GDPR Enforcement Tracker

This website contains a list and overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties.
  • Hungary: New fine over 92k EUR
    NAIH imposed a fine of 92.146 EUR: link
  • UK: 2nd fine proposed
    The ICO issued a notice of its intention to fine Marriott GBP 99,200,396 for GDPR infringements (no final decision): link
  • The Netherlands: First GDPR fine
    First GDPR fine from the Netherlands over 460k EUR: link
  • UK: 204.6 Mio fine proposed
    The ICO issued a notice of its intention to fine British Airways GBP 183.39 Mio for GDPR infringements (no final decision): link
  • Germany: Fine against police officer
    First fine against a person working in the public sector - 1.400 EUR for misuse of data for private purposes: link
  • Germany: 102 fines
    101 fines worth 484.900 EUR publicly known - overview under: link
  • Romania: New fine
    New fine over 2,5k EUR: link
Overview of fines. Each entry lists: Country, Authority, Date, Fine, Controller/Processor, Quoted Article, Summary, Infos.
Country: AUSTRIA
Authority: Austrian Data Protection Authority (dsb)
Date: 2018-12-09
Fine: 4,800
Controller/Processor: Betting place
Quoted Article: Art. 13 GDPR
Summary: Video surveillance was not sufficiently marked and a large part of the sidewalk in front of the facility was recorded. Surveillance of public space in this way, i.e. on a large scale by private individuals, is not permitted.
Infos: link

Country: AUSTRIA
Authority: Austrian Data Protection Authority (dsb)
Date: Unknown-2018
Fine: 1,800
Controller/Processor: Kebab restaurant
Quoted Article: Unknown
Summary: CCTV was unlawfully used. No further information available.
Infos: link

Country: AUSTRIA
Authority: Austrian Data Protection Authority (dsb)
Date: Unknown-2018
Fine: unknown
Controller/Processor: Restaurant
Quoted Article: Unknown
Summary: CCTV was unlawfully used. No further information available.
Infos: link

Country: AUSTRIA
Authority: Austrian Data Protection Authority (dsb)
Date: Unknown-2018
Fine: 300
Controller/Processor: Private car owner
Quoted Article: Unknown
Summary: A dashcam was unlawfully used. No further information available.
Infos: link

Country: AUSTRIA
Authority: Austrian Data Protection Authority (dsb)
Date: 2018-12-20
Fine: 2,200
Controller/Processor: Private person
Quoted Article: Art. 5 (1) a) and c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR
Summary: The fine was imposed on a private person who was using CCTV at his home. The video surveillance covered areas intended for the general use of the residents of the multi-party residential complex, namely parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, it covered garden areas of an adjacent property. The video surveillance at issue in the proceedings was therefore not limited to areas under the exclusive control of the controller, and was neither proportionate to its purpose nor limited to what is necessary. It also recorded the hallway of the house and filmed residents entering and leaving the surrounding apartments, thereby intruding into their highly personal areas of life without their consent to the recording of their image data. The video surveillance was not properly indicated.
Infos: link
Country: BELGIUM
Authority: Belgian Data Protection Authority (APD)
Date: 2019-05-28
Fine: 2,000
Controller/Processor: Mayor
Quoted Article: Art. 5 (1) b) GDPR, Art. 6 GDPR
Summary: The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.
Infos: link
Country: BULGARIA
Authority: Bulgarian Commission for Personal Data Protection (KZLD)
Date: 2018-04-12
Fine: 500
Controller/Processor: Bank
Quoted Article: Art. 5 (1) b) GDPR, Art. 6 GDPR
Summary: A fine of 1000 BGN (roughly 500 EUR) was imposed on a bank for calling a client about the unresolved bills of his neighbour. This prompted the client to invoke his right to be forgotten. After receiving no answer from the bank he filed another motion, on which the bank did take action within the statutory period. Nonetheless, the client filed a complaint with the KZLD. The infringement for which the bank was fined was that the processing of the client's personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed differed from the one communicated when the contract was concluded, the bank, in the view of the KZLD, had to request additional consent from its client.
Infos: link link

