GDPR Fines

A list of GDPR fines across all European data protection agencies since 2019, comprising a total cost of €3,994,443,726.

Data Protection Authority
Name
Fined Company
Fine
Violation
Description
Link
APD
Belgian Data Protection Authority
Health Care
Medical laboratory
2022-08-19
€20,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 32 GDPR
Art. 35 (1), (3) GDPR
The Belgian DPA imposed a fine of EUR 20,000 on a medical laboratory. During its investigation, the DPA found that the laboratory had failed to conduct a data protection impact assessment and thus violated Art. 35 GDPR. In addition, the laboratory had violated Art. 5 (1) f) GDPR and Art. 32 GDPR, as it was possible for physicians to view patients' personal data on the website without encryption. Finally, the DPA found that the laboratory had not published a privacy statement on its website, in violation of Art. 12 GDPR, Art. 13 GDPR and Art. 14 GDPR.
AEPD
Spanish Data Protection Authority
Real Estate
RODALI GESTIÓN INMOBILIARIA, S.L.
2022-08-16
€5,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
The Spanish DPA has imposed a fine of EUR 5,000 on RODALI GESTIÓN INMOBILIARIA, S.L. An individual had filed a complaint with the DPA due to the fact that the controller had not informed them about the processing of their personal data in the context of an apartment acquisition. For this reason, the DPA found that the controller had violated its information obligations under Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-08-12
€180.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 180 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization.
DATATILSYNET
Danish Data Protection Authority
Public Sector and Education
Lolland municipality
2022-08-11
€6,700.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA has imposed a fine of EUR 6,700 on Lolland municipality. The municipality had reported a data breach to the DPA in accordance with Art. 33 GDPR. One of the municipality's employees had their work phone stolen. The employee used the phone to access their work email account which contained information on the names of several citizens, social security numbers and health data. During its investigation, the DPA found that the phone was not protected by a password. Therefore, it was possible to access the information stored on the phone. The DPA concluded that this incident had occurred due to the municipality's failure to take sufficient technical and organizational measures to protect personal data. The municipality should have ensured, at least, that each employee secured their cell phone with a password.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
AMPLIFON Hungary Trade and Service Provider LLC
2022-08-11
€197,000.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
Art. 6 (1) GDPR
Art. 12 (1) GDPR
Art. 14 GDPR
The Hungarian DPA has imposed a fine of EUR 197,000 on AMPLIFON Hungary Trade and Service Provider LLC. The DPA had received complaints from several data subjects for having received unsolicited invitations to a hearing screening. During its investigation, the DPA found that the company had contacted the data subjects without first obtaining their consent. The company had received the data from the Ministry of the Interior for market research purposes. The DPA found that the company had processed the data unlawfully and contrary to the original purpose for market research. In addition, the DPA found that the company had not provided the data subjects with sufficient information on the data processing.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Transportation and Energy
CDI Transport Intern și Internațional SRL
2022-08-09
€7,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (1) GDPR
Art. 58 (1) a), e) GDPR
The Romanian DPA has imposed a fine of EUR 7,000 on CDI Transport Intern și Internațional SRL. During its investigation, the DPA found that the company's website did not provide information on what rights data subjects are entitled to under the GDPR and how they can exercise those rights. In addition, the company had failed to provide the DPA with requested information in a timely manner.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Employment
Wabag Water Services SRL
2022-08-09
€1,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
The Romanian DPA has imposed a fine of EUR 1,000 on SC Wabag Water Services SRL. An employee of the company had filed a complaint with the DPA due to the fact that their employer had processed their personal data without their consent for the purpose of registering and booking a Covid-19 vaccination appointment.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Restaurant owner
2022-08-08
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a restaurant owner. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller did not comply with its duty to properly inform about the CCTV.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-08-08
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
NAIH
Hungarian National Authority for Data Protection and the Freedom of Information
Industry and Commerce
Company
2022-08-08
€735.00
Non-compliance with general data processing principles
Art. 5 (1) b), c) GDPR
Art. 5 (2) GDPR
Art. 6 (1) GDPR
Art. 13 (1), (2) GDPR
The Hungarian DPA has imposed a fine of EUR 735 on a company. An individual had filed a complaint against the company with the DPA. An employee of the company had made sound recordings with a mobile phone during repair work at the complainant's home without informing the complainant.
