
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Data Protection Authority of Hamburg (47 items)
47 Posts
12 Topics
Nov 12 Latest

Debt collection service provider: Insufficient legal basis for data processing

€900,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 900,000 on a debt collection service provider. The company had unlawfully stored personal data (amounting to a six-digit number of data records) for up to five years after the erasure deadlines. The company admitted the violation, cooperated with the authorities and accepted the fine.

Company: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine on a company due to technical security vulnerabilities in its support ticket systems.

Police employees: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed two fines on members of the police for accessing police databases for private research purposes.

Online retailer: Insufficient fulfilment of data breach notification obligations

€6,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner.

Hotel: Insufficient legal basis for data processing

€16,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 16,000 on a hotel for processing ID card data without a legal basis.

Private individual: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine on a private individual for recording a video of their neighbor in the bathroom without their consent.

Private individual: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed five fines on private individuals for taking or storing photos of individuals without their consent.

Company: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine on a company due to technical security vulnerabilities in its support ticket systems.

Company: Insufficient technical and organisational measures to ensure information security

€32,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 32,000 on a logistics company for incorrectly disposing of delivery lists.

Company: Insufficient technical and organisational measures to ensure information security

€11,500 fine - Data Protection Authority of Hamburg

The DPA of Hamburg imposed a fine of EUR 11,500 on a company operating in the advertising industry for failing to comply with its deletion obligations. In addition, it was found that the company's IT system showed technical security gaps.

Daycare center: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a four-figure fine on a daycare center that had disposed of documents containing personal data of children and their parents in a publicly accessible waste container.

Private individual: Non-compliance with general data processing principles

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a mid-four-figure fine on a private individual for improper use of the personal data of an opponent in a video game. The case occurred on the live streaming platform Twitch, where the streamer obtained the real name of their opponent during a game. With this knowledge, the streamer used their professional access to a customer database to find out the opponent's address. They then announced that they would personally seek out their opponent.

Company: Insufficient technical and organisational measures to ensure information security

€75,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg imposed a fine of EUR 75,000 on a company. An employee had lodged a complaint with the DPA because they had to report their sickness-related absences by e-mail in an e-mail distribution list with 25 colleagues and superiors, although the internal company guideline stipulated that the sickness report only had to be submitted to the manager of the respective department. In addition, their manager had sent an e-mail to an e-mail distribution list with several recipient

Covid-19 test center: Insufficient technical and organisational measures to ensure information security

€2,700 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 2,700 on a Covid-19 test center. The test center had sent the data subjects an unencrypted e-mail containing a URL that allowed them to access the test result without taking any further security measures. In some cases, the download link was structured in a way that led to the download of a PDF file with the file name corresponding to the last name of the person tested. With knowledge of the directory path, it was therefore possible to view third-part

Private individual: Non-compliance with general data processing principles

Data Protection Authority of Hamburg

Unlawful use of a dashcam

Covid-19 test center: Insufficient legal basis for data processing

€1,400 fine - Data Protection Authority of Hamburg

The DPA from Hamburg has imposed a fine of EUR 1,400 on a Covid-19 test center. The controller intended to fulfill its statutory documentation obligations and scanned the front and back of ID cards of tested persons for this purpose. However, such extensive storage of personal data would not have been necessary to fulfill its documentation obligations. This could and should have been known to the controller.

Physician: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Data Protection Authority of Hamburg

A physician's office had disposed of records of positive and negative Covid-19 Antigen Rapid test results from patients in a public waste disposal site.

Covid-19 test center: Insufficient fulfilment of data subjects' rights

€1,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has fined a Covid-19 test center EUR 1,000 for failing to comply with the right of data subjects to have their personal data deleted.

Logistics company: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

A logistics company had disposed of delivery lists in a public waste paper container. The lists contained a large amount of detailed information, such as the first and last names of subscribers, the addresses, subscribed newspapers, and special delivery information, such as the location of mailboxes and any complaints from recipients. The DPA also noted that the company failed to inform the data subjects and the DPA of the data breach in a timely manner.

Vattenfall Europe Sales GmbH: Insufficient data processing agreement

€900,000 fine - Data Protection Authority of Hamburg

The DPA from Hamburg has imposed a fine of EUR 900,000 on Vattenfall Europe Sales GmbH. The fine is related to data matching, which the controller had carried out in the period from August 2018 to December 2019 in the course of contract inquiries for special contracts. The special contracts served to attract new customers and were accompanied by bonus payments for the customers. The controller compared personal data of prospective customers who had submitted an inquiry for a special contract wit

Energy supplier: €12,500 fine

€12,500 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 12,500 on an energy supplier. The company had outsourced and sold its heating energy division. Customers affected by the transfer were informed about the transfer of their electricity supply contracts and given the right to object. In the event of a declared objection, no personal data of the customers should be transferred to the new company. However, despite customers having duly declared their objection, their data was transferred to the new compa

Company: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine in the six-digit range on a Hamburg-based company operating in the healthcare sector. The company had failed to take appropriate technical and organizational measures to ensure a level of data security protection appropriate to the risk when sending doctors' letters. As a result, doctors' letters were sent to a person who, although practicing a medical profession, was not the doctor providing further treatment for the affected patients. Instead, the letters were

Car trading group: Insufficient legal basis for data processing

€10,100 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 10,110 on a car trading group. The company had informed the customer base that the reason for the restructuring there was the absence of an employee due to illness. The company informed approximately 3,000 customers, among other things, of the exact date on which the employee's inability to work occurred and that the situation would continue for an indefinite period of time. The DPA found that the company did not present a valid legal basis for such