Country: BULGARIA
Authority: Bulgarian Commission for Personal Data Protection (KZLD)
Date: 2019-02-26
Fine: 27,100
Controller/Processor: Telecommunication service provider
Quoted Article: Art. 6 GDPR, Art. 5 (1) a) GDPR
Summary: Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider used personal data to register the complainant for the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose, and no other legal basis applied. The signature on the application and the complainant's own genuine one were not identical; the person's personal identification number was indicated, but the identity card number was not the complainant's.
Infos: link

Country: BULGARIA
Authority: Bulgarian Commission for Personal Data Protection (KZLD)
Date: 2019-01-17
Fine: 500
Controller/Processor: Bank
Quoted Article: Art. 6 GDPR, Art. 5 (1) a) GDPR
Summary: A bank obtained personal data concerning a student without a legal basis.
Infos: link

Country: BULGARIA
Authority: Bulgarian Commission for Personal Data Protection (KZLD)
Date: 2019-02-22
Fine: 500
Controller/Processor: Employer
Quoted Article: Art. 5 (1) b) c) GDPR, Art. 12 GDPR, Art. 15 (1) GDPR, Art. 15 (1) a), b), c), g) GDPR, Art. 15 (3) GDPR
Summary: An employee sent a request to his employer for access to personal data concerning him. The request was answered neither in time nor completely.
Infos: link
Country: CYPRUS
Authority: Cypriot Data Protection Commissioner
Date: Unknown-2019
Fine: 5,000
Controller/Processor: State Hospital
Quoted Article: Art. 15 GDPR
Summary: A patient complained to the Commissioner that her request for access to her medical file had not been satisfied by the hospital because the dossier could not be identified or located by the controller. After investigating the case, the Commissioner imposed an administrative fine of €5,000 on the hospital.
Infos: link

Country: CYPRUS
Authority: Cypriot Data Protection Commissioner
Date: Unknown-2019
Fine: 10,000
Controller/Processor: Newspaper
Quoted Article: Art. 6 GDPR
Summary: The newspaper's publication, both in hard copy and in electronic form, concerned the alleged inconvenience and the unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could have been achieved by referring only to the initials of their names and/or blurring their faces and/or publishing photographs taken from a distance so that the persons could not be identified; these measures would not have changed the nature of the case.
Infos: link
Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-01-10
Fine: 388
Controller/Processor: Employer
Quoted Article: Art. 6 GDPR
Summary: A former employee of a company requested the deletion of information relating to him/her which was published on the employer's Facebook page and which was still available long after the employment relationship had ended. The fine was imposed because the employer did not delete the information relating to the former employee.
Infos: link

Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-02-04
Fine: 1,165
Controller/Processor: Car rental company
Quoted Article: Art. 5 (1) a) GDPR
Summary: A person who rented a car found out that the car was tracked via GPS by the rental company, even though no information had been provided that the car was being tracked. The Czech Data Protection Authority found that no information had been provided in terms of Art. 13 GDPR and that Art. 6 (1) f) GDPR could not serve as the legal basis under the concrete circumstances. The UOOU therefore found a violation of Art. 5 (1) a) GDPR, for which it imposed the fine.
Infos: link

Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-02-28
Fine: 582
Controller/Processor: Unknown
Quoted Article: Art. 5 (1) f) GDPR
Summary: Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Infos: link

Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-02-04
Fine: 1,165
Controller/Processor: Credit brokerage
Quoted Article: Art. 5 (1) f) GDPR
Summary: Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Infos: link

Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2018-10-25
Fine: 388
Controller/Processor: Unknown
Quoted Article: Art. 15 GDPR
Summary: Information was not provided.
Infos: link

Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-02-26
Fine: 776
Controller/Processor: Unknown
Quoted Article: Art. 15 GDPR
Summary: Information was not provided.
Infos: link

Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-03-21
Fine: 9,704
Controller/Processor: Unknown
Quoted Article: Art. 5 (1) c) and e) GDPR
Summary: Data was not processed in a way that was adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed ("data minimisation"), and was not kept in a form which permits identification of data subjects for no longer than is necessary for those purposes ("storage limitation").
Infos: link

Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-05-13
Fine: 3,105
Controller/Processor: Unknown
Quoted Article: Art. 5 (1) a) and b) GDPR, Art. 32 (1) GDPR
Summary: (none)
Infos: link

Country: CZECH REPUBLIC
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-05-06
Fine: 194
Controller/Processor: Unknown
Quoted Article: Art. 15 GDPR
Summary: Information was not provided.
Infos: link
Country: DENMARK
Authority: Danish Data Protection Authority (Datatilsynet)
Date: Tbd-2019
Fine: 160,000
Controller/Processor: Taxa 4x35
Quoted Article: Art. 5 (1) e) GDPR
Summary: The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data minimisation principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold individuals' phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
Infos: link

Country: DENMARK
Authority: Danish Data Protection Authority (Datatilsynet)
Date: 2019-06-03
Fine: 200,850
Controller/Processor: IDdesign A/S
Quoted Article: Art. 5 (1) e) and (2) GDPR
Summary: The fine was imposed as a result of an inspection carried out in autumn 2018. IDdesign had processed personal data of approximately 385,000 customers for longer than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for the deletion of personal data in its new CRM system, and data in the old system had not been deleted once the deadlines set for it had been reached. The controller had also not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
Infos: link
Country: FRANCE
Authority: French Data Protection Authority (CNIL)
Date: 2019-01-21
Fine: 50,000,000
Controller/Processor: Google Inc.
Quoted Article: Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 nr. 11 GDPR, Art. 5 GDPR
Summary: The fine was imposed on the basis of complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net". The complaints were filed on 25 and 28 May 2018, immediately after the GDPR became applicable, and concerned the creation of a Google account during the configuration of a mobile phone running the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were neither "specific" nor "unambiguous" (Art. 4 nr. 11 GDPR).
Infos: link

Country: FRANCE
Authority: French Data Protection Authority (CNIL)
Date: 2019-05-28
Fine: 400,000
Controller/Processor: SERGIC, a company specialised in real estate development, purchase, sale, rental and property management
Quoted Article: Art. 32 and 5 (1) e) GDPR
Summary: The CNIL based the penalty on two grounds: lack of basic security measures and excessive data storage. As to the first, sensitive documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments and account statements) were accessible online without any authentication procedure in place. Although the vulnerability had been known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account, among other things, the seriousness of the breach (the lack of due care in addressing the vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.
Infos: link
Country: GERMANY
Authority: Data Protection Authority of Baden-Wuerttemberg
Date: 2018-11-21
Fine: 20,000
Controller/Processor: Knuddels.de
Quoted Article: Art. 32 (1) a) GDPR
Summary: After a hacker attack in July, personal data of approx. 330.000 users, including passwords and email addresses, had been revealed.
Infos: link

Country: GERMANY
Authority: Data Protection Authority of Hamburg
Date: 2018-12-17
Fine: 5,000
Controller/Processor: Kolibri Image Regina und Dirk Maass GbR
Quoted Article: Art. 28 (3) GDPR
Summary: Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After that authority did not answer Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that it will challenge the decision in court, since it is of the opinion that the service provider does not act as a processor.
Infos: link link

Country: GERMANY
Authority: Data Protection Authority of Baden-Wuerttemberg
Date: Unknown (not published)-2019
Fine: 80,000
Controller/Processor: Unknown
Quoted Article: Unknown
Summary: There is no further information available. This fine should not be confused with the fine dealing with health data that was also issued by the same authority, since the latter was issued under the old German Data Protection Act. The existence of a second fine of the same amount is only known from a tweet of the Data Protection Commissioner of Baden-Wuerttemberg.
Infos: link

Country: GERMANY
Authority: Data Protection Authority of Sachsen-Anhalt
Date: 2019-02-05
Fine: 2,000
Controller/Processor: Private person
Quoted Article: Art. 6 GDPR, Art. 5 GDPR
Summary: The fine was imposed on a private person who sent several e-mails between July and September 2018 in which personal e-mail addresses were visible to all recipients, so that each recipient could read countless other recipients' addresses. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list.
Infos: link