HDPA
Hellenic Data Protection Authority
Industry and Commerce
IDIKA SA
2022-08-08
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) e) GDPR
Art. 25 GDPR
The Hellenic DPA has imposed a fine of EUR 10,000 on IDIKA SA. IDIKA was operating in the context of providing free COVID-19 tests. The DPA found that IDIKA, in the course of its processing activities, did not sufficiently inform data subjects about the processing of their personal data. In addition, IDIKA stored personal data longer than necessary and had failed to implement sufficient technical and organizational measures to protect personal data.
AEPD
Spanish Data Protection Authority
Employment
Prodesspa Decoratius i Pintures, S.L.
2022-08-05
€9,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has imposed a fine on Prodesspa Decoratius i Pintures, S.L. A former employee had filed a complaint with the DPA due to the company's unlawful disclosure of their data to a credit reporting agency. The original fine of EUR 15,000 was reduced to EUR 9,000 due to voluntary payment and admission of responsibility.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Cosmopol Security S.p.A.
2022-08-05
€20,000.00
Insufficient fulfilment of data subjects rights
Art. 12 (3) GDPR
Art. 15 GDPR
The Italian DPA has fined Cosmopol Security S.p.A. EUR 20,000. An individual had filed a complaint with the DPA against the controller. The individual had received invoices without ever having had a contractual relationship with the company. Therefore, the data subject requested information on the origin of their personal data. However, the controller did not respond to the data subject's request for information in a timely manner.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Colosseo S.r.l.
2022-08-05
€1,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (2) GDPR
Art. 6 (1) a) GDPR
Art. 12 (3) GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 21 GDPR
Art. 24 GDPR
The Italian DPA has imposed a fine of EUR 1,000 on Colosseo S.r.l. An individual had filed a complaint with the DPA because the controller had sent him an unsolicited commercial email. Thereafter, the data subject requested that the controller provide access to their personal data and delete their personal data, and objected to receiving future promotional emails. However, the controller did not respond to the data subject's requests.
ANSPDCP
Romanian National Supervisory Authority for Personal Data Processing
Industry and Commerce
Sephora Cosmetics România SA
2022-08-04
€2,000.00
Insufficient fulfilment of data subjects rights
Art. 21 GDPR
The Romanian DPA has imposed a fine of EUR 2,000 on Sephora Cosmetics România SA. A data subject had received promotional SMS messages from Sephora despite having objected several times to the processing of her personal data for marketing purposes and despite Sephora having confirmed that it would stop sending the SMS messages.
AEPD
Spanish Data Protection Authority
Not assigned
JAÉN SENTIDO Y COMÚN
2022-08-04
€2,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Spanish DPA has imposed a fine of EUR 2,000 on JAÉN SENTIDO Y COMÚN. The controller had sent an e-mail to 241 people in an open distribution list, making the email addresses of all recipients visible to the other recipients.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-08-03
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbouring property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
HDPA
Hellenic Data Protection Authority
Health Care
Private Polyclinic and Diagnostic Centre of Pyle Axiou
2022-08-03
€30,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Hellenic DPA has fined Private Polyclinic and Diagnostic Centre of Pyle Axiou EUR 30,000. A patient had requested access to data from an imaging examination. Due to lack of availability of the images, the clinic could not grant the request for access. The DPA found that the clinic had failed to provide adequate storage facilities for the images and thus violated Art. 5 (1) f) GDPR.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
Banco Bilbao Vizcaya Argentaria S.L.