Private individual: Insufficient legal basis for data processing

€5,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg imposed a fine of EUR 5,000 on a private individual. The individual had filmed numerous young women in public. Some of the recorded female persons were apparently younger than 14 years. In several cases, the individual approached the filmed persons to within a few centimeters and followed them with the camera for up to 38 minutes. During a search of the backpack, the police officers found a digital camera and eight memory cards. The seized memory cards contained a total of 156

Energy supplier: €12,500 fine

€12,500 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 12,500 on an energy supplier. The company had outsourced and sold its heating energy division. Customers affected by the transfer were informed about the transfer of their electricity supply contracts and given the right to object. In the event of a declared objection, no personal data of the customers should be transferred to the new company. However, despite customers having duly declared their objection, their data was transferred to the new compa

H&M Hennes & Mauritz Online Shop A.B. & Co. KG: Insufficient legal basis for data processing

€35,258,708 fine - Data Protection Authority of Hamburg

The fashion company with its seat in Hamburg operates a service center in Nuremberg. Here, according to the findings of the Hamburg data protection officer, since at least 2014 private life circumstances of some of the employees have been comprehensively recorded and this information stored on a network drive. For example, the company conducted a 'Welcome Back Talk' after employees returned to work after vacation or illness. The information that became known in this context - including information o

Clearview AI Inc.: Insufficient cooperation with supervisory authority

€10,000 fine - Data Protection Authority of Hamburg

The DPA from Hamburg has fined Clearview AI Inc. EUR 10,000 for failing to provide information requested by the DPA during an investigation.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

A police officer has accessed data in a police database for private research purposes.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group.

Restaurant: Non-compliance with general data processing principles

€3,000 fine - Data Protection Authority of Hamburg

Excessive use of video surveillance in violation of the principle of data minimization.

Restaurant: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. The fact that the list was openly displayed would have made it possible for unauthorized third parties to gain access to the data.

Police officer: Insufficient legal basis for data processing

€300 fine - Data Protection Authority of Hamburg

A police officer has accessed data in a police database for private research purposes.

Company: Insufficient data processing agreement

€13,000 fine - Data Protection Authority of Hamburg

The DPA from Hamburg has imposed a fine of EUR 13,000 on a company. An individual had booked and attended a course with a company, but had not paid the course fees incurred. Some time later, he registered for a course at another company of the same parent company and was rejected there. As a reason, he was told that he still had arrears with the company whose courses he had already attended. Following a complaint filed by the individual against the company, the DPA launched an investigation. It f

Restaurant: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. The fact that the list was openly displayed would have made it possible for unauthorized third parties to gain access to the data.

Restaurant: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

In order to combat the Covid-19 pandemic, a restaurant had put out an open list in which visitors had to enter their contact data. The fact that the list was openly displayed would have made it possible for unauthorized third parties to gain access to the data.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

A police officer has accessed data in a police database for private research purposes.

Company: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

The DPA from Hamburg has issued a fine against a company that operates an online marketplace, especially for worn underwear. The company advertises that it guarantees one hundred percent anonymity. On the platform, users can upload photos of underwear. In most cases, smartphones or other mobile devices were used to take the photos. The camera apps of the smartphones or GPS modules of the cameras often store additional information in the image file alongside the actual image as a standard setting

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

A police officer has accessed data in a police database for private research purposes.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

A police officer took photos of an official presentation that contained personal data and shared them in a WhatsApp group.

Police officer: Insufficient legal basis for data processing

€400 fine - Data Protection Authority of Hamburg

A police officer has accessed data in a police database for private research purposes.

Hamburger Verkehrsverbund GmbH (HVV GmbH): Insufficient fulfilment of data breach notification obligations

€20,000 fine - Data Protection Authority of Hamburg

On July 6, 2018, HVV GmbH was informed by a customer about a security gap on the website www.hvv.de, which was caused by an update on February 5, 2018 and concerned the so-called Customer E-Service (CES). The security gap consisted in the fact that customers logged in to the CES who had an HVV Card and linked their CES customer account to at least one active contractual relationship in background systems could, by changing the URL, display data of other customers who had an HVV Card. This data b

Facebook Germany GmbH: Insufficient involvement of data protection officer

€51,000 fine - Data Protection Authority of Hamburg

Whereas Facebook Ireland had appointed a data protection officer for all group companies located in the EU, this appointment was not notified to the DPA Hamburg, competent for Facebook Germany GmbH. The fine was calculated on the basis of the turnover of the German branch (EUR 35 million). Relevant factors for the calculation were i.a. that the omitted notification was immediately made up for, Facebook acted negligently and did not violate the duty to appoint a data protection officer but only the

Hamburger Volksbank eG: Insufficient fulfilment of data subjects' rights

Data Protection Authority of Hamburg

The company had sent a customer a newsletter with advertising content by e-mail, although this customer had previously expressly objected to the sending of further advertising letters.

Kolibri Image Regina und Dirk Maass GbR: Insufficient data processing agreement

€5,000 fine - Data Protection Authority of Hamburg

Please note: According to our information this fine has been withdrawn in the meantime. Kolibri Image had sent a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Authority then fined Kolibri Image as controller for not having a processing agreement with the serv

GERMANY DPA: €500 fine

€500 fine - Data Protection Authority of Hamburg

Unknown

GERMANY DPA: Insufficient fulfilment of data breach notification obligations

€20,000 fine - Data Protection Authority of Hamburg

Late notification of a data breach and failure to notify the data subjects.