Country: GERMANY
Authority: Data Protection Authority of Hamburg
Date: Unknown-2018
Fine: 20,000
Controller/Processor: Unknown
Quoted Article: Art. 83 (4) a) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR
Summary: Late notification of a data breach and failure to notify the data subjects.
Infos: Page 134 of the activity report of the Data Protection Commissioner of Hamburg, accessible under link

Country: GERMANY
Authority: Data Protection Authority of Saarland
Date: Unknown
Fine: 118
Controller/Processor: Unknown
Quoted Article: Art. 6 GDPR
Summary: Illegal disclosure of personal data relating to a third party.
Infos: link

Country: GERMANY
Authority: Data Protection Authority of Hamburg
Date: Unknown-2018
Fine: 500
Controller/Processor: Unknown
Quoted Article: Unknown
Summary: Unknown
Infos: link

Country: GERMANY
Authority: Data Protection Authority of Berlin
Date: Unknown-2018
Fine: 50,000
Controller/Processor: N26
Quoted Article: Art. 6 GDPR
Summary: The fine was imposed on a bank (according to a newspaper, N26) that had processed "personal data of all former customers" without permission. The bank acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not open a new account for these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that, in order to prevent a new bank account from being opened, only those persons may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had "not yet been legally concluded".
Infos: Page 131 of the activity report of the Data Protection Commissioner of Berlin, link link
Country: HUNGARY
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-02-08
Fine: 1,560
Controller/Processor: Bank
Quoted Article: Art. 5 (1) d) GDPR - principle of accuracy
Summary: A bank mistakenly sent SMS messages about a data subject's credit card debt to the telephone number of another person. After receiving an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS messages to the incorrect telephone number. The fine represents 0.0016% of the annual profit of the bank.
Infos: link link

Country: HUNGARY
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-02-20
Fine: 1,560
Controller/Processor: Debt collector
Quoted Article: Art. 5 (1) a) and c) GDPR - principles of transparency and data minimisation
Summary: A data subject requested information about, and erasure of, the data processed, which the debt collector refused, stating that it could not identify the data subject. For identification purposes it requested the place of birth, mother's maiden name and further details from the data subject. After the controller succeeded in identifying the data subject, it refused to comply with the deletion request, arguing that it was legally obliged to retain backup copies under the Accountancy Act and internal policies. Since it had not properly informed the data subject about these policies, the NAIH held that the controller had breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller.
Infos: link link

Country: HUNGARY
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2018-12-18
Fine: 3,200
Controller/Processor: Unknown
Quoted Article: Art. 12 (4) GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 13 GDPR
Summary: The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint with the supervisory authority.
Infos: link

Country: HUNGARY
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-02-28
Fine: 3,200
Controller/Processor: Mayor's Office of the city of Kecskemét
Quoted Article: Art. 5 (1) a) GDPR, Art. 6 GDPR
Summary: The fine was imposed on the Mayor's Office of the city of Kecskemét for unlawful disclosure of the personal information of a whistleblower. NAIH imposed the fine after an employee of an organisation that it supervised reported a public interest complaint directly to it against his employer. After the organisation learned of the complaint, it requested details in order to investigate, and the local government accidentally revealed the complainant's name. The NAIH considered it an aggravating factor that, as a result of the data breach, the organisation fired the person who made the report.
Infos: link link

Country: HUNGARY
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-03-04
Fine: 3,200
Controller/Processor: Unnamed financial institution
Quoted Article: Art. 5 (1) b) and c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDPR
Summary: The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer's request to have his phone number erased, after the institution argued that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer's phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the debtor's phone number was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
Infos: link link

Country: HUNGARY
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-04-05
Fine: 34,375
Controller/Processor: Hungarian political party
Quoted Article: Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR
Summary: NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and the affected individuals about a data breach, and for failing to document the breach as required by GDPR Article 33 (5). As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65% of its anticipated turnover for the coming year. The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation's system (a database of more than 6,000 individuals) and the command used for the attack. The system was vulnerable because of a redirection problem with the organisation's webpage. After the attacker published the command, even people with little IT knowledge were able to retrieve information from the database.
Infos: link
Country: ITALY
Authority: Italian Data Protection Authority (Garante)
Date: 2019-04-17
Fine: 50,000
Controller/Processor: Italian political party Movimento 5 Stelle
Quoted Article: Art. 32 GDPR
Summary: A number of websites affiliated with the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform had suffered a data breach during the summer of 2017, which led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to an obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed. While the update of the privacy information notice was completed in time, the Garante raised concerns about the failure to implement some of the GDPR-related security measures on the Rousseau platform. It is worth mentioning that the proceedings were initiated before May 2018, but the Garante issued a fine under the GDPR since the Rousseau platform had not adopted the security measures required by an order issued after 25 May 2018. Interestingly, the fine was not issued against Movimento 5 Stelle, which is the data controller of the platform, but against the Rousseau association, which is the data processor.
Infos: link
Country: LITHUANIA
Authority: Lithuanian Data Protection Authority (VDAI)
Date: 2019-05-16
Fine: 61,500
Controller/Processor: Payment service provider UAB MisterTango
Quoted Article: Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR
Summary: During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary for the purposes for which it acted as controller. In addition, it became known that from 9 to 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary. The controller did not report the data breach.
Infos: link
Country: MALTA
Authority: Data Protection Commissioner of Malta
Date: 2019-02-18
Fine: 5,000
Controller/Processor: Lands Authority
Quoted Article: Art. 5 GDPR, Art. 32 GDPR
Summary: As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple Google search. The majority of the leaked data contained highly sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to €25,000 for each violation and may additionally impose a daily fine of €25 for each day such violation persists.
Infos: link
Country: NORWAY
Authority: Norwegian Supervisory Authority (Datatilsynet)
Date: 2019-03-XX
Fine: 170,000
Controller/Processor: Bergen Municipality
Quoted Article: Art. 5 (1) f) GDPR, Art. 32 GDPR
Summary: The incident relates to computer files containing usernames and passwords for over 35,000 user accounts in the municipality's computer system. The user accounts belonged both to pupils in the municipality's primary schools and to the employees of the same schools. Due to insufficient security measures, these files were unprotected and openly accessible. The lack of security measures made it possible for anyone to log in to the schools' various information systems and thereby access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompassed personal data of over 35,000 individuals, the majority of them children, was considered an aggravating factor. The municipality had also been warned several times, both by the authority and by an internal whistleblower, that its data security was inadequate.
Infos: link
Country: POLAND
Authority: Polish National Personal Data Protection Office (UODO)
Date: 2019-03-26
Fine: 219,538
Controller/Processor: Private company working with data from publicly available sources
Quoted Article: Art. 14 GDPR
Summary: The fine concerned proceedings related to the activity of a company which processed data subjects' data obtained from publicly available sources, inter alia the Central Electronic Register and Information on Economic Activity, for commercial purposes. The authority found non-compliance with the information obligation in relation to natural persons conducting business activity, i.e. entrepreneurs currently conducting or having suspended such activity, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) to (3) GDPR only to the persons whose e-mail addresses it had at its disposal. For the remaining persons the controller failed to comply with the information obligation, as it explained in the course of the proceedings, due to high operational costs; instead it presented the information clause only on its website. According to the UODO this is not sufficient.
Infos: link