2022-08-02
€42,000.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Spanish DPA has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A. The company had repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of their data. The original fine of EUR 70,000 was reduced to EUR 42,000 due to voluntary payment and admission of responsibility.
DATATILSYNET
Norwegian Supervisory Authority
Real Estate
Krokatjønnvegen 15 AS
2022-08-02
€30,200.00
Insufficient legal basis for data processing
Art. 6 GDPR
The Norwegian DPA (Datatilsynet) has fined Krokatjønnvegen 15 AS EUR 30,200. The controller had carried out credit checks on two data subjects without any contractual basis for doing so.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-08-01
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
AEPD
Spanish Data Protection Authority
Industry and Commerce
LAST LAP, S.L.
2022-08-01
€9,600.00
Insufficient legal basis for data processing
Art. 6 GDPR
Art. 9 GDPR
The Spanish DPA has imposed a fine on LAST LAP, S.L. Last Lap organizes the San Silvestre road running race. Race participants were required to show their vaccination certificate or provide a PCR or antigen test before the race. During its investigation, the DPA found that the company did not have an effective legal basis for processing the health data. The original fine of EUR 16,000 was reduced to EUR 9,600 due to voluntary payment and admission of responsibility.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Policoro municipality
2022-08-01
€26,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), e) GDPR
Art. 5 (2) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 24 GDPR
Art. 38 (6) GDPR
The Italian DPA has imposed a fine of EUR 26,000 on Policoro municipality. The municipality had installed a video surveillance system without, however, providing sufficient information about the surveillance. In addition, the DPA found that the municipality had not established a retention period for the video surveillance recordings and kept them for an excessive period of time. In addition, the DPA found that the municipality had not fulfilled its obligations in appointing a data protection officer. The municipality had appointed its attorney as data protection officer, which the DPA found constituted a conflict of interest.
AEPD
Spanish Data Protection Authority
Public Sector and Education
ESTUDIOS EUROPEOS DE POSTGRADO Y EMPRESA, S.L.
2022-07-29
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 (1) GDPR
The Spanish DPA has imposed a fine of EUR 3,000 on ESTUDIOS EUROPEOS DE POSTGRADO Y EMPRESA, S.L. An employee had filed a complaint with the DPA. The employee stated that she had been given access to a company email account when she was hired. However, upon accessing the account, she discovered that the email account was not actually her account, but rather the email account of another employee. Thus, she was able to access all emails sent and received by the other employee. During its investigation, the DPA determined that the controller had not properly configured the account and had therefore breached its duty to implement appropriate technical and organizational measures to protect personal data.
Data Protection Authority of Niedersachsen
Finance, Insurance and Consulting
Hannoversche Volksbank
2022-07-28
€900,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The DPA of Lower Saxony has imposed a fine of EUR 900,000 on Hannoversche Volksbank. The bank had analyzed data from active and former customers without their consent. For this purpose, the bank analyzed digital usage behavior and evaluated, among other things, purchases in app stores, the frequency of use of bank statement printers and the total number of transfers in online banking compared to the use of in-branch services. In addition, the results were cross-checked with a credit agency, where they were further supplemented. The aim was to identify customers with an increased willingness to use digital media and to address them more intensively via electronic communication channels for promotional purposes. Most customers were provided with information in advance. However, the DPA found that this did not replace the required consent. In determining the fine, it was taken into account that the bank did not make further use of the results of its evaluations. In addition, the bank cooperated with the DPA during the investigation.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Auto Hi-Fi System S.n.c
2022-07-28
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) a), c) GDPR
Art. 13 GDPR
The Italian DPA has fined Auto Hi-Fi System S.n.c in the amount of EUR 2,000. The controller had installed a video surveillance system that covered not only the public road but also a private property. The DPA considered this a violation of the principle of data minimization. Also, the controller had not posted a sign with information about the video surveillance. The DPA considered this to be a violation of Art. 13 GDPR.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private Person
2022-07-27
€300.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Use of a CCTV camera that also captured a neighbour's private space and the public space.
