Enforcement

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Zoetermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Veenendaal. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Delft. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped u

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Eindhoven. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Ede. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up me

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Haarlemmermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism st

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Gooise Meren. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism step

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Huizen. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

€2,700,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 2,700,000 on Experian Nederland B.V. The controller, a company that determines individuals' creditworthiness and sells this information, processed personal data without a sufficient legal basis. The controller also failed to inform data subjects about the processing of their data. Following the decision, the company decided to stop its activities in the Netherlands and will delete its database by the end of the year.

€6,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 6,000 on a real estate agency. The Belgian DPA had previously issued a remedy to the controller in an earlier case due to the controller processing data without a sufficient legal basis and failing to comply with the data subject's right to erasure. The Belgian DPA determined that the controller had failed to comply with the issued remedy, resulting in the fine being issued.

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 20,000 on a company. The controller is a company engaging in direct marketing activities. During those activies the company failed to comply with multiple data processing principle. In particular the company had no sufficient legal basis for the data processing, failed to inform the data subjects and failed to provide data subjects with lawfully requested informations.

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined a hospital EUR 200,000. The hospital had suffered a ransomware attack through a vulnerability in the server, which paralyzed parts of the computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment. In addition, the DPA found that it did not have an adequate information security policy in place and failed to implement appropriate technical and organizational

€4,750,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 4.75 million on Netflix. This fine is based on a complaint filed by the Austrian organization 'noyb'. During its investigation, the DPA found that between 2018 and 2020, Netflix did not sufficiently inform customers about the processing of their personal data. The privacy policy was partly unclear and, did not provide sufficient information on the purpose and legal basis of the data collection and use, for example. In addition, requests from data subjects

€290,000,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 290 million on Uber for transferring personal data of European drivers to the USA without sufficient privacy safeguards. The DPA launched an investigation after 170 French drivers filed complaints with the 'Ligue des droits de l'Homme'. The DPA's investigation revealed that Uber had stored sensitive personal data—such as location information, payment details, identity documents, and health data—on US servers without adequate safeguards for over two years.

€30,500,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Clearview Al Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company's database had been processed u

€174,640 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 174,640 on Black Tiger Belgium. An individual had filed a complaint with the DPA due to the controller's failure to properly comply with their request to exercise their right of access. During its investigation, the DPA further found that the controller had processed personal data in various databases without sufficiently informing the data subjects. The DPA also found that the data retention period of 15 years was excessively long and not necessary. Fin

€150,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 150,000 on International Card Services B.V. (ICS). ICS failed to carry out a data protection impact assessment before starting the digital identification of customers in the Netherlands in 2019. The identity check covered around 1.5 million people and involved sensitive personal data such as pictures of the data subjects.

€10,000,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Uber Technologies Inc. and Uber B.V. EUR 10 million for failing to provide sufficient information about the storage period of European drivers' data and the countries outside of the EU to which the data was transferred. The DPA also found that Uber made it unnecessarily difficult for drivers to request access to their data. Although there was a digital form in the app that drivers could use to request access, it was not placed in an easily accessible position. In addition

€30,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 30,000 on Voorschoten municipality. The municipality had kept information about household waste for longer than necessary and had not sufficiently informed residents. In 2018 and 2019, the municipality of Voorschoten had replaced the waste garbage cans for houses and the underground containers for apartments. These bins were fitted with chips with numbers that were linked to a house address. The aim was to increase the collection of separate waste by limit

€30,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 30,000 on the Belgian Order of Pharmacists. The controller had conducted disciplinary proceedings against the data subject (pharmacist). As part of the disciplinary proceedings, the controller had collected personal data from the data subject in their personnel file. During its investigation, the DPA found that the controller had violated principles of data processing according to the GDPR in this context. For example, the DPA found that storing informat

€150,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 150,000 on the Dutch Social Insurance Institution (SVB). The controller had suffered a data breach in which a client's data had been leaked to unauthorized third parties. An unknown third party had succeeded in requesting benefit information via the controller's telephone helpdesk. In the course of its investigation, the DPA found that the controller had failed to implement sufficient technical and organizational measures to protect personal data. For exam

€2,500 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 2,500 on a company. The company operates a digital management platform where suppliers and customers can communicate and upload administrative documents. An individual, who is not themselves a member of the platform, had filed a complaint with the DPA. Since the complainant's roommate is a member of the platform, the complainant asked them to upload the joint water bill, which was in the complainant's name. The platform recognized the complainant's name

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 20,000 on a medical laboratory. During its investigation, the DPA found that the laboratory had failed to conduct a data protection impact assessment and thus violated Art. 35 GDPR. In addition, the laboratory had violated, Art. 5 (1) f) GDPR and Art. 32 GDPR, as it was possible for physicians to view patients' personal data on the website without encryption. Finally, the DPA found that the laboratory had not published a privacy statement on its website, in

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 50,000 on Roularta Media Group. As part of its investigation, the DPA found that the cookie management on two websites operated by Roularta did not comply with the GDPR. In order to use cookies, controllers must obtain prior consent from the user, except in cases where the cookies are strictly necessary for website operation. The DPA found that consent to the processing of personal data through cookies on websites operated by Roularta was not valid, as n

€10,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 10,000 on the Belgian national railroad company (Nationale Maatschappij der Belgische Spoorwegen). A Twitter user who had received an e-mail newsletter from the railroad company had filed a complaint with the DPA. According to the Twitter user, the newsletter did not include an option to unsubscribe. During its investigation, the DPA found, first, that that there was no valid legal basis for the processing of personal data through the newsletter. Contrar

€3,700,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 3,7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA As part of its investigation, the DPA found a number of violations of the GDPR. The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. The administration had processed personal data such as health, citizenship, an

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Ambuce Rescue Team EUR 20,000. The fine is related to the fines against Brussels Airport Charleroi and Brussels Airport Zaventem. Due to the Covid 19 pandemic, the airports used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then asked to answer questions about possible coronavirus symptoms. In this process, Ambuce Rescue Team provided the questionnaires. Specifically, the DPA found that there was no valid l

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Zaventem EUR 200,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid legal

€100,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid lega

€7,500 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 7,500 on a company. A former managing director had filed a complaint against the company with the DPA. In the context of being dismissed, the former managing director deleted all data on the work laptop before handing over the technical equipment. According to the managing director, only the private data, such as the private e-mail inbox, had been deleted. However, the company stated that the managing director had deleted both private and work-related da

Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. In the context of this complaint, the compliance of the 'Transparency & Consent Framework (TCF)' with the GDPR was mainly questioned. The TCF was developed by IAB to promote compliance with the GDPR by organizations using the OpenRTB protocol. The OpenRTB protocol is a protocol for 'real-time bidding,' which is the automated online auction of user profiles for t

€2,800 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined the NGO EU DisinfoLab EUR 2,700. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw data obtained from this was then published without taking minimal security precautions, such as pseudonymizing the

€1,200 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined a researcher EUR 1,200. The fine was issued in connection with another fine against the NGO EU DisinfoLab. The researcher was employed at the NGO. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw d

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 525,000 on DPG Media Magazines B.V. The DPA had received several complaints regarding the way the controller handled requests from customers. Customers who wanted to know what kind of personal data the controller stored, or wanted to have their data deleted, first had to upload or send in proof of identity. The DPA determined that sending in proof of identity would not have been necessary for the purpose of processing the request. In addition, the mailing

€10,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 10,000 against a company. The data subject had repeatedly received mail with advertising content from a company, although he had objected to the processing of his personal data and requested the deletion of his data. However, the company did not respond to inquiries from the data protection authority in this regard. In addition, the company had not sufficiently informed the data subject about the processing of his personal data.

€2,750,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined the Minister of Finance EUR 2,75 million. In the context of childcare benefit applications, tax offices had processed data on the dual nationality of applicants for several years. However, the DPA found that the data on dual nationality of Dutch citizens would not have been necessary when assessing an application for childcare benefits. The said data had also been processed for the purpose of combating organized fraud and for automatic classification in the authority

€400,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined airline Transavia EUR 400,000. In 2019, the airline suffered a data breach, in which a hacker gained access to Transavia's systems through two accounts held by the company's IT department. This could have potentially allowed the hacker to access data such as names, dates of birth, gender, email addresses, phone numbers, flight information and booking numbers of 25 million passengers. It was found that the hacker actually downloaded the personal data of 83,000 people. In 3

€100,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) has imposed a fine of EUR 100,000 on a financial company. A data subject had filed two complaints with the APD against the company. They were based on 20 queries of her personal data from the credit register of the National Bank of Belgium. The controller employs the data subject's ex-husband, who allegedly used his role to unlawfully gain access to the register in order to obtain financial information about the data subject and thus gain an advantage in their divorce proce

€750,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined the video portal TikTok EUR 750,000 for violating the privacy of young children. The information that Dutch users - mostly young children - received from TikTok when installing and using the app was in English and therefore not easy to understand. By not providing the privacy policy in Dutch, TikTok did not adequately explain how the app collects, processes, and reuses personal data. The DPA considered this to be a violation of the company's duty to provide informati

€1,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) fined a school EUR 1,000. The controller had conducted a survey on student well-being via a smartschooling system. The DPA states that the controller did not obtain the consent of the parents of the minor students and violated the principle of data minimization. The original fine of EUR 2,000 was reduced to EUR 1,000 after the controller appealed the APD's decision.

€440,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) imposed a fine of EUR 440,000 on the Amsterdam hospital OLVG. The controller had taken insufficient measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. The controller did not check adequately who had access to which file nor did the controller ensure that the computer system presented sufficient security. This resulted, among others, in working students and other employees being able to access patient files without this being necessar

€12,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined an orthodontic clinic EUR 12,000. The web form that new patients used to sign up contained mandatory fields for all sorts of patient personal data. The data that the patients (mostly children) entered into the form was then sent to the orthodontic clinic via an unencrypted - and thus unsecured - connection. This presented the risk of unauthorized third parties accessing the personal data of the data subjects.

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 50,000 on Family Service / N.D.P.K. nv. The controller is an advertising agency that, among other things, sends expectant mothers gift boxes containing various discount vouchers, product samples and information about pregnancy and birth. The box items are provided by third parties, to whom the controller subsequently transfers the recipients' contact data for marketing purposes. The consent of the recipients to this transfer and to subsequent advertising mea

€10,000 fine - Belgian Data Protection Authority (APD)

Managing a fan page on Facebook without the data subject's permission and failing to comply with the data subject's request after exercising his or her right to object.

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) imposed a fine of EUR 50,000 on a company for several violations of the GDPR. The controller is a company that carries out parking ticket controls. The controller controller had issued the data subject a fine for illegal parking. However, the data subject states that he or she did not receive the fine ticket. Instead, the data subject only found out about it when he or she received an official reminder letter from a law firm commissioned with debt collection, which then dem

€15,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) imposed a fine of EUR 15,000 on a company due to insufficient fulfilment of data subject rights. The controller is a debt collection agency which was commissioned by another company to collect debts owed to it. The data subject was issued a fine for illegal parking by the last-mentioned company. However, the data subject states that he/she did not receive the fine notice. Instead, the data subject only learned about it when he/she received an official reminder letter from t

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has imposed a fine of EUR 525,000 on Locatefamily.com. Locatefamily.com is a platform where people can search for the contact information of family members they have lost contact with or other people they would like to get in touch with. The data subjects complained that their contact information (name, address, phone number) was published on the website without their knowledge. The data subjects were not able to request the deletion of their data published on the site easily,

€475,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card's security code in 97 cases. Furthermo