
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Data Protection Authority of Hessen (22 items)

Doctor's Office: Insufficient legal basis for data processing

€3,300 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 3,300 on a doctor's office. While responding to negative Google reviews, the controller revealed health data about the reviewers.

Doctor's Office: Insufficient legal basis for data processing

€3,700 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 3,700 on a doctor's office. While responding to negative Google reviews, the controller revealed health data about the reviewers.

Company: Insufficient legal basis for data processing

€10,000 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 10,000 on a company. The controller used data for marketing purposes without a legal basis. The company obtained the data through internet research.

GERMANY DPA: €41 fine

€41 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed fines totaling EUR 13,486 on 41 data controllers. In its 2024 activity report, the DPA of Hessen reported a total of 47 fines that year. Six of these fines were presented in more detail and can be found in the Enforcement Tracker under ETiD numbers 2636–2641. The remaining 41 fines amount to a total sum of EUR 13,486. According to the report, the issued fines cover a broad range of sectors and types, with a focus on healthcare, marketing activities, and violations of

Doctor's Office: Insufficient technical and organisational measures to ensure information security

€2,500 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 2,500 on a doctor's office. The controller hired an office manager who worked partly from home. The manager worked with patient files, which he stored at home. However, he did not lock or otherwise secure the files, which resulted in guests and family members having access to them. On one occasion, the manager asked his wife to send him photos of some files via a private messaging service because he had left them in his car, which his wife was using fo

Freelancer: Insufficient cooperation with supervisory authority

€16,000 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 16,000 on a freelancer. The controller operates a website without a privacy policy. The DPA contacted the controller, ordering him to include a privacy policy on his website, and announced that he would be fined EUR 2,000 if he did not comply. The controller ignored the order, resulting in the DPA ordering him a second and third time to include a privacy policy on his website. The controller continued to ignore the DPA's orders. Therefore, the DPA impo

Company: Non-compliance with general data processing principles

€496,000 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 496,000 on a company. The DPA identified several GDPR violations, including transmitting customer data to the incorrect recipient and making marketing phone calls without a legal basis. The company was cooperative, a factor that the DPA considered when determining the total fine amount.

Company: Insufficient cooperation with supervisory authority

€5,000 fine - Data Protection Authority of Hessen

Fine of EUR 5,000 for failing to sufficiently cooperate with the DPA.

Physician: Insufficient technical and organisational measures to ensure information security

€3,600 fine - Data Protection Authority of Hessen

A physician's office had disposed of records containing patient data in a public waste disposal site.

Company: Insufficient fulfilment of data subjects' rights

€25,000 fine - Data Protection Authority of Hessen

The DPA of Hessen has fined a company EUR 25,000. A person had filed a complaint about receiving advertising messages although they had objected to receiving them.

Police officer: Insufficient legal basis for data processing

€7,380 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes over a period of three years.

Police officer: Insufficient legal basis for data processing

€800 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes in order to obtain information about a colleague.

Covid-19 test center: Insufficient legal basis for data processing

€16,400 fine - Data Protection Authority of Hessen

The DPA of Hessen has fined a Covid-19 test center EUR 16,400. The controller had sent an e-mail containing personal data to several recipients in an open distribution list. The DPA also found that the controller had failed to adequately document the data breach.

Covid-19 test center: Non-compliance with general data processing principles

€1,800 fine - Data Protection Authority of Hessen

The DPA of Hessen imposed a fine of EUR 1,800 on a Covid-19 test center. An employee had taken an adhesive label from the trash, written the test center's e-mail address on it and attached it to the center's window. However, due to a lack of care, the employee did not notice that the label still contained personal data of an individual. The data was therefore visible to third parties for about 24 hours until the label was removed.

Police officer: Insufficient legal basis for data processing

€300 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes in order to obtain information about their ex-partner's new partner.

Restaurant: Non-compliance with general data processing principles

€170 fine - Data Protection Authority of Hessen

In order to identify a guest who had not paid, several visitors were contacted by employees of a restaurant. For this purpose, the telephone numbers provided by the guests as part of the Covid contact tracing were used. Since the guests had provided their data solely for infection control purposes, the DPA considered the contacting for the purpose of identifying the guest to be a violation of the principle of purpose limitation (Art. 5 (1) b) GDPR).

Police officer: Insufficient legal basis for data processing

€600 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes in order to obtain information about his ex-wife's new address. He discovered where his ex-wife had moved to in the meantime. The officer then actually went to his ex-girlfriend's new apartment and met her in front of the entrance to the new house. This frightened his ex-wife so much that she reported the incident to the police.

Police officer: Insufficient legal basis for data processing

€400 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes. The officer had purchased a notebook for private use on an Internet platform. Since the seller did not agree to negotiations about the method of payment, the officer used a police information system to obtain information about the seller. The police officer then sent several messages to the seller in which he provided him with certain personal data that he had obtained through his research in the police databa

Police officer: Insufficient legal basis for data processing

€1,800 fine - Data Protection Authority of Hessen

A police officer had repeatedly accessed data in a police database for private research purposes.

Police officer: Insufficient legal basis for data processing

€500 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes in order to obtain information about a colleague.

Employee at a Covid-19 testing center: Non-compliance with general data processing principles

€300 fine - Data Protection Authority of Hessen

An employee at a Covid-19 testing center used the data of a tested person to contact them via WhatsApp for private purposes.

Corporation: Insufficient fulfilment of data subjects' rights

Data Protection Authority of Hessen

Failure to respond to the data subject's request for access to their data in a timely manner.