Data Protection Authority of Niedersachsen
Industry and Commerce
Volkswagen
2022-07-26
€1,100,000.00
Insufficient fulfilment of information obligations
Art. 13 GDPR
Art. 28 GDPR
Art. 30 GDPR
Art. 35 GDPR
The DPA of Lower Saxony has imposed a fine of EUR 1.1 million on Volkswagen. The company had installed cameras on a test vehicle. The vehicle was being used to test and train the functionality of a driving assistance system to prevent traffic accidents. For this purpose, the traffic around the vehicle was recorded with the cameras. However, Volkswagen failed to provide information in accordance with Art. 13 GDPR about the data processing by the cameras attached to the vehicle. The DPA further found that, contrary to its obligation under Art. 28 GDPR, Volkswagen had not concluded a processing agreement with the company that carried out the journeys. Also, no data protection impact assessment pursuant to Art. 35 GDPR had been carried out and the technical and organizational protection measures had not been outlined in the list of processing activities. Volkswagen has cooperated extensively with the DPA.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
TELEFÓNICA MÓVILES ESPAÑA, S.A.U.
2022-07-26
€15,000.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
A former customer had received e-mails containing electronic bills even after they had terminated their contract with the company, resulting in the processing of personal data without a sufficient legal basis.
AEPD
Spanish Data Protection Authority
Real Estate
Homeowners Association
2022-07-26
€2,500.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has fined a homeowners association EUR 2,500 for publishing information (name, surname, apartments) regarding several owners on their website.
AEPD
Spanish Data Protection Authority
Industry and Commerce
EFS MANTENIMIENTO Y SERVICIOS TÉCNICOS, S.L.
2022-07-26
€800.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has fined EFS MANTENIMIENTO Y SERVICIOS TÉCNICOS, S.L. EUR 800. A trade union had filed a complaint with the DPA because the company had shared information about one of its employees with the works council without authorization. The information shared caused the employee to be placed in a disadvantageous position. The DPA considered this to be a violation of the principles of integrity and confidentiality.
AEPD
Spanish Data Protection Authority
Media, Telecoms and Broadcasting
ESVETEL, S.L.
2022-07-22
€40,000.00
Insufficient fulfilment of data subjects rights
Art. 28 GDPR
Art. 48 (1) b) LGT
The Spanish DPA (AEPD) imposed a fine of EUR 40,000 on ESVETEL, S.L. The data subject had received an advertising call from the controller made on behalf of Vodafone España, S.A.U., although the data subject was registered in the Robinson advertising exclusion list.
AEPD
Spanish Data Protection Authority
Industry and Commerce
CINCON S.C.
2022-07-22
€500.00
Insufficient fulfilment of information obligations
Art. 13 (2) GDPR
The Spanish DPA has imposed a fine of EUR 500 on CINCON S.C. The company had failed to provide the information required by Art. 13 GDPR on a form through which potential customers could access a free course.
AZOP
Croatian Data Protection Authority
Industry and Commerce
Car dealership
2022-07-21
€4,000.00
Insufficient fulfilment of information obligations
Art. 27 (1) Zakona o provedbi Opće uredbe o zaštiti podataka
The Croatian DPA has fined a car dealership EUR 4,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance.
AZOP
Croatian Data Protection Authority
Media, Telecoms and Broadcasting
Telecommunications company
2022-07-21
€285,000.00
Insufficient technical and organisational measures to ensure information security
Art. 25 (1) GDPR
Art. 32 (1) b) GDPR
Art. 32 (2) GDPR
The Croatian DPA has fined a telecommunications company EUR 285,000. The company had suffered a data breach. Attackers had managed to access data from about 100,000 data subjects. During its investigation, the DPA found that such a breach was facilitated by the company's failure to implement adequate technical and organizational security measures for the processing of personal data. For example, the processing systems lacked access restrictions. In assessing the fine, the DPA treated it as an aggravating factor that the company is one of the leading telecommunications companies in Croatia and that, due to the high volume of data processed there, the risk of an attack on the systems was to be expected. For this very reason, the company should have paid more attention to ensuring that sufficient security measures were taken.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Global Service s.r.l.
