Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Municipality of Huizen: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Huizen. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Delft: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Delft. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Tilburg: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped u

Municipality of Eindhoven: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Eindhoven. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Ede: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Ede. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up me

Municipality of Gooise Meren: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Gooise Meren. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism step

Municipality of Zoetermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Zoetermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Municipality of Veenendaal: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Veenendaal. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Municipality of Haarlemmermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Haarlemmermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism st

Municipality of Hilversum: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Arnhem and Nijmegen University of Applied Sciences: Insufficient technical and organisational measures to ensure information security

€175,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 175,000 on Arnhem and Nijmegen University of Applied Sciences. The controller suffered a data breach due to insufficient technical and organisational measures.

Infobel: Insufficient legal basis for data processing

€40,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 40,000 on Infobel. The controller, a data broker, sold personal data for direct marketing purposes. However, it processed the data it had sold without a sufficient legal basis.

Experian Nederland B.V.: Insufficient legal basis for data processing

€2,700,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 2,700,000 on Experian Nederland B.V. The controller, a company that determines individuals' creditworthiness and sells this information, processed personal data without a sufficient legal basis. The controller also failed to inform data subjects about the processing of their data. Following the decision, the company decided to stop its activities in the Netherlands and will delete its database by the end of the year.

Landlord: Insufficient legal basis for data processing

€9,700 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 9,700 on a landlord. The controller installed video surveillance in and around a student residence. However, the surveillance was too invasive and was therefore not lawful.

Real Estate Agency: Insufficient cooperation with supervisory authority

€6,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 6,000 on a real estate agency. The Belgian DPA had previously issued a remedy to the controller in an earlier case due to the controller processing data without a sufficient legal basis and failing to comply with the data subject's right to erasure. The Belgian DPA determined that the controller had failed to comply with the issued remedy, resulting in the fine being issued.

Company: Non-compliance with general data processing principles

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 20,000 on a company. The controller is a company engaging in direct marketing activities. During those activities, the company failed to comply with multiple data processing principles. In particular, the company had no sufficient legal basis for the data processing, failed to inform the data subjects, and failed to provide data subjects with lawfully requested information.

Ambitious People Group B.V.: Insufficient fulfilment of data subjects rights

€6,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 6,000 on the recruitment company Ambitious People Group B.V. The controller had not deleted the data of data subjects after they had requested it.

A.S. Watson Health & Beauty Continental Europe B.V.: Insufficient legal basis for data processing

€50,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 600,000 on A.S. Watson Health & Beauty Continental Europe B.V. The controller had tracked visitors to its drugstore website “Kruidvat.nl” with tracking cookies without their consent. The cookie banner on the website had the boxes for consenting to the placement of tracking software pre-ticked by default. Visitors who nevertheless wanted to reject the cookies could only do so with greater difficulty. This allowed the controller to collect sensitive perso

Black Tiger Belgium: Insufficient fulfilment of information obligations

€174,640 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 174,640 on Black Tiger Belgium. An individual had filed a complaint with the DPA due to the controller's failure to properly comply with their request to exercise their right of access. During its investigation, the DPA further found that the controller had processed personal data in various databases without sufficiently informing the data subjects. The DPA also found that the data retention period of 15 years was excessively long and not necessary. Fin

Belgian Order of Pharmacists: Non-compliance with general data processing principles

€30,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 30,000 on the Belgian Order of Pharmacists. The controller had conducted disciplinary proceedings against the data subject (pharmacist). As part of the disciplinary proceedings, the controller had collected personal data from the data subject in their personnel file. During its investigation, the DPA found that the controller had violated principles of data processing according to the GDPR in this context. For example, the DPA found that storing informat

Dutch Social Insurance Institution (SVB): Insufficient technical and organisational measures to ensure information security

€150,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 150,000 on the Dutch Social Insurance Institution (SVB). The controller had suffered a data breach in which a client's data had been leaked to unauthorized third parties. An unknown third party had succeeded in requesting benefit information via the controller's telephone helpdesk. In the course of its investigation, the DPA found that the controller had failed to implement sufficient technical and organizational measures to protect personal data. For exam

Roularta Media Group: Insufficient legal basis for data processing

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 50,000 on Roularta Media Group. As part of its investigation, the DPA found that the cookie management on two websites operated by Roularta did not comply with the GDPR. In order to use cookies, controllers must obtain prior consent from the user, except in cases where the cookies are strictly necessary for website operation. The DPA found that consent to the processing of personal data through cookies on websites operated by Roularta was not valid, as n