Country: POLAND
Authority: Polish National Personal Data Protection Office (UODO)
Date: 2019-04-25
Fine: 12,950
Controller/Processor: Sports association
Quoted Article: Art. 6 GDPR
Summary: A sports association published online personal data of judges who had been granted judicial licences. Not only their names were provided, but also their exact addresses and PESEL numbers. There is no legal basis for such a wide range of data on judges to be available on the Internet. By making the data public, the administrator created a potential risk of its unauthorised use, e.g. to impersonate the judges for the purpose of borrowing or entering into other obligations. Although the association itself noticed its error, as evidenced by its notification of a personal data breach to the President of the PDPA, the fact that its attempts to remove the data were ineffective determined the imposition of a penalty. When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among other things, the duration of the infringement and the fact that it concerned a large group of persons (585 judges). It concluded that, although the infringement was finally remedied, it was of a serious nature. However, when imposing the penalty, the President of the Office of Competition and Consumer Protection also took into account mitigating circumstances, such as good cooperation between the controller and the supervisory authority and the lack of evidence that damage had been caused to the persons whose data had been disclosed.
Infos: link link
Country: PORTUGAL
Authority: Portuguese Data Protection Authority (CNPD)
Date: 2018-07-17
Fine: 400,000
Controller/Processor: Hospital
Quoted Article: Art. 5 (1) f) GDPR, Art. 32 GDPR
Summary: The investigation revealed that the hospital's staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient: the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of their specialty.
Infos: link
Country: SPAIN
Authority: Spanish Data Protection Authority (aepd)
Date: Unknown-2018
Fine: 5,000
Controller/Processor: VODAFONE ESPANA, S.A.U.
Quoted Article: Art. 5 (1) d) GDPR
Summary: The Spanish telecommunications and information agency (SETSI) decided that Vodafone had to reimburse a customer for costs he had been wrongfully charged. Nevertheless, Vodafone reported personal data of this customer to a solvency registry (BADEXCUG). The AEPD found that this behaviour violated the principle of accuracy.
Infos: link

Country: SPAIN
Authority: Spanish Data Protection Authority (aepd)
Date: Unknown
Fine: 250,000
Controller/Processor: Professional Football League (LaLiga)
Quoted Article: Art. 5 (1) a), 7 (3) GDPR
Summary: The national football league (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD, LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
Infos: link

Country: SPAIN
Authority: Spanish Data Protection Authority (aepd)
Date: Unknown
Fine: 60,000
Controller/Processor: Debt collecting agency (GESTIÓN DE COBROS, YO COBRO SL)
Quoted Article: Art. 5 (1) f) GDPR
Summary: After the claimant allegedly failed to pay back a microcredit to an online credit agency, the claim was assigned to the debt collecting agency. Subsequently, the latter started sending emails not only to email addresses provided by the claimant but also to an institutional email address at his workplace, accessible to any co-worker, which the claimant had never provided.
Infos: link