2022-07-21
€2,000.00
Insufficient fulfilment of information obligations
Art. 5 (1) a) GDPR
Art. 13 GDPR
The Italian DPA has fined Global Service s.r.l. EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance. The DPA found that the controller had violated its duty to inform as set out in the GDPR.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Stay over s.r.l.
2022-07-21
€10,000.00
Insufficient fulfilment of data subjects rights
Art. 5 GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 15 GDPR
Art. 114 Codice della privacy
The Italian DPA has fined Stay Over s.r.l. EUR 10,000. A former employee had filed a complaint with the DPA. The company had failed to respond to a request for access to personal data in a timely manner. In addition, the company had continued to process data from the employee's e-mail inbox after termination of the employment relationship without the employee's consent.
GARANTE
Italian Data Protection Authority
Health Care
Azienda Socio Sanitaria Territoriale Rhodense
2022-07-21
€3,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Italian DPA has fined Azienda Socio Sanitaria Territoriale Rhodense EUR 3,000. The healthcare facility had reported the loss of a patient's medical record. The file contained personal data such as surname, first name, gender, date and place of birth, tax number, place of residence, telephone numbers of the data subject. The DPA determined that the incident was caused by a lack of technical and organizational measures to protect personal data at the healthcare facility.
GARANTE
Italian Data Protection Authority
Industry and Commerce
Clio S.r.l.
2022-07-21
€10,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 30 (2) GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 10,000 on Clio S.r.l. Clio provides and manages a whistleblowing reporting application for various private and public entities. As part of its investigation, the DPA found that Clio had not adequately regulated its relationship with customers. In addition, Clio provided data on whistleblowing reports to customers without a valid legal basis. The DPA considered this to be a violation of Art. 5 (1) a) GDPR and Art. 6 GDPR. Further, the DPA found that Clio had failed to maintain a register of activity carried out in its role as a processor. The DPA considered this to be a violation of Art. 30 (2) GDPR.
GARANTE
Italian Data Protection Authority
Public Sector and Education
Ginosa municipality
2022-07-21
€5,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 28 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 5,000 on Ginosa municipality. The fine is related to the fine against Clio S.r.l. Clio provides and manages a whistleblowing reporting application for various private and public entities, including Ginosa municipality. During its investigation, the DPA found that the municipality provided personal data to Clio in connection with whistleblowing reports, allowing Clio to collect and store them without a valid legal basis. Furthermore, the DPA found that the municipality had not adequately regulated its relationship with Clio.
GARANTE
Italian Data Protection Authority
Transportation and Energy
Acqua Novara.VCO S.p.a.
2022-07-21
€20,000.00
Insufficient legal basis for data processing
Art. 5 (1) a) GDPR
Art. 6 GDPR
Art. 28 GDPR
Art. 2-ter Codice della privacy
The Italian DPA has imposed a fine of EUR 20,000 on Acqua Novara.VCO S.p.a. The fine is related to the fine against Clio S.r.l. Clio provides and manages a whistleblowing reporting application for various private and public entities, including Acqua Novara. During its investigation, the DPA found that Acqua Novara provided personal data to Clio in connection with whistleblowing reports, allowing Clio to collect and store them without a valid legal basis. Furthermore, the DPA found that Acqua Novara had not adequately regulated its relationship with Clio.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-07-19
€600.00
Insufficient cooperation with supervisory authority
Art. 58 (2) GDPR
The Spanish DPA has imposed a fine of EUR 600 on a private individual. The individual had failed to implement measures repeatedly ordered by the DPA in due time.
