data such as first name, last name, phone number, email, password in encrypted form and IP address of 10,793 customers.
The second data breach concerned a ransomware attack that resulted in unauthorized access and loss of integrity as well as availability of personal data of about 100 data subjects.
During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. This failure to implement protective measures permitted the data breaches to occur.
Data Protection Authority of Berlin
Industry and Commerce
Company
2022-09-20
€525,000.00
Insufficient involvement of data protection officer
Art. 38 (6) GDPR
The DPA of Berlin has imposed a fine of EUR 525,000 on the subsidiary of a Berlin-based e-commerce group.
The company had appointed a data protection officer, who however was also the managing director of two service companies that processed personal data on behalf of the very same company for which they acted as data protection officer. These service companies are also part of the group to which the e-commerce company belongs. The DPA considered this to be a conflict of interest and found a violation of Art. 38 (6) GDPR.
The DPA had already issued a warning to the company in 2021 due to the conflict of interest. When a new inspection this year revealed that no new data protection officer had been appointed, the DPA imposed the fine.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Union Sindical Obrera
2022-09-20
€1,800.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has imposed a fine on the trade union Union Sindical Obrera. An individual had filed a complaint with the DPA for repeatedly receiving emails from the controller despite having requested that their data be deleted. The original fine of EUR 3,000 was reduced to EUR 1,800 due to voluntary payment and admission of guilt.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Banca Comercială Română SA
2022-09-19
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 32 (1) b), d), e) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Banca Comercială Română SA.
The bank had notified the DPA of a data breach pursuant to Art. 33 GDPR.
Due to an error in the IT application of the controller, emails containing personal data of customers were sent to the wrong recipients.
This data breach resulted in the unauthorized disclosure of and access to certain personal data such as first and last name, home address, phone number, email address, and financial information. The incident affected 564 individuals.
The DPA found that the bank had failed to take appropriate technical and organizational measures to ensure a level of security commensurate with the processing risk.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-09-16
€480.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. The original fine of EUR 600 was reduced to EUR 480 due to voluntary payment.
AEPD
Spanish Data Protection Authority
Industry and Commerce
SOPHIE ET VOILA, S.L
2022-09-16
€10,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has imposed a fine of EUR 10,000 on SOPHIE ET VOILA, S.L. The wedding dress company had published a picture of a customer in a wedding dress on its Instagram account without the customer's consent. For this reason, the DPA determined that the processing of the customer's personal data was unlawful.
AEPD
Spanish Data Protection Authority
Industry and Commerce
MARIELI GABRIELA, S.L.
2022-09-16
€3,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 3,000 on MARIELI GABRIELA, S.L. A person had filed a complaint with the DPA due to the fact that the company had debited their bank account even though there was no contractual relationship.
AEPD
Spanish Data Protection Authority
Real Estate
Agent of the real estate agency BARCELONA DREAM HOUSE AGENCY
2022-09-16
€2,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on an agent of the real estate agency BARCELONA DREAM HOUSE AGENCY. An individual had filed a complaint with the DPA because the real estate agent had not sufficiently informed them about the processing of their personal data in the context of the conclusion of a rental agreement. For example, information on the purpose of the processing as well as on the controller was missing.
GARANTE
Italian Data Protection Authority
Health Care
Lazio Region
2022-09-15
€100,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), d) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 24 GDPR
The Italian DPA has imposed a fine of EUR 100,000 on Lazio Region.
An individual had filed a complaint with the DPA because she had received an invitation from the regional health authority to participate in the cervical cancer screening program that was addressed to her daughter, who died in 1995.
During its investigation, the DPA discovered that the daughter's data was still in the region's database even though she had already died.
For this reason, the DPA found that the Region had violated the principles of accuracy and correctness.
As the owner of the data, the Region should have ensured that the personal information was accurate and updated as necessary, and taken all reasonable steps to delete or correct the information it used in a timely manner.
In addition to the above, the Garante also found that the Region had not properly provided data subjects with the required information about the processing of their personal data when sending out the invitation letters for a cervical cancer screening campaign.
In imposing the fine, the DPA took into account, as an aggravating factor, that the Region had already received a fine.
GARANTE
Italian Data Protection Authority
Real Estate
Immobiliare Riscostruzione Meloria s.r.l.
2022-09-15
€2,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA has imposed a fine of EUR 2,000 on Immobiliare Riscostruzione Meloria s.r.l. The controller had installed a video surveillance system at its office which covered parts of a common entrance to the building and thus also recorded residents of the building. During its investigation, the DPA found that the information sign regarding the video surveillance did not contain sufficient information on the purpose of the processing of personal data and the contact details of the data controller.
GARANTE
Italian Data Protection Authority
Finance, Insurance and Consulting
Bper Banca S.p.A.
2022-09-15
€10,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
The Italian DPA has imposed a fine of EUR 10,000 on Bper Banca S.p.A. An individual had filed a complaint with the DPA regarding the failure to fulfill their right to erasure of personal data. The individual had requested the bank to delete their personal data processed by the bank. The bank then asked the data subject to send their identification documents in order to verify their identity for the purpose of fulfilling their request. The data subject submitted their data, but did not receive a response to their request for deletion. For this reason, the DPA found that the Bank had violated Art. 12 GDPR by failing to respond to the request in a timely manner.
GARANTE
Italian Data Protection Authority
Employment
Thiene municipality
2022-09-15
€3,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), c) GDPR
Art. 6 GDPR
Art. 2-ter Codice della privacy
The Italian DPA (Garante) imposed a fine of EUR 3,000 on Thiene municipality. A former employee of the municipality filed a complaint with the DPA because a document containing their personal data was published on the municipality's website. The document contained information on the termination of the employment relationship.
GARANTE
Italian Data Protection Authority
Individuals and Private Associations
FCA Italy S.p.A.
2022-09-15
€40,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 (1), (2), (3), (4) GDPR
Art. 15 GDPR
The Italian DPA has imposed a fine of EUR 40,000 on FCA Italy S.p.A. An employee of the controller had requested access to personal data processed in the context of their employment relationship. However, the controller had failed to comply with this request in a timely manner, contrary to the requirements of Art. 12 GDPR and Art. 15 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-09-13
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 300 on a private individual. The private individual had installed three video surveillance cameras on his property which, among other things, also covered the access road of a neighbor.
CNIL
French Data Protection Authority
Public Sector and Education
GIE INFOGREFFE
2022-09-13
€250,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) e) GDPR
Art. 32 GDPR
The French DPA has imposed a fine of EUR 250,000 on GIE INFOGREFFE. The controller operates a web portal where people can access legal information about companies and order documents certified by the commercial courts.
As part of its investigation, the DPA found that the personal data of 25% of members and subscribers, such as bank details, surnames, first names, addresses and telephone numbers, were kept for longer than intended (36 months). The DPA considered this to be a violation of Art. 5 (1) e) GDPR.
In addition, the DPA found that the portal did not require the use of a secure password when creating an account, resulting in 3.7 million accounts not having a sufficiently secure password.
Furthermore, the portal transmitted passwords that allowed access to accounts unencrypted via email. The portal also stored, without encryption, the passwords and the secret questions and answers used by users during the password reset process in a database.
For this reason, the DPA found that the portal had failed to implement adequate technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-09-13
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 2,000 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Hørsholm municipality
2022-09-12
€6,700.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA has imposed a fine of EUR 6,700 on Hørsholm municipality.
The municipality had reported a data breach to the DPA pursuant to Art. 33 GDPR. An employee's work computer, which contained sensitive and confidential information about approximately 1,600 municipality employees, had been stolen. During its investigation, the DPA determined that the data on the computer was not adequately secured and that the municipality had failed to take appropriate technical measures to protect personal data.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Coin dealer
2022-09-12
€80,700.00
Non-compliance with general data processing principles
Art. 5 (1) a), b) GDPR
Art. 6 (1) GDPR
Art. 7 (2) GDPR
Art. 12 (1) GDPR
Art. 13 GDPR
The Hungarian DPA imposed a fine of EUR 80,700 on a coin dealer. During its investigation, the DPA found that the privacy policy did not contain sufficient information about the data processing regarding data of new or prospective customers. The DPA also found that due to the lack of information, the data subjects could not give their informed consent and the data processing was therefore unlawful.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-09-09
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbour property. The DPA considered this to be a violation of the principle of data minimization.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
SC Raiffeisen Bank SA
2022-09-09
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) d) GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on SC Raiffeisen Bank SA.