Country: SPAIN
Authority: Spanish Data Protection Authority (aepd)
Date: Unknown
Fine: 27,000
Controller/Processor: VODAFONE ESPANA, S.A.U.
Quoted Article: Art. 5 (1) d) GDPR
Summary: Although the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and the company had confirmed this request, he received more than 200 SMS from the company from 2018 onwards. According to Vodafone's statement, this happened because the complainant's mobile phone number was erroneously used for testing purposes and accidentally appeared in various customer files belonging to customers other than the complainant. Since the company agreed to both payment and admission of responsibility, the fine was reduced in accordance with Spanish administrative law to EUR 27k.
Infos: link
Country: GERMANY
Authority: Data Protection Authority of Baden-Wuerttemberg
Date: 2019-05-09
Fine: 1,400
Controller/Processor: Police Officer
Quoted Article: Art. 6 GDPR
Summary: The police officer, using his official user ID but without any connection to official duties, queried the owner data for the licence plate of a person he did not know well via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, in which he asked not only for the personal data of the injured party but also for the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone, without any official reason or consent from the injured party. Through the ZEVIS and SARS enquiries for private purposes and the use of the mobile phone number obtained for private contact, the police officer processed personal data outside the scope of the law on his own authority. This infringement is not attributable to the police officer's department, since he did not commit the act in the exercise of his official duties but exclusively for private purposes. The prohibition of punishment under § 28 LDSG, according to which the sanctions of the GDPR cannot be imposed on public bodies, does not apply in the present case, since it was neither a case of misconduct attributable to the authority nor is the person concerned to be classified as a separate public body within the meaning of § 2 (1) or (2) LDSG with regard to the acts in question.
Infos: link
FRANCE
French Data Protection Authority (CNIL) | 2019-06-13 | 20,000 EUR | UNIONTRAD COMPANY (employer) | Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR | Between 2013 and 2017 the CNIL received complaints from several employees of the company who were being filmed at their workstations. On two occasions it reminded the company of the rules to be observed when installing cameras in the workplace, in particular that employees must not be filmed continuously and that information about the data processing has to be provided. As no satisfactory measures had been taken by the end of the deadline set in the formal notice, the CNIL carried out a second audit in October 2018, which confirmed that the employer was still breaching data protection law by recording employees with CCTV. When determining the amount of the fine, the CNIL took into account the size of the company (9 employees) and its financial situation (turnover of 885,739 EUR and a negative net result of 110,844 EUR in 2017) in order to set a fine that was dissuasive but proportionate. | link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-04-17 | 9,400 EUR | Unknown | Art. 5 (1) a) GDPR, Art. 6 GDPR | In the NAIH's view, the controller relied on the wrong legal basis, Art. 6 (1) b) GDPR (performance of a contract), for processing personal data in connection with an assignment of claims. | link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-04-05 | 1,900 EUR | Unknown | Art. 15 GDPR | The controller did not fulfil the data subject's access request. | link
BULGARIA
Data Protection Commission of Bulgaria (KZLD) | 2019-04-08 | 510 EUR | Medical centres | Art. 5 (1) a) GDPR; Art. 9 (1) and (2) GDPR; Art. 6 (1) GDPR | A sanction of 510 EUR was imposed on each of the medical centres involved for unlawfully processing the personal data of data subject G.B. in order to change his GP. The first medical centre used software to generate a registration form for a change of GP, which was submitted to the Regional Health Insurance Fund and then to another medical centre, which in turn also unlawfully processed G.B.'s personal data. | link
BULGARIA
Data Protection Commission of Bulgaria (KZLD) | 2019-03-26 | 5,100 EUR | A.P. EOOD | Art. 5 (1) a) GDPR, Art. 6 GDPR | The sanction was imposed on the controller (personal data administrator) A.P. EOOD for unlawful processing of personal data: the personal data of data subject D.D. was used by A.P. EOOD to prepare an employment contract while D.D. was in prison. | link
SPAIN
Spanish Data Protection Authority (aepd) | Unknown-2019 | 60,000 EUR | ENDESA (energy supplier) | Art. 5 (1) f) GDPR | ENDESA charged the complainant's bank account for a contract whose beneficiary was a third party who had been convicted under criminal law and subjected to a two-year restraining order regarding the complainant, her home and her workplace. Instead of amending the contract details as the complainant had requested, ENDESA erroneously deleted her data and entered the data of the third party. The AEPD found that the resulting disclosure of the complainant's data to the third party was a serious violation of the principle of confidentiality. | link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-06-27 | 130,000 EUR | UNICREDIT BANK SA | Art. 25 (1) and Art. 5 (1) c) GDPR | The fine was issued for the failure to implement appropriate technical and organisational measures, both when determining the means and operations of the processing and when integrating the necessary safeguards into it. This resulted in the online disclosure of the IDs and addresses of 337,042 data subjects (payers in internal/external transactions) to the respective beneficiaries of those transactions between 25.05.2018 and 10.12.2018. | link
UNITED KINGDOM