AEPD
Spanish Data Protection Authority
Accommodation and Hospitality
Bar owner
2022-07-19
€5,000.00
Non-compliance with general data processing principles
Art. 5 (1) b) GDPR
The Spanish DPA (AEPD) has fined a bar owner EUR 5,000. The owner had unlawfully shared recordings from the CCTV in the bar via WhatsApp and other social media platforms.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-07-19
€2,000.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
The Spanish DPA has imposed a fine of 2,000 euros on a private individual. The individual had installed video cameras in the apartment building where they live that recorded, among other things, the common areas of all residents. The DPA considered this to be a violation of the principle of data minimization.
AEPD
Spanish Data Protection Authority
Industry and Commerce
Bookstore employee
2022-07-19
€4,000.00
Insufficient technical and organisational measures to ensure information security
Art. 5 (1) f) GDPR
Art. 32 GDPR
The Spanish Data Protection Agency has imposed a fine of EUR 4,000 on an employee of a bookstore. An individual had filed a complaint with the DPA because he had received an invoice from another person containing that person's personal data. The employee had inadvertently sent the invoice to the wrong recipient.
HDPA
Hellenic Data Protection Authority
Finance, Insurance and Consulting
DO VALUE GREECE LOANS & CREDITS CLAIM MANAGEMENT S.A.
2022-07-19
€20,000.00
Insufficient fulfilment of data subjects rights
Art. 5 (1) a) GDPR
Art. 5 (2) GDPR
Art. 6 GDPR
Art. 12 (2) GDPR
The Hellenic DPA has fined DO VALUE GREECE LOANS & CREDITS CLAIM MANAGEMENT S.A. in the amount of EUR 20,000. An individual had filed a complaint with the DPA for receiving numerous calls from the company about debts that had already been settled. The data subject had objected to the processing of their data and demanded that the calls be stopped immediately and that their personal data be deleted from the company's database. During its investigation, the DPA found that the company had unlawfully obstructed the exercise of the data subject's rights.
AEPD
Spanish Data Protection Authority
Finance, Insurance and Consulting
BANKINTER, S.A.
2022-07-18
€56,000.00
Non-compliance with general data processing principles
Art. 5 (1) f) GDPR
The Spanish DPA has imposed a fine of EUR 56,000 on BANKINTER, S.A. The controller had inadvertently sent a report on the data subject's investment portfolio to a third party. The controller states that the mis-sending occurred due to a computer error. For this reason, the DPA determined that the controller had violated the principle of integrity and confidentiality set out in Art. 5 (1) f) GDPR.
AEPD
Spanish Data Protection Authority
Industry and Commerce
ECOZONO Y CULTURA, S.L.
2022-07-15
€3,600.00
Insufficient legal basis for data processing
Art. 6 (1) GDPR
The Spanish DPA has imposed a fine on ECOZONO Y CULTURA, S.L. Ecozono, through a service provider, had collected data from data subjects who agreed to disclose the data for survey purposes. However, the data was later used to contact the individuals for advertising purposes. The original fine of EUR 6,000 was reduced to EUR 3,600 due to voluntary payment and admission of guilt.
AEPD
Spanish Data Protection Authority
Individuals and Private Associations
Private individual
2022-07-15
€600.00
Non-compliance with general data processing principles
Art. 5 (1) c) GDPR
Art. 13 GDPR
The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the access road shared with neighbours. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.
DATATILSYNET
Danish Data Protection Authority
Finance, Insurance and Consulting
SIRIUS (law firm)
2022-07-14
€67,200.00
Insufficient technical and organisational measures to ensure information security
Art. 32 GDPR
The Danish DPA has imposed a fine of EUR 67,200 on the law firm SIRIUS. The law firm had suffered a cyber attack in which hackers gained access to the firm's servers and encrypted them. This gave them access to information about the firm's clients and business partners. During its investigation, the DPA found that the law firm lacked basic security measures, which increased the risk of unauthorized access to client data. The firm's systems, for example, did not contain sufficient verification measures, such as multi-factor logins.