Germany: Possible new high fine on H&M
Since the fashion retailer H&M has been suspected of spying on employees and of having stored private data on illnesses, the company is threatened with a high fine:
link
Italy: Two new fines in the amount of 11.5 Mio EUR
Fines imposed on Eni Gas e Luce for unlawful advertising activities and activation of unsolicited contracts.
Czech DPA publishes overview of fines issued to date
So far 17 fines imposed in the Czech Republic under the GDPR:
link
GDPR Enforcement Tracker
This website contains a list and overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties.
Country
Authority
Date
Fine [€]
Controller/Processor
Quoted Art.
Type
Summary
Infos
AUSTRIA
Austrian Data Protection Authority (dsb)
2018-12-09
4,800
Betting place
Art. 13 GDPR
Insufficient fulfilment of information obligations
Video surveillance was not sufficiently marked and a large part of the sidewalk of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted.
link
AUSTRIA
Austrian Data Protection Authority (dsb)
2018
1,800
Kebab restaurant
Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR
Insufficient legal basis for data processing
CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: Fine has been reduced to EUR 1500 by court, see
link
link
AUSTRIA
Austrian Data Protection Authority (dsb)
2018
Unknown
Restaurant
Unknown
Insufficient legal basis for data processing
CCTV was unlawfully used. No further information available.
link
AUSTRIA
Austrian Data Protection Authority (dsb)
2018-09-27
300
Private car owner
Art. 5 (1) a) GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
A Dashcam was unlawfully used.
link
AUSTRIA
Austrian Data Protection Authority (dsb)
2018-12-20
2,200
Private person
Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR
Insufficient legal basis for data processing
The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely: parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, the video surveillance covered garden areas of an adjacent property. The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller. Video surveillance is therefore not proportionate to the purpose and not limited to what is necessary. The video surveillance records the hallway of the house and films residents entering and leaving the surrounding apartments, thereby intervening in their highly personal areas of life without the consent to record their image data. The video surveillance was not properly indicated.
link
BELGIUM
Belgian Data Protection Authority (APD)
2019-05-28
2,000
Mayor
Art. 5 (1) b) GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.
link
BULGARIA
Bulgarian Commission for Personal Data Protection (KZLD)
2018-12-04
500
Bank
Art. 5 (1) b) GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
A fine of 1000 BGN (or roughly 500 EUR) was imposed on a bank for calling a client about the unresolved bills of his neighbour. This prompted the client to invoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, on which the bank did take action within the statutory period. Nonetheless, the client filed a complaint with the KZLD. The infringement for which the bank was fined was that the processing of the client's personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed was different from that communicated at the time of conclusion of the contract, the bank had, in the view of the KZLD, to request additional consent from its client.
link
link
BULGARIA
Bulgarian Commission for Personal Data Protection (KZLD)
2019-02-26
27,100
Telecommunication service provider
Art. 6 GDPR, Art. 5 (1) a) GDPR
Insufficient legal basis for data processing
Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider used personal data to register the complainant for the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. No other legal basis applied either. The signature on the application and the complainant's own genuine signature were not identical; the person's personal identification number was indicated, but the identity card number was not the complainant's.
link
BULGARIA
Bulgarian Commission for Personal Data Protection (KZLD)
2019-01-17
500
Bank
Art. 6 GDPR, Art. 5 (1) a) GDPR
Insufficient legal basis for data processing
A bank obtained personal data concerning a student without a legal basis.
link
BULGARIA
Bulgarian Commission for Personal Data Protection (KZLD)
2019-02-22
500
Employer
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
An employee sent a request to his employer for access to personal data concerning him. The request was not answered in time and not in a complete way.
link
CYPRUS
Cypriot Data Protection Commissioner
2019
5,000
State Hospital
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
A patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.
link
CYPRUS
Cypriot Data Protection Commissioner
2019
10,000
Newspaper
Art. 6 GDPR
Insufficient legal basis for data processing
The newspaper's publication, both in hard copy and in electronic form, concerned the alleged harassment and unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could have been achieved by referring only to the initials of their names and/or blurring their faces and/or publishing photographs taken from a distance so that the persons could not be identified; these measures would not have changed the nature of the case.
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
2019-01-10
388
Employer
Art. 6 GDPR
Insufficient legal basis for data processing
A former employee of a company requested the deletion of information relating to him/her which was published on the Facebook website of the employer and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee.
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
2019-02-04
1,165
Car renting company
Art. 5 (1) a) GDPR
Insufficient fulfilment of information obligations
A person who rented a car found out that the car was tracked via GPS by the rental company even though no information had been provided about the tracking. The Czech Data Protection Authority found that no information within the meaning of Art. 13 GDPR had been provided and that Art. 6 (1) f) GDPR could not serve as the legal basis under the concrete circumstances. The UOOU therefore found a violation of Art. 5 (1) a) GDPR, for which it imposed the fine.
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
2019-02-28
582
Unknown
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
2019-02-04
1,165
Credit brokerage
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
2018-10-25
388
Unknown
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
Information was not provided.
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
2019-02-26
776
Unknown
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
Information was not provided.
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
2019-03-21
9,704
Unknown
Art. 5 (1) GDPR
Non-compliance with general data processing principles
Data was processed beyond what was adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed ("data minimisation"), and was kept in a form which permits identification of data subjects for longer than necessary for those purposes ("storage limitation").
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
Unknown
3,140
UniCredit Bank Czech Republic and Slovakia, a.s.
Art. 6 GDPR
Insufficient legal basis for data processing
The bank opened a personal bank account for a data subject without his consent or knowledge. The bank presumably had his personal data available because the data subject had been authorised to operate his employer's company account. The bank was not able to provide the Office for Personal Data Protection with the documentation needed to prove that a contract had been concluded with the data subject.
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
2019-05-06
194
Unknown
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
Information was not provided.
link
DENMARK
Danish Data Protection Authority (Datatilsynet)
2019
160,000
Taxa 4x35
Art. 5(1) e) GDPR
Non-compliance with general data processing principles
The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data minimisation principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold individuals' phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
link
DENMARK
Danish Data Protection Authority (Datatilsynet)
2019-06-03
200,850
IDdesign A/S
Art. 5 (1) e) GDPR, Art. 5 (2) GDPR
Non-compliance with general data processing principles
The fine was imposed as a result of an inspection carried out in autumn 2018. IDdesign had processed the personal data of approximately 385,000 customers for longer than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deletion deadlines for personal data in its new CRM system, and data in the old system had not been deleted once the deadlines set for it had been reached. The controller had also not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines will be imposed by courts.
link
FRANCE
French Data Protection Authority (CNIL)
2019-01-21
50,000,000
Google Inc.
Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR
Insufficient legal basis for data processing
The fine was imposed on the basis of complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net". The complaints were filed on 25 and 28 May 2018, immediately after the GDPR became applicable. The complaints concerned the creation of a Google account during the configuration of a mobile phone using the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were neither "specific" nor "unambiguous" (Art. 4 nr. 11 GDPR).
link
FRANCE
French Data Protection Authority (CNIL)
2019-05-28
400,000
SERGIC (Real Estate)
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The CNIL based the penalty on two grounds: lack of basic security measures and excessive data storage. As to the first, sensitive documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments and account statements) were accessible online without any authentication procedure in place. Although the vulnerability had been known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account, among other things, the seriousness of the breach (the lack of due care in addressing the vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.
link
GERMANY
Data Protection Authority of Baden-Wuerttemberg
2018-11-21
20,000
Knuddels.de
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
After a hacker attack in July, personal data of approx. 330,000 users, including passwords and email addresses, had been revealed.
link
GERMANY
Data Protection Authority of Hamburg
2018-12-17
5,000
Kolibri Image Regina und Dirk Maass GbR
Art. 28 (3) GDPR
Insufficient data processing agreement
Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. Without answering Kolibri Image in more detail, the Authority forwarded the case to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the service provider. Kolibri Image has stated that it will challenge the decision in court, since it is of the opinion that the service provider does not act as a processor.
link
link
GERMANY
Data Protection Authority of Baden-Wuerttemberg
2019
80,000
Unknown
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
A company in the financial sector had improperly disposed of personal data.
link
GERMANY
Data Protection Authority of Sachsen-Anhalt
2019-02-05
2,500
Private person
Art. 6 GDPR, Art. 5 GDPR
Insufficient legal basis for data processing
The fine was imposed against a private person who sent several e-mails between July and September 2018 with the recipients' personal e-mail addresses visible to all recipients, so that each recipient could read the addresses of countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal mail addresses were identifiable in his mailing list.
link
GERMANY
Data Protection Authority of Hamburg
2018
20,000
Unknown
Art. 83 (4) a) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR
Insufficient fulfilment of data breach notification obligations
Late notification of a data breach and failure to notify the data subjects.
Page 134 of the activity report of the Data Protection Commissioner of Hamburg, accessible under
link
GERMANY
Data Protection Authority of Saarland
Unknown
118
Unknown
Art. 6 GDPR
Insufficient legal basis for data processing
Illegal disclosure of personal data relating to a third party.
link
GERMANY
Data Protection Authority of Hamburg
2018
500
Unknown
Unknown
Unknown
Unknown
link
GERMANY
Data Protection Authority of Berlin
2019-03
50,000
N26
Art. 6 GDPR
Insufficient legal basis for data processing
The fine was imposed against a bank (according to a newspaper, N26) that had processed "personal data of all former customers" without permission. The bank has acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not open a new account for these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal. The authority argues that, in order to prevent a new bank account from being opened, only those persons may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new bank account. The authority told a newspaper that the fine proceedings initiated against the bank had "not yet been legally concluded".
Page 131 of the activity report of the Data Protection Commissioner of Berlin
link
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-02-08
1,560
Bank
Art. 5 (1) d) GDPR
Non-compliance with general data processing principles
A bank mistakenly sent SMS messages about a data subject's credit card debt to the telephone number of another person. Having received an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS messages to the incorrect telephone number. The fine represents 0.0016% of the annual profit of the bank.
link
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-02-20
1,560
Debt collector
Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR
Non-compliance with general data processing principles
A data subject requested information about and erasure of the data processed, which the debt collector refused, stating that it could not identify the subject. For identification purposes it requested place of birth, mother's maiden name and further details from the data subject. After the controller succeeded in identifying the data subject, it refused to comply with the deletion request, arguing that it was legally obliged to retain backup copies under the Accountancy Act and its internal policies. Since it had not properly informed the data subject about these policies, the NAIH held that the controller had breached the principle of transparency. The fine constitutes 0.0025% of the annual profit of the controller.
link
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2018-12-18
3,200
Unknown
Art. 12 (4) GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 13 GDPR
Insufficient fulfilment of data subjects rights
The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint to the supervisory authority.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-02-28
3,200
Mayor's Office of the city of Kecskemét
Art. 5 (1) a) GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
The fine was imposed on the Mayor's Office of the city of Kecskemét for unlawful disclosure of the personal information of a whistleblower. NAIH imposed the fine after an employee of an organisation supervised by the Mayor's Office reported a public interest complaint against his employer directly to the NAIH. After the organisation learned of the complaint, it requested details in order to investigate, and the local government accidentally revealed the complainant's name. The NAIH considered it an aggravating factor that, as a result of the data breach, the organisation fired the person who made the report.
link
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-03-04
3,200
Unnamed financial institution
Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDPR
Insufficient fulfilment of data subjects rights
The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.
link
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-04-05
34,375
Hungarian political party
Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR
Insufficient fulfilment of data breach notification obligations
NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and the affected individuals about a data breach, and for failing to document the breach as required by Art. 33 (5) GDPR. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65% of its anticipated turnover for the coming year. The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation's system (a database of more than 6,000 individuals) together with the command used for the attack. The system was vulnerable because of a redirection problem with the organisation's webpage. After the attacker published the command, even people with little IT knowledge were able to retrieve information from the database.
link
ITALY
Italian Data Protection Authority (Garante)
2019-04-17
50,000
Italian political party Movimento 5 Stelle
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
A number of websites affiliated with the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform suffered a data breach during the summer of 2017, which led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to an obligation to update the privacy information notice in order to give additional transparency to the data processing activities performed. While the update of the privacy information notice was completed in time, the Garante raised concerns about the lack of implementation on the Rousseau platform of some of the GDPR-related security measures. It is worth mentioning that the proceedings were initiated before May 2018, but the Garante issued a fine under the GDPR because the Rousseau platform had not adopted the security measures required by an order issued after 25 May 2018. Interestingly, the fine was not issued against Movimento 5 Stelle, which is the data controller of the platform, but against the Rousseau association, which is the data processor.
link
LITHUANIA
Lithuanian Data Protection Authority (VDAI)
2019-05-16
61,500
Payment service provider UAB MisterTango
Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR
Insufficient fulfilment of data breach notification obligations
During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which it acted as controller. In addition, it became known that from 9 to 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments involving 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary. The controller did not report the data breach.
link
MALTA
Data Protection Commissioner of Malta
2019-02-18
5,000
Lands Authority
Art. 5 GDPR, Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple Google search. The majority of the leaked data contained highly sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to €25,000 for each violation and may additionally impose a daily fine of €25 for each day such violation persists.
link
NORWAY
Norwegian Supervisory Authority (Datatilsynet)
2019-03
170,000
Bergen Municipality
Art. 5 (1) f) GDPR, Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The incident relates to computer files containing usernames and passwords for over 35,000 user accounts in the municipality's computer system. The user accounts belonged both to pupils in the municipality's primary schools and to the employees of the same schools. Due to insufficient security measures, these files were unprotected and openly accessible. The lack of security measures made it possible for anyone to log in to the schools' various information systems and thereby access various categories of personal data relating to the pupils and employees of the schools. The fact that the security breach encompassed the personal data of over 35,000 individuals, the majority of them children, was considered an aggravating factor. The municipality had also been warned several times, both by the authority and by an internal whistleblower, that the data security was inadequate.
link
POLAND
Polish National Personal Data Protection Office (UODO)
2019-03-26
220,000
Private company working with data from publicly available sources
Art. 14 GDPR
Insufficient fulfilment of information obligations
The fine concerned proceedings related to the activity of a company which processed data subjects' data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, for commercial purposes. The authority found non-compliance with the information obligation in relation to natural persons conducting business activity: entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) GDPR only to the persons whose e-mail addresses it had at its disposal. For the remaining persons the controller failed to comply with the information obligation, as it explained in the course of the proceedings, due to high operational costs; it therefore presented the information clause only on its website. According to the UODO this is not sufficient. Addendum: In the meantime, the court has cancelled the fine due to procedural errors. The amount of the fine has to be determined by the concrete number of data records concerned. However, the Office had not submitted any verifiable evidence in this regard, but had simply assumed that 6 million data sets were involved, which the controller had denied. Important findings were therefore missing. In particular, it was incorrect to justify the amount of the fine on the basis of general preventive considerations; Art. 58 GDPR expressly requires that a fine imposed be related to the specific facts of the case. The Polish data protection authority has already announced that the fine will be reassessed in a new administrative procedure.
link
POLAND
Polish National Personal Data Protection Office (UODO)
2019-04-25
12,950
Sports association
Art. 6 GDPR
Insufficient legal basis for data processing
A sports association published online personal data of judges who had been granted judicial licences. Not only their names were provided, but also their exact addresses and PESEL numbers. There is no legal basis for such a wide range of data on judges to be available on the Internet. By making the data public, the controller created a potential risk of its unauthorised use, e.g. to impersonate the judges for the purpose of taking out loans or other obligations. Although the association itself noticed its error, as evidenced by its notification of a personal data breach to the President of UODO, the fact that its attempts to remove the data were ineffective led to the imposition of a penalty. When determining the amount of the fine (PLN 55,750.50), the President of UODO also took into account, among other things, the duration of the infringement and the fact that it concerned a large group of persons (585 judges). It concluded that although the infringement was finally remedied, it was of a serious nature. However, when imposing the penalty, the authority also took into account mitigating circumstances, such as the good cooperation between the controller and the supervisory authority and the lack of evidence that damage had been caused to the persons whose data had been disclosed.
link
link
PORTUGAL
Portuguese Data Protection Authority (CNPD)
2018-07-17
400,000
Public Hospital
Art. 5 (1) f) GDPR, Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The investigation revealed that the hospital's staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient: the hospital had 985 registered doctor profiles while having only 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of their specialty.
link
SPAIN
Spanish Data Protection Authority (aepd)
Unknown
5,000
VODAFONE ESPANA, S.A.U.
Art. 5 (1) d) GDPR
Non-compliance with general data processing principles
The Spanish Secretariat of State for Telecommunications and the Information Society (SETSI) had decided that Vodafone had to reimburse a customer for costs he had been wrongfully charged. Nevertheless, Vodafone reported the personal data of this customer to a solvency (credit default) register (BADEXCUG). The AEPD found that this conduct violated the principle of accuracy.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-06-11
250,000
Professional Football League (LaLiga)
Art. 5 (1) a), Art. 7 (3) GDPR
Insufficient fulfilment of information obligations
The national Football League (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.
link
SPAIN
Spanish Data Protection Authority (aepd)
Unknown
60,000
Debt collection agency (GESTIÓN DE COBROS, YO COBRO SL)
Art. 5 (1) f) GDPR
Insufficient legal basis for data processing
After the claimant had allegedly failed to repay a microcredit to an online credit agency, the claim was assigned to the debt collection agency. The latter then started sending e-mails not only to the e-mail addresses provided by the claimant but also to an institutional e-mail address at his workplace, which was accessible to any co-worker and which the claimant had never provided.
link
SPAIN
Spanish Data Protection Authority (aepd)
Unknown
27,000
VODAFONE ESPAÑA, S.A.U.
Art. 5 (1) d) GDPR
Insufficient fulfilment of data subjects rights
Although the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and the company had confirmed this request, he received more than 200 SMS messages from the company from 2018 onwards. According to Vodafone's statement, this happened because the complainant's mobile phone number had erroneously been used for testing purposes and had accidentally ended up in various customer files belonging to other customers. Since the company agreed to both payment and admission of responsibility, the fine was reduced in accordance with Spanish administrative law to EUR 27,000.
link
GERMANY
Data Protection Authority of Baden-Wuerttemberg
2019-05-09
1,400
Police Officer
Art. 6 GDPR
Insufficient legal basis for data processing
The police officer, using his official user ID but without any connection to his official duties, queried the owner data for the licence plate of a person he barely knew via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, requesting not only the injured party's personal data but also the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone, without any official reason and without the injured party's consent. Through the ZEVIS and SARS enquiries for private purposes and the use of the resulting mobile phone number for private contact, the police officer processed personal data outside the scope of the law on his own authority. This infringement is not attributable to the police officer's department, since he did not commit the act in the exercise of his official duties but exclusively for private purposes. The exemption under § 28 LDSG, according to which the sanctions of the GDPR cannot be imposed on public bodies, does not apply here, since the conduct was neither misconduct attributable to the authority nor is the person concerned to be classified, with respect to the acts in question, as a separate public body within the meaning of § 2 (1) or (2) LDSG.
link
FRANCE
French Data Protection Authority (CNIL)
2019-06-13
20,000
Employer UNIONTRAD COMPANY
Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR
Insufficient legal basis for data processing
Between 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstations. On two occasions, it reminded the company of the rules to be observed when installing cameras in the workplace, in particular that employees must not be filmed continuously and that information about the data processing has to be provided. In the absence of satisfactory measures by the deadline set in the formal notice, the CNIL carried out a second audit in October 2018, which confirmed that the employer was still breaching data protection law when recording employees with CCTV. When determining the amount of the fine, the CNIL took into account the size of the company (9 employees) and its financial situation (turnover of EUR 885,739 in 2017 and a negative net result of EUR 110,844) in order to arrive at a dissuasive but proportionate administrative fine.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-04-17
9,400
Unknown
Art. 5 (1) a) GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
A data controller relied on a legal basis which, in the view of the NAIH, was the wrong one (Art. 6 (1) b) GDPR) for the processing of personal data in connection with the assignment of claims.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-04-05
1,900
Unknown
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
The data controller did not fulfil the data subject's access request.
link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)
2019-04-08
510
Medical centers
Art. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 9 (2) GDPR, Art. 6 (1) GDPR
Insufficient legal basis for data processing
The sanction of 510 EUR was imposed on each medical center for unlawful processing of the personal data of data subject G.B. by a medical centre for the purpose of changing his GP. The medical centre used a software to generate a registration form for change of GP which was submitted to the Regional Health Insurance Fund and then to another medical centre, which subsequently also unlawfully processed the personal data of G.B.
link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)
2019-03-26
5,100
A.P. EOOD
Art. 5 (1) a) GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
The sanction was imposed on personal data administrator A.P. EOOD for unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD for preparing an Employment Contract, while he was in prison.
link
SPAIN
Spanish Data Protection Authority (aepd)
Unknown
60,000
ENDESA (energy supplier)
Art. 5 (1) f) GDPR
Insufficient legal basis for data processing
The complainant's bank account was charged by ENDESA for a contract whose beneficiary was a third party who had been convicted under criminal law and subjected to a two-year restraining order in relation to the claimant, her home and her workplace. Instead of amending the contract details as requested by the claimant, ENDESA erroneously deleted her data and filled in the data of the third party. The AEPD found that the disclosure of the claimant's data to the third party was a serious violation of the principle of confidentiality.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-06-27
130,000
UNICREDIT BANK SA
Art. 25 (1) GDPR, Art. 5 (1) c) GDPR
Insufficient technical and organisational measures to ensure information security
The fine was issued for the failure to implement appropriate technical and organisational measures (relating to (1) the determination of the means and operations of processing and (2) the integration of the necessary safeguards), which resulted in the online disclosure of the IDs and addresses (from internal/external transactions) of 337,042 data subjects to the respective payment beneficiaries between 25 May 2018 and 10 December 2018.
link
UNITED KINGDOM
Information Commissioner (ICO)
2019-07-08
204,600,000
British Airways
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Please note: This fine is not final; it will be decided once the company and the supervisory authorities of the other member states involved have made their representations. The ICO issued a notice of its intention to fine British Airways £183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, through which customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. The ICO's investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-07-02
15,000
WORLD TRADE CENTER BUCHAREST SA
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The security breach consisted in a printed paper list, used to check breakfast guests and containing the personal data of 46 guests staying at the hotel operated by WORLD TRADE CENTER BUCHAREST SA, being photographed by unauthorised persons from outside the company, which led to the disclosure of the personal data of some guests through online publication. WORLD TRADE CENTER BUCHAREST SA was sanctioned because it had not taken steps to ensure that data is not disclosed to unauthorised parties.
link
UNITED KINGDOM
Information Commissioner (ICO)
2019-07-09
110,390,200
Marriott International, Inc
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Please note: This fine is not final; it will be decided once the company and the supervisory authorities of the other member states involved have made their representations. The ICO issued a notice of its intention to fine Marriott International Inc in relation to a cyber incident which was notified to the ICO by Marriott in November 2018. The GDPR infringements are likely to involve a breach of Art. 32 GDPR. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA) and seven million to UK residents. It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-05-23
92,146
Organizer of SZIGET festival and VOLT festival
Art. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPR
Insufficient legal basis for data processing
The NAIH found that inappropriate legal bases were in use and that the controller did not comply with the principle of purpose limitation. In addition, information on the data processing was not fully provided to data subjects.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-07-05
3,000
LEGAL COMPANY & TAX HUB SRL
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The fine was imposed because adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing had not been implemented. This led to unauthorised disclosure of and unauthorised access to the personal data of people who had made transactions via the avocatoo.ro website (name, surname, mailing address, e-mail, phone, job, details of the transactions made), because the documents were publicly accessible between 10 December 2018 and 1 February 2019. The supervisory authority applied the sanction following a notification dated 12 October 2018 indicating that a set of files containing these transaction details was publicly accessible through two links.
link
THE NETHERLANDS
Dutch Supervisory Authority for Data Protection (AP)
2019-06-18
460,000
Haga Hospital
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The Haga Hospital did not have proper internal security of patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority, which was triggered when it emerged that dozens of hospital staff had unnecessarily looked into the medical records of a well-known Dutch person. To force the hospital to improve the security of patient records, the AP simultaneously imposed an order subject to a penalty: if the Haga Hospital has not improved security before 2 October 2019, it must pay EUR 100,000 every two weeks, up to a maximum of EUR 300,000. The Haga Hospital has meanwhile indicated that it is taking measures.
link
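The Haga case is the detective counterpart of the access-control point: even where every viewer holds a valid clinical account, access to a record by staff with no treatment relationship, or a single record suddenly opened by dozens of users, should surface in an audit of the access log. The following is an added example written for this page, not the hospital's or the AP's tooling; the log line format, the `care_team` mapping and all identifiers are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example):
#   <timestamp> user=<user_id> action=<view|update|...> patient=<patient_id>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_access_log(lines):
    """Yield (timestamp, user, action, patient) for well-formed lines; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("user"), m.group("action"), m.group("patient")


def unjustified_views(lines, care_team):
    """Return sorted (user, patient) pairs where a user viewed the record of a
    patient whose care team (patient_id -> set of user_ids) does not include them.
    Each pair is reported once, however many times the record was opened."""
    hits = set()
    for _ts, user, action, patient in parse_access_log(lines):
        if action != "view":
            continue
        if user not in care_team.get(patient, set()):
            hits.add((user, patient))
    return sorted(hits)


def crowded_records(lines, threshold):
    """Return {patient: distinct_viewer_count} for records opened by at least
    `threshold` distinct users, i.e. the 'many staff looked at one file' pattern
    that is visible even without a care-team mapping."""
    viewers = defaultdict(set)
    for _ts, user, action, patient in parse_access_log(lines):
        if action == "view":
            viewers[patient].add(user)
    return {p: len(u) for p, u in viewers.items() if len(u) >= threshold}


# Constructed sample data (hypothetical identifiers).
SAMPLE_CARE_TEAM = {"P42": {"u1", "u2"}, "P77": {"u3"}}
SAMPLE_LOG = """\
2019-04-02T09:00:01 user=u1 action=view patient=P42
2019-04-02T09:05:10 user=u2 action=update patient=P42
2019-04-02T09:07:44 user=u5 action=view patient=P42
2019-04-02T09:08:02 user=u6 action=view patient=P42
2019-04-02T09:08:30 user=u7 action=view patient=P42
2019-04-02T09:09:00 user=u7 action=view patient=P42
this line is malformed and is skipped by the parser
2019-04-02T10:00:00 user=u3 action=view patient=P77
""".splitlines()

if __name__ == "__main__":
    print(unjustified_views(SAMPLE_LOG, SAMPLE_CARE_TEAM))
    print(crowded_records(SAMPLE_LOG, threshold=3))
```

On the sample log, `u5`, `u6` and `u7` are reported for `P42` (none of them is on that patient's care team), while `u1` and `u3` are not; `P42` is also flagged by the threshold check because four distinct users opened it, whereas `P77` was opened by one. In practice the threshold is tuned per record type, and a break-glass flow should log its justification so that its accesses can be excluded from the first check.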
FRANCE
French Data Protection Authority (CNIL)
2019-07-25
180,000
ACTIVE ASSURANCES (car insurer)
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
A large number of customer accounts, client documents (including copies of driving licences, vehicle registration documents, bank statements and documents used to determine whether a person had been subject to a licence withdrawal) and other data were easily accessible online. Among other things, the CNIL criticised the password management: unauthorised access was possible without any authentication.
link
GREECE
Hellenic Data Protection Authority (HDPA)
2019-07-30
150,000
PWC Business Solutions
Art. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPR
Insufficient legal basis for data processing
The processing of employee personal data was based on consent. The HDPA found that consent was an inappropriate legal basis, since the processing was intended to carry out acts directly linked to the performance of employment contracts, to comply with a legal obligation to which the controller is subject, and to ensure the smooth and effective operation of the company as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data on the basis of consent, while in reality it was processing their data on a different legal basis. This violated the principle of transparency and thus the obligation to provide information under Art. 13 (1) c) and Art. 14 (1) c) GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-10-17
2,500
UTTIS INDUSTRIES SRL
Art. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPR
Insufficient fulfilment of information obligations
The sanctions were applied because the controller could not prove that data subjects had been informed about the processing of their personal data/images through the video surveillance system it had been operating since 2016, and because it had disclosed the CNP (Romanian personal identification number) of employees by displaying the 2018 training report for ISCIR-authorised personnel to the complainant, without being able to prove the lawfulness of this processing by disclosure under Art. 6 GDPR.
link
SWEDEN
Data Protection Authority of Sweden
2019-08-20
18,630
School in Skellefteå
Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPR
Insufficient legal basis for data processing
A school in Skellefteå ran a trial of facial recognition technology. The fine was imposed on the school board because the school had used facial recognition to monitor student attendance. Although processing data for the purpose of monitoring attendance is in general possible, doing so with facial recognition is disproportionate to that goal. The supervisory authority took the view that biometric data of students was processed, so that Art. 9 GDPR applies. It also argued that consent could not serve as a legal basis, since students and their guardians cannot freely decide whether they/their children want to be monitored for attendance purposes. Examining whether the school board could rely on any of the exemptions listed in Art. 9 (2) GDPR, the authority found that it could not. The authority further found that the processing was high-risk, since new technology was used to process sensitive personal data concerning children who are in a position of dependency towards the school board, and since camera surveillance was used in the students' everyday environment. In the authority's view, the school board was unable to demonstrate compliance with Art. 35 GDPR and was required to consult the authority in accordance with Art. 36 (1) GDPR.
link
AUSTRIA
Austrian Data Protection Authority (dsb)
2019-08
50,000
Company in the medical sector
Art. 13 GDPR, Art. 37 GDPR
Insufficient fulfilment of information obligations
The (non-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for not appointing a data protection officer.
link
AUSTRIA
Austrian Data Protection Authority (dsb)
2019-07
11,000
Private person (soccer coach)
Art. 6 GDPR
Insufficient legal basis for data processing
The fine was imposed on a soccer coach who had secretly filmed female players while they were naked in the shower cubicle for years.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-08-16
60,000
AVON COSMETICS
Art. 6 GDPR
Insufficient legal basis for data processing
A consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a register of claims, preventing him from working with his bank. As a result, a third party fraudulently used the consumers personal data.
link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)
2019-08-28
2,600,000
National Revenue Agency
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Leakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure information security. It was found that personal data concerning about 6 million persons had been illegally accessible.
link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)
2019-08-28
511,000
DSK Bank
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Leakage of personal data due to inadequate technical and organisational measures to ensure information security. Third parties had access to over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data.
link
LATVIA
Data State Inspectorate (DSI)
2019-08-26
7,000
Online Services
Art. 17 GDPR
Insufficient fulfilment of data subjects rights
A merchant operating an online store infringed the "right to be forgotten" under Art. 17 GDPR: a data subject had repeatedly requested the deletion of all of his/her personal data, in particular the mobile phone number the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subject's mobile phone number.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-06-25
15,150
Unknown
Art. 33 GDPR
Insufficient fulfilment of data breach notification obligations
The data controller did not fulfil its data breach notification obligations when a flash memory with personal data was lost.
link
NORWAY
Norwegian Supervisory Authority (Datatilsynet)
2019-04-29
203,000
Oslo Municipal Education Department
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information security, unauthorized persons were able to log in as authorized users and gain access to personal data about students, legal representatives and employees.
link
PORTUGAL
Portuguese Data Protection Authority (CNPD)
2019-02-05
20,000
Unknown
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
Denial of the data subject's right of access to recorded phone calls.
link
PORTUGAL
Portuguese Data Protection Authority (CNPD)
2019-03-25
2,000
Unknown
Art. 13 GDPR
Insufficient fulfilment of information obligations
No signage indicating the use of CCTV systems.
link
GERMANY
Data Protection Authority of Berlin
2019-09-19
195,407
Delivery Hero
Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR
Insufficient fulfilment of data subjects rights
According to the findings of the Berlin data protection officer, Delivery Hero Germany GmbH had not deleted accounts of former customers in ten cases, even though those data subjects had not been active on the company's delivery service platform for years - in one case even since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. A data subject who had expressly objected to the use of his data for advertising purposes nevertheless received further 15 advertising e-mails from the delivery service. In further five cases, the company did not provide the data subjects with the required information or only after the Berlin data protection officer had intervened.
link
POLAND
Polish National Personal Data Protection Office (UODO)
2019-09-10
645,000
Morele.net
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people.
link
BELGIUM
Belgian Data Protection Authority (APD)
2019-09-17
10,000
Merchant
Art. 5 (1) c) GDPR
Non-compliance with general data processing principles
The Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject's identification number.
link
SPAIN
Spanish Data Protection Authority (aepd)
Unknown
9,600
Restaurant (SANTI 3000, S.L.)
Art. 5 (1) a) GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes. The initial fine of EUR 12.000 was reduced to EUR 9.600.
link
GREECE
Hellenic Data Protection Authority (HDPA)
2019-10-07
200,000
Telecommunication Service Provider
Art. 5 (1) c) GDPR, Art. 25 GDPR
Non-compliance with general data processing principles
A large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors.
link
GREECE
Hellenic Data Protection Authority (HDPA)
2019-10-07
200,000
Telecommunication Service Provider
Art. 21 (3) GDPR, Art. 25 GDPR
Non-compliance with general data processing principles
Inappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-10-09
150,000
Raiffeisen Bank SA
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Raiffeisen Bank Romania carried out scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform provided by the platform's staff via WhatsApp and then returned the result to Vreau Credit using the same means of communication.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-10-09
20,000
Vreau Credit SRL
Art. 32 GDPR, Art. 33 GDPR
Insufficient technical and organisational measures to ensure information security
In the same case, staff of Vreau Credit SRL sent the personal data of individuals registered on the Vreau Credit platform to Raiffeisen Bank Romania via WhatsApp for scoring assessments and received the results by the same means of communication. The sanction against Vreau Credit SRL was imposed under Art. 32 and Art. 33 GDPR.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-10-01
30,000
Vueling Airlines
Art. 5 GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
The Spanish Data Protection Agency (AEPD) sanctioned Vueling Airlines with EUR 30,000 for not giving users the ability to refuse its cookies and for forcing them to accept cookies in order to browse its website; in other words, it was not possible to browse the Vueling site without accepting its cookies. The AEPD issued a sanctioning resolution for EUR 30,000, which could be reduced to EUR 18,000 for immediate payment.
link
CYPRUS
Cypriot Data Protection Commissioner
2019
14,000
Doctor
Art. 5 GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
A patient complained to the Commissioner that her request for access to her medical file had not been satisfied by the hospital because the controller could not identify or locate the file. After investigating the case, the Commissioner imposed an administrative fine of EUR 5,000 on the hospital.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-09-26
9,000
Inteligo Media SA
Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR
Insufficient legal basis for data processing
As part of the registration process on the website avocatnet.ro, the operator used an opt-out checkbox, unticked by default, which users had to tick in order to declare that they did not wish to receive newsletters by e-mail. If the user took no action, newsletters were sent automatically. This did not meet the requirements for GDPR-compliant consent.
link
SLOVAKIA
Slovak Data Protection Office
Unknown
Unknown
Unknown
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
A data controller failed to comply with a data subject's request for access to his/her personal data processed in audio recordings.
link
SLOVAKIA
Slovak Data Protection Office
Unknown
Unknown
Unknown
Art. 5 (1) f) GDPR, Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Documents containing personal data were disposed of in the area of the municipal garbage dump.
link
SLOVAKIA
Slovak Data Protection Office
Unknown
Unknown
Unknown
Art. 5 (1) f) GDPR, Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Violation of information security measures (no further information available at the moment)
link
SLOVAKIA
Slovak Data Protection Office
Unknown
Unknown
Unknown
Art. 5 (1) a) GDPR, Art. 6 (1) a) GDPR
Insufficient legal basis for data processing
Personal data were published on the website of a city in the context of its disclosure obligation under the Freedom of Information Act. The Data Protection Authority found that the city had nevertheless published the personal data in violation of the law and without the consent of the person concerned.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-10-16
60,000
Xfera Moviles S.A.
Art. 5 GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
Xfera Móviles used personal data without a legal basis for the conclusion of a telephone contract and continued to process the personal data even after the data subject had requested that the processing be discontinued.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-10-16
8,000
Iberdrola Clientes
Art. 31 GDPR
Insufficient cooperation with supervisory authority
Iberdrola Clientes, an electricity company, had refused a person's request to change electricity supplier, claiming that the person's data would be entered in a solvency (credit default) register. The AEPD therefore asked Iberdrola Clientes for information about the possible inclusion of the person's data in the register, to which the company did not respond. This lack of cooperation with the AEPD was a violation of Art. 31 GDPR.
link
SLOVAKIA
Slovak Data Protection Office
Unknown
40,000
Slovak Telekom
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The controller did not take adequate security measures when processing personal data, thereby breaching the obligation to protect the processed personal data.
link
AUSTRIA
Austrian Data Protection Authority (dsb)
2019-10-23
18,000,000
Austrian Post
Art. 5 (1) a) GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
The Austrian Post had created profiles of more than three million Austrians, which included information about their home addresses, personal preferences, habits and probable party affinity, and had resold these, for example to political parties and companies. In the same matter, a civil court has already issued a judgment on compensation claims in the amount of EUR 800:
link
link
POLAND
Polish National Personal Data Protection Office (UODO)
2019-10-18
9,380
Mayor of Aleksandrów Kujawski
Art. 28 GDPR
Insufficient data processing agreement
No data processing agreement had been concluded with the company on whose servers the resources of the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski were hosted. For this reason, a fine of PLN 40,000 (approx. EUR 9,400) was imposed on the mayor of the town.
link
GERMANY
Data Protection Authority of Berlin
2019-10-30
14,500,000
Deutsche Wohnen SE
Art. 5 GDPR, Art. 25 GDPR
Non-compliance with general data processing principles
The company used an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. It was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. See the separate entry.
link
GERMANY
Data Protection Authority of Berlin
2019-10-30
Unknown
Deutsche Wohnen SE
Art. 5 GDPR
Non-compliance with general data processing principles
In addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR - see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-10-25
36,000
VODAFONE ESPANA, S.A.U.
Art. 5 GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
The claimant, whose data had been provided to the company by his daughter with his authorisation, received a call from the company offering its services, which he refused. Vodafone España nevertheless proceeded to provide him with services and to seek payment from him, so Vodafone España had processed the claimant's personal data without his consent.
link
GERMANY
Data Protection Authority of Baden-Wuerttemberg
2019
80,000
Unknown
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
In a digital publication, health data was accidentally published due to inadequate internal control mechanisms.
link
POLAND
Polish National Personal Data Protection Office (UODO)
2019-10-16
47,000
ClickQuickNow
Art. 5 GDPR
Non-compliance with general data processing principles
The UODO imposed a fine of EUR 47,000 for obstructing the exercise of the right to withdraw consent to the processing of personal data. The company had not taken appropriate technical and organisational measures to allow the simple and effective withdrawal of consent to the processing of personal data and the exercise of the right to request the erasure of personal data.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-07
900
TODOTECNICOS24H S.L.
Art. 13 GDPR
Insufficient fulfilment of information obligations
TODOTECNICOS24H had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.
link
SPAIN
Spanish Data Protection Authority (aepd)
Unknown
12,000
Madrileña Red de Gas
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The gas company did not have appropriate measures in place to verify the identity of the data subject. The person who filed the complaint alleges that the company e-mailed his information to a third party in response to a request.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-06
900
Cerrajero Online
Art. 13 GDPR
Insufficient fulfilment of information obligations
The company had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-10-31
6,000
Jocker Premium Invex
Art. 6 GDPR
Insufficient legal basis for data processing
After the complainant had registered for a local census, Jocker Premium Invex sent him postal advertisements and commercial offers, although data such as first name, surname and postal address had only been communicated to the public administration.
link
THE NETHERLANDS
Dutch Supervisory Authority for Data Protection (AP)
2019-10-31
900,000
UWV (Dutch employee insurance service provider)
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
As the UWV (the Dutch employee insurance service provider - "Uitvoeringsinstituut Werknemersverzekeringen") did not use multi-factor authentication when accessing the online employer portal, security was inadequate. Employers and health and safety services were able to collect and display health data from employees in an absence system.
link
PORTUGAL
Portuguese Data Protection Authority (CNPD)
2019-03-19
2,000
Unknown
Art. 13 GDPR
Insufficient fulfilment of information obligations
No signage indicating the use of CCTV systems.
link
SLOVAKIA
Slovak Data Protection Office
Unknown
50,000
Social Insurance Agency
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Applications for social benefits from Slovak citizens were sent by post to foreign authorities. These were lost in the post, with the result that the whereabouts of the personal data could not be clarified.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-13
3,000
General Confederation of Labour ('CGT')
Art. 6 GDPR
Insufficient legal basis for data processing
The CGT, with the aim of convening a meeting, e-mailed personal data of the complainant, including her home address, family relationship, pregnancy status and the date of an ongoing verbal abuse and harassment case, to 400 union members without her consent.
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
Unknown
588
Alza.cz a.s.
Art. 6 GDPR, Art. 7 GDPR
Insufficient legal basis for data processing
The company obtained a copy of the data subject's photographic ID with his consent; however, it did not react to his withdrawal of consent and continued processing his personal data.
link
CZECH REPUBLIC
Czech Data Protection Authority (UOOU)
Unknown
980
Individual entrepreneur - no further details published
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The operator of an online game was exposed to several DDoS attacks which caused the servers to malfunction. The attacker blackmailed the operator, stating that the attacks would not stop unless he paid. As part of the blackmail, the attacker offered to build an upgraded, better firewall protection for the operator's servers. The operator agreed and paid the attacker. The operator deployed the attacker's new code, which performed better than the old one but contained a backdoor. The attacker used the backdoor to steal all the player data from the server and uploaded it to his website. The Office for Personal Data Protection concluded that the operator had not taken appropriate security measures.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-19
60,000
Corporación radiotelevisión espanola
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union have reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The violation affected about 11,000 people, including identification data, employment data, data about criminal convictions and health data.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-21
60,000
Viaqua Xestión Integral Augas de Galicia
Art. 6 GDPR
Insufficient legal basis for data processing
Processing (modification) of the personal data of a customer included in a contract by a third party without the consent of the customer.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-11-25
11,000
Courier Services Company
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The fine was imposed because the controller failed to take appropriate technical and organisational measures, leading to the loss of and unauthorised access to personal data (name, bank card number, CVV code, cardholder's address, personal identification number, identity card serial number, bank account number, authorised credit limit) of approximately 1,100 data subjects.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-11-22
2,000
BNP Paribas Personal Finance S.A.
Art. 12 GDPR, Art. 17 GDPR
Insufficient fulfilment of data subjects rights
BNP Paribas Personal Finance did not react to a request for erasure within the period set by the GDPR.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-14
30,000
Telefónica SA
Art. 5 GDPR
Non-compliance with general data processing principles
Telefónica had charged the complainant various fees in connection with the operation of a telephone line which the complainant had never owned. The reason for this was that the complainant's bank account was linked to another Telefónica customer, which led to the charges being debited from the complainant's account. According to the AEPD, this is contrary to the principle of accuracy as required by Article 5(1)(d) GDPR.
link
FRANCE
French Data Protection Authority (CNIL)
2019-11-21
500,000
Futura Internationale
Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR
Insufficient fulfilment of data subjects rights
Futura Internationale was fined for cold calling after several complainants continued to receive cold calls despite having declared, directly to the caller and by post, that they did not want them. In particular, the decision pointed out that the CNIL's on-site investigation of Futura Internationale revealed, inter alia, that Futura Internationale had received several letters objecting to cold calling, that it had stored excessive information about customers and their health, and that it had not informed individuals about the processing of their personal data or the recording of telephone conversations.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-19
60,000
Xfera Moviles S.A.
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
An individual complainant had received an SMS from Xfera Móviles which was intended for a third party and which allowed him to access the account and personal data of that third party on the Xfera Móviles website using the telephone number and password received by SMS.
link
LATVIA
Data State Inspectorate (DSI)
2019-11
150,000
Unknown
Art. 6 GDPR
Insufficient legal basis for data processing
Unlawful data processing. No further information available yet.
link
SPAIN
Spanish Data Protection Authority (aepd)
Unknown
10,000
Ikea Ibérica
Art. 6 GDPR
Insufficient legal basis for data processing
The company installed cookies on an end users terminal device without prior consent of the data subject.
link
GERMANY
Data Protection Authority of Rheinland-Pfalz
2019-12-03
105,000
Hospital
Art. 5 GDPR
Non-compliance with general data processing principles
The fine is based on several breaches of the GDPR in connection with a patient mix-up at the admission of the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient management.
link
BELGIUM
Belgian Data Protection Authority (APD)
2019-11-28
5,000
Mayor
Art. 6 GDPR
Insufficient legal basis for data processing
Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.
link
BELGIUM
Belgian Data Protection Authority (APD)
2019-11-28
5,000
Municipal alderman
Art. 6 GDPR
Insufficient legal basis for data processing
Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-12-04
20,000
S CNTAR TAROM SA (Airline)
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The Romanian data protection authority imposed a sanction on an airline because it had not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data only on its instructions (Article 32(4) GDPR). As a result, an employee had unauthorised access to the booking application and was able to photograph a list with the personal data of 22 passengers/customers and disclose this list on the Internet.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-11-28
80,000
ING Bank N.V.
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
ING Bank has not taken appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers, resulting in double transactions being executed between 8 and 10 October.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-11-29
2,500
Royal President S.R.L.
Art. 15 GDPR, Art. 6 GDPR, Art. 32 GDPR
Insufficient fulfilment of data subjects rights
Royal President refused a request for access to personal data pursuant to Article 15 of the GDPR and disclosed personal data without the consent of the data subjects. In addition, Royal President has not taken appropriate technical or organisational measures to ensure the security of the data processed.
link
GERMANY
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
2019-12-09
9,550,000
Telecoms provider (1&1 Telecom GmbH)
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The controller is a company offering telecommunication services. A caller could obtain extensive personal customer data from the company's customer service department simply by giving a customer's name and date of birth. In this authentication procedure, the BfDI saw a violation of Article 32 DSGVO, according to which a company is obliged to take appropriate technical and organisational measures to systematically protect the processing of personal data. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale.
link
GERMANY
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
2019-12-09
10,000
Rapidata GmbH
Art. 37 GDPR
Lack of appointment of data protection officer
Despite repeated requests of the BfDI the company (an internet provider) did not comply with its legal obligation under Article 37 GDPR to appoint a data protection officer.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
21,000
VODAFONE ESPAÑA, S.A.U.
Art. 6 (1) GDPR
Insufficient legal basis for data processing
Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationship had ended. The fine of EUR 35,000 was reduced to EUR 21,000.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
36,000
VODAFONE ONO, S.A.U.
Art. 5 (1) f) GDPR
Non-compliance with general data processing principles
The company sent a marketing e-mail to a large number of recipients (clients) without using the blind carbon copy (BCC) feature. The initial fine of EUR 60,000 was reduced to EUR 36,000.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
48,000
VODAFONE ONO, S.A.U.
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Customers could access personal data of other customers in the customer area. The initial fine of EUR 60.000 was reduced to EUR 48.000.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
48,000
TELEFONICA MOVILES ESPAÑA, S.A.U.
Art. 5 (1) a) GDPR
Non-compliance with general data processing principles
The claimant's bank account was charged by the company with two invoices for the services he had contracted, however, displaying personal data of another customer. The initial fine of EUR 60.000 was reduced to EUR 48.000.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
30,000
VODAFONE ESPAÑA, S.A.U.
Art. 5 (1) f) GDPR, Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Disclosure of customer personal data (i.a. purchase history) via an SMS to another customer. The initial fine of EUR 50.000 was reduced to EUR 30.000.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
40,000
VODAFONE ESPAÑA, S.A.U.
Art. 6 GDPR
Insufficient legal basis for data processing
The company had charged a Netflix service that had not been solicited by the claimant. The claimant could prove that the service had been used by another household which allegedly had received the claimant's bank account and phone number from Vodafone. Since Vodafone could not prove that the claimant had consented to the conclusion of the contract concerning the Netflix services, the AEPD imposed a fine of EUR 40.000.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
20,000
individual
Art. 5 (1) c) GDPR
Non-compliance with general data processing principles
Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation).
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
9,000
individual
Art. 5 (1) c) GDPR
Non-compliance with general data processing principles
Video surveillance cameras have not only been used to protect property, but have also monitored employees (violation of principle of data minimisation).
link
SPAIN
Spanish Data Protection Authority (aepd)
2019
3,600
AMADOR RECREATIVOS, S.L
Art. 5 (1) c) GDPR
Non-compliance with general data processing principles
Video surveillance cameras recorded public space, in violation of the principle of data minimisation.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-10
15,100
Town of Kerepes
Art. 6 (1) GDPR
Insufficient legal basis for data processing
The city based its video surveillance practice on its legitimate interests (Art. 6 (1) f GDPR). However, according to Art. 6 (1) subparagraph 2 GDPR this legal basis shall not apply to processing carried out by public authorities in the performance of their tasks. The processing could not be based on any other legal basis.
link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)
2019-09-03
28,100
National Revenue Agency
Art 6 (1) GDPR, Art 58 (2) e) GDPR, Art 83 (5) a) GDPR
Insufficient legal basis for data processing
The pecuniary sanction of EUR 28,121 was imposed on the National Revenue Agency for unlawful processing of the personal data of data subject G.B.I. The personal data of G.B.I. was unlawfully collected and subsequently used to open an enforcement case against her for recovery of approx. EUR 86,569. In relation to that enforcement case, additional data concerning the bank accounts of G.B.I. was collected by the National Revenue Agency from the register of the Bulgarian National Bank. The additional data was also unlawfully processed by the National Revenue Agency when it sent distraint orders to the banks with which G.B.I. held accounts.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-28
75,000
Curenergía Comercializador de último recurso
Art. 6 GDPR
Insufficient legal basis for data processing
An individual filed a complaint against the company alleging that the company had used the individual's personal data as a former customer, such as first and last name, VAT identification number and address, to enter into an electricity supply contract.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-12-03
1,500
Cerrajeria Verin S.L.
Art. 13 GDPR
Insufficient fulfilment of information obligations
The company collected personal data without providing accurate information on its data processing activities in the privacy policy published on its website.
link
GERMANY
Data Protection Authority of Mecklenburg-Vorpommern
2019
800
Police Officer
Art. 6 GDPR
Insufficient legal basis for data processing
A police officer used a witness's personal data to contact her personally.
link
SWEDEN
Data Protection Authority of Sweden
2019-12-16
35,000
Nusvar AB
Art. 6 GDPR
Insufficient legal basis for data processing
Nusvar AB, operator of the website Mrkoll.se, which provides information on all Swedes over 16 years of age, had published information on people who are overdue.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-12-16
2,000
Globus Score SRL
Art. 58 GDPR
Insufficient cooperation with supervisory authority
The company did not comply with measures ordered by the National Supervisory Authority.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-12-03
5,000
Linea Directa Aseguradora
Art. 6 GDPR
Insufficient legal basis for data processing
The insurance company has sent advertising e-mails for the "Reto Nuez" platform without the required consent.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-12-10
1,600
Megastar SL
Art. 5 (1) c) GDPR, Art. 13 GDPR
Non-compliance with general data processing principles
The company operated a video surveillance system in which the observation angle of the cameras extended unnecessarily far into the public traffic area. Furthermore, no sign with data protection notices was affixed.
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-11-26
3,000
Modern Barber
Art. 58 GDPR
Insufficient cooperation with supervisory authority
The company did not comply with measures ordered by the National Supervisory Authority.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-12-02
2,000
Nicola Medical Team 17 SRL
Art. 58 GDPR
Insufficient cooperation with supervisory authority
The company did not comply with measures ordered by the National Supervisory Authority.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-11-18
90
Hospital
Art. 15 GDPR
Insufficient fulfilment of data subjects rights
A patient's right to access data was violated and a copying fee was unlawfully charged.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-10-24
7,400
Military Hospital
Art. 32 GDPR, Art. 33 GDPR
Insufficient fulfilment of data breach notification obligations
A military hospital did not meet the reporting deadline for data breaches. Another part of the fine relates to a lack of technical and organisational measures.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-19
6,000
Sports Bar
Art. 5 (1) c) GDPR
Non-compliance with general data processing principles
The sports bar operated a video surveillance system in which the observation angle of the cameras extended into the public traffic area.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-11-06
60,000
VODAFONE ESPANA, S.A.U.
Art. 6 GDPR
Insufficient legal basis for data processing
Vodafone sent the customer's invoice data to unauthorised third parties following a customer invoice complaint. Originally a fine of EUR 75,000 was proposed, but it was reduced to EUR 60,000 in return for immediate payment and waiver of appeal.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-10-23
60,000
VODAFONE ESPANA, S.A.U.
Art. 5 (1) f) GDPR
Non-compliance with general data processing principles
Vodafone sent an invoice history to the subscriber as part of the invoice complaint by the subscriber. The history also contained invoice data of an unknown third party.
link
THE NETHERLANDS
Dutch Supervisory Authority for Data Protection (AP)
2019-10-31
50,000
Menzis (Health Insurance Company)
Art. 5 GDPR
Non-compliance with general data processing principles
Marketing staff had access to patient data. Among other things, this violated the purpose limitation principle.
link
GREECE
Hellenic Data Protection Authority (HDPA)
2019-10-18
20,000
Wind Hellas Telecommunications
Art. 21 GDPR
Insufficient fulfilment of data subjects rights
Among other things, the company has ignored objections raised by affected parties against advertising calls.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-12-18
2,000
Telekom Romania Mobile Communications SA
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The company failed to ensure the accuracy of the processing of personal data, which resulted in the disclosure of one client's personal data to another client.
link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
2019-12-11
1,500
Unknown Company
Art. 6 GDPR
Insufficient legal basis for data processing
The company failed to delete a former employee's private emails and therefore processed personal data without legal basis and exceeding data retention requirements.
link
UNITED KINGDOM
Information Commissioner (ICO)
2019-12-17
320,000
Doorstep Dispensaree Ltd. (Pharmacy)
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.
link
BELGIUM
Belgian Data Protection Authority (APD)
2019-12-17
2,000
Nursing Care Organisation
Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR
Insufficient fulfilment of data subjects rights
The company failed to act on requests from the data subject to get access to his data and to have his data erased.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-11-29
500
Homeowners Association
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The association used video surveillance systems without proper information according to Art. 13 GDPR and without adequate security measures regarding the persons having access to the system.
link
SPAIN
Spanish Data Protection Authority (aepd)
2019-12-10
5,000
Shop Macoyn, S.L.
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
The company has sent advertising e-mails to several recipients where the e-mail addresses of all other recipients were visible to all recipients, because the recipient addresses were inserted as CC and not as BCC.
link
BULGARIA
Commission for Personal Data Protection (KZLD)
2019-09-03
1,022
Telecommunication service provider
Art. 6 (1) GDPR, Art. 25 (1) GDPR
Insufficient legal basis for data processing
The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.
link
BULGARIA
Commission for Personal Data Protection (KZLD)
2019-09-03
5,113
Telecommunication service provider
Art. 6 (1) GDPR, Art. 25 (1) GDPR
Insufficient legal basis for data processing
The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.
link
BULGARIA
Commission for Personal Data Protection (KZLD)
2019-09-03
11,760
Commercial representative of telecommunication service provider
Art. 6 (1) GDPR
Insufficient legal basis for data processing
The pecuniary sanction of EUR 11,760 was imposed on the commercial representative of a telecommunications service provider for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of a contract for mobile services and leasing contracts.
link
BULGARIA
Commission for Personal Data Protection (KZLD)
2019-09-03
1,121
Private enforcement agent
Art. 12 (4) GDPR, Art. 15 GDPR
Insufficient fulfilment of data subjects rights
The fine of EUR 1,121 was imposed on a private enforcement agent for processing the personal data of a data subject through video surveillance recordings and for refusing to grant access to the collected data. The data subject submitted an application for access to his personal data to the private enforcement agent, who failed to inform him of the reasons for the rejection of his request.
link
BULGARIA
Commission for Personal Data Protection (KZLD)
2019-10-28
511
Employer
Art. 12 (3) GDPR, Art. 15 (1) GDPR
Insufficient fulfilment of data subjects rights
The pecuniary sanction of EUR 511 was imposed on an employer for refusal to grant access to the personal data of a data subject who submitted an application for access to his personal data to his former employer.
link
BULGARIA
Commission for Personal Data Protection (KZLD)
2019-10-07
511
B.D.
Art. 31 GDPR
Insufficient cooperation with supervisory authority
The fine of EUR 511 was imposed on B.D. for failure to provide access to information which the Commission for Personal Data Protection needed for performance of its tasks and execution of a disposition.
link
BULGARIA
Commission for Personal Data Protection (KZLD)
2019-10-08
5,112
The Ministry of Interior Affairs
Art. 5 (1) GDPR, Art. 6 (1) GDPR
Insufficient legal basis for data processing
The fine of EUR 5,112 was imposed on the Ministry of Interior Affairs for unlawfully processing the personal data of data subject A.K. The Ministry of Interior sent the personal data of A.K. to the Togolese Republic (Togo).
link
BELGIUM
Belgian Data Protection Authority (APD)
2019-12-17
15,000
Website providing legal information
Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR
Insufficient fulfilment of information obligations
An operator of a website for legal news had the privacy statement only available in English, although it was also addressed to a Dutch and French speaking audience. In addition, the first version of the privacy statement was not easily accessible and did not mention the legal basis for data processing under the GDPR. Furthermore, with reference to the ECJ ruling on Planet 49, it was determined that effective consent was required for the use of Google Analytics.
link
GERMANY
Data Protection Authority of Niedersachsen
2019
294,000
Unknown
Art. 5 GDPR
Non-compliance with general data processing principles
A company was fined EUR 294,000 for 'unnecessarily long' storage and retention of personnel files and for 'excessive' data collection in the personnel selection process, during which health data were also requested.
link
SPAIN
Spanish Data Protection Authority (aepd)
2020-01-07
44,000
VODAFONE ESPANA, S.A.U.
Art. 5 (1) f) GDPR
Non-compliance with general data processing principles
The company had sent a contract with personal data, including the applicant's name, address and telephone number, to the wrong recipient.
link
SPAIN
Spanish Data Protection Authority (aepd)
2020-01-09
3,000
VODAFONE ESPANA, S.A.U.
Art. 58 GDPR
Insufficient cooperation with supervisory authority
Failure to provide information to the AEPD within the required timeframe, in violation of Article 58 GDPR.
link
SPAIN
Spanish Data Protection Authority (aepd)
2020-01-07
75,000
EDP España S.A.U.
Art. 6 GDPR
Insufficient legal basis for data processing
The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject.
link
SPAIN
Spanish Data Protection Authority (aepd)
2020-01-07
75,000
EDP Comercializadora, S.A.U.
Art. 6 GDPR
Insufficient legal basis for data processing
The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora and that the processing of data is therefore justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier.
link
SPAIN
Spanish Data Protection Authority (aepd)
2020-01-07
10,000
Asociación de Médicos Demócratas
Art. 6 GDPR
Insufficient legal basis for data processing
The Asociación de Médicos Demócratas processed personal data of its members despite having been warned by the AEPD that it was carrying out the processing without the consent of the data subjects.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-12-10
14,000
Hora Credit IFN SA
Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR
Insufficient technical and organisational measures to ensure information security
The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA transmitted documents containing personal data of another person to a wrong e-mail address. Following the investigation it was found that Hora Credit IFN SA processed the data without providing effective mechanisms for verifying and validating the accuracy of the data collected and processed, contrary to the principles set out in Art. 5 of the GDPR. It was also found that the operator did not take sufficient security measures for personal data, as required by Art. 25 and 32 of the GDPR, so as to prevent unauthorised or accidental disclosure of personal data to third parties. At the same time, Hora Credit IFN SA did not notify the Supervisory Authority of the security incident that was brought to its notice within 72 hours from the date it became aware of it, as required by Art. 33 of the GDPR. The fine consists of three partial fines of EUR 3,000, EUR 10,000 and EUR 1,000.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-12-16
6,000
SC Enel Energie S.A. (Electricity Distributor)
Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 21 GDPR
Insufficient legal basis for data processing
The sanctions were imposed following a complaint alleging that Enel Energie had unlawfully processed an individual's personal data and was unable to prove that it had obtained the individual's consent to send e-mail notifications. In addition, the ANSPDCP pointed out that the operator had not taken the necessary measures to stop the transmission of notifications, despite the fact that the person had repeatedly exercised his right to object. The operator, SC Enel Energie SRL, was sanctioned with two administrative fines, each amounting to 14,334.30 lei, the equivalent of EUR 3,000.
link
CYPRUS
Cyprian Data Protection Commissioner
2020-01-13
9,000
Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance
Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GDPR.
link
CYPRUS
Cyprian Data Protection Commissioner
2019-10-25
70,000
LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd
Art. 6 GDPR, Art. 9 GDPR
Insufficient legal basis for data processing
The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.
link
CYPRUS
Cyprian Data Protection Commissioner
2019-10-25
10,000
LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd
Art. 6 GDPR, Art. 9 GDPR
Insufficient legal basis for data processing
The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.
link
CYPRUS
Cyprian Data Protection Commissioner
2019-10-25
2,000
LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd
Art. 6 GDPR, Art. 9 GDPR
Insufficient legal basis for data processing
The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.
link
CYPRUS
Cyprian Data Protection Commissioner
2020-01-13
1,000
eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD)
Art. 6 GDPR
Insufficient legal basis for data processing
Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as the possibility for telephone users to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages.
link
GREECE
Hellenic Data Protection Authority (HDPA)
2020-01-13
15,000
Allseas Marine S.A.
Art. 5 (1) a), (2) GDPR
Non-compliance with general data processing principles
The data protection supervisory authority imposed the fine for the extent to which employee data were processed by a video surveillance system in the workplace, for the unlawful introduction of that video surveillance system, and for the company's failure to sufficiently inform its employees about it.
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-12-13
5,000
Entirely Shipping & Trading S.R.L.
Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR
Non-compliance with general data processing principles
The company excessively processed the personal data of its employees through video cameras installed in the offices and in the places where the employees store their spare clothes in cabinets (changing rooms), in violation of the principle of "data minimisation".
link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
2019-12-13
5,000
Entirely Shipping & Trading S.R.L.
Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR
Non-compliance with general data processing principles
The company processed biometric data (fingerprints) of the employees for access to certain rooms, though less intrusive means for the privacy of the data subjects could have been used, in violation of the principle of "data minimisation".
link
ITALY
Italian Data Protection Authority (Garante)
2019-12-11
8,500,000
Eni Gas e Luce
Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR
Insufficient legal basis for data processing
The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts. The first fine of EUR 8.5 million relates to the unlawful processing in connection with telemarketing and telesales activities. Amongst others, promotional calls were made without the consent of the person contacted or despite that person's refusal to receive promotional calls, or without triggering the special procedures for checking the public opt-out register. In addition, there was a lack of technical and organisational measures to take account of the information provided by users; data was processed longer than the permitted data retention periods; and data on potential customers was collected from entities (list providers) who had not obtained consent to the disclosure of such data.
link
ITALY
Italian Data Protection Authority (Garante)
2019-12-11
3,000,000
Eni Gas e Luce
Art. 5 GDPR, Art. 6 GDPR
Insufficient legal basis for data processing
The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts. The second fine of EUR 3 million concerns infringements resulting from the conclusion of unsolicited contracts for the supply of electricity and gas under 'market economy' conditions. Many persons complained to the Authority that they only learned of the conclusion of a new contract after receiving the letter of termination of the contract with the previous supplier or the first Egl invoices. In some cases, the complaints reported false information in the contracts and forged signatures.
link
GREECE
Hellenic Data Protection Authority (HDPA)
2019-12-19
150,000
Aegean Marine Petroleum Network Inc.
Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR
Insufficient technical and organisational measures to ensure information security
Companies outside the Aegean Marine Petroleum Group had access to its servers containing personal data and copied the contents of the servers, since Aegean Marine Petroleum failed to take the necessary technical measures to secure the processing of large amounts of data and to keep the relevant software separate from the personal data stored on the servers. Furthermore, Aegean Marine Petroleum had not informed the data subjects of the processing of their personal data stored on the servers.
link