An individual had filed a complaint with the DPA for receiving text messages about money transfers to certain persons that they had not effected.
During its investigation, the DPA found that the bank had accidentally used the telephone number of the data subject for transaction purposes in 44 cases. The data subject was not a customer of the bank and had not requested the transactions.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
EURO DONER KEBAB
2022-09-09
€180.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine on EURO DONER KEBAB. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 300 was reduced to EUR 180 due to voluntary payment and admission of responsibility.
HDPA
Hellenic Data Protection Authority
Public Sector and Education
School
2022-09-09
€15,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), b) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 30 GDPR
The Hellenic DPA has fined a school EUR 15,000. The school had installed several video surveillance cameras on the building, which permanently recorded students, teachers and visitors.
During its investigation, the DPA found that the school did not have a sufficient legal basis for the video surveillance. In view of the extensive video surveillance and the resulting restriction of the personal rights of the data subjects, the school could not rely on a legitimate interest (protection of property). In addition, the DPA found that the controller had violated its duty to inform by informing teachers and parents only verbally and incompletely about the video surveillance system.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Media, Telecoms and Broadcasting
Realmedia Network SA
2022-09-08
€8,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
The Romanian DPA has fined Realmedia Network SA EUR 8,000. The company had suffered security breaches on a website it operates, which allowed unauthorized access to and leakage of personal data. The data involved included surnames, first names, telephone numbers, e-mail addresses, postal addresses, signatures, copies of ID cards, bank data and information from land register extracts of the data subjects. A total of 194,309 people were affected by the security incident. The DPA found that the company had failed to take adequate technical and organizational measures to ensure a level of data security appropriate to the processing risk.
UODO
Polish National Personal Data Protection Office
Individuals and Private Associations
Sułkowice Cultural Center
2022-09-07
€530.00
Insufficient data processing agreement
Art. 28 (1), (3), (9) GDPR
The Polish DPA has imposed a fine of EUR 530 on the Sułkowice Cultural Center.
During its investigation, the DPA found that the controller had transferred the processing of personal data to a processor without concluding a written data processing agreement.
In addition, the controller did not verify the processor and did not verify whether the processor provides sufficient guarantees to ensure that appropriate technical and organizational measures are taken to protect personal data.
AEPD
Spanish Data Protection Authority
Employment
MUXERS CONCEPT, S.L.
2022-09-06
€20,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has fined MUXERS CONCEPT, S.L. EUR 20,000. The company had installed video surveillance cameras and microphones in the employee changing room in one of the restaurants it operates. The DPA found that there was no legal basis for such extensive processing of the employees' personal data and that the processing was therefore unlawful.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
EDYTE SA
2022-09-06
€5,000.00
Insufficient legal basis for data processing
Art. 29 GDPR
The Hellenic DPA has imposed a fine of EUR 5,000 on EDYTE SA. EDYTE, as a processor, had unlawfully disclosed personal data to third parties without the authorization of the data controller.
Data Protection Authority of Ireland
Media, Telecoms and Broadcasting
Meta Platforms, Inc.
2022-09-05
€405,000,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 6 (1) GDPR
Art. 12 (1) GDPR
Art. 24 GDPR
Art. 25 (1), (2) GDPR
Art. 35 GDPR
The Irish DPA (DPC) has imposed a fine of EUR 405,000,000 on Meta Platforms, Inc. (Instagram).
Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The initial draft proposed a fine of EUR 30-50 million. The DPC subsequently received objections from six supervisory authorities, which led to a dispute resolution procedure at the European Data Protection Board (EDPB) in Brussels. In its decision, the EDPB requested the DPC to increase the proposed fine.
The DPC's investigation revealed that on Instagram business accounts of minors, their cell phone numbers and email addresses were publicly displayed. In addition, the settings for the underage users' accounts were set to 'public' by default, making their social media content publicly viewable unless they changed the account settings. The breach potentially affects millions of teenagers.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Store owner
2022-09-04
€360.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine on a store owner. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 600 was reduced to EUR 360 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-09-04
€1,500.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 1,500 on a private individual. The data subject had filed a complaint against his ex-wife with the DPA. The ex-wife had installed video surveillance cameras in the jointly occupied house, which also recorded his living areas and thus interfered with his privacy. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
MH VILASECA S.L.
2022-09-01
€240.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on MH VILASECA S.L. The controller had failed to provide a notice with information about video surveillance in its premises. The original fine of EUR 400 was reduced to EUR 240 due to voluntary payment and admission of responsibility.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Liceo Statale 'Edoardo Amaldi'
2022-09-01
€4,000.00
Insufficient legal basis for data processing
Art. 5 GDPR
Art. 6 GDPR
Art. 9 GDPR
Art. 2-ter Codice della privacy
Art. 2-sexies Codice della privacy
Art. 2-septies (8) Codice della privacy
The Italian DPA has imposed a fine of EUR 4,000 on the school 'Edoardo Amaldi'. The school had published a circular on the school website about the summer vacations which contained the exact vacation dates of the school staff.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-09-01
€10,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine of EUR 10,000 on a private individual. The individual had published personal data of another person on a blog without their consent and in a defamatory manner.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Sindicato Intersectorial Trabajadores/as Provincia de Alicante
2022-08-30
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on the Sindicato Intersectorial Trabajadores/as Provincia de Alicante union. The union published the protocols of a works council on their bulletin board and in a WhatsApp group. As a result, the handwritten signatures of all union representatives on the works council were published.
AEPD
Spanish Data Protection Authority
Public Sector and Education
COLEGIO VILLAEUROPA, S.C.L
2022-08-30
€3,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine on COLEGIO VILLAEUROPA, S.C.L. The school did not provide sufficient information on the video surveillance, as required by Art. 13 GDPR. The information sign contained neither a reference to the data controller nor an address to contact if one wishes to exercise their data subjects' rights. The original fine of EUR 5,000 was reduced to EUR 3,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Bazar Pekin
2022-08-30
€1,700.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 30 GDPR
The Spanish DPA has imposed a fine of EUR 1,700 on Bazar Pekin. The controller had failed to provide a notice with information about video surveillance in its premises. In addition, the controller failed to keep a proper register of processing activities.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Finance, Insurance and Consulting
Alpha Bank Romania SA
2022-08-29
€1,000.00
Insufficient technical and organisational measures to ensure information security
Art. 29 GDPR
Art. 32 (1) b) GDPR
Art. 32 (2), (4) GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on Alpha Bank Romania SA. The bank had accidentally sent a document to the wrong recipient via WhatsApp. The document contained personal data of four data subjects, such as first and last names and information on loans and contracts. During its investigation, the DPA found that the bank had failed to implement sufficient technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Industry and Commerce
DIGITECNIA SOLUTIONS, S.L.
2022-08-28
€1,200.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on DIGITECNIA SOLUTIONS, S.L. An individual had filed a complaint with the DPA due to the fact that the company had published a picture of themselves without their permission. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Transportation and Energy
NATURGY ENERGY GROUP, S.A.
2022-08-28
€48,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine on NATURGY ENERGY GROUP, S.A. A person had contacted the energy company pretending to be a relative of a customer. The person requested to receive electricity bills using a new email address. To verify the identity, the person had to provide name, address, ID number, contract number and the last 4 digits of the bank account details of the customer. However, the DPA found that this verification did not comply with the requirements of the GDPR for identity verification and considered it to be a violation of Art. 5 (1) f) GDPR and Art. 32 GDPR. The original fine of EUR 80,000 was reduced to EUR 48,000 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
SOLIVESA MASTER FRANCHISE S.L.
2022-08-28
€5,600.00
Insufficient fulfilment of data subjects' rights
Art. 28 GDPR
Art. 48 (1) b) LGT
The Spanish DPA (AEPD) imposed a fine of EUR 5,600 on SOLIVESA MASTER FRANCHISE S.L. The data subject had received an advertising call from the controller made on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list.
AEPD
Spanish Data Protection Authority
Industry and Commerce
SERVICIOS PROFESIONALES LA PARADA S.L.
2022-08-25
€480.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine on SERVICIOS PROFESIONALES LA PARADA S.L. The company had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 800 was reduced to EUR 480 due to voluntary payment and admission of responsibility.