DPG Media Magazines B.V.: Insufficient fulfilment of data subjects rights

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 525,000 on DPG Media Magazines B.V. The DPA had received several complaints regarding the way the controller handled requests from customers. Customers who wanted to know what kind of personal data the controller stored, or wanted to have their data deleted, first had to upload or send in proof of identity. The DPA determined that sending in proof of identity would not have been necessary for the purpose of processing the request. In addition, the mailing

Financial company: Insufficient technical and organisational measures to ensure information security

€100,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) has imposed a fine of EUR 100,000 on a financial company. A data subject had filed two complaints with the APD against the company. They were based on 20 queries of her personal data from the credit register of the National Bank of Belgium. The controller employs the data subject's ex-husband, who allegedly used his role to unlawfully gain access to the register in order to obtain financial information about the data subject and thus gain an advantage in their divorce proce

School: Insufficient legal basis for data processing

€1,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) fined a school EUR 1,000. The controller had conducted a survey on student well-being via a smartschooling system. The DPA states that the controller did not obtain the consent of the parents of the minor students and violated the principle of data minimization. The original fine of EUR 2,000 was reduced to EUR 1,000 after the controller appealed the APD's decision.

OLVG: Insufficient technical and organisational measures to ensure information security

€440,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) imposed a fine of EUR 440,000 on the Amsterdam hospital OLVG. The controller had taken insufficient measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. The controller did not adequately check who had access to which file, nor did it ensure that the computer system provided sufficient security. This resulted, among other things, in working students and other employees being able to access patient files without this being necessar

Family Service / N.D.P.K. nv.: Insufficient legal basis for data processing

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 50,000 on Family Service / N.D.P.K. nv. The controller is an advertising agency that, among other things, sends expectant mothers gift boxes containing various discount vouchers, product samples and information about pregnancy and birth. The box items are provided by third parties, to whom the controller subsequently transfers the recipients' contact data for marketing purposes. The consent of the recipients to this transfer and to subsequent advertising mea

BELGIUM DPA: Insufficient technical and organisational measures to ensure information security

€25,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA fined a mobile operator EUR 25,000. The controller had assigned the data subject's phone number to an unauthorized third party, causing the data subject to lose access to his/her phone number. As the SIM card of the data subject had been deactivated, that would have allowed the third party to access various personal data of the data subject in the period between September 16 and September 19, 2019, such as call history and accounts of various services (e.g. Paypal, WhatsApp and F

BELGIUM DPA: Insufficient fulfilment of data subjects rights

€15,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) imposed a fine of EUR 15,000 on a company due to insufficient fulfilment of data subject rights. The controller is a debt collection agency which was commissioned by another company to collect debts owed to it. The data subject was issued a fine for illegal parking by the last-mentioned company. However, the data subject states that he/she did not receive the fine notice. Instead, the data subject only learned about it when he/she received an official reminder letter from t

BELGIUM DPA: Insufficient fulfilment of data subjects rights

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) imposed a fine of EUR 50,000 on a company for several violations of the GDPR. The controller is a company that carries out parking ticket controls. The controller had issued the data subject a fine for illegal parking. However, the data subject states that he or she did not receive the fine ticket. Instead, the data subject only found out about it when he or she received an official reminder letter from a law firm commissioned with debt collection, which then dem

Booking.com B.V.: Insufficient fulfilment of data breach notification obligations

€475,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card's security code in 97 cases. Furthermo

Private Individual: Insufficient legal basis for data processing

€1,500 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD) imposed a fine on private individuals. The controllers installed video cameras on their private property, two of which were positioned in such a way that they could capture images of the public space and the neighbor's private property. The controllers also forwarded the images to a third party.

Operator of CCTV of a residential building: Insufficient legal basis for data processing

€5,000 fine - Belgian Data Protection Authority (APD)

The operator of video cameras on a residential property had installed cameras there to monitor the shared area of two blocks of flats. The data controller argued that the owners had given their consent to this by signing the notarised purchase contracts. However, the data protection authority had denied this after checking the contracts.

Municipal employee: Insufficient legal basis for data processing

€5,000 fine - Belgian Data Protection Authority (APD)

In the context of a municipal election in 2018, the data controller had sent election advertisements to a group of employees of the same municipal administration, unlawfully using a list of contact data to which he had no access.

CP&A: Insufficient technical and organisational measures to ensure information security

€15,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has imposed a fine of EUR 15,000 on CP&A. The controller had documented both the causes of illness and specific complaints of the data subjects as part of the recording of employee absences due to illness. The DPA found that this was unlawful since health data is granted special protection. Employers are not permitted to record either the reasons or causes of sick leave. Furthermore, the DPA found that the controller had not implemented adequate technical and organizational me

Royal Dutch Tennis Association ('KNLTB'): Insufficient legal basis for data processing

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association ('KNLTB') EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate