GDPR Enforcement Tracker

This website contains a list and overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties.

Fields per entry: Country, Authority, Date, Fine [€], Controller/Processor, Quoted Art., Type, Summary, Infos (where available).

Country: Austria
Authority: Austrian Data Protection Authority (dsb)
Date: 2018-12-09
Fine [€]: 4,800
Controller/Processor: Betting place
Quoted Art.: Art. 13 GDPR
Type: Insufficient fulfilment of information obligations
Summary: Video surveillance was not sufficiently marked and a large part of the sidewalk in front of the facility was recorded. Surveillance of the public space in this way, i.e. on a large scale by private individuals, is not permitted.

Country: Austria
Authority: Austrian Data Protection Authority (dsb)
Date: 2018
Fine [€]: 1,800
Controller/Processor: Kebab restaurant
Quoted Art.: Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR
Type: Insufficient legal basis for data processing
Summary: CCTV was unlawfully used. Sufficient information about the video surveillance was missing. In addition, the storage period of 14 days was too long and therefore against the principle of data minimization. Addendum: The fine was reduced to EUR 1,500 by a court.

Country: Austria
Authority: Austrian Data Protection Authority (dsb)
Date: 2018-09-27
Fine [€]: 300
Controller/Processor: Private car owner
Quoted Art.: Art. 5 (1) a) GDPR, Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: A dashcam was unlawfully used.

Country: Austria
Authority: Austrian Data Protection Authority (dsb)
Date: 2018-12-20
Fine [€]: 2,200
Controller/Processor: Private person
Quoted Art.: Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR
Type: Insufficient legal basis for data processing
Summary: The fine was imposed against a private person who was using CCTV at his home. The video surveillance covered areas which are intended for the general use of the residents of the multi-party residential complex, namely parking lots, sidewalks, courtyard, garden and access areas to the residential complex; in addition, it covered garden areas of an adjacent property. The video surveillance at issue in the proceedings was therefore not limited to areas under the exclusive control of the controller, and so was neither proportionate to its purpose nor limited to what is necessary. The cameras also recorded the hallway of the house and filmed residents entering and leaving the surrounding apartments, thereby intruding into their highly personal areas of life without their consent to the recording of their image data. The video surveillance was not properly indicated.

Country: Belgium
Authority: Belgian Data Protection Authority (APD)
Date: 2019-05-28
Fine [€]: 2,000
Controller/Processor: Mayor
Quoted Art.: Art. 5 (1) b) GDPR, Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: The administrative fine was imposed for the misuse of personal data by a mayor for campaign purposes.

Country: Bulgaria
Authority: Bulgarian Commission for Personal Data Protection (KZLD)
Date: 2018-12-04
Fine [€]: 500
Controller/Processor: Bank
Quoted Art.: Art. 5 (1) b) GDPR, Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: A fine of 1,000 BGN (roughly 500 EUR) was imposed on a bank for calling a client about the unresolved bills of his neighbour. This prompted the client to invoke his right to be forgotten. After not receiving any answer from the bank he filed another motion, on which the bank did take action within the statutory period. Nonetheless, the client filed a complaint with the KZLD. The infringement for which the bank was fined was that the processing of the client's personal data was not linked to his consumer credit agreement. Since the purpose for which the data were processed differed from the one communicated at the time the contract was concluded, the bank, in the view of the KZLD, had to request additional consent from its client.

Country: Bulgaria
Authority: Bulgarian Commission for Personal Data Protection (KZLD)
Date: 2019-02-26
Fine [€]: 27,100
Controller/Processor: Telecommunication service provider
Quoted Art.: Art. 6 GDPR, Art. 5 (1) a) GDPR
Type: Insufficient legal basis for data processing
Summary: Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider used personal data to register the complainant for the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose, and no other legal basis applied. The signature on the application did not match the complainant's genuine signature; the person's personal identification number was indicated, but the identity card number was not the complainant's.

Country: Bulgaria
Authority: Bulgarian Commission for Personal Data Protection (KZLD)
Date: 2019-01-17
Fine [€]: 500
Controller/Processor: Bank
Quoted Art.: Art. 6 GDPR, Art. 5 (1) a) GDPR
Type: Insufficient legal basis for data processing
Summary: A bank obtained personal data concerning a student without a legal basis.

Country: Bulgaria
Authority: Bulgarian Commission for Personal Data Protection (KZLD)
Date: 2019-02-22
Fine [€]: 500
Controller/Processor: Employer
Quoted Art.: Art. 15 GDPR
Type: Insufficient fulfilment of data subjects' rights
Summary: An employee sent a request to his employer for access to the personal data concerning him. The request was neither answered in time nor answered completely.

Country: Cyprus
Authority: Cyprian Data Protection Commissioner
Date: 2019
Fine [€]: 5,000
Controller/Processor: State Hospital
Quoted Art.: Art. 15 GDPR
Type: Insufficient fulfilment of data subjects' rights
Summary: A patient complained to the Commissioner that her request for access to her medical file was not fulfilled by the hospital because the controller could not identify or locate the dossier. After investigating the case, the Commissioner imposed an administrative fine of €5,000 on the hospital.

Country: Cyprus
Authority: Cyprian Data Protection Commissioner
Date: 2019
Fine [€]: 10,000
Controller/Processor: Newspaper
Quoted Art.: Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: The newspaper's publication, both in hard copy and in electronic form, concerned the allegedly inconvenient, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator. The Commissioner considered that the aim could have been achieved by referring only to the initials of their names, blurring their faces and/or publishing photographs taken from a distance so that the persons could not be identified; these measures would not have changed the nature of the story.

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-01-10
Fine [€]: 388
Controller/Processor: Employer
Quoted Art.: Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: A former employee of a company requested the deletion of information relating to him/her which was published on the employer's Facebook page and which was still available long after the termination of the employment relationship. The fine was imposed because the employer did not delete the information relating to the former employee.

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-02-04
Fine [€]: 1,165
Controller/Processor: Car renting company
Quoted Art.: Art. 5 (1) a) GDPR
Type: Insufficient fulfilment of information obligations
Summary: A person who rented a car found out that the car was tracked via GPS by the rental company even though no information had been provided about the tracking. The Czech Data Protection Authority found that no information within the meaning of Art. 13 GDPR had been provided and that Art. 6 (1) f) GDPR could not serve as the legal basis under the concrete circumstances. The UOOU therefore found a violation of Art. 5 (1) a) GDPR, for which it imposed the fine.

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-02-28
Fine [€]: 582
Controller/Processor: Unknown
Quoted Art.: Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-02-04
Fine [€]: 1,165
Controller/Processor: Credit brokerage
Quoted Art.: Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: 2018-10-25
Fine [€]: 388
Controller/Processor: Unknown
Quoted Art.: Art. 15 GDPR
Type: Insufficient fulfilment of data subjects' rights
Summary: Information was not provided.

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-02-26
Fine [€]: 776
Controller/Processor: Unknown
Quoted Art.: Art. 15 GDPR
Type: Insufficient fulfilment of data subjects' rights
Summary: Information was not provided.

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-03-21
Fine [€]: 10,000
Controller/Processor: Unknown
Quoted Art.: Art. 5 (1) GDPR
Type: Non-compliance with general data processing principles
Summary: Data was processed that was not adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed ("data minimisation"), and data was kept in a form which permits identification of data subjects for longer than necessary for the purposes of the processing ("storage limitation").

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: Unknown
Fine [€]: 3,140
Controller/Processor: UniCredit Bank Czech Republic and Slovakia, a.s.
Quoted Art.: Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: The bank opened a personal bank account for a data subject without his consent or knowledge. The bank supposedly had his personal data available because the subject had disposed of his employer's company account. The bank was not able to provide the Office for Personal Data Protection with the documentation necessary to prove that a contract had been entered into with the data subject.

Country: Czech Republic
Authority: Czech Data Protection Authority (UOOU)
Date: 2019-05-06
Fine [€]: 194
Controller/Processor: Unknown
Quoted Art.: Art. 15 GDPR
Type: Insufficient fulfilment of data subjects' rights
Summary: Information was not provided.

Country: Denmark
Authority: Danish Data Protection Authority (Datatilsynet)
Date: 2019
Fine [€]: 160,000
Controller/Processor: Taxa 4x35
Quoted Art.: Art. 5 (1) e) GDPR
Type: Non-compliance with general data processing principles
Summary: The Danish DPA reported the taxi company to the police and recommended a fine (of 1.2M DKK) for non-adherence to the data minimisation principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not include the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold individuals' phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines are imposed by courts.

Country: Denmark
Authority: Danish Data Protection Authority (Datatilsynet)
Date: 2019-06-03
Fine [€]: 200,850
Controller/Processor: IDdesign A/S
Quoted Art.: Art. 5 (1) e) GDPR, Art. 5 (2) GDPR
Type: Non-compliance with general data processing principles
Summary: The fine was imposed as a result of an inspection carried out in autumn 2018. IDdesign had processed personal data of approximately 385,000 customers for longer than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deletion deadlines for personal data in its new CRM system, and data in the old system had not been deleted after the deadlines set for it had been reached. The controller had also not adequately documented its personal data deletion procedures. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an uncomplicated case and the accused person consented), fines are imposed by courts.

Country: France
Authority: French Data Protection Authority (CNIL)
Date: 2019-01-21
Fine [€]: 50,000,000
Controller/Processor: Google Inc.
Quoted Art.: Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR
Type: Insufficient legal basis for data processing
Summary: The fine was imposed on the basis of complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net". The complaints were filed on 25 and 28 May 2018, immediately after the GDPR became applicable, and concerned the creation of a Google account during the configuration of a mobile phone running the Android operating system. The CNIL imposed a fine of 50 million euros for lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of a legal basis (Art. 6 GDPR). The consents obtained were neither "specific" nor "unambiguous" (Art. 4 no. 11 GDPR).

Country: France
Authority: French Data Protection Authority (CNIL)
Date: 2019-05-28
Fine [€]: 400,000
Controller/Processor: SERGIC (Real Estate)
Quoted Art.: Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: The CNIL based the penalty on two grounds: lack of basic security measures and excessive data storage. As to the first, sensitive documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments and account statements) were accessible online without any authentication procedure in place. Although the vulnerability had been known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account, among other things, the seriousness of the breach (the lack of due care in addressing the vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.

Country: Germany
Authority: Data Protection Authority of Baden-Wuerttemberg
Date: 2018-11-21
Fine [€]: 20,000
Controller/Processor: Knuddels.de
Quoted Art.: Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: After a hacker attack in July, personal data of approximately 330,000 users, including passwords and e-mail addresses, had been exposed.

Country: Germany
Authority: Data Protection Authority of Hamburg
Date: 2018-12-17
Fine [€]: 5,000
Controller/Processor: Kolibri Image Regina und Dirk Maass GbR
Quoted Art.: Art. 28 (3) GDPR
Type: Insufficient data processing agreement
Summary: Please note: According to our information this fine has since been withdrawn. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who did not want to sign a processing agreement. The Hessen authority did not answer Kolibri Image in more detail and the case was forwarded to the locally responsible Data Protection Authority of Hamburg. That authority then fined Kolibri Image, as controller, for not having a processing agreement with the service provider. Kolibri Image has stated that it will challenge the decision in court, since it is of the opinion that the service provider does not act as a processor.

Country: Germany
Authority: Data Protection Authority of Baden-Wuerttemberg
Date: 2019-04-12
Fine [€]: 80,000
Controller/Processor: Company in the financial sector
Quoted Art.: Art. 5 GDPR, Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: In an administrative decision dated 12 April 2019, the authority imposed a fine of 80,000 euros on a medium-sized financial services company. The company had failed to take the necessary care to preserve the integrity and confidentiality of information within the meaning of Art. 5 (1) f) GDPR when disposing of documents containing personal data of two customers: without prior anonymisation, the papers were disposed of in the general waste paper recycling system, where they were found by a neighbour.

Country: Germany
Authority: Data Protection Authority of Sachsen-Anhalt
Date: 2019-02-05
Fine [€]: 2,500
Controller/Processor: Private person
Quoted Art.: Art. 6 GDPR, Art. 5 GDPR
Type: Insufficient legal basis for data processing
Summary: The fine was imposed against a private person who sent several e-mails between July and September 2018 in which the personal e-mail addresses of all recipients were visible, so that each recipient could read the addresses of countless other recipients. The man was accused of ten offences between mid-July and the end of July 2018. According to the authority's letter, between 131 and 153 personal e-mail addresses were identifiable in his mailing list.

Country: Germany
Authority: Data Protection Authority of Hamburg
Date: 2018
Fine [€]: 20,000
Controller/Processor: Unknown
Quoted Art.: Art. 83 (4) a) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR
Type: Insufficient fulfilment of data breach notification obligations
Summary: Late notification of a data breach and failure to notify the data subjects.
Infos: Page 134 of the activity report of the Data Protection Commissioner of Hamburg.

Country: Germany
Authority: Data Protection Authority of Saarland
Date: Unknown
Fine [€]: 118
Controller/Processor: Unknown
Quoted Art.: Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: Illegal disclosure of personal data relating to a third party.

Country: Germany
Authority: Data Protection Authority of Hamburg
Date: 2018
Fine [€]: 500
Controller/Processor: Unknown
Quoted Art.: Unknown
Type: Unknown
Summary: Unknown

Country: Germany
Authority: Data Protection Authority of Berlin
Date: 2019-03
Fine [€]: 50,000
Controller/Processor: N26
Quoted Art.: Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: The fine was imposed against a bank (according to a newspaper, N26) that had processed "personal data of all former customers" without permission. The bank acknowledged that it had retained data relating to former customers in order to maintain a blacklist, a kind of warning file, so that it would not open a new account for these persons. The bank initially justified this by stating that it was obliged under the German Banking Act to take security measures against customers suspected of money laundering. The Berlin supervisory authority judged this to be illegal: in order to prevent a new bank account from being opened, only those persons may be included in a comparison file who are actually suspected of money laundering or for whom there are other valid reasons for refusing a new account. The authority told a newspaper that the fine proceedings initiated against the bank had "not yet been legally concluded".
Infos: Page 131 of the activity report of the Data Protection Commissioner of Berlin.

Country: Hungary
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-02-08
Fine [€]: 1,560
Controller/Processor: Bank
Quoted Art.: Art. 5 (1) d) GDPR
Type: Non-compliance with general data processing principles
Summary: A bank mistakenly sent SMS messages about a data subject's credit card debt to the telephone number of another person. Having received an incorrect telephone number from the client at the time of contracting, the bank did not comply with the data subject's request to erase the data and continued to send SMS messages to the incorrect telephone number. The fine represents 0.0016% of the bank's annual profit.

Country: Hungary
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-02-20
Fine [€]: 1,560
Controller/Processor: Debt collector
Quoted Art.: Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR
Type: Non-compliance with general data processing principles
Summary: A data subject requested information about, and erasure of, the data processed, which the debt collector refused, stating that it could not identify the subject. For identification purposes it requested the place of birth, mother's maiden name and further details from the data subject. After the controller had succeeded in identifying the data subject, it refused to comply with the deletion request, arguing that it was legally obliged to retain backup copies under the Accountancy Act and its internal policies. Since it had not properly informed the data subject about these policies, the NAIH held that the controller had breached the principle of transparency. The fine constitutes 0.0025% of the controller's annual profit.

Country: Hungary
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2018-12-18
Fine [€]: 3,200
Controller/Processor: Unknown
Quoted Art.: Art. 12 (4) GDPR, Art. 15 GDPR, Art. 18 (1) c) GDPR, Art. 13 GDPR
Type: Insufficient fulfilment of data subjects' rights
Summary: The fine was imposed for (i) not providing a data subject with CCTV recordings, (ii) not retaining recordings for further use by the data subject, and (iii) not informing the data subject about his right to lodge a complaint with the supervisory authority.

Country: Hungary
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-02-28
Fine [€]: 3,200
Controller/Processor: Mayor's Office of the city of Kecskemét
Quoted Art.: Art. 5 (1) a) GDPR, Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: The fine was imposed on the Mayor's Office of the city of Kecskemét for unlawful disclosure of the personal information of a whistleblower. The NAIH imposed the fine after an employee of an organisation supervised by the Mayor's Office reported a public interest complaint against his employer directly to the NAIH. After the organisation learned of the complaint, it requested details in order to investigate, and the local government accidentally revealed the complainant's name. The NAIH considered it an aggravating factor that, as a result of the data breach, the organisation fired the person who made the report.

Country: Hungary
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-03-04
Fine [€]: 3,200
Controller/Processor: Unnamed financial institution
Quoted Art.: Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 13 (3) GDPR, Art. 17 (1) GDPR, Art. 6 (4) GDPR
Type: Insufficient fulfilment of data subjects' rights
Summary: The fine was imposed in relation to a data subject's request for data correction and erasure. The NAIH fined an unnamed financial institution for unlawfully rejecting a customer's request to have his phone number erased; the institution had argued that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer's phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the debtor's phone number was against the principles of data minimisation and purpose limitation. As per the law, the fine was based on 0.025% of the company's annual net revenue.

Country: Hungary
Authority: Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
Date: 2019-04-05
Fine [€]: 34,375
Controller/Processor: Hungarian political party
Quoted Art.: Art. 33 (1) GDPR, Art. 33 (5) GDPR, Art. 34 (1) GDPR
Type: Insufficient fulfilment of data breach notification obligations
Summary: The NAIH imposed a fine of HUF 11,000,000 (EUR 34,375) on an undisclosed Hungarian political party for failing to notify the NAIH and the affected individuals about a data breach, and for failing to document the breach as required by Art. 33 (5) GDPR. As mandated by law, the fine was based on 4% of the party's annual turnover and 2.65% of its anticipated turnover for the coming year. The breach was the result of a cyber attack by an anonymous hacker who accessed and disclosed information on the vulnerability of the organisation's system (a database of more than 6,000 individuals) and the command used for the attack. The system was vulnerable because of a redirection problem with the organisation's webpage. After the attacker published the command, even people with little IT knowledge were able to retrieve information from the database.

Country: Italy
Authority: Italian Data Protection Authority (Garante)
Date: 2019-04-17
Fine [€]: 50,000
Controller/Processor: Italian political party Movimento 5 Stelle
Quoted Art.: Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: A number of websites affiliated with the Italian political party Movimento 5 Stelle are run, by means of a data processor, through the platform named Rousseau. The platform suffered a data breach during summer 2017, which led the Italian data protection authority, the Garante, to require the implementation of a number of security measures, in addition to an update of the privacy information notice to give additional transparency about the data processing activities performed. While the update of the privacy information notice was completed in time, the Garante raised concerns that some of the GDPR-related security measures had not been implemented on the Rousseau platform. It is worth mentioning that the proceeding was initiated before May 2018, but the Garante issued a fine under the GDPR because the Rousseau platform had not adopted security measures required by an order issued after 25 May 2018. Interestingly, the fine was not issued against Movimento 5 Stelle, the data controller of the platform, but against the Rousseau association, the data processor.

Country: Lithuania
Authority: Lithuanian Data Protection Authority (VDAI)
Date: 2019-05-16
Fine [€]: 61,500
Controller/Processor: Payment service provider UAB MisterTango
Quoted Art.: Art. 5 GDPR, Art. 32 GDPR, Art. 33 GDPR
Type: Insufficient fulfilment of data breach notification obligations
Summary: During an inspection, the Lithuanian supervisory authority found that the controller processed more data than necessary to achieve the purposes for which it was the controller. In addition, it became known that from 9 to 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursuant to Art. 33 GDPR would have been necessary; the controller did not report the data breach.

Country: Malta
Authority: Data Protection Commissioner of Malta
Date: 2019-02-18
Fine [€]: 5,000
Controller/Processor: Lands Authority
Quoted Art.: Art. 5 GDPR, Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: As a result of the lack of appropriate security measures on the Lands Authority website, over 10 gigabytes of personal data became easily accessible to the public via a simple Google search. The majority of the leaked data contained highly sensitive information and correspondence between individuals and the Authority itself. The Lands Authority chose not to appeal. In Malta, in the case of a breach by a public authority or body, the Data Protection Commissioner may impose an administrative fine of up to €25,000 for each violation and may additionally impose a daily fine of €25 for each day such violation persists.

Country: Norway
Authority: Norwegian Supervisory Authority (Datatilsynet)
Date: 2019-03
Fine [€]: 170,000
Controller/Processor: Bergen Municipality
Quoted Art.: Art. 5 (1) f) GDPR, Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: The incident relates to computer files containing usernames and passwords for over 35,000 user accounts in the municipality's computer system. The user accounts belonged both to pupils in the municipality's primary schools and to the employees of the same schools. Due to insufficient security measures, these files were unprotected and openly accessible, which made it possible for anyone to log in to the schools' various information systems and thereby access various categories of personal data relating to the pupils and employees. The fact that the security breach affected personal data of over 35,000 individuals, the majority of them children, was considered an aggravating factor. The municipality had also been warned several times, both by the authority and by an internal whistleblower, that its data security was inadequate.

Country: Poland
Authority: Polish National Personal Data Protection Office (UODO)
Date: 2019-03-26
Fine [€]: 220,000
Controller/Processor: Private company working with data from publicly available sources
Quoted Art.: Art. 14 GDPR
Type: Insufficient fulfilment of information obligations
Summary: The fine concerned proceedings related to the activity of a company which processed data subjects' data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority examined non-compliance with the information obligation in relation to natural persons conducting business activity, i.e. entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) to (3) GDPR only to the persons whose e-mail addresses it had at its disposal. For the remaining persons the controller failed to comply with the information obligation, as it explained in the course of the proceedings, due to high operational costs; instead it presented the information clause only on its website. According to the UODO this is not sufficient. Addendum: In the meantime, the court has cancelled the fine due to procedural errors. The amount of the fine has to be determined by the concrete number of data records concerned. However, the Office had not submitted any verifiable evidence in this regard, but had simply assumed that 6 million data sets were involved, which the data controller had denied. Therefore, important statements were missing. In particular, it was incorrect to justify the amount of the fine on the basis of general preventive considerations; Art. 58 GDPR expressly states that a fine imposed must be related to the specific facts of the case. The Polish data protection authority has already announced that the fine will be revised in a new administrative procedure.

Country: Poland
Authority: Polish National Personal Data Protection Office (UODO)
Date: 2019-04-25
Fine [€]: 12,950
Controller/Processor: Sports association
Quoted Art.: Art. 6 GDPR
Type: Insufficient legal basis for data processing
Summary: A sports association published online the personal data of judges who had been granted judicial licences. Not only their names were provided, but also their exact addresses and PESEL numbers. There is no legal basis for such a wide range of data on judges to be available on the internet. By making them public, the controller created a potential risk of their unauthorised use, e.g. to impersonate the judges for the purpose of taking out loans or other obligations. Although the association itself noticed its own error, as evidenced by its notification of a personal data breach to the President of the PDPA, the fact that its attempts to remove the data were ineffective determined the imposition of a penalty. When determining the amount of the fine (PLN 55,750.50), the President of the UODO also took into account, among other things, the duration of the infringement and the fact that it concerned a large group of persons (585 judges). It concluded that although the infringement was finally removed, it was of a serious nature. However, when imposing the penalty, the President of the Office of Competition and Consumer Protection also took into account mitigating circumstances, such as the good cooperation between the controller and the supervisory authority and the lack of evidence that damage had been caused to the persons whose data had been disclosed.

Country: Portugal
Authority: Portuguese Data Protection Authority (CNPD)
Date: 2018-07-17
Fine [€]: 400,000
Controller/Processor: Public Hospital
Quoted Art.: Art. 5 (1) f) GDPR, Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Summary: The investigation revealed that the hospital's staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient: the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor's specialty.

Country: Spain
Authority: Spanish Data Protection Authority (aepd)
Date: Unknown
Fine [€]: 5,000
Controller/Processor: Vodafone España, S.A.U.
Quoted Art.: Art. 5 (1) d) GDPR
Type: Non-compliance with general data processing principles
Summary: The Spanish telecommunications and information agency (SETSI) decided that Vodafone had to reimburse a customer for costs he had wrongfully been charged. Nevertheless, Vodafone reported personal data of this customer to a solvency registry (BADEXCUG). The AEPD found that this behaviour violated the principle of accuracy.

Country: Spain
Authority: Spanish Data Protection Authority (aepd)
Date: 2019-06-11
Fine [€]: 250,000
Controller/Processor: Professional Football League (LaLiga)
Quoted Art.: Art. 5 (1) a) GDPR, Art. 7 (3) GDPR
Type: Insufficient fulfilment of information obligations
Summary: The national football league (LaLiga) was fined for offering an app which once per minute accessed the microphone of users' mobile phones in order to detect pubs screening football matches without paying a fee. In the opinion of the AEPD, LaLiga did not adequately inform the users of the app about this practice. Furthermore, the app did not meet the requirements for withdrawal of consent.

SPAIN
Spanish Data Protection Authority (aepd)Unknown60,000Debt collection agency (GESTIÓN DE COBROS, YO COBRO SL)Art. 5 (1) f) GDPRInsufficient legal basis for data processingAfter the claimant allegedly failed to repay a microcredit to an online lender, the claim was assigned to the debt collection agency. The agency then started sending e-mails not only to the e-mail addresses provided by the claimant but also to an institutional e-mail address at his workplace, accessible to any co-worker, which the claimant had never provided.link
SPAIN
Spanish Data Protection Authority (aepd)Unknown27,000Vodafone España, S.A.U.Art. 5 (1) d) GDPRInsufficient fulfilment of data subjects rightsAlthough the complainant (a former Vodafone customer) had requested Vodafone to delete his data in 2015 and the company had confirmed this request, he received more than 200 SMS messages from the company from 2018 onwards. According to Vodafone's statement, this happened because the complainant's mobile phone number was erroneously used for testing purposes and accidentally appeared in various customer files belonging to customers other than the complainant. Since the company agreed to both voluntary payment and admission of responsibility, the fine was reduced to EUR 27,000 in accordance with Spanish administrative law.link
GERMANY
Data Protection Authority of Baden-Wuerttemberg2019-05-091,400Police OfficerArt. 6 GDPRInsufficient legal basis for data processingThe police officer, using his official user ID but without any connection to his official duties, queried the owner data for the licence plate of a person he barely knew via the Central Traffic Information System (ZEVIS) of the Federal Motor Transport Authority. Using the personal data obtained in this way, he then carried out a so-called SARS enquiry with the Federal Network Agency, requesting not only the personal data of the injured party but also the home and mobile phone numbers stored there. Using the mobile phone number obtained in this way, the police officer contacted the injured party by telephone, without any official reason and without the injured party's consent. Through the ZEVIS and SARS enquiries for private purposes and the use of the mobile phone number obtained in this way for private contact, the police officer processed personal data outside the scope of the law on his own authority. This infringement is not attributable to the police officer's department, since he did not commit the act in the exercise of his official duties but exclusively for private purposes. The bar on sanctions under § 28 LDSG, according to which the fines of the GDPR cannot be imposed on public bodies, does not apply in the present case, since it was neither a case of misconduct attributable to the authority nor is the person concerned to be classified as a separate public body within the meaning of § 2 (1) or (2) LDSG in respect of the acts in question.link
FRANCE
French Data Protection Authority (CNIL)2019-06-1320,000Employer UNIONTRAD COMPANYArt. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPRInsufficient legal basis for data processingBetween 2013 and 2017, the CNIL received complaints from several employees of the company who were filmed at their workstations. On two occasions it reminded the company of the rules to be observed when installing cameras in the workplace, in particular that employees must not be filmed continuously and that information about the data processing has to be provided. In the absence of satisfactory measures by the end of the deadline set in the formal notice, the CNIL carried out a second audit in October 2018, which confirmed that the employer was still breaching data protection law when recording employees with CCTV. When determining the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company, which had a negative net result in 2017 (turnover of EUR 885,739 and a net loss of EUR 110,844), in order to arrive at a dissuasive but proportionate administrative fine.link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)2019-04-179,400UnknownArt. 5 (1) a) GDPR, Art. 6 GDPRInsufficient legal basis for data processingIn the NAIH's view, the data controller relied on the wrong legal basis (Art. 6 (1) b) GDPR, performance of a contract) for the processing of personal data in connection with the assignment of claims.link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)2019-04-051,900UnknownArt. 15 GDPRInsufficient fulfilment of data subjects rightsThe data controller did not fulfil the data subject's access request.link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)2019-04-08510Medical centresArt. 5 (1) a) GDPR, Art. 9 (1) GDPR, Art. 9 (2) GDPR, Art. 6 (1) GDPRInsufficient legal basis for data processingA sanction of EUR 510 was imposed on each of two medical centres for the unlawful processing of the personal data of data subject G.B. for the purpose of changing his GP. The first medical centre used software to generate a registration form for a change of GP, which was submitted to the Regional Health Insurance Fund and then to another medical centre, which subsequently also processed G.B.'s personal data unlawfully.link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)2019-03-265,100A.P. EOODArt. 5 (1) a) GDPR, Art. 6 GDPRInsufficient legal basis for data processingThe sanction was imposed on the controller A.P. EOOD for the unlawful processing of personal data. The personal data of data subject D.D. was used by A.P. EOOD to prepare an employment contract while he was in prison.link
SPAIN
Spanish Data Protection Authority (aepd)Unknown60,000ENDESA (energy supplier)Art. 5 (1) f) GDPRInsufficient legal basis for data processingThe complainant's bank account was charged by ENDESA for a contract whose beneficiary was a third party who had been convicted under criminal law and subjected to a two-year restraining order concerning the complainant, her home and her workplace. Instead of amending the contract details as requested by the complainant, ENDESA erroneously deleted her data and filled in the data of the third party. The AEPD found that the disclosure of the complainant's data to the third party was a severe violation of the principle of confidentiality.link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2019-06-27130,000UNICREDIT BANK SAArt. 25 (1) GDPR, Art. 5 (1) c) GDPRInsufficient technical and organisational measures to ensure information securityThe fine was issued for the failure to implement appropriate technical and organisational measures, both when determining the means of processing and when integrating the necessary safeguards into the processing itself. As a result, the identification numbers and addresses of 337,042 data subjects making internal and external transactions were disclosed online to the respective payment beneficiaries between 25 May 2018 and 10 December 2018.link
UNITED KINGDOM
Information Commissioner (ICO)2019-07-08204,600,000British AirwaysArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityPlease note: This fine is not final; it will be decided once the company and the supervisory authorities of the other member states involved have made their representations. The ICO issued a notice of its intention to fine British Airways £183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. In this incident, user traffic to the British Airways website was in part diverted to a fraudulent site, through which the attackers harvested customer details. Personal data of approximately 500,000 customers were compromised in the incident, which is believed to have begun in June 2018. The ICO's investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information.link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2019-07-0215,000WORLD TRADE CENTER BUCHAREST SAArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityThe security breach consisted of a printed list used to check in breakfast guests, containing the personal data of 46 clients staying at the hotel operated by WORLD TRADE CENTER BUCHAREST SA, being photographed by unauthorised persons outside the company, which led to the personal data of some clients being disclosed through online publication. WORLD TRADE CENTER BUCHAREST SA was sanctioned because it had not taken steps to ensure that the data was not disclosed to unauthorised parties.link
UNITED KINGDOM
Information Commissioner (ICO)2019-07-09110,390,200Marriott International, Inc.Art. 32 GDPRInsufficient technical and organisational measures to ensure information securityPlease note: This fine is not final; it will be decided once the company and the supervisory authorities of the other member states involved have made their representations. The ICO issued a notice of its intention to fine Marriott International, Inc. in relation to a cyber incident notified to the ICO by Marriott in November 2018. The GDPR infringements are likely to involve a breach of Art. 32 GDPR. A variety of personal data contained in approximately 339 million guest records globally was exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA); seven million related to UK residents. It is believed the exposure began when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)2019-05-2392,146Organizer of SZIGET festival and VOLT festivalArt. 6 GDPR, Art. 5 (1) b) GDPR, Art. 13 GDPRInsufficient legal basis for data processingThe NAIH found that inappropriate legal bases were in use and that the controller did not comply with the principle of purpose limitation. In addition, information on the data processing was not fully provided to data subjects.link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2019-07-053,000LEGAL COMPANY & TAX HUB SRLArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityThe fine was imposed because adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing were not implemented. This led to unauthorised disclosure of and unauthorised access to the personal data of people who had made transactions through the avocatoo.ro website (name, surname, mailing address, e-mail, phone, job and details of the transactions made), because documents containing these details were publicly accessible between 10 December 2018 and 1 February 2019. The supervisory authority applied the sanction following a notification dated 12 October 2018 indicating that a set of files with these transaction details was publicly accessible through two links.link
THE NETHERLANDS
Dutch Supervisory Authority for Data Protection (AP)2019-06-18460,000Haga HospitalArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityThe Haga Hospital did not have adequate internal security for patient records in place. This is the conclusion of an investigation by the Dutch Data Protection Authority, which was opened after it emerged that dozens of hospital staff had accessed the medical records of a well-known Dutch person without any need to do so. To force the hospital to improve the security of patient records, the AP simultaneously imposed an order subject to a penalty: if the Haga Hospital has not improved security by 2 October 2019, it must pay EUR 100,000 every two weeks, up to a maximum of EUR 300,000. The Haga Hospital has meanwhile indicated that it is taking measures.link
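The two hospital cases above (the Portuguese public hospital with 985 doctor profiles for 296 doctors and unrestricted access regardless of specialty, and Haga Hospital, where dozens of staff viewed one patient's record) both come down to access-control checks that were never run. The following is an added example, not code from the tracker, from either hospital or from either authority, showing two audits a hospital could run against its own exports: reconciling clinical-role accounts with the HR roster, and flagging record views that have no documented treatment relationship behind them. All data structures, field names and sample records are constructed assumptions for illustration.

```python
"""Two audit checks suggested by the hospital cases above (added example).

1. Profile/roster reconciliation: every account carrying a clinical role must
   map to a currently employed member of staff holding that role.
2. Need-to-know review: each view of a patient record must be backed by a
   documented treatment relationship; records viewed by many staff without
   such a relationship are escalated for incident review.

All data below is constructed for illustration; the field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    role: str                 # e.g. "doctor", "nurse", "dietitian"
    staff_id: Optional[str]   # HR identifier the account claims to belong to


# Constructed HR roster export: staff_id -> (role, currently employed)
ROSTER = {
    "S100": ("doctor", True),
    "S101": ("doctor", True),
    "S102": ("doctor", False),     # left the hospital; account should be gone
    "S200": ("dietitian", True),
}

# Constructed directory export of user accounts
ACCOUNTS = [
    Account("u1", "doctor", "S100"),
    Account("u2", "doctor", "S101"),
    Account("u3", "doctor", "S102"),   # former employee, account still enabled
    Account("u4", "doctor", "S200"),   # dietitian holding a doctor profile
    Account("u5", "doctor", None),     # no HR backing at all
    Account("u6", "dietitian", "S200"),
]

# Constructed treatment relationships: (user_id, patient_id)
TREATMENT = {("u1", "P1"), ("u2", "P2"), ("u6", "P1")}

# Constructed record-access log: (user_id, patient_id) per record view
ACCESS_LOG = [
    ("u1", "P1"), ("u2", "P2"), ("u6", "P1"),
    ("u1", "P9"), ("u2", "P9"), ("u3", "P9"), ("u4", "P9"), ("u5", "P9"),
    ("u4", "P2"),
]


def reconcile_profiles(accounts, roster, role="doctor"):
    """Return user_ids of accounts with `role` that no currently employed
    roster member holding that same role backs (orphaned or mis-assigned)."""
    unbacked = []
    for acct in accounts:
        if acct.role != role:
            continue
        entry = roster.get(acct.staff_id) if acct.staff_id else None
        if entry is None or entry[0] != role or not entry[1]:
            unbacked.append(acct.user_id)
    return unbacked


def profile_counts(accounts, roster, role="doctor"):
    """(accounts carrying the role, employed staff in that role): the
    985-versus-296 comparison made in the Portuguese case."""
    n_accounts = sum(1 for a in accounts if a.role == role)
    n_staff = sum(1 for r, active in roster.values() if r == role and active)
    return n_accounts, n_staff


def unwarranted_access(access_log, treatment):
    """Record views not covered by a documented treatment relationship."""
    return [(u, p) for (u, p) in access_log if (u, p) not in treatment]


def mass_access_patients(access_log, treatment, threshold=3):
    """Patients whose record was viewed by at least `threshold` distinct users
    without a treatment relationship (the Haga pattern: many staff, one record)."""
    viewers = defaultdict(set)
    for u, p in unwarranted_access(access_log, treatment):
        viewers[p].add(u)
    return {p: sorted(us) for p, us in viewers.items() if len(us) >= threshold}


if __name__ == "__main__":
    print("doctor accounts vs employed doctors:", profile_counts(ACCOUNTS, ROSTER))
    print("unbacked doctor profiles:", reconcile_profiles(ACCOUNTS, ROSTER))
    print("views without treatment relationship:", unwarranted_access(ACCESS_LOG, TREATMENT))
    print("records with mass access:", mass_access_patients(ACCESS_LOG, TREATMENT))
```

The reconciliation is only as good as the HR roster it is joined against, so it should run on every roster change and not just periodically; the access review needs the treatment relationship to be recorded in a system the viewing staff cannot edit themselves, otherwise the check can be satisfied after the fact.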
FRANCE
French Data Protection Authority (CNIL)2019-07-25180,000ACTIVE ASSURANCES (car insurer)Art. 32 GDPRInsufficient technical and organisational measures to ensure information securityA large number of customer accounts and client documents (including copies of driving licences, vehicle registrations, bank statements and documents used to determine whether a person had been subject to a licence withdrawal) were easily accessible online. Among other things, the CNIL criticised the password management and the fact that unauthorised access was possible without any authentication.link
GREECE
Hellenic Data Protection Authority (HDPA)2019-07-30150,000PWC Business SolutionsArt. 5 (1) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 13 (1) c) GDPR, Art. 14 (1) c) GDPRInsufficient legal basis for data processingThe processing of employee personal data was based on consent. The HDPA found that consent was an inappropriate legal basis, as the processing was intended to carry out acts directly linked to the performance of employment contracts, to comply with legal obligations to which the controller is subject and to ensure the smooth and effective operation of the company as its legitimate interest. In addition, the company gave employees the false impression that it was processing their personal data on the basis of consent, while in reality it was processing their data on a different legal basis. This violated the principle of transparency and thus the obligation to provide information under Articles 13 (1) c) and 14 (1) c) GDPR. Lastly, in violation of the accountability principle, the company failed to provide the HDPA with evidence that it had carried out a prior assessment of the appropriate legal bases for processing employee personal data.link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2019-10-172,500UTTIS INDUSTRIES SRLArt. 12 GDPR, Art. 13 GDPR, Art. 5 (1) c) GDPR, Art. 6 GDPRInsufficient fulfilment of information obligationsThe sanctions were applied because the controller could not demonstrate that data subjects had been informed about the processing of their personal data and images through the video surveillance system it had operated since 2016, and because it disclosed employees' CNPs (personal numeric codes) by showing the 2018 training report for ISCIR-authorised personnel to the person who reported the company, without being able to demonstrate a legal basis under Art. 6 GDPR for that disclosure.link
SWEDEN
Data Protection Authority of Sweden2019-08-2018,630School in SkellefteåArt. 5 (1) c) GDPR, Art. 9 GDPR, Art. 35 GDPR, Art. 36 GDPRInsufficient legal basis for data processingA school in Skellefteå ran a pilot using facial recognition technology to monitor student attendance, and the fine was imposed on the school for that use. Even though processing data for the purpose of monitoring attendance is possible in general, doing so with facial recognition is disproportionate to that goal. The supervisory authority considers that biometric data of students was processed, so Art. 9 GDPR applies. It further argued that consent cannot serve as the legal basis, since students and their guardians cannot freely decide whether they or their children are monitored for attendance purposes. Examining whether the school board could rely on any of the exemptions listed in Art. 9 (2) GDPR, the supervisory authority found that it could not. The authority also found that the processing carried high risks, since new technology was used to process sensitive personal data concerning children who are in a position of dependency towards the school board, and since camera surveillance was used in the students' everyday environment. In the authority's view, the school board was unable to demonstrate compliance with Art. 35 GDPR and was required to consult the authority in accordance with Art. 36 (1) GDPR.link
AUSTRIA
Austrian Data Protection Authority (dsb)2019-0850,000Company in the medical sectorArt. 13 GDPR, Art. 37 GDPRInsufficient fulfilment of information obligationsThe (non-final) fine was imposed on a company in the medical sector for non-compliance with information obligations and for failing to appoint a data protection officer.link
AUSTRIA
Austrian Data Protection Authority (dsb)2019-0711,000Private person (soccer coach)Art. 6 GDPRInsufficient legal basis for data processingThe fine was imposed on a soccer coach who had for years secretly filmed female players while they were naked in the shower cubicle.link
SPAIN
Spanish Data Protection Authority (aepd)2019-08-1660,000AVON COSMETICSArt. 6 GDPRInsufficient legal basis for data processingA consumer claimed that AVON COSMETICS had unlawfully processed his data without adequately verifying his identity, which led to his data being erroneously entered in a debtor register and prevented him from doing business with his bank. As a result, a third party was able to use the consumer's personal data fraudulently.link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)2019-08-282,600,000National Revenue AgencyArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityLeakage of personal data in a hacking attack due to inadequate technical and organisational measures to ensure information security. It was found that personal data concerning about 6 million persons had been unlawfully accessible.link
BULGARIA
Data Protection Commission of Bulgaria (KZLD)2019-08-28511,000DSK BankArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityLeakage of personal data due to inadequate technical and organisational measures to ensure information security. Third parties had access to over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data.link
LATVIA
Data State Inspectorate (DSI)2019-08-267,000Online ServicesArt. 17 GDPRInsufficient fulfilment of data subjects rightsA merchant operating an online store infringed the "right to be forgotten" under Art. 17 GDPR: a data subject had repeatedly requested the deletion of all of their personal data, in particular their mobile phone number, which the merchant had received as part of an order. Nevertheless, the merchant repeatedly sent advertising messages by SMS to the data subject's mobile phone number.link
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)2019-06-2515,150UnknownArt. 33 GDPRInsufficient fulfilment of data breach notification obligationsThe data controller did not fulfil its data breach notification obligations when a flash memory with personal data was lost.link
NORWAY
Norwegian Supervisory Authority (Datatilsynet)2019-04-29120,000Oslo Municipal Education DepartmentArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityFine for security vulnerabilities in a mobile messaging app developed for use in Oslo schools. The app allows parents and students to send messages to school staff. Due to insufficient technical and organisational measures to protect information security, unauthorised persons were able to log in as authorised users and gain access to personal data about students, legal guardians and employees. The fine has meanwhile been reduced to EUR 120,000, see linklink
PORTUGAL
Portuguese Data Protection Authority (CNPD)2019-02-0520,000UnknownArt. 15 GDPRInsufficient fulfilment of data subjects rightsDenial of the data subject's right of access to recorded phone calls.link
PORTUGAL
Portuguese Data Protection Authority (CNPD)2019-03-252,000UnknownArt. 13 GDPRInsufficient fulfilment of information obligationsNo signage indicating the use of CCTV systems.link
GERMANY
Data Protection Authority of Berlin2019-09-19195,407Delivery HeroArt. 15 GDPR, Art. 17 GDPR, Art. 21 GDPRInsufficient fulfilment of data subjects rightsAccording to the findings of the Berlin data protection commissioner, Delivery Hero Germany GmbH had in ten cases not deleted the accounts of former customers, even though those data subjects had not been active on the company's delivery platform for years, in one case since 2008. In addition, eight former customers had complained about unsolicited advertising e-mails from the company; one data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising e-mails. In a further five cases, the company did not provide the data subjects with the required information, or did so only after the Berlin data protection commissioner had intervened.link
POLAND
Polish National Personal Data Protection Office (UODO)2019-09-10645,000Morele.netArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityThe Polish data protection authority imposed a fine of over PLN 2.8 million (approx. €644,780) on Morele.net for insufficient organisational and technical safeguards, which led to unauthorised access to the personal data of 2.2 million people.link
BELGIUM
Belgian Data Protection Authority (APD)2019-09-1710,000MerchantArt. 5 (1) c) GDPRNon-compliance with general data processing principlesThe Belgian data protection authority has imposed a fine of 10,000 euros on a merchant who wanted to use an electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data located on the eID, including the photo and barcode which is linked to the data subject's identification number. In the meantime, the decision of the data protection authority has been annulled by a court: linklink
SPAIN
Spanish Data Protection Authority (aepd)Unknown9,600Restaurant (SANTI 3000, S.L.)Art. 5 (1) a) GDPR, Art. 6 GDPRInsufficient legal basis for data processingA restaurant sought to impose disciplinary sanctions on an employee using images from a mobile phone video that another employee had recorded in the restaurant as evidence. The initial fine of EUR 12,000 was reduced to EUR 9,600.link
GREECE
Hellenic Data Protection Authority (HDPA)2019-10-07200,000Telecommunication Service ProviderArt. 5 (1) c) GDPR, Art. 25 GDPRNon-compliance with general data processing principlesA large number of customers were subject to telemarketing calls, although they had declared an opt-out for this. This was ignored due to technical errors.link
GREECE
Hellenic Data Protection Authority (HDPA)2019-10-07200,000Telecommunication Service ProviderArt. 21 (3) GDPR, Art. 25 GDPRNon-compliance with general data processing principlesInappropriate technical measures resulted in the data of 8,000 customers not being deleted upon request.link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2019-10-09150,000Raiffeisen Bank SAArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityRaiffeisen Bank Romania carried out credit scoring assessments on the basis of personal data of individuals registered on the Vreau Credit platform, which the platform's staff had sent to the bank via WhatsApp, and returned the results to Vreau Credit by the same means of communication.link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2019-10-0920,000Vreau Credit SRLArt. 32 GDPR, Art. 33 GDPRInsufficient technical and organisational measures to ensure information securityStaff of Vreau Credit SRL sent personal data of individuals registered on the Vreau Credit platform to Raiffeisen Bank Romania via WhatsApp for credit scoring assessments and received the results by the same means of communication.link
SPAIN
Spanish Data Protection Authority (aepd)2019-10-0130,000Vueling AirlinesArt. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingThe Spanish Data Protection Agency (AEPD) sanctioned Vueling Airlines with EUR 30,000 for not giving users the option to refuse cookies, forcing them to accept cookies in order to browse its website. In other words, it was not possible to browse the Vueling site without accepting its cookies. The AEPD issued a sanctioning resolution for EUR 30,000, which could be reduced to EUR 18,000 for immediate payment.link
CYPRUS
Cyprian Data Protection Commissioner201914,000DoctorArt. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingA patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller. After investigating the case, an administrative fine of €5,000 was imposed on the hospital.link
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2019-09-269,000Inteligo Media SAArt. 5 (1) a) GDPR, Art. 6 (1) a) GDPRInsufficient legal basis for data processingAs part of the registration process on the website avocatnet.ro, the operator used a pre-unticked checkbox by which users could declare that they did not wish to receive newsletters by e-mail (opt-out). If the user took no action, newsletters were sent automatically. This did not meet the requirements for GDPR-compliant consent.link
SLOVAKIA
Slovak Data Protection OfficeUnknownUnknownUnknownArt. 15 GDPRInsufficient fulfilment of data subjects rightsA data controller failed to comply with a data subject's request for access to their personal data processed in audio recordings.link
SLOVAKIA
Slovak Data Protection OfficeUnknownUnknownUnknownArt. 5 (1) f) GDPR, Art. 32 GDPRInsufficient technical and organisational measures to ensure information securityDocuments containing personal data were disposed of in the area of the municipal garbage dump.link
SLOVAKIA
Slovak Data Protection OfficeUnknownUnknownUnknownArt. 5 (1) f) GDPR, Art. 32 GDPRInsufficient technical and organisational measures to ensure information securityViolation of information security measures (no further information available at the moment)link
SLOVAKIA
Slovak Data Protection OfficeUnknownUnknownUnknownArt. 5 (1) a) GDPR, Art. 6 (1) a) GDPRInsufficient legal basis for data processingA city published personal data on its website in the course of fulfilling its disclosure obligations under the Freedom of Information Act. The Data Protection Office found that the city had published the personal data in violation of the law and without the consent of the person concerned.link
SPAIN
Spanish Data Protection Authority (aepd)2019-10-1660,000Xfera Moviles S.A.Art. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingXfera Móviles used personal data without a legal basis to conclude a telephone contract and continued to process the personal data even after the data subject requested that the processing be discontinued.link
SPAIN
Spanish Data Protection Authority (aepd)2019-10-168,000Iberdrola ClientesArt. 31 GDPRInsufficient cooperation with supervisory authorityIberdrola Clientes, an electricity company, had refused a person's request to change electricity supplier, claiming that the person's data would be included in a debtor (solvency) list. The AEPD therefore requested that Iberdrola Clientes provide information about the possibility of adding the person's data to the debtor list, to which the company did not respond. This lack of cooperation with the AEPD was a violation of Article 31 GDPR.link
SLOVAKIA
Slovak Data Protection OfficeUnknown40,000Slovak TelekomArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityThe controller did not take adequate security measures when processing personal data, thereby breaching the obligation to protect the processed personal data.link
AUSTRIA
Austrian Data Protection Authority (dsb)2019-10-2318,000,000Austrian PostArt. 5 (1) a) GDPR, Art. 6 GDPRInsufficient legal basis for data processingThe Austrian Post had created profiles of more than three million Austrians, including information about their home addresses, personal preferences, habits and likely party affinity, which were subsequently resold, for example to political parties and companies. (In this case a civil court also awarded compensation of EUR 800 to a data subject: link; that judgment has since been overturned for lack of evidence of actual damage: link)link
POLAND
Polish National Personal Data Protection Office (UODO)2019-10-189,380Mayor of Aleksandrów KujawskiArt. 28 GDPRInsufficient data processing agreementNo data processing agreement had been concluded with the company whose servers hosted the Public Information Bulletin (BIP) of the Municipal Office in Aleksandrów Kujawski. For this reason, a fine of PLN 40,000 (approx. EUR 9,400) was imposed on the mayor of the town.link
GERMANY
Data Protection Authority of Berlin2019-10-3014,500,000Deutsche Wohnen SEArt. 5 GDPR, Art. 25 GDPRNon-compliance with general data processing principlesThe company used an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. It was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements. In addition to sanctioning this structural violation, the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases. See the separate entry.link
GERMANY
Data Protection Authority of Berlin2019-10-30UnknownDeutsche Wohnen SEArt. 5 GDPRNon-compliance with general data processing principlesIn addition to sanctioning violations of privacy by design principles (Art. 5 GDPR, Art. 25 GDPR - see separate entry), the Berlin data protection commissioner imposed further fines of between 6,000 and 17,000 euros on the company for the inadmissible storage of personal data of tenants in 15 specific individual cases.link
SPAIN
Spanish Data Protection Authority (aepd)2019-10-2536,000Vodafone España, S.A.U.Art. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingThe complainant, whose data had been provided to the company by his daughter with his authorisation, received a call from the company offering its services, which he refused. Vodafone España nevertheless proceeded to provide him with services and to seek payment from him, thereby processing the complainant's personal data without his consent.link
GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019 | 80,000 | Unknown | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In a digital publication, health data was accidentally published due to inadequate internal control mechanisms.
POLAND | Polish National Personal Data Protection Office (UODO) | 2019-10-16 | 47,000 | ClickQuickNow | Art. 5 GDPR | Non-compliance with general data processing principles | The UODO imposed a fine of EUR 47,000 for obstructing the exercise of the right to withdraw consent to the processing of personal data. The company had not taken appropriate technical and organisational measures to allow the simple and effective withdrawal of consent to the processing of personal data and the exercise of the right to request the erasure of personal data.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-07 | 900 | TODOTECNICOS24H S.L. | Art. 13 GDPR | Insufficient fulfilment of information obligations | TODOTECNICOS24H had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.
SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 12,000 | Madrileña Red de Gas | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The gas company did not have appropriate measures in place to verify the identity of the data subject. The person who filed the complaint alleges that the company e-mailed his information to a third party in response to a request.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-06 | 900 | Cerrajero Online | Art. 13 GDPR | Insufficient fulfilment of information obligations | The company had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-31 | 6,000 | Jocker Premium Invex | Art. 6 GDPR | Insufficient legal basis for data processing | After the applicant had registered with a local census, Jocker Premium Invex sent him postal advertisements and commercial offers, although data such as first name, surname and postal address had only been communicated to the public administration.
THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2019-10-31 | 900,000 | UWV (Dutch employee insurance service provider) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | As the UWV (the Dutch employee insurance service provider - "Uitvoeringsinstituut Werknemersverzekeringen") did not use multi-factor authentication when accessing the online employer portal, security was inadequate. Employers and health and safety services were able to collect and display health data from employees in an absence system.
PORTUGAL | Portuguese Data Protection Authority (CNPD) | 2019-03-19 | 2,000 | Unknown | Art. 13 GDPR | Insufficient fulfilment of information obligations | No signage indicating the use of CCTV systems.
SLOVAKIA | Slovak Data Protection Office | Unknown | 50,000 | Social Insurance Agency | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Applications for social benefits from Slovak citizens were sent by post to foreign authorities. These were lost by post, with the result that the whereabouts of these personal data could not be clarified.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-13 | 3,000 | General Confederation of Labour ('CGT') | Art. 6 GDPR | Insufficient legal basis for data processing | The CGT, with the aim of convening a meeting, e-mailed personal data of the complainant, including her home address, family relationship, pregnancy status and the date of an ongoing verbal abuse and harassment case, to 400 union members without her consent.
CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | Unknown | 588 | Alza.cz a.s. | Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | The company obtained a copy of the data subject's photographic ID with his consent, but did not react to the withdrawal of his consent and continued processing his personal data.
CZECH REPUBLIC | Czech Data Protection Authority (UOOU) | Unknown | 980 | Individual entrepreneur - no further details published | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The operator of an online game was exposed to several DDoS attacks which caused the servers to malfunction. The attacker blackmailed the operator, stating that the attacks would not stop unless he paid money. As part of the blackmail, the attacker offered to create an upgraded and better firewall protection for the operator's servers. The operator agreed and paid the attacker. The operator deployed the new code from the attacker, which proved better than the old one but contained a "backdoor". The attacker used the backdoor to steal all the data about the players from the server and uploaded these details to his website. The Office for Personal Data Protection concluded that the operator did not take appropriate security measures.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-19 | 60,000 | Corporación Radiotelevisión Española | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The breach affected about 11,000 people, including identification data, employment data, data about criminal convictions and health data.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-21 | 60,000 | Viaqua Xestión Integral Augas de Galicia | Art. 6 GDPR | Insufficient legal basis for data processing | Processing (modification) of the personal data of a customer included in a contract by a third party without the consent of the customer.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-25 | 11,000 | Courier Services Company | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine was imposed because the controller failed to take appropriate technical and organisational measures, leading to the loss of and unauthorised access to personal data (name, bank card number, CVV code, cardholder's address, personal identification number, serial and identity card number, bank account number, authorised credit limit) of approximately 1,100 data subjects.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-22 | 2,000 | BNP Paribas Personal Finance S.A. | Art. 12 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | BNP Paribas Personal Finance did not react to a request for erasure within the period set by the GDPR.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-14 | 30,000 | Telefónica SA | Art. 5 GDPR | Non-compliance with general data processing principles | Telefónica had charged the complainant various fees in connection with the operation of a telephone line which the complainant had never owned. The reason for this was that the complainant's bank account was linked to another Telefónica customer, which led to the charges being debited from the complainant's account. According to the AEPD, this is contrary to the principle of accuracy as required by Article 5(1)(d) GDPR.
FRANCE | French Data Protection Authority (CNIL) | 2019-11-21 | 500,000 | Futura Internationale | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | Futura Internationale was fined for cold calls after several complainants received cold calls despite having declared directly to the caller and by post that this was not wanted. In particular, the decision pointed out that the CNIL's on-site investigation of Futura Internationale revealed, inter alia, that Futura Internationale had received several letters objecting to cold calling, that it had stored excessive information about customers and their health, and that Futura Internationale had not informed individuals about the processing of their personal data or the recording of telephone conversations.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-19 | 60,000 | Xfera Móviles S.A. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | An individual complainant had received an SMS from Xfera Móviles which was intended for a third party and which allowed him to access the account and personal data of this third party on the Xfera Móviles website via the telephone number and password received by SMS.
LATVIA | Data State Inspectorate (DSI) | 2019-11 | 150,000 | Unknown | Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful data processing. No further information available yet.
SPAIN | Spanish Data Protection Authority (aepd) | Unknown | 10,000 | Ikea Ibérica | Art. 6 GDPR | Insufficient legal basis for data processing | The company installed cookies on an end user's terminal device without the prior consent of the data subject.
GERMANY | Data Protection Authority of Rheinland-Pfalz | 2019-12-03 | 105,000 | Hospital | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine is based on several breaches of the GDPR in connection with a patient mix-up at the admission of the patient. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital's patient management.
BELGIUM | Belgian Data Protection Authority (APD) | 2019-11-28 | 5,000 | Mayor | Art. 6 GDPR | Insufficient legal basis for data processing | Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.
BELGIUM | Belgian Data Protection Authority (APD) | 2019-11-28 | 5,000 | Municipal alderman | Art. 6 GDPR | Insufficient legal basis for data processing | Fine for sending election mailings without a sufficient legal basis. The e-mail addresses used had not been collected for this purpose.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-04 | 20,000 | S CNTAR TAROM SA (Airline) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The Romanian data protection authority imposed a sanction on an airline because it had not taken appropriate measures to ensure that any natural person acting under its supervision processes personal data in accordance with its instructions (Article 32(4) of the GDPR). This resulted in an employee having unauthorized access to the booking application and being able to photograph a list with the personal data of 22 passengers/customers and disclose this list on the Internet.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-28 | 80,000 | ING Bank N.V. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | ING Bank had not taken appropriate technical and organisational measures for an automated data processing system during the settlement process of card transactions affecting 225,525 customers, resulting in double transactions being executed between 8 and 10 October.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-29 | 2,500 | Royal President S.R.L. | Art. 6 GDPR, Art. 15 GDPR, Art. 32 GDPR | Insufficient fulfilment of data subjects rights | Royal President refused a request for access to personal data pursuant to Article 15 of the GDPR and disclosed personal data without the consent of the data subjects. In addition, Royal President had not taken appropriate technical or organisational measures to ensure the security of the data processed.
GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 2019-12-09 | 9,550,000 | Telecoms provider (1&1 Telecom GmbH) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The controller is a company offering telecommunication services. A caller could obtain extensive information on personal customer data from the company's customer service department simply by providing a customer's name and date of birth. In this authentication procedure, the BfDI saw a violation of Article 32 GDPR, according to which a company is obliged to take appropriate technical and organisational measures to systematically protect the processing of personal data. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale.
GERMANY | The Federal Commissioner for Data Protection and Freedom of Information (BfDI) | 2019-12-09 | 10,000 | Rapidata GmbH | Art. 37 GDPR | Lack of appointment of data protection officer | Despite repeated requests from the BfDI, the company (an internet provider) did not comply with its legal obligation under Article 37 GDPR to appoint a data protection officer.
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 21,000 | Vodafone España, S.A.U. | Art. 6 (1) GDPR | Insufficient legal basis for data processing | Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationship had ended. The fine of EUR 35,000 was reduced to EUR 21,000.
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 36,000 | VODAFONE ONO, S.A.U. | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company sent a marketing email to a large number of recipients (clients) without using the blind copy feature. The initial fine of EUR 60,000 was reduced to EUR 36,000.
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 48,000 | VODAFONE ONO, S.A.U. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Customers could access personal data of other customers in the customer area. The initial fine of EUR 60,000 was reduced to EUR 48,000.
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 48,000 | TELEFONICA MOVILES ESPAÑA, S.A.U. | Art. 5 (1) a) GDPR | Non-compliance with general data processing principles | The company charged the claimant's bank account with two invoices for the services he had contracted, but the invoices displayed personal data of another customer. The initial fine of EUR 60,000 was reduced to EUR 48,000.
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 30,000 | Vodafone España, S.A.U. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Disclosure of a customer's personal data (including purchase history) via an SMS to another customer. The initial fine of EUR 50,000 was reduced to EUR 30,000.
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 40,000 | Vodafone España, S.A.U. | Art. 6 GDPR | Insufficient legal basis for data processing | The company had charged for a Netflix service that had not been solicited by the claimant. The claimant could prove that the service had been used by another household which allegedly had received the claimant's bank account and phone number from Vodafone. Since Vodafone could not prove that the claimant had consented to the conclusion of the contract concerning the Netflix services, the AEPD imposed a fine of EUR 40,000.
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 20,000 | Individual | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras had not only been used to protect property, but had also monitored employees (violation of the principle of data minimisation).
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 9,000 | Individual | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras had not only been used to protect property, but had also monitored employees (violation of the principle of data minimisation).
SPAIN | Spanish Data Protection Authority (aepd) | 2019 | 3,600 | AMADOR RECREATIVOS, S.L | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Surveillance of the public space by video surveillance cameras, in violation of the principle of data minimisation.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-10 | 15,100 | Town of Kerepes | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The town based its video surveillance practice on its legitimate interests (Art. 6 (1) f GDPR). However, according to Art. 6 (1) subparagraph 2, this legal basis shall not apply to processing carried out by public authorities in the performance of their tasks. The processing could not be based on another legal basis.
BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2019-09-03 | 28,100 | National Revenue Agency | Art. 6 (1) GDPR, Art. 58 (2) e) GDPR, Art. 83 (5) a) GDPR | Insufficient legal basis for data processing | The pecuniary sanction of EUR 28,121 was imposed on the National Revenue Agency for unlawful processing of the personal data of data subject G.B.I. The personal data of G.B.I. was unlawfully collected and subsequently used to form an enforcement case against her for recovery of the sum of approximately EUR 86,569. In relation to the enforcement case formed, additional data concerning the bank accounts of G.B.I. was collected by the National Revenue Agency from the register of the Bulgarian National Bank. The additionally collected data was also unlawfully processed by the National Revenue Agency in sending distraint orders to the banks with which G.B.I. had bank accounts.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-28 | 75,000 | Curenergía Comercializador de último recurso | Art. 6 GDPR | Insufficient legal basis for data processing | An individual filed a complaint against the company alleging that the company had used the complainant's personal data as a former customer, such as first and last name, VAT identification number and address, to enter into an electricity supply contract.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-03 | 1,500 | Cerrajeria Verin S.L. | Art. 13 GDPR | Insufficient fulfilment of information obligations | The company collected personal data without providing accurate information on its data processing activities in the privacy policy published on its website.
GERMANY | Data Protection Authority of Mecklenburg-Vorpommern | 2019 | 800 | Police Officer | Art. 6 GDPR | Insufficient legal basis for data processing | A police officer used a witness's personal data to contact her personally.
SWEDEN | Data Protection Authority of Sweden | 2019-12-16 | 35,000 | Nusvar AB | Art. 6 GDPR | Insufficient legal basis for data processing | Nusvar AB, operator of the website Mrkoll.se, which provides information on all Swedes over 16 years of age, had published information on people who are overdue.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-16 | 2,000 | Globus Score SRL | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not comply with measures ordered by the National Supervisory Authority.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-03 | 5,000 | Linea Directa Aseguradora | Art. 6 GDPR | Insufficient legal basis for data processing | The insurance company sent advertising e-mails for the "Reto Nuez" platform without the required consent.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-10 | 1,600 | Megastar SL | Art. 5 (1) c) GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | The company operated a video surveillance system in which the observation angle of the cameras extended unnecessarily far into the public traffic area. Furthermore, no sign with data protection notices was affixed.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-26 | 3,000 | Modern Barber | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not comply with measures ordered by the National Supervisory Authority.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-02 | 2,000 | Nicola Medical Team 17 SRL | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not comply with measures ordered by the National Supervisory Authority.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-10-24 | 7,400 | Military Hospital | Art. 32 GDPR, Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | A military hospital did not meet the reporting deadline for data breaches. Another part of the fine relates to a lack of technical and organisational measures.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-19 | 6,000 | Sports Bar | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The sports bar operated a video surveillance system in which the observation angle of the cameras extended into the public traffic area.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-11-06 | 60,000 | Vodafone España, S.A.U. | Art. 6 GDPR | Insufficient legal basis for data processing | Vodafone sent the customer's invoice data to unauthorised third parties following a customer invoice complaint. Originally, a fine of EUR 75,000 was proposed, but it was reduced to EUR 60,000 in return for immediate payment and waiver of appeal.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-10-23 | 60,000 | Vodafone España, S.A.U. | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | Vodafone sent an invoice history to the subscriber as part of the subscriber's invoice complaint. The history also contained invoice data of an unknown third party.
THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2019-10-31 | 50,000 | Menzis (Health Insurance Company) | Art. 5 GDPR | Non-compliance with general data processing principles | Marketing staff had access to patient data. Among other things, this violated the purpose limitation principle.
GREECE | Hellenic Data Protection Authority (HDPA) | 2019-10-18 | 20,000 | Wind Hellas Telecommunications | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | Among other things, the company ignored objections raised by affected parties against advertising calls.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-18 | 2,000 | Telekom Romania Mobile Communications SA | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company failed to ensure the accuracy of the processing of personal data, which resulted in the disclosure of a client's personal data to another client.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-12-11 | 1,430 | Unknown Company | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related document. The director received no warning that his former inbox would be activated and had no chance to copy or delete his private data (passwords and financial information). According to NAIH, the employee or a representative should be present when the employee's data is being accessed, even if the employment has been terminated. Employees should be able to request a copy or the deletion of their private data. Employers must record the access with minutes and photos; when the employee cannot be present, the access must take place in the presence of independent witnesses. Employers must adopt internal policies on archiving and the use of IT assets and e-mail accounts, including procedural rules such as the steps of an inspection and the officials authorised to carry it out.
UNITED KINGDOM | Information Commissioner (ICO) | 2019-12-17 | 320,000 | Doorstep Dispensaree Ltd. (Pharmacy) | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.
BELGIUM | Belgian Data Protection Authority (APD) | 2019-12-17 | 2,000 | Nursing Care Organisation | Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The company failed to act on requests from the data subject to get access to his data and to have his data erased.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-11-29 | 500 | Homeowners Association | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The association used video surveillance systems without proper information according to Art. 13 GDPR and without adequate security measures regarding the persons having access to the system.
SPAIN | Spanish Data Protection Authority (aepd) | 2019-12-10 | 5,000 | Shop Macoyn, S.L. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company sent advertising e-mails to several recipients in which the e-mail addresses of all other recipients were visible to every recipient, because the recipient addresses were inserted as CC and not as BCC.
BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-09-03 | 1,022 | Telecommunication service provider | Art. 6 (1) GDPR, Art. 25 (1) GDPR | Insufficient legal basis for data processing | The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.
BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-09-03 | 5,113 | Telecommunication service provider | Art. 6 (1) GDPR, Art. 25 (1) GDPR | Insufficient legal basis for data processing | The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.
BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-09-03 | 11,760 | Commercial representative of telecommunication service provider | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The pecuniary sanction of EUR 11,760 was imposed on the commercial representative of a telecommunications service provider for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of a contract for mobile services and leasing contracts.
BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-09-03 | 1,121 | Private enforcement agent | Art. 12 (4) GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The fine of EUR 1,121 was imposed on a private enforcement agent for processing the personal data of a data subject through video surveillance recorded by technical means and for refusing to grant access to the collected data. The data subject submitted an application for access to his personal data to the private enforcement agent, who failed to inform him of the reasons for the rejection of his request.
BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-10-28 | 511 | Employer | Art. 12 (3) GDPR, Art. 15 (1) GDPR | Insufficient fulfilment of data subjects rights | The pecuniary sanction of EUR 511 was imposed on an employer for refusal to grant access to the personal data of a data subject who submitted an application for access to his personal data to his former employer.
BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-10-07 | 511 | B.D. | Art. 31 GDPR | Insufficient cooperation with supervisory authority | The fine of EUR 511 was imposed on B.D. for failure to provide access to information which the Commission for Personal Data Protection needed for the performance of its tasks and the execution of a disposition.
BULGARIA | Commission for Personal Data Protection (KZLD) | 2019-10-08 | 5,112 | The Ministry of Interior Affairs | Art. 5 (1) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The fine of EUR 5,112 was imposed on the Ministry of Interior Affairs for unlawfully processing the personal data of data subject A.K. The Ministry of Interior sent the personal data of A.K. to the Togolese Republic (Togo).
BELGIUM | Belgian Data Protection Authority (APD) | 2019-12-17 | 15,000 | Website providing legal information | Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR | Insufficient fulfilment of information obligations | An operator of a website for legal news had the privacy statement available only in English, although it was also addressed to a Dutch and French speaking audience. In addition, the first version of the privacy statement was not easily accessible and did not mention the legal basis for data processing under the GDPR. Furthermore, with reference to the ECJ ruling on Planet 49, it was determined that effective consent was required for the use of Google Analytics.
GERMANY | Data Protection Authority of Niedersachsen | 2019 | 294,000 | Unknown | Art. 5 GDPR | Non-compliance with general data processing principles | A company was fined EUR 294,000 for 'unnecessarily long' storage and retention of personnel files and for 'excessive' data collection in the personnel selection process, during which health data were also requested.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-07 | 44,000 | Vodafone España, S.A.U. | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company had sent a contract with personal data, including the applicant's name, address and telephone number, to the wrong recipient.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-09 | 3,000 | Vodafone España, S.A.U. | Art. 58 GDPR | Insufficient cooperation with supervisory authority | Failure to provide information to the AEPD within the required timeframe, in violation of Article 58.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-07 | 75,000 | EDP España S.A.U. | Art. 6 GDPR | Insufficient legal basis for data processing | The company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-07 | 75,000 | EDP Comercializadora, S.A.U. | Art. 6 GDPR | Insufficient legal basis for data processing | The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant received an invoice for a gas contract which he did not sign, and that EDP Comercializadora claims that the applicant is party to a contract with another energy company which has a supply contract with EDP Comercializadora, so that the processing of data is justified. The AEPD stated that EDP Comercializadora had to prove that the plaintiff had agreed to a contract with a second entity and not only with its direct energy supplier.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-07 | 10,000 | Asociación de Médicos Demócratas | Art. 6 GDPR | Insufficient legal basis for data processing | The Asociación de Médicos Demócratas processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-10 | 14,000 | Hora Credit IFN SA | Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 33 GDPR | Insufficient technical and organisational measures to ensure information security | The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA transmitted documents containing personal data of another person to a wrong e-mail address. Following the investigation it was found that Hora Credit IFN SA processed the data without providing effective mechanisms for verifying and validating the accuracy of the data collected and processed, contrary to the principles set out in Art. 5 GDPR. It was also found that the operator did not take sufficient security measures for personal data, according to Art. 25 and 32 GDPR, so as to avoid unauthorised disclosure of personal data to third parties. At the same time, Hora Credit IFN SA did not notify the Supervisory Authority of the security incident that was brought to its notice within 72 hours from the date it became aware of it, as required by Art. 33 GDPR. The fine consists of three partial fines of EUR 3,000, EUR 10,000 and EUR 1,000. | link
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-16 | 6,000 | SC Enel Energie S.A. (Electricity Distributor) | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The sanctions were imposed following a complaint alleging that Enel Energie had unlawfully processed an individual's personal data and was unable to prove that it had obtained the individual's consent to send e-mail notifications. In addition, the ANSPDCP pointed out that the operator had not taken the necessary measures to stop the transmission of notifications, despite the fact that the person had repeatedly exercised his right to object. The operator SC Enel Energie SRL was sanctioned with two fines, each amounting to 14,334.30 lei, the equivalent of EUR 3,000. | link
CYPRUS | Cyprian Data Protection Commissioner | 2020-01-13 | 9,000 | Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Granting the police access to personal data and failing to take adequate measures to secure the data, despite the warnings of the Supervisor, constituted a breach of Article 32 of the GDPR. | link
CYPRUS | Cyprian Data Protection Commissioner | 2019-10-25 | 70,000 | LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020-10-13. | link
CYPRUS | Cyprian Data Protection Commissioner | 2019-10-25 | 10,000 | LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020-10-13. | link
CYPRUS | Cyprian Data Protection Commissioner | 2019-10-25 | 2,000 | LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd | Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020-10-13. | link
CYPRUS | Cyprian Data Protection Commissioner | 2020-01-13 | 1,000 | eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD) | Art. 6 GDPR | Insufficient legal basis for data processing | Sending SMS marketing messages without consent. In particular, no appropriate measures were taken, such as giving telephone users the possibility to block marketing messages from the eShop for Sports by opting out of receiving SMS marketing messages. | link
GREECE | Hellenic Data Protection Authority (HDPA) | 2020-01-13 | 15,000 | Allseas Marine S.A. | Art. 5 (1) a), (2) GDPR | Non-compliance with general data processing principles | The data protection supervisory authority fined the company for the extent to which employee data are processed by a video surveillance system in the workplace, for the unlawful introduction of that video surveillance system, and for failing to sufficiently inform its employees about it. | link
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-13 | 5,000 | Entirely Shipping & Trading S.R.L. | Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR | Non-compliance with general data processing principles | The company excessively processed the personal data of its employees through video cameras installed in the offices and in the changing rooms, where the employees' clothing lockers are located (violation of the principle of "data minimization"). | link
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2019-12-13 | 5,000 | Entirely Shipping & Trading S.R.L. | Art. 5 (1) GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 9 GDPR | Non-compliance with general data processing principles | The company processed biometric data (fingerprints) of the employees for access to certain rooms, though means less intrusive for the privacy of the data subjects could have been used (violation of the principle of "data minimization"). | link
ITALY | Italian Data Protection Authority (Garante) | 2019-12-11 | 8,500,000 | Eni Gas e Luce | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts. The first fine of EUR 8.5 million relates to the unlawful processing in connection with telemarketing and telesales activities. Among other things, promotional calls were made without the consent of the person contacted or despite that person's refusal to receive promotional calls, or without triggering the special procedures for checking the public opt-out register. In addition, there was a lack of technical and organisational measures to take account of the information provided by users; data was processed longer than the permitted data retention periods; and data on potential customers was collected from entities (list providers) who had not obtained consent to the disclosure of such data. | link
ITALY | Italian Data Protection Authority (Garante) | 2019-12-11 | 3,000,000 | Eni Gas e Luce | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and activation of unsolicited contracts. The second fine of EUR 3 million concerns infringements resulting from the conclusion of unsolicited contracts for the supply of electricity and gas under 'market economy' conditions. Many persons complained to the Authority that they only learned of the conclusion of a new contract after receiving the letter of termination of the contract with the previous supplier or the first Egl invoices. In some cases, the complaints reported false information in the contracts and forged signatures. | link
GREECE | Hellenic Data Protection Authority (HDPA) | 2019-12-19 | 150,000 | Aegean Marine Petroleum Network Inc. | Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Companies outside the Aegean Marine Petroleum Group had access to its servers containing personal data and copied the contents of the servers, since Aegean Marine Petroleum failed to take the necessary technical measures to secure the processing of large amounts of data and to keep the relevant software separate from the personal data stored on the servers. Furthermore, Aegean Marine Petroleum had not informed the data subjects of the processing of their personal data stored on the servers. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-01-15 | 27,800,000 | TIM (telecommunications operator) | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR, Art. 21 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in apps offered by the company, and invalid methods of consent were used. In some cases, paper forms requesting one single consent were used for various purposes, including marketing. Furthermore, data was kept longer than necessary, in violation of deletion periods. For these violations, the telecommunications company received a fine of EUR 27.8 million. Among other things, the fine was imposed for: lack of consent for marketing activities (telemarketing and cold calling), addressing of data subjects who had asked not to be contacted with marketing offers, invalid consents collected in TIM apps, lack of appropriate security measures to protect personal data (including incorrect exchange of blacklists with call centres), and lack of clear data retention periods. The supervisory authority also imposed 20 corrective measures on TIM, prohibiting the use for marketing purposes of personal data of those who had refused to receive promotional calls from the call centres. | link
GERMANY | Data Protection Authority of Baden-Wuerttemberg | 2019-10-24 | 100,000 | Food company | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had set up an applicant portal on its website where interested parties could submit their application documents online. However, the company did not offer encrypted transmission of the data, nor did it store the applicant data in an encrypted or password-protected manner. In addition, the unsecured applicant data was indexed by Google, so that anyone searching for the respective applicant names on Google could find their application documents and retrieve them without access restrictions. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-01-14 | 3,600 | Zhang Bordeta 2006, S.L. (Store and Restaurant) | Art. 5 GDPR | Non-compliance with general data processing principles | The store and restaurant owner installed a video surveillance system which, among other things, also took pictures of the sidewalk and thus of the public space, which violates the fundamental principle of data minimization. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 60,000 | Xfera Moviles S.A. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the data protection authority, XFERA MOVILES violated Article 6(1) of the GDPR, as the company unlawfully processed data, including bank details, customer address and name of the data subjects. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 75,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The fine was preceded by a complaint from the data subject, who argued that Vodafone España had signed a contract for the transfer of a telephone subscription with a third party without the data subject's knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 60,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The fine was preceded by a complaint from the data subject, who argued that he had received an e-mail from Vodafone España containing the billing of a telephone line that the data subject had never requested, which led to his personal data being processed without his consent. As a result, the data subject's personal data were incorporated into the information systems of Vodafone España without Vodafone being able to show that the data subject had consented to the collection and subsequent processing of his personal data. The fine of EUR 100,000 was reduced to EUR 60,000 due to voluntary payment. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 50,000 | Vodafone España, S.A.U. | Art. 5 GDPR | Non-compliance with general data processing principles | The fine was preceded by a complaint from a data subject who argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to his neighbour. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 20,000 | Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal | Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | Iberia continued to send e-mails to the data subject, even though the data subject had requested the withdrawal of his consent and the erasure of his personal data, and the execution of these measures had already been confirmed to him. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 75,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The data subject, a former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship. As the reason for the incorrect mailings, Vodafone indicated a technical error. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 6,670 | Banco Bilbao Vizcaya Argentaria S.L. | Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The company repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 5,000 | Queseria Artesenal Ameco S.L. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company processed personal data of customers without the required consent. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-03 | 800 | Automoción | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | An employee created a fake profile of a female colleague on an erotic portal, which contained, among other things, her contact details, a photo of her and information of a sexual nature. Based on the profile, the data subject received several phone calls from people who wanted to contact her regarding the information provided on the website. As the private person was found to have a personality disorder, the fine was reduced from the initial EUR 1,000 to EUR 800. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-04 | 1,500 | Cafetería Nagasaki | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The AEPD found that the Cafetería Nagasaki did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-01-15 | 10,000 | Community of Francavilla Fontana | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The community published on its website information about a court trial, including personal data such as health data of a data subject. | link
GERMANY | Data Protection Authority of Hamburg | 2019 | 51,000 | Facebook Germany GmbH | Art. 37 GDPR | Lack of appointment of data protection officer | Whereas Facebook Ireland had appointed a data protection officer for all group companies located in the EU, this appointment was not notified to the DPA Hamburg, which is competent for Facebook Germany GmbH. The fine was calculated on the basis of the turnover of the German branch (EUR 35 million). Relevant factors for the calculation were, inter alia, that the omitted notification was immediately made up for, that Facebook acted negligently, and that it did not violate the duty to appoint a data protection officer but only the notification obligation. | link
GERMANY | Data Protection Authority of Hamburg | 2019 | 20,000 | Hamburger Verkehrsverbund GmbH (HVV GmbH) | Art. 33 GDPR, Art. 34 GDPR | Insufficient fulfilment of data breach notification obligations | On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and had linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data breach was not reported to the data protection authority in a timely manner. | link
GERMANY | Data Protection Authority of Hamburg | 2019 | Unknown | Hamburger Volksbank eG | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The company had sent a customer a newsletter with advertising content by e-mail, although this customer had previously expressly objected to the sending of further advertising letters. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 2,500 | Grupo Valsor Y Losan, S.L. | Art. 5 (1) f) GDPR | Insufficient technical and organisational measures to ensure information security | The controller had disclosed personal data to a third party in a property purchase agreement (breach of the principles of integrity and confidentiality of personal data). | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 3,000 | Colegio Arenales Carabanchel (School) | Art. 6 GDPR | Insufficient legal basis for data processing | The decision of the data protection authority states that the school transferred pictures (and therefore personal data) to third parties, who published them without legal basis. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-18 | 1,500 | Mymoviles Europa 2000, S.L. | Art. 13 GDPR | Insufficient fulfilment of information obligations | The AEPD found that the company did not publish a privacy statement on its website and that its legal notice did not sufficiently identify the company. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 80,000 | Iberdrola Clientes | Art. 6 GDPR | Insufficient legal basis for data processing | Iberdrola Clientes, an electricity company, terminated the data subject's contract without his consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff's personal data to a third party without legal basis. In addition to this fine, the AEPD also imposed another fine in the amount of EUR 50,000 under the old Spanish Data Protection Law. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 42,000 | Vodafone España, S.A.U. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The complainant had access to third-party data in his personal Vodafone profile. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-14 | 30,000 | Xfera Moviles S.A. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The AEPD found that a third party had access to the name, telephone number and address of another customer. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-01-23 | 30,000 | Azienda Ospedaliero Universitaria Integrata di Verona (Hospital) | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine was preceded by access to health data by unauthorised persons: a trainee and a radiologist were able to gain access to the health data of their colleagues. The investigations revealed that the technical and organisational measures taken by the hospital to protect health data had proved insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines for health records issued by the data protection authority in 2015, which stipulate that access to health records must be restricted to health personnel involved in patient care. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-01-23 | 30,000 | Sapienza Università di Roma | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine is based on the fact that, according to the data protection authority, the Sapienza Università made available online the identification data of two people who had reported possible illegal behaviour to the university. This was due to the lack of adequate technical access control measures within the whistleblowing management system, which had not limited access to such data to authorised personnel only. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-27 | 120,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Vodafone España was unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Furthermore, the decision of the data protection authority emphasises that Vodafone España also unlawfully disclosed the personal data of the data subject to various credit agencies. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-28 | 48,000 | Vodafone ONO, S.A.U. | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The decision was taken due to several deficiencies in information security. For example, two people were given the same security access key. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-25 | 48,000 | HM Hospitales | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The data subject stated that at the time of his admission to hospital he had to fill in a form containing a checkbox indicating that, if he did not tick it, he agreed to the transfer of his data to third parties. This form, provided by HM, was not compatible with the GDPR, since consent was to be obtained through the inactivity of the data subject. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-25 | 6,000 | Casa Gracio Operation | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | The company used CCTV cameras on the premises of a hotel which also captured the public roads outside the hotel, resulting in a violation of the so-called principle of data minimisation. | link
THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-03-03 | 525,000 | Royal Dutch Tennis Association ("KNLTB") | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Dutch Data Protection Authority fined the Royal Dutch Tennis Association ("KNLTB") EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors, who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-02-28 | 3,600 | AEMA Hispánica | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The company had sent the payroll of an employee to another employee and therefore disclosed personal data to an unauthorised party. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-03 | 1,800 | Solo Embrague | Art. 13 GDPR | Insufficient fulfilment of information obligations | The corporate website did not present a privacy policy or a cookie banner on its main page. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-03 | 42,000 | Vodafone España, S.A.U. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | According to the AEPD, the company had not been able to demonstrate adequate measures to ensure information security, leading to unauthorised access to personal data of a client. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-03 | 40,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the AEPD, the company sent an SMS to a client's mobile number confirming that a telephone contract with that number had been signed, even though the client was not a Vodafone client, resulting in the processing of personal data without the data subject's consent or any other legitimate interest of the company. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-03 | 24,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the AEPD, the company sent two SMS to a client's mobile number informing him about a rate change in his contract and confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subject's consent or any other legitimate interest of the company. | link
POLAND | Polish National Personal Data Protection Office (UODO) | 2020-03-04 | 4,600 | School in Gdansk (Danzig) (fine imposed against town of Gdansk) | Art. 5 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | A school in Gdansk used biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Although the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, as the consent to data processing was not given voluntarily. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-04 | 60,000 | Vodafone España, S.A.U. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the AEPD, the data subject received several SMS from a separate operator indicating the activation of a new contract. The reason for this was that an employee of Vodafone España had activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or a sufficient legitimate interest for this processing of personal data. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-03-06 | 4,000 | Liceo Artistico Statale di Napoli | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The data protection authority's decision reveals that the high school unlawfully published health data and other information in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-03-06 | 4,000 | Liceo Scientifico Nobel di Torre del Greco | Art. 5 GDPR, Art. 6 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The data protection authority's decision reveals that the high school unlawfully published health data and other information of more than 2,000 teachers in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-06 | 4,000 | Private person | Art. 5 GDPR | Non-compliance with general data processing principles | Unlawful use of video surveillance cameras which also monitored parts of the public space (violation of the principle of data minimization). | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-09 | 15,000 | Gesthotel Activos Balagares | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | The data subject argued that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition. In violation of the principle of integrity and confidentiality, the hotel management and union delegates subsequently read out the contents of this letter in a meeting with other employees. | link
DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-03-10 | 7,000 | Hørsholm Municipality | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A city government employee had his work computer stolen; it contained the personal data of about 1,600 city government employees, including sensitive information and social security numbers. | link
DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-03-10 | 14,000 | Gladsaxe Municipality | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | A computer containing personal data that was not protected by encryption was stolen; the data included sensitive information and personal identification numbers of 20,620 city residents. | link
SWEDEN | Data Protection Authority of Sweden | 2020-03-11 | 7,000,000 | Google LLC | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR | Insufficient fulfilment of data subjects rights | The Swedish data protection authority fined Google LLC EUR 7 million for failing to adequately comply with its obligations regarding the right of data subjects to have search results removed from the results list. Datainspektionen had already completed a review in 2017 of the way in which Google deals with the right of individuals to have search results removed from Google's search engine, and had instructed Google to remove a number of search results. In addition, Datainspektionen stated that it had initiated a further review of Google's practices in 2018 after it received indications that several of the results that should have been removed still appeared in search results. Datainspektionen also objected to Google's current practice of informing website owners about which results Google is removing from search results, specifically which link has been removed and who is behind the request for removal from the list, as this is without legal basis. | link
ICELAND | Icelandic data protection authority ('Persónuvernd') | 2020-03-10 | 20,600 | National Center of Addiction Medicine ('SAA') | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Persónuvernd noted that a former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse. | link
ICELAND | Icelandic data protection authority ('Persónuvernd') | 2020-03-10 | 9,000 | Breiðholt Upper Secondary School | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | In violation of Art. 32 GDPR, a teacher had sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions. | link
NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-02-26 | 73,600 | Rælingen Municipality | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Health information on 15 children with physical and mental disabilities was processed in the Showbie digital learning platform, for the transfer of health-related personal information between schools and their homes. Datatilsynet found that no necessary risk assessments, privacy impact assessments or tests had been carried out before using the application and that a lack of security when logging into the application allowed access to the information of other students in the group.
GERMANY | Data Protection Authority of Saarland | 2019 | 2,000 | Restaurant | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Video surveillance cameras were used in violation of the principle of data minimisation (customer areas of the restaurant were also monitored).
NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-02-28 | 36,800 | Coop Finnmark SA | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company had distributed video surveillance footage of children under 16 who had allegedly stolen from a store. There was no sufficient legal basis for this data processing.
GERMANY | Data Protection Authority of Nordrhein-Westfalen | 2019-08-05 | 200 | Private person (YouTube channel) | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The private person used a dashcam to make recordings of public road traffic and then published them on YouTube as a compilation.
CROATIA | Croatian Data Protection Authority (azop) | 2020-03-13 | Unknown | Bank (name not available at the moment) | Art. 15 (1), (3) GDPR | Insufficient fulfilment of data subjects rights | In the period from May 2018 to April 2019, the bank (name not available at the moment) refused to provide its customers with copies of credit documentation (e.g. repayment plan, loan agreement annex, review of interest rate changes etc.). The bank argued that the documentation related to repaid loans and constituted loan documentation that cannot be subject to the customers' right of access. During the procedure initiated on the basis of data subjects' complaints, the DPA ordered the bank to enable the right of access and provide copies of the requested loan documentation. When imposing the fine, the DPA took into consideration especially that the bank failed to comply with the ordered measures, that it continued the practice for almost a year and that it denied the right of access to more than 2,500 of its customers. The amount of the fine is not known at the moment, but as the DPA qualified the breach as "severe", a high fine is expected.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-18 | 30,000 | Telefónica | Art. 58 GDPR | Insufficient cooperation with supervisory authority | Telefónica had failed to comply with decision TD / 00127/2019 of the Director of the AEPD, which required it to reply to a data subject's request for access to and erasure of data.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-02-11 | 3,000 | Vodafone Romania | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | While handling a complaint, Vodafone Romania incorrectly processed the personal data of an individual, which was subsequently sent to a wrong e-mail address. The cause was that insufficient security measures were in place to prevent such erroneous data processing.
GREECE | Hellenic Data Protection Authority (HDPA) | 2020-02-21 | 5,000 | Public Power Corporation S.A. | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The decision clarified that data subjects have a right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-16 | 5,000 | Centro De Estudio Dirigidos Delta, S.L. | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | Centro De Estudio Dirigidos Delta sent a message containing personal data such as first and last name and ID numbers to a third party via WhatsApp without the consent of the data subjects. This constitutes a violation of the principles of integrity and confidentiality under Article 5(1)(f) GDPR.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-16 | 4,000 | Private Person | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | On a beach, a private person secretly photographed female bathers. The incident was reported to the AEPD by the local police.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-06 | 3,200 | Retailer | Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | Insufficient declaration of video surveillance.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-12 | 2,000 | Homeowners Association | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Video surveillance of public space and thus violation of the principle of data minimisation. Furthermore, violation of information obligations, as insufficient information had been provided about the video surveillance.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-16 | 6,000 | Amalfi Servicios de Restauracion S.L. | Art. 5 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Video surveillance of public space and thus violation of the principle of data minimisation. Furthermore, violation of information obligations, as insufficient information had been provided about the video surveillance.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-19 | 6,000 | Oliveros Ustrell, S.L. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company forwarded an unsigned porting contract to the operator Vodafone. However, the data controller was unable to provide evidence of the order. For this reason, the personal data of the data subject was processed without a sufficient legal basis.
ITALY | Italian Data Protection Authority (Garante) | 2020-02-06 | 20,000 | RTI - Reti Televisive Italiane s.p.a. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The television station broadcast a documentary about prostitution in Switzerland in which the persons interviewed were not sufficiently anonymised.
GREECE | Hellenic Data Protection Authority (HDPA) | 2020-03-20 | 8,000 | Speech and Special Education Centre - Mihou Dimitra | Art. 15 GDPR, Art. 58 GDPR | Insufficient fulfilment of data subjects rights | The complainant had requested access to his child's data and to tax information. This request was rejected by the data controller. In addition, the data controller had violated an order of the data protection authority regarding access to the data. For this, a fine of EUR 8,000 was imposed: EUR 3,000 for not granting access to the data and EUR 5,000 for violating orders of the data protection authority.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-05-21 | 286 | Directorate of Social and Child Welfare Institutions of the Ferencvaros District of Budapest | Art. 33 GDPR | Insufficient fulfilment of data breach obligations | An employee of the Directorate sent 9 letters by mistake to the wrong recipient; the letters contained personal data of 18 data subjects (including data of children, criminal data and data related to the private life of the data subjects). The recipient informed the Directorate by telephone 5 days after the posting that it had received certain letters by mistake. The Directorate notified NAIH of the data breach only weeks later.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-05-31 | 2,000 | Local bank | Art. 12 (3), (4), (5) GDPR, Art. 15 GDPR, Art. 18 GDPR | Insufficient fulfilment of data subjects rights | A customer of a local bank requested access to telephone conversation recordings as well as to CCTV recordings. The bank provided copies of the recordings of the telephone conversations and offered the possibility of reviewing the CCTV recordings at the bank, but refused to provide copies of the CCTV recordings since they also contained third parties' personal data. The NAIH decided that the bank failed to fulfil the data subject's rights, since it did not respond in due time and also failed to provide copies of the requested recordings. According to the NAIH, the controller could not rely on the protection of third-party data, since the CCTV recordings covered public space open to every customer and the bank could also have anonymised certain parts of the recordings.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-06-03 | 2,850 | Claim management company | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The complainants stated during the case that they had concluded a credit agreement with a bank, which sold its claim against the complainants and transferred their respective data to a third-party company (the controller). NAIH determined that the controller can rely neither on the consent of the data subjects nor on the performance of the credit contract as the legal basis of the data processing, since the data subjects concluded that contract with the bank, not with the controller. The appropriate legal basis for the processing could have been the legitimate interest of the controller.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-06-26 | 2,850 | Unknown | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The individual requested the deletion of his contact data (including his telephone number); however, the controller continued to process his contact data for claim enforcement purposes on the basis of its legitimate interest. NAIH determined that the controller had no compelling legitimate grounds for processing the telephone number of the data subject, since his postal address was also at hand, which is sufficient for claim enforcement purposes and for communication with the data subject.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-06-26 | 2,850 | Financial Enterprise | Art. 5 GDPR, Art. 6 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | A client of a financial enterprise complained that the financial enterprise transferred his data after he had objected to the processing, and did not provide information on the processing of his data at his request. According to the financial enterprise, it sold its claim stemming from the contract concluded with the client to a third party, and that transaction necessitated the transfer of the relevant client data. NAIH highlighted that the financial enterprise sold the claim in question and transferred the respective data after the client's non-fulfilment of the contract; this also means that the financial enterprise cannot rely on the performance of the contract concluded with the client. The relevant legal basis would have been the legitimate interest of the controller, for which a balancing test is also necessary, describing its interest in transferring the claim and the relevant data to a third party.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-07-17 | 8,575 | Budapest Environs Regional Court | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The chairman of the Budapest Environs Regional Court organised a meeting for court officials, during which he stated that he had resigned from the Hungarian Association of Judges and requested the court officials present to persuade their colleagues to do so as well. The chairman also presented a list of the members of the Association in Pest county, which also included information on the amount of membership fees deducted from the salary of judges. The list consisted of data collected from the judges' payroll records. NAIH determined that the Budapest Environs Regional Court may only process such data for the purpose of deduction and payroll management. NAIH also determined that the Budapest Environs Regional Court lacked a legal basis for data processing when it gave other persons access to data on employees' membership in an association.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-08-02 | 4,290 | Public area maintenance company | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | An ex-employee complained that his employer unlawfully monitored his work by CCTV. The employer argued that CCTV monitoring was necessary to assess whether the employee fulfilled his employment-related duties (i.e. monitoring certain public areas and signalling any unusual event to his colleagues) and that the monitoring also served to protect its surveillance system from unlawful access or usage. NAIH found that monitoring the employee by CCTV is not an appropriate way of assessing his work performance and that the employer relied on an inappropriate legal basis (public interest, official authority) for the CCTV operations. The employer could have protected its public area surveillance system by other methods (e.g. by installing firewalls or other security upgrades to its systems). The employer had also placed only a brief notice sheet at the entrance of the employee's workstation regarding the CCTV monitoring, which NAIH deemed insufficient.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-08-08 | 1,715 | Government Office Managing the Real Estate Register | Art. 5 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | The owners of a property complained that the government office posted its decision on the change of the lessee (who had concluded a lease agreement with the property owners) to the owners of 40 other properties leased by the same lessee. The decision contained personal data of all the owners who had a lease agreement with that lessee.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2019-10-15 | 2,860 | Unknown Company | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 24 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | An employee was on sick leave when his employer checked his desktop, laptop and e-mails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee did not receive prior notification and did not have the chance to copy or delete his private information (telephone numbers, messages). According to NAIH, employers must record such access with minutes and photos. Employment agreements must regulate whether employees can use work equipment for private purposes. Privacy notices must state the reasons for employee monitoring (e.g. business continuity, internal investigation, disciplinary purposes) and the specific retention period of employee data, including the length and recurrence of backup copies. Employers must also prepare "balancing tests" to prove their legitimate interests for general employee monitoring and for specific cases.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-03-04 | 290 | Representative of a local government | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | A local representative took a photo of the director of a company fully owned by the local government, depicting the director allegedly tearing off an election poster of the opposition in the company of his child. The local representative uploaded the photo to his Facebook page. The child's image was blurred, yet the post hinted that she was the daughter of the director. The director told the local representative at the scene that he did not consent to the taking of the photo. NAIH determined that the act of the director was not public information and that the photo does not prove that the director tore off an election poster. NAIH also emphasised that only the name of the director of the company fully owned by the local government was public information.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-03-25 | 2,000 | SOS Infertility Association | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The Association did not provide the data protection authority with the information it requested after the Association had processed personal data without a sufficient legal basis.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-03-25 | 3,000 | Enel Energie | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company sent an e-mail to a client which contained personal data of another client, since the company had failed to implement adequate technical and organisational measures to ensure an adequate level of information security.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-03-25 | 4,150 | Vodafone Romania | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company sent an e-mail to a customer which contained personal data of another customer, due to inadequate technical and organisational measures to ensure information security.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-03-25 | 3,000 | Dante International | Art. 6 GDPR, Art. 21 GDPR | Insufficient legal basis for data processing | The company sent a commercial e-mail to a client although the client had previously unsubscribed from commercial communications.
ITALY | Italian Data Protection Authority (Garante) | 2020-02-13 | 4,000 | Comune di Urago | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The local council published on its website information containing a person's personal data, including health information.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-03-25 | 5,000 | Xfera Moviles S.A. | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company did not provide the data protection authority with the requested information in a timely manner. The AEPD's request was preceded by a request from a data subject for access to their personal data.
POLAND | Polish National Personal Data Protection Office (UODO) | 2020-03-09 | 4,400 | Vis Consulting Sp. z o.o. | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company prevented an inspection by the data protection authority. As a result, the company violated Article 31 in conjunction with Article 58(1)(e) and (f) of the GDPR.
BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2020-02-20 | 2,560 | T.K. EOOD | Art. 25 (1) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine of ca. EUR 2,557 was imposed on T.K. EOOD for unlawful processing of the personal data of data subject I.S. through failure to adopt technical and organisational measures to ensure information security. T.K. EOOD processed the personal data of I.S. unlawfully nine times over a period of five months. The breaches caused damage to the data subject.
BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2020-02-20 | 2,560 | L.E. EOOD | Art. 25 (1) GDPR, Art. 32 GDPR, Art. 6 GDPR | Insufficient technical and organisational measures to ensure information security | The fine of ca. EUR 2,557 was imposed on L.E. EOOD for unlawful processing of the personal data of data subject I.S. without the knowledge and consent of the data subject and without a valid contractual relationship between L.E. EOOD and I.S. The enterprise processed the personal data of I.S. unlawfully seven times over a period of 3 months through failure to adopt technical and organisational measures to ensure information security. In addition to the fine, the Commission for Personal Data Protection ("KZLD") instructed L.E. EOOD to carry out regular inspections of its data processing activities, to perform risk analyses regarding customers and employees and to conduct periodic training of its employees. The KZLD also ordered L.E. EOOD to archive and keep documents containing personal data only for limited purposes and for the timeframe required by law.
BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2020-01-06 | 5,110 | Utility Company | Art. 6 (1) GDPR | Insufficient legal basis for data processing | The fine of ca. EUR 5,113 was imposed on a Bulgarian utility company for unlawful processing of the personal data of data subject V.V. The personal data of V.V. was unlawfully processed and subsequently used to initiate an enforcement case against him for outstanding payment obligations. During the enforcement case, the bailiff seized the data subject's salary, and the data subject suffered damage as a result of the unlawful processing.
GERMANY | Data Protection Authority of Brandenburg | 2019 | 50,000 | Unknown Company | Art. 15 GDPR, Art. 28 GDPR | Insufficient fulfilment of data subjects rights | The data controller had engaged an external company to carry out its duties regarding access to data under Art. 15 GDPR. However, the engaged company conducted the correspondence with the data subjects under its own logo and in English, so that it was not apparent to the data subjects who was responsible for the data processing. As a result, the data controller infringed the principle of transparency laid down in Art. 12 GDPR and did not sufficiently fulfil its obligations to provide information in accordance with Art. 15 GDPR. In addition, the data protection supervisory authority found that no written contract for data processing had been concluded between the data controller and the external company, constituting a further breach of Art. 28 (9) GDPR.
BELGIUM | Belgian Data Protection Authority (APD) | 2020-04-28 | 50,000 | Proximus SA | Art. 31 GDPR, Art. 58 GDPR, Art. 37 GDPR | Lack of appointment of data protection officer | According to the data protection authority, the company's data protection officer was not sufficiently involved in the handling of personal data breaches, and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of the compliance and audit department). This led the DPA to the conclusion that the company's DPO was not able to work independently.
SWEDEN | Data Protection Authority of Sweden | 2020-04-29 | 18,700 | National Government Service Centre (NGSC) | Art. 33 GDPR, Art. 34 GDPR | Insufficient fulfilment of data breach notification obligations | The DPA's decision shows that it took almost five months for the company to notify the data subjects of a data breach, and almost three months for the DPA to receive notification of a data breach concerning a security deficiency in the company's IT systems.
THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-04-30 | 725,000 | Unknown Organisation | Art. 5 GDPR, Art. 9 GDPR | Insufficient legal basis for data processing | The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on any exception permitting the processing of this special category of personal data, and the organisation could also not provide any evidence that the employees had given their consent to this data processing.
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-05-05 | 5,000 | Banca Comercială Română SA | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The data protection authority found that the company had not taken adequate technical and organisational measures to ensure an adequate level of information security. This applied in particular to the collection and transmission of copies of customers' identification documents via WhatsApp.
SWEDEN | Data Protection Authority of Sweden | 2020-05-12 | 11,200 | Health and Medical Board of the Region of Örebro County | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of personal data of a patient without sufficient legal basis.
DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-05-15 | 6,700 | JobTeam A/S DKK | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The company deleted personal data that was the subject of an access request, without legal justification.
IRELAND | Data Protection Authority of Ireland | 2020-05-17 | 75,000 | Tusla Child and Family Agency | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The agency erroneously disclosed personal data, including information about children, to unauthorised persons. In one case, the contact and location data of a mother and a child were disclosed to an alleged offender, and in two other cases data about children in foster care were improperly disclosed to blood relatives, in one case to a father in prison.
FINLAND | Deputy Data Protection Ombudsman | 2020-05-22 | 100,000 | Posti Group Oyj | Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The decision relates to complaints alleging that data subjects received direct marketing from the company although they had requested that their postal data be deleted. Investigations also revealed that the data protection information provided by the company was not transparent enough.
FINLAND | Deputy Data Protection Ombudsman | 2020-05-22 | 16,000 | Kymen Vesi Oy | Art. 35 GDPR | Non-compliance with general data processing principles | Fine for failure to carry out a data protection impact assessment ("DPIA") for the processing of employees' location data with a vehicle information system.
FINLAND | Deputy Data Protection Ombudsman | 2020-05-22 | 12,500 | Unknown Company | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Processing of employee data without sufficient legal basis.
BELGIUM | Belgian Data Protection Authority (APD) | 2020-05-29 | 1,000 | Non-profit organisation | Art. 6 GDPR, Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The Belgian data protection authority imposed a fine of EUR 1,000 on a non-profit organisation for sending out direct marketing messages despite the fact that data subjects had exercised their rights to erasure and to object. The organisation claimed that it was relying on legitimate interests as its legal basis and not on the explicit consent of the data subjects. The data protection authority, however, found no legitimate interest that outweighed the data subjects' rights.
FINLAND | Deputy Data Protection Ombudsman | 2020-05-29 | 72,000 | Taksi Helsinki | Art. 5 GDPR, Art. 6 GDPR, Art. 35 GDPR | Non-compliance with general data processing principles | Among other things, the company had not assessed the risks and consequences of processing personal data before introducing a camera surveillance system that records audio and video in its taxis, and had also failed to conduct data protection impact assessments of its processing activities, including security camera surveillance, the processing of location data, and automated decision making and profiling as part of its loyalty programme. Furthermore, the processing of audio data was not in line with the GDPR principle of data minimisation.
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-03-09 | 870 | Creditor | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Sending of an SMS to a data subject as a reminder of a debt, even though the debt had already been paid.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 5,000 | Consulting de Seguridad e Investigacion Mira Dp Madrid S.L. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A data subject received marketing messages without having consented.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 540 | Chenming Ye (Bazar Real) | Art. 13 GDPR, Art. 14 GDPR | Insufficient fulfilment of information obligations | Use of a CCTV camera in a shop without proper information.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 1,000 | Property Owner | Art. 5 (1) c) GDPR | Non-compliance with general data processing principles | Use of a CCTV camera which also captured the public road outside, in violation of the principle of data minimisation.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 75,000 | Equifax Iberica, S.L. | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The data subject requested by e-mail the deletion of his data from the file of the National Association of Financial Credit Institutions ("ASNEF"). Equifax Iberica replied that the exercise of the complainant's right was excessive because of an earlier request and that the deletion would therefore not be carried out. This was seen as a breach of the data subject's right to erasure under the GDPR as well as a breach of blocking obligations under national data protection law.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 39,000 | Xfera Moviles S.A. | Art. 5 (1) f) GDPR | Insufficient legal basis for data processing | A customer claimed to have received an SMS from Xfera Móviles informing about the non-payment and resulting suspension of service in relation to the account of another data subject.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 25,000 | Glovoapp23 | Art. 37 GDPR | Lack of appointment of data protection officer | The company had not appointed a Data Protection Officer ('DPO') to whom requests from data subjects could be addressed, and the company's website did not contain information about an appointed DPO.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-04 | 4,000 | Iberdrola Clientes | Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company was asked to provide the AEPD with specific information in relation to a complaint. However, the company did not reply to the data protection authority's request for information within the set time frame, in breach of Art. 58 GDPR.
NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-05-19 | 283,000 | Bergen Municipality | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Fine due to several security shortcomings and non-compliance with general data processing principles in a module for communication between schools and parents.
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-09 | 40,000 | TELEFONICA MOVILES ESPAÑA, S.A.U. | Art. 6 GDPR | Insufficient legal basis for data processing | A sales representative failed to carefully check the identity of a person claiming to be the data subject, allowing that person to act in the data subject's name and order a telephone connection for four telephone lines in the data subject's name.
NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-05-03 | 134,000 | Telenor Norge AS | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Fine for security breaches in a voice mailbox function.
BULGARIA | Data Protection Commission of Bulgaria (KZLD) | 2020-04-14 | 2,000 | Political Party | Art. 6 GDPR | Insufficient legal basis for data processing | Forging signatures on a voters' list.
BELGIUM | Belgian Data Protection Authority (APD) | 2020-05-14 | 50,000 | Social Media Provider | Art. 6 GDPR | Insufficient legal basis for data processing | The company sent invitations to contacts uploaded by its users without their consent or any other legal basis.
ROMANIA
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2020-04-233,000Estee Lauder RomaniaArt. 6 GDPR, Art. 7 GDPR, Art. 9 GDPRInsufficient legal basis for data processingProcessing of personal data without sufficient legal basis including health data.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-06-093,000Salad Market S.L. (Catering Company)Art. 13 GDPR, Art. 14 GDPRInsufficient fulfilment of information obligationsFines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-06-092,000AttorneyArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityIn the course of proceedings, an attorney submitted documents whose backs contained personal data of other parties.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-06-092,000Property OwnerArt. 5 (1) c) GDPRNon-compliance with general data processing principlesUsage of CCTV camera which also captured the public roads outside in a violation of the so called principle of data minimisation.link
ROMANIA
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2020-04-233,000Telekom Romania Communications SAArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityThe company had not taken sufficient technical and organizational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjectslink
ESTONIA
ESTONIA
Estonian Data Protection Authority (aepd)2020-04-30500Housing AssociationArt. 6 GDPRInsufficient legal basis for data processingFine of EUR 500 against a housing association for publishing photos showing members of the association without their consent.link
HUNGARY
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)2020-03-262,890BankArt. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingDue to an administrative error, the personal data of the data subject were registered and transferred to the Central Credit Information System (CCI) in connection with a loan agreement, without the data subject being a party to the agreement.link
HUNGARY
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)2020-03-195,800Unknown CompanyArt. 6 GDPR, Art. 15 GDPRInsufficient fulfilment of data subjects rightsThe data controller has not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that his data processing activities had been in compliance with data protection laws.link
HUNGARY
HUNGARY
Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)2020-01-241,450Accounting firmArt. 24 GDPR, Art. 32 GDPRInsufficient technical and organisational measures to ensure information securityA printed customer list of an accounting firm, which also contained personal data, could be accessed by unauthorized persons.link
GERMANY
GERMANY
Data Protection Authority of Baden-Wuerttemberg2020-06-301,240,000Allgemeine Ortskrankenkasse ("AOK") (health insurance company)Art. 5 GDPR, Art. 6 GDPR, Art. 32 GDPRInsufficient technical and organisational measures to ensure information securityFrom 2015 to 2019, AOK Baden-Württemberg (insurance organization) organized competitions on various occasions and collected personal data of the participants, including their contact details and health insurance affiliation. The AOK also wanted to use this data for advertising purposes, provided the participants had given their consent. With the help of technical and organizational measures, including internal guidelines and data protection training, the AOK wanted to ensure that only data of those contest participants who had previously given their effective consent would be used for advertising purposes. However, the measures defined by the AOK did not meet the legal requirements. As a result, the personal data of more than 500 lottery participants were used for advertising purposes without their consent. Immediately after this became known, the AOK Baden-Württemberg stopped all marketing measures in order to thoroughly examine all processes.link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-23 | 7,500 | Miraclia (telecommunications company) | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The recording of telephone jokes via an app constitutes processing of personal data under the applicable data protection law, as the voices of individuals may constitute personal data if they are associated with other information, such as the telephone number. The consent of the users at the end of the conversation was not sufficient in this case. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-22 | 2,000 | Unknown | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Illegal use of CCTV cameras due to coverage of public space and recording of passing pedestrians. Furthermore, insufficient fulfilment of information obligations. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-16 | 2,000 | Café Bar | Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR | Non-compliance with general data processing principles | Illegal use of CCTV cameras (recording of third parties) and insufficient fulfilment of information obligations. | link
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-06-18 | 4,000 | Enel Energie | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Failure to take adequate measures to prevent unauthorised disclosure of personal data. The fine was preceded by a complaint about the disclosure of the data subject's personal data to another customer by e-mail. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-15 | 75,000 | Xfera Moviles S.A. | Art. 6 GDPR | Insufficient legal basis for data processing | The data subject received a notice from a debt collection company demanding payments in connection with Xfera Móviles' services, even though the claimant had not been a customer of Xfera Móviles since September 2017. Furthermore, the resolution states that Xfera Móviles processed the personal data of the plaintiff without his consent, which constitutes a violation of Article 6 GDPR. | link
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-06-11 | 3,000 | Telekom Romania | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Inadequate security measures of the company had led to unlawful processing of personal data without verifying their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 GDPR, and the introduction of effective mechanisms to identify and protect data from unauthorised disclosure and unlawful processing was ordered to ensure compliance with the GDPR. | link
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-06-12 | 288,000 | Digi Távközlési Szolgáltató Kft. ("Digi") (electronic communication service provider) | Art. 5 (1) b), (e) GDPR, Art. 32 (1), (2) GDPR | Insufficient technical and organisational measures to ensure information security | The company had infringed the principles of purpose limitation and storage limitation because its database contained a large amount of customer data which were no longer relevant for the original purpose of collection and for which no retention period had been set. Furthermore, the NAIH pointed out that the defendant had not taken proportionate measures to reduce the risks in the area of data management and data security, arguing, inter alia, that it had not used encryption mechanisms. | link
SWEDEN | Data Protection Authority of Sweden | 2020-06-16 | 1,900 | Housing Association | Art. 5 GDPR, Art. 6 GDPR | Non-compliance with general data processing principles | Unlawful use of surveillance cameras. In the decision, the data protection authority stressed that sound recordings have additional privacy implications, especially in a residential building, and that in this case nothing justified sound recording. In addition, the decision orders the housing association to stop the cameras recording staircases and entrances, to stop sound recording and to improve the information on camera surveillance. | link
BELGIUM | Belgian Data Protection Authority (APD) | 2020-06-19 | 10,000 | Unknown | Art. 5 GDPR, Art. 6 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The company sent an e-mail to the data subject without his consent. The data subject thereupon requested timely information about the entries in the database concerning him, which remained unanswered. | link
BELGIUM | Belgian Data Protection Authority (APD) | 2020-06-16 | 1,000 | Unknown | Art. 17 GDPR, Art. 21 GDPR, Art. 31 GDPR | Insufficient fulfilment of data subjects rights | The data subject repeatedly received e-mails with advertising content from a company, although the data subject had objected to the processing of his personal data and requested the deletion of his data. In addition, the company did not respond to any inquiries from the data protection authority in this regard. | link
BELGIUM | Belgian Data Protection Authority (APD) | 2020-06-08 | 5,000 | Municipal employee | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no right of access. | link
ISLE OF MAN | Information Commissioner of Isle of Man | 2020-06-25 | 13,500 | Department of Home Affairs | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man has declared the GDPR to be applicable, although it is not an EU state. | link
DENMARK | Danish Data Protection Authority (Datatilsynet) | 2020-06-30 | 6,700 | Lejre Municipality | Art. 5 GDPR, Art. 6 GDPR, Art. 33 GDPR, Art. 34 GDPR | Non-compliance with general data processing principles | The data protection authority had found that the Lejre Municipal Child and Youth Centre had regularly uploaded minutes of meetings containing sensitive and particularly sensitive personal data, including on citizens under 18 years of age, to the Lejre Municipal Personnel Portal, which was accessible to employees of Lejre Municipality regardless of whether the employees in question were working on these cases. In addition, the data protection authority found fault with the failure to comply with the obligation to inform the persons concerned of the data breach. | link
IRELAND | Data Protection Authority of Ireland | 2020-06-30 | 40,000 | Tusla Child and Family Agency | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | The organisation sent a letter with abuse allegations to a third party, who then uploaded it to social networks. | link
NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-06-22 | 112,000 | Østfold HF Hospital | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | It was found that Østfold HF Hospital had stored patient data, including sensitive data such as the reason for hospitalisation, during the period 2013-2019 without controlling access to the folders where the data was stored. Datatilsynet therefore decided that the hospital had not taken sufficient technical and organisational measures to protect personal data and was therefore in breach of the GDPR and the Patient Records Act. | link
NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-06-19 | 28,000 | Aquateknikk AS | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Request for data from a credit agency without legal basis. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-06-19 | 6,000 | National Police Brigade | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Making copies of a company's business records in the context of investigations; the records contained data of third parties for which there was no legal basis for processing. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-01-30 | 4,000 | Comune di Colledara | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of documents relating to a public tender containing personal data on a website. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-03-05 | 3,000 | San Giorgio Jonico | Art. 5 GDPR, Art. 6 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | Publication of a citizen's personal data on a website and failure to comply with requests for deletion. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-02 | 24,000 | Iberdrola Clientes | Art. 5 GDPR | Non-compliance with general data processing principles | A third person had received an electricity bill with personal details such as name, address and bank account of another customer. The reason for this was that Iberdrola Clientes was not able to guarantee adequate security measures in the processing of the personal data of the data subject, in violation of the principles of data integrity and confidentiality. The fine of €40,000 was reduced to €24,000 due to voluntary payment. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-02 | 4,000 | De Vere Spain S.L. | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | The company did not respond to the data subject's request to stop processing his or her data, and the data subject therefore continued to receive commercial calls. | link
NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-07-02 | 28,000 | Odin Flissenter AS | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The company assessed the credibility of another company and thereby, according to Datatilsynet, processed personal data relating to a natural person (the owner of the company assessed) without a sufficient legal basis for doing so. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-02 | 3,600 | Saunier-Tec Mantenimientos de Calor y Frio, SL. | Art. 33 GDPR | Insufficient fulfilment of data breach notification obligations | Although the company had taken steps to remedy a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-02 | 5,000 | Xfera Moviles S.A. | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | The company had not cooperated sufficiently with the data protection authority. | link
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-07-09 | 15,000 | Proleasing Motors SRL | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had failed to take adequate technical and organisational measures to ensure data security, which led to the publication on Facebook of a document containing a password for access to personal data of 436 customers. | link
POLAND | Polish National Personal Data Protection Office (UODO) | 2020-07-10 | 3,400 | East Power Sp. z o.o. | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | After three subpoenas to East Power, in which the latter failed to provide sufficient explanations on a direct marketing complaint, the data protection authority found that East Power had deliberately obstructed the course of the procedure or at least failed to comply with its obligations to cooperate with the supervisory authority. | link
NORWAY | Norwegian Supervisory Authority (Datatilsynet) | 2020-07-10 | 46,660 | Municipality of Rælingen | Art. 32 GDPR, Art. 35 GDPR | Insufficient technical and organisational measures to ensure information security | Fine for the processing of children's health data in connection with disability through the digital learning platform "Showbie". The Municipality had failed to carry out a Data Protection Impact Assessment ("DPIA") in accordance with Article 35 of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") prior to the start of the processing and had not taken adequate technical and organisational measures in accordance with Article 32 GDPR, resulting in an increased risk of unauthorised access to the personal data of the pupils. | link
THE NETHERLANDS | Dutch Supervisory Authority for Data Protection (AP) | 2020-07-06 | 830,000 | Bureau Krediet Registration ('BKR') | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | BKR had required the payment of a fee when individuals requested access to their personal data and provided free access to their data only once a year, by post. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-07-13 | 200,000 | Merlini s.r.l. | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 28 GDPR, Art. 29 GDPR | Insufficient legal basis for data processing | The company had carried out telemarketing activities on behalf of Wind Tre S.p.A. through a third-party provider acting as data processor, without sufficient legal basis for data processing (Art. 5-7 GDPR) and without sufficient contractual agreements (Art. 28, 29 GDPR) with the third-party provider. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-07-13 | 16,700,000 | Wind Tre S.p.A. | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 24 GDPR, Art. 25 GDPR | Insufficient legal basis for data processing | Fines for several unlawful data processing activities relating to direct marketing. Hundreds of data subjects claimed to have received unsolicited communications sent without their prior consent by SMS, e-mail, telephone calls and automated calls. The data subjects were not able to exercise their right to withdraw their consent and object to processing for direct marketing purposes because the information contained in the data protection policy was incomplete in relation to the contact details. Furthermore, the data protection authority stated that the data of the data subjects were published on public telephone lists despite their objection. In addition, several apps distributed by the company were set up in such a way that the user had to give consent to various processing activities each time he accessed them, with the possibility of withdrawing the consent given only after 24 hours. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-07-13 | 800,000 | Iliad Italia S.p.A. | Art. 5 GDPR, Art. 25 GDPR | Non-compliance with general data processing principles | The fine relates to data protection infringements concerning the processing of customer data for the activation of SIM cards and the manner in which payment data was recorded. In addition, the data protection authority stated that the company had violated the principles of lawfulness, fairness and transparency as well as integrity and confidentiality with regard to the processing of personal data for direct marketing purposes and the storage of customer data in the personal area of its website. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 1,500 | Auto Desguaces Iglesias S.L. | Art. 5 GDPR | Non-compliance with general data processing principles | The company had installed surveillance cameras that recorded the public road and thereby violated the principle of data minimisation. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 1,000 | Centro Internacional De Crecimiento Laboral Y Profesional S.L. | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Sending commercial messages without consent and without the possibility to object. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 12,000 | Vodafone España, SAU | Art. 5 GDPR | Non-compliance with general data processing principles | Fines for violation of Art. 5 (1) d) GDPR for changing the customer's master data into the name of a third party, the ex-spouse of the customer. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 5,000 | Global Business Travel Spain SLU | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The fine was preceded by an employee's access to health data of a data subject. In the course of its investigations, the data protection authority found that Global Business Travel Spain, as data controller, had infringed Article 32(2) and (4) GDPR by failing to take adequate technical and organisational measures to protect the data from unauthorised disclosure. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 5,000 | School Fitness Holiday & Franchising S.L. | Art. 5 GDPR | Non-compliance with general data processing principles | Breach of the transparency principle. No further information available at the moment. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-10 | 55,000 | Xfera Moviles S.A. | Art. 5 GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | The company had changed a contract for a mobile phone connection to a new owner, whereby the personal data of a data subject, such as his address and telephone numbers, became freely accessible. This constituted a violation of the principles of confidentiality and integrity. | link
BELGIUM | Belgian Data Protection Authority (APD) | 2020-07-14 | 600,000 | Google Belgium SA | Art. 5 GDPR, Art. 6 GDPR, Art. 17 (1) a) GDPR, Art. 12 GDPR | Insufficient fulfilment of data subjects rights | The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, 600,000 euros. The reasons for the fine were the rejection of a data subject's application for dereferencing outdated articles that the data subject considered damaging to his reputation, and a lack of transparency in Google's form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences for the data subjects, and natural persons were therefore entitled to have such articles deleted/dereferenced. This also applies to persons who hold political office, even though such persons are generally less worthy of protection due to their public status and articles relating to political persons may therefore be stored for a longer period of time. Google's rejection of the application was therefore in breach of Article 17 GDPR (fine for this breach: €500,000). In addition, a further €100,000 was imposed for breach of the principle of transparency, as Google's rejection of the request for deletion was not sufficiently justified. | link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-2024,000Banco Bilbao Vizcaya Argentaria, SAArt. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingBBVA had no legitimate basis for processing the data of the data subject and had therefore infringed Article 6(1) of the GDPR, since the company processed solvency and credit information files without a prior contractual relationship with the data subject.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-2040,000Iberia Lae SA Operadora UnipersonalArt. 58 GDPRInsufficient cooperation with supervisory authorityThe company did not grant the data subject access to telephone records. The applicant's request for access did not receive a reply, despite the prior order of the AEPD.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-201,500Comercial Vigobrandy, SLArt. 12 GDPR, Art. 13 GDPR, Art. 14 GDPRInsufficient fulfilment of information obligationsInstallation of CCTV surveillance without adequate information by using a signlink
GREECE
GREECE
Hellenic Data Protection Authority (HDPA)2020-06-295,000New York College S.A.Art. 5 GDPRNon-compliance with general data processing principlesThe College had contacted the complainant directly by telephone with regard to an educational programme and had processed personal data in a non-transparent manner.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-2080,000Orange Espagne S.A.U.Art. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingThe company had unlawfully activated several telephone line contracts using the personal data of a data subject. This constituted an unlawful processing operation, since the data of the data subject was entered into the company's database and processed there without a legitimate legal basis.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-2070,000Xfera Moviles S.A.Art. 5 GDPRNon-compliance with general data processing principlesA data subject had received a call from another Xfera Móviles customer who stated that the company had charged his bank account with an invoice, disclosing the personal details of the other data subject. This was due to an error on the part of Xfera Móviles and was therefore a violation of the principles of integrity and confidentiality.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-2310,000El Periódico de Catalunya, S.L.U.Art. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingFollowing a request for erasure addressed to the company, the data subject received another newsletter from the newspaper, although El Periódico de Catalunya claimed to have granted the request. This was due to a failure of an external service provider of the company.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-2355,000Telefónica Móviles España, SAUArt. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingTelefónica Móviles España has processed the personal data of a data subject, such as first and last name and bank details, in order to activate three telephone lines that were never requested. This constitutes a breach of the principle of lawfulness of the processing.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-2370,000Telefónica Móviles España, SAUArt. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingThe data subject's account was debited for two telephone lines that he had never ordered or approved. This constituted unlawful processing of personal data, since the data subject's information was stored in the information systems of Telefónica Móviles España without a legal basis for invoicing.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-2375,000Telefónica Móviles España, SAUArt. 5 GDPR, Art. 6 GDPRInsufficient legal basis for data processingThe company had carried out the number porting of his telephone line from his current company without his consent. Personal data was transferred from the former telephone operator to Telefónica Móviles España in order to change the ownership of the telephone line without sufficient legal basis.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-235,000Xfera Moviles S.A.Art. 58 GDPRInsufficient cooperation with supervisory authorityFollowing a complaint, Xfera Móviles was requested by the AEPD to submit certain information and documents, but did not do so within the provided time limit.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-07-235,000El Real Sporting de Gijón S.A.D.Art. 6 GDPR, Art. 7 GDPRInsufficient legal basis for data processingFines for sending direct marketing communications without sufficient consent, as the form Real Sporting de Gijón submitted to club members did not comply with the GDPR (opt-out instead of opt-in).link
BELGIUM
BELGIUM
Belgian Data Protection Authority (APD)2020-07-145,000Operator of CCTV of a residential buildingArt. 6 GDPR, Art. 7 GDPRInsufficient legal basis for data processingThe operator of video cameras on a residential property had installed cameras there to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts.link
ROMANIA
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2020-07-302,000SC Viva Credit IFN SAArt. 17 GDPRInsufficient fulfilment of data subjects rightsThe company had not informed the data subject within one month (or up to three months if a reason for the delay is given) of the measures taken following the request for deletion of data.link
ROMANIA
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2020-07-302,000Romanian Post National CompanyArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityProcessing of personal data, namely the telephone numbers and e-mail addresses of 81 data subjects, by the Romanian Post as data controller, failing appropriate technical and organisational measures, such as pseudonymisation.link
ROMANIA
ROMANIA
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)2020-07-275,000SC Cntar Tarom SAArt. 32 GDPRInsufficient technical and organisational measures to ensure information securityUnauthorised disclosure of the data of five Tarom passengers due to inadequate technical and organisational measures for secure data processing. Among other things, the company was required to take corrective action, including training its employees and conducting risk assessment procedures.link
DENMARK
DENMARK
Danish Data Protection Authority (Datatilsynet)2020-07-28147,800Arp Hansen Hotel Group A/SArt. 5 (1) e) GDPRNon-compliance with general data processing principlesDuring an inspection, the supervisory authority reviewed a number of IT systems to examine whether Arp-Hansen had sufficient procedures in place to ensure that personal data were not kept longer than necessary for the purposes of collection. It was found that one of the reservation systems contained a large amount of personal data that should already have been deleted in accordance with the deletion deadlines set by Arp-Hansen itself.link
FRANCE
FRANCE
French Data Protection Authority (CNIL)2020-08-05250,000SpartooArt. 5 (1) GDPR, Art. 13 GDPR, Art. 14 GDPRNon-compliance with general data processing principlesA fine of EUR 250000 was imposed on the online retailer Spartoo. The reason for this was that the company, which has its headquarters in France but supplies a large number of European countries, fully recorded all telephone hotline conversations (including personal data such as address and bank details of orders) and in addition stored bank details partially unencrypted. Among other things, this represents a violation of the principle of data minimization. Furthermore, the supervisory authority also found a violation of the information obligations according to Art. 13 GDPR, as the company's data protection information was partially incorrect.link
DENMARK
DENMARK
Danish Data Protection Authority (Datatilsynet)2020-08-0420,100PrivatBo A.M.B.A.Art. 5 GDPR, Art. 32 GDPRInsufficient technical and organisational measures to ensure information securityThe company had distributed USB sticks to tenants in the context of a sale of real estate, which contained not only non-personal information on the real estate objects in question but also personal data of other persons such as lease agreements and other documents containing confidential personal data.link
SPAIN
SPAIN
Spanish Data Protection Authority (aepd)2020-08-063,000GROW BEATS SLArt. 12 GDPR, Art. 13 GDPR, Art. 14 GDPRInsufficient fulfilment of information obligationsThe company had published a cookie policy on its website, which on the one hand contained no information about the purpose of the use of cookies and on the other hand no information about the properties of the installed cookies and the time period for which they remain active in the end user's terminal equipment.link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-04 | 60,000 | Vodafone España, SAU | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The data subject received confirmation from Vodafone of a number porting which the data subject had never commissioned. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-08-10 | 10,000 | Cavauto S.R.L. | Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR | Insufficient legal basis for data processing | Access to personal data of a former employee (including his browser history) on his work computer. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-08-10 | 10,000 | Community of Baronissi | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The community published on its website personal data of data subjects including names, birth dates, place of birth, place of residence, etc. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-08-06 | 3,000 | GTL S.R.L. | Art. 12 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to grant access to personal data of a data subject according to Art. 15 GDPR. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-06 | 3,000 | Just Landed S.L. | Art. 13 GDPR | Insufficient fulfilment of information obligations | Just Landed was fined EUR 3,000 for insufficient cookie information according to national data protection laws and at the same time warned due to insufficient fulfilment of information obligations according to Art. 13 GDPR (privacy policy only in English). | link
FINLAND | Deputy Data Protection Ombudsman | 2020-08-05 | 7,000 | Acc Consulting Varsinais-Suomi | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Unsolicited marketing SMS without prior consent. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-05 | 3,000 | Restaurant | Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR | Non-compliance with general data processing principles | Installation of CCTV surveillance cameras that also monitored the public space, without proper information. | link
AUSTRIA | Austrian Data Protection Authority (dsb) | 2020-08-05 | 100 | Bank | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A bank employee made a copy of the identity card of a bank client who wanted to exchange EUR 100 in foreign currency and justified this with anti-money-laundering obligations. However, these only apply to a sum of EUR 1,000 and above. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-08-05 | 2,000 | School | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Placing personal data of pupils on a public notice board. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-08-04 | 15,000 | Mapei S.p.A. | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR, Art. 17 GDPR | Insufficient legal basis for data processing | The company had left the e-mail account of the data subject active even after the termination of his employment and had automatically forwarded incoming e-mails. The company did not provide sufficient information about this. In addition, the company did not react to requests for access and erasure. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-08-04 | 5,000 | National Institute for Social Security - Department of the Province of Brescia | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Failure to grant access to personal health data of a data subject according to Art. 15 GDPR. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-08-04 | 1,000 | Supermarket | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The operator of a supermarket displayed the letter of dismissal to the personnel manager on the publicly visible notice board of the supermarket. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-07-30 | 2,000 | Community of Manduria | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The community transmitted personal data of a community employee to the press without sufficient legal basis. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-07-29 | 3,000 | Community of San Giorgio Jonico | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of personal data on the municipal website with regard to legal proceedings. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-07-29 | 4,000 | Region of Campania | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Publication of an enforcement order in civil proceedings on the Region's website. The document listed the names and place of residence of the persons concerned and the amount of the claim. | link
BELGIUM | Belgian Data Protection Authority (APD) | 2020-07-28 | 3,000 | Communal political association | Art. 5 GDPR, Art. 6 GDPR, Art. 14 GDPR | Insufficient legal basis for data processing | A local political association sent election advertisements to the residents of the municipality for the local elections in 2018. For this purpose, the association used the electoral roll from 2012 and compared it with that of 2018, without a sufficient legal basis and without appropriate information in accordance with Art. 14 GDPR. | link
POLAND | Polish National Personal Data Protection Office (UODO) | 2020-07-15 | 22,300 | Office for geodesy and cartography | Art. 31 GDPR, Art. 58 GDPR | Insufficient cooperation with supervisory authority | Refusal of access to the premises by the supervisory authority in the course of an audit. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-31 | 45,000 | Vodafone España SAU | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Unlawful processing of a telephone number for marketing purposes even after the data subject had exercised their right to erasure. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-17 | 5,000 | Party of the Socialists of Catalonia | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The Socialist Party of Catalonia used the personal data provided by a professional doctor to send a letter to the complainant's relative asking for political support. This constitutes a different purpose from the original purpose of the collection and therefore violates the principle of purpose limitation. | link
ESTONIA | Estonian Data Protection Authority (aepd) | 2020-08-17 | 48 | Police Officer | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Access to personal data in a police database for private research activities. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-28 | 50,000 | Bankia S.A. | Art. 5 (1) b) GDPR | Non-compliance with general data processing principles | The bank kept personal data of a data subject for several years, even after the data subject was no longer a customer. The data was also accessible to bank employees during this time. This constituted a violation of the principle of purpose limitation. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-08-28 | 5,000 | Basketball Federation of Castilla and Leon | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | The Basketball Federation transmitted personal data to third parties, which were subsequently published on the Internet without consent of the data subjects. In addition, the data protection authority found that the Basketball Federation also disclosed personal data to a newspaper, thereby also violating the principle of integrity and confidentiality (Art. 5 (1) f) GDPR). | link
POLAND | Polish National Personal Data Protection Office (UODO) | 2020-08-31 | 22,700 | Surveyor General of Poland ('GKK') | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Processing of personal data on the GEOPORTAL2 platform in the form of land and mortgage registers (including names, surnames and other personal data) without sufficient legal basis. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-07-31 | 1,500 | Tour & People Max S.L. | Art. 21 GDPR | Insufficient fulfilment of data subjects rights | Unsolicited marketing calls even though the data subjects had expressed their objection to data processing. In addition to the GDPR, this was also seen as a violation of Article 48(1)(b) of General Law 9/2014 (Spanish national law). | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-01 | 75,000 | Telefónica Móviles España, SAU | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | According to the supervisory authority, the company processed personal data without sufficient legal basis, with the result that the data subject received several hundred unsolicited calls and SMS messages. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-07 | 3,000 | Barcelona Airport Security Guard Association ('AVSAB') | Art. 5 (1) f) GDPR | Non-compliance with general data processing principles | A member of the AVSAB security committee used WhatsApp to send messages to private phone numbers containing personal information about employees. This was a violation of the confidentiality principle which, according to the AEPD, must be respected not only by the data controller but also by any other party involved in any phase of the processing. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-07-02 | 15,000 | Mapei S.p.A. | Art. 5 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 15 GDPR | Insufficient fulfilment of data subjects rights | Mapei failed to respond to the data subject's request for access to personal data. In addition, Mapei had left the e-mail account of the person concerned active even after the termination of the contract. | link
POLAND | Polish National Personal Data Protection Office (UODO) | 2020-09-08 | 11,200 | Warsaw University of Life Sciences | Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Theft of a private notebook belonging to a university employee who also used this device for business purposes and on which personal data of candidates for study at SGGW was stored for recruitment activities. | link
GREECE | Hellenic Data Protection Authority (HDPA) | 2020-08-03 | 3,000 | Candidate for parliamentary elections | Art. 15 GDPR | Insufficient fulfilment of data subjects rights | The data subject received telephone calls regarding a candidacy for parliamentary elections. When the data subject exercised the right of access according to Art. 15 GDPR, no such information was provided. | link
HUNGARY | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) | 2020-07-23 | 560 | Forbes Hungary | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Fine imposed on Forbes Hungary for publishing a list of the 50 wealthiest Hungarians and a list of the largest family businesses without a sufficient balancing of interests (Art. 6 (1) f) GDPR). | link
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-09-01 | 500 | Apartment building owners association | Art. 5 GDPR, Art. 6 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 32 GDPR | Insufficient legal basis for data processing | Export of a still image from a video surveillance system and posting of the image on the billboard of the building without sufficient legal basis. In addition, violation of the information obligations under Art. 12 and 13 GDPR and violation of Art. 25 and 32 GDPR, because no sufficient information about the CCTV was given and because no sufficient technical and organisational security measures were taken to protect the personal data collected by the video surveillance system. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-17 | 60,000 | Vodafone España, SAU | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | A former customer had received e-mails containing electronic bills even after he had terminated his contract with the company, resulting in processing of personal data without sufficient legal basis. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-17 | 3,000 | Grupo Carolizan | Art. 5 GDPR | Non-compliance with general data processing principles | Operation of CCTV camera systems in an arcade area in front of a building, i.e. also covering public space. This violated the principle of data minimization, as the surveillance cameras could have been operated in a way that would not have affected the public space. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-16 | 10,000 | Property owners community | Art. 5 GDPR | Non-compliance with general data processing principles | Publication of a document containing personal data (information about the identity of the data subject as well as about debts) on a community notice billboard. | link
SPAIN | Spanish Data Protection Authority (aepd) | 2020-09-11 | 1,500 | Political Party | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Sending of an e-mail to a former party member who had since resigned, with the request to act as an election representative, without sufficient legal basis to process the personal data required for this purpose. | link
GREECE | Hellenic Data Protection Authority (HDPA) | 2020-09-11 | 8,000 | Private Person | Art. 5 GDPR | Non-compliance with general data processing principles | Operation of a CCTV camera that also monitored public space outside the premises of the data controller. | link
ROMANIA | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) | 2020-09-08 | 2,000 | Sanatatea Press Group S.R.L. | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Sending the personal data collected for the registration for an online course to other participants due to a technical failure. | link
ITALY | Italian Data Protection Authority (Garante) | 2020-09-07 | 2,000 | Istituto Comprensivo Statale Crucoli Torretta | Art. 5 (1) f) GDPR, Art. 32 GDPR | Insufficient technical and organisational measures to ensure information security | Publication of personal data of students on the website of the Institute, including, inter alia, notes about health and progress in school, due to a technical failure. | link
BELGIUM | Belgian Data Protection Authority (APD) | 2020-09-07 | 5,000 | Former mayor of a community | Art. 5 GDPR, Art. 6 GDPR | Insufficient legal basis for data processing | Sending election advertising to citizens without sufficient legal basis. | link