DATATILSYNET
Norwegian Supervisory Authority
Industry and Commerce
Recover AS
2022-08-25
€20,000.00
Insufficient legal basis for data processing
Art. 6 (1) e) GDPR
The Norwegian DPA (Datatilsynet) has fined Recover AS EUR 20,000. The controller had carried out a credit check on the data subject without any valid legal basis for doing so.
APD
Belgian Data Protection Authority
Industry and Commerce
Company
2022-08-23
€2,500.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) d) GDPR
Art. 5 (2) GDPR
Art. 24 (1) GDPR
Art. 32 (1), (2) GDPR
The Belgian DPA has imposed a fine of EUR 2,500 on a company. The company operates a digital management platform where suppliers and customers can communicate and upload administrative documents. An individual, who is not themselves a member of the platform, had filed a complaint with the DPA. Since the complainant's roommate is a member of the platform, the complainant asked them to upload the joint water bill, which was in the complainant's name. The platform recognized the complainant's name and sent the roommate an invitation to connect with additional companies through the platform where the complainant was a customer. Although the roommate did not accept the invitation, they were able to view various data concerning the complainant. The DPA found that the company had failed to implement appropriate technical and organizational measures to protect personal data, in order, for example, to prevent easy access to third-party data.
DSB
Austrian Data Protection Authority
Not assigned
Operator of a public toilet
2022-08-23
€25,000.00
Insufficient legal basis for data processing
Art. 5 (1) a), b), c) GDPR
Art. 6 (1) f) GDPR
Art. 13 GDPR
The Austrian DPA has imposed a fine of EUR 25,000 on an operator of a public toilet. The controller had installed a video surveillance camera on the restrooms and secretly recorded people using the toilets. The DPA found that the controller had no legal basis for installing the cameras. In assessing the fine, the fact that the privacy of the data subjects had been significantly violated was taken into account as an aggravating factor.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
UNONO NET 3.0, S.L.
2022-08-22
€900.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish DPA has imposed a fine on UNONO NET 3.0, S.L. The company had forwarded an email to numerous recipients without using the blind copy function, making it possible for all recipients to see the email addresses of the other recipients. The original fine of EUR 1,500 was reduced to EUR 900 due to voluntary payment and admission of responsibility.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-08-22
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbour property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
Enel Energie Muntenia S.A.
2022-08-22
€10,000.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Romanian DPA has fined Enel Energie Muntenia S.A. EUR 10,000. A customer had mistakenly received an email addressed to another customer containing documents with personal data of the other customer. In the course of its investigation, the DPA found that the incident had occurred due to the company's failure to take adequate technical and organizational measures to protect personal data.
CNIL
French Data Protection Authority
Accommodation and Hospitality
ACCOR SA
2022-08-19
€600,000.00
Insufficient fulfilment of data subjects' rights
Art. 12 GDPR
Art. 13 GDPR
Art. 15 GDPR
Art. 21 GDPR
Art. 32 GDPR, L. 34-5 CPCE
The French DPA (CNIL) has imposed a fine of EUR 600,000 on ACCOR SA.
Both CNIL and other European DPAs had received complaints against ACCOR from several individuals.
In the course of its investigation, CNIL found that hotel guests who made a booking directly with the hotel or on one of the hotel group's websites automatically became recipients of an advertising newsletter, as the box for consent to receive the newsletter was pre-ticked. In addition, the CNIL found that due to technical problems, many individuals were unable to opt out of receiving the promotional emails.
In this context, CNIL found that ACCOR had not sufficiently informed data subjects about the processing of their personal data in the context of promotional messages and thus violated Art. 12 GDPR and Art. 13 GDPR.
Further, ACCOR had failed to respond to data subjects' requests for access to personal data in a timely manner, and thus the CNIL found a violation of Art. 12 GDPR and Art. 15 GDPR.
The company had also failed to comply with the data subjects' right to object due to the technical problems. The CNIL therefore found a violation of Art. 12 GDPR and Art. 21 GDPR.
Finally, the CNIL found a violation of Art. 32 GDPR because ACCOR allowed the use of passwords that were not sufficiently secure.
In imposing the fine, CNIL considered it an aggravating factor that the violations affected several fundamental principles of personal data protection and constituted a fundamental infringement of the rights of the data subjects, and also took into account the number of data subjects involved.