Information Commissioner (ICO) | 2019-07-08 | 204,600,000 EUR (proposed) | British Airways | Art. 32 GDPR | Please note: this fine is not final; it will be decided once the company and the supervisory authorities of the other member states involved have made their representations. The ICO issued a notice of its intention to fine British Airways GBP 183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, through which the attackers harvested customer details. Personal data of approximately 500,000 customers was compromised in the incident, which is believed to have begun in June 2018. The ICO's investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information. | link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-07-02 | 15,056 EUR | WORLD TRADE CENTER BUCHAREST SA | Art. 32 GDPR | The security breach consisted in a printed paper list, used to check in breakfast guests and containing the personal data of 46 clients staying at the hotel operated by WORLD TRADE CENTER BUCHAREST SA, being photographed by unauthorised persons from outside the company, which led to the personal data of some clients being disclosed through online publication. The operator, WORLD TRADE CENTER BUCHAREST SA, was sanctioned because it had not taken steps to ensure that the data was not disclosed to unauthorised parties. | link
UNITED KINGDOM
Information Commissioner (ICO) | 2019-07-09 | 110,390,200 EUR (proposed) | Marriott International, Inc | Art. 32 GDPR | Please note: this fine is not final; it will be decided once the company and the supervisory authorities of the other member states involved have made their representations. The ICO issued a notice of its intention to fine Marriott International Inc GBP 99,200,396 in relation to a cyber incident that Marriott notified to the ICO in November 2018. The GDPR infringements are likely to involve a breach of Art. 32 GDPR. A variety of personal data contained in approximately 339 million guest records globally was exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA); seven million related to UK residents. It is believed that the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. | link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-05-23 | 92,146 EUR | Organizer of the SZIGET and VOLT festivals | Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR | The NAIH found that inappropriate legal bases were in use and that the controller did not comply with the principle of purpose limitation. In addition, data subjects were not fully informed about the data processing. | link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-07-05 | 3,000 EUR | LEGAL COMPANY & TAX HUB SRL | Art. 32 (1) and (2) GDPR | The fine was imposed because adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing had not been implemented. Between 10 December 2018 and 1 February 2019 this led to unauthorised disclosure of, and unauthorised access to, the personal data (name, surname, correspondence address, email, telephone, job and details of the transactions made) of persons who had made transactions via the avocatoo.ro website, because documents containing these data were publicly accessible. The authority applied the sanction following a notification dated 12 October 2018 indicating that a set of files containing these transaction details was publicly accessible through two links. | link
THE NETHERLANDS
Dutch Supervisory Authority for Data Protection (AP) | 2019-06-18 | 460,000 EUR | Haga Hospital | Art. 32 GDPR | The Haga Hospital did not have proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority, which was prompted by the discovery that dozens of hospital staff had accessed the medical records of a well-known Dutch person without any need to do so. To force the hospital to improve the security of patient records, the AP simultaneously imposed an order subject to a penalty payment: if the Haga Hospital has not improved security by 2 October 2019, it must pay 100,000 EUR every two weeks, up to a maximum of 300,000 EUR. The Haga Hospital has meanwhile indicated that it will take measures. | link
FRANCE
French Data Protection Authority (CNIL) | 2019-07-25 | 180,000 EUR | ACTIVE ASSURANCES (car insurer) | Art. 32 GDPR | A large number of customer accounts and client documents (including copies of driving licences, vehicle registration documents, bank statements and documents used to determine whether a person had been subject to a licence withdrawal) were easily accessible online. Among other things, the CNIL criticised the password management: unauthorised access was possible without any authentication. | link
GREECE
Hellenic Data Protection Authority (HDPA) | 2019-07-30 | 150,000 EUR | PWC Business Solutions | Art. 5 (1) a), b) and c) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR | The company based the processing of employee personal data on consent. The HDPA found consent to be an inappropriate legal basis, since the processing was intended to carry out acts directly linked to the performance of the employment contracts, to comply with legal obligations to which the controller is subject, and to serve the smooth and effective operation of the company as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data on the basis of consent, while in reality it was processing them under a different legal basis; this violated the principle of transparency and thus the obligation to provide information under Art. 13 (1) c) and Art. 14 (1) c) GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data. | link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-07-XX | 2,500 EUR | UTTIS INDUSTRIES SRL | Art. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPR | The sanctions were applied because the controller could not prove that data subjects had been informed about the processing of their personal data / images through the video surveillance system it had been operating since 2016, and because it disclosed the CNP (Romanian personal numerical code) of its employees by showing the 2018 training report for ISCIR-authorised personnel to the person who notified the authority, without being able to prove the lawfulness of that disclosure under Art. 6 GDPR. | link
GERMANY
Data Protection Authority of Berlin | 2019-08-13 | 200,000 EUR | Online company | Unknown | Unknown | link link