
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions


Garðabær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Garðabær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other t

Reykjanesbær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Reykjanesbær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes oth

City of Kópavogur: Non-compliance with general data processing principles

€20,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 20,000 on the city of Kópavogur. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city

City of Reykjavik: Non-compliance with general data processing principles

€13,300 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 13,300 on the city of Reykjavik. The city had used the Google Education system in schools without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified

City of Hafnarfjörður: Non-compliance with general data processing principles

€18,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 18,600 on the city of Hafnarfjörður. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the

PIONIER (law firm): Insufficient legal basis for data processing

€9,600 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 9,600 on the law firm PIONIER. The law firm mainly represents victims of traffic accidents in proceedings against insurance companies and other entities. In this context, it supports its clients in claims for damages as well as claims for reimbursement of medical treatment costs. During its investigation, the DPA found that the law firm processed personal data, including health data, of potential clients without a valid legal basis. The law firm obtained

Mercadona S.A.: Insufficient legal basis for data processing

€170,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 170,000 on the supermarket chain Mercadona S.A. An individual had filed a complaint with the DPA. The individual had suffered an accident in one of the supermarkets and had asked Mercadona to provide the recordings of the accident from the video surveillance system in order to claim damages. However, Mercadona did not comply with this request. After the lawyer of the data subject asked Mercadona again to provide the recordings, Mercadona replied

City of Reykjavík: Insufficient legal basis for data processing

€36,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system 'Seesaw' at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students' private affairs. During its investigation, the DPA found that the purpose of the processing of the children's data had not been sufficiently clearly defined. In this context, the DPA also found a breach of th

Ospedale San Raffaele s.r.l.: Non-compliance with general data processing principles

€70,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 70,000 on the healthcare facility Ospedale San Raffaele s.r.l. The hospital had reported two data breaches to the DPA under Art. 33 GDPR. In the first case, the neurology department of the hospital had sent a newsletter in an open distribution list, which resulted in the email addresses of the recipients being visible to all recipients. Of the 499 email addresses affected, 321 email addresses related to patients and 46 related to family members/caregive

Energy company (name not available at the moment): Insufficient fulfilment of data subjects rights

€124,245 fine - Croatian Data Protection Authority (azop)

The fined energy company owns petrol stations and sells fuel to customers. The data subject is a customer who filed a consumer complaint about inaccurate measurement, and consequently inaccurate charging, of fuel dispensed at one of the petrol stations. The data subject requested a copy of their personal data, i.e. a copy of the video surveillance footage relating to a specific time and area. The energy company justified rejecting the request by: (i) lack of written request by competent authorities to deli

BREBAU GmbH: Insufficient legal basis for data processing

€1,900,000 fine - Data Protection Authority of Bremen

The DPA of Bremen has imposed a fine of EUR 1.9 million on the housing association BREBAU GmbH. BREBAU GmbH had processed upwards of 9,500 datasets about potential tenants without a valid legal basis. In particular, the DPA found that the controller had processed particularly sensitive data as defined by Art. 9 GDPR. For example, the controller unlawfully processed information about the skin color, ethnic origin, religious affiliation, sexual orientation and health status of the data subjects. B

Psykoterapiakeskus Vastaamo: Non-compliance with general data processing principles

€608,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo's medical database on at least two occasions, in December 2018 and March 2019. The attacker had also siphoned off data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker cou

Ferde AS: Non-compliance with general data processing principles

€496,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Ferde AS, a Norwegian toll company, EUR 496,000. Through a report on the state-owned broadcasting company NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages in toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde has implemented routines and measures to ensure adequate information security for the information transferred to China. As part of its operations, Ferde is respon

IDdesign A/S: Non-compliance with general data processing principles

€13,450 fine - Danish Data Protection Authority (Datatilsynet)

Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the

Patio Ancestral S.L.: Insufficient legal basis for data processing

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) imposed a fine of EUR 5,000 on Patio Ancestral S.L. The complainant worked for a construction company and had carried out some renovation work for the controller. During these works, damage had been caused to the controller's properties. The controller had then sent a letter with claims for damages not only to the complainant but also to the complainant's father, who had previously been employed by the same construction company. However, the father was an uninvolved third

Medical clinic: Insufficient legal basis for data processing

Data Protection Authority of Berlin

The DPA from Berlin has imposed a fine on a medical clinic. The clinic had installed 21 cameras in its premises for the purpose of protection against crime and property damage. This made it possible to monitor employees and patients around the clock. The clinic relied on consent given by employees and information signs as the legal basis for the video surveillance. However, the DPA concluded that the clinic could not base the video surveillance on consent, as voluntary consent in the employee-em

Provincial Health Authority of Cosenza: Insufficient legal basis for data processing

€30,000 fine - Italian Data Protection Authority (Garante)

Publication of personal data (including first and last name, address, tax ID) on the website of the authority about persons who have claims for damages against the authority, without sufficient legal basis

T.K. EOOD: Insufficient technical and organisational measures to ensure information security

€2,560 fine - Data Protection Commission of Bulgaria (KZLD)

The fine of ca. EUR 2,557 was imposed on T.K. EOOD for unlawful processing of the personal data of the data subject I.S., through a failure to adopt technical and organizational measures to ensure information security. T.K. EOOD processed the personal data of I.S. unlawfully nine times over a period of five months. The breaches caused damages to the data subject.

Utility Company: Insufficient legal basis for data processing

€5,110 fine - Data Protection Commission of Bulgaria (KZLD)

The fine of ca. EUR 5,113 was imposed on a Bulgarian utility company for unlawful processing of the personal data of the data subject V.V. The personal data of V.V. was unlawfully processed and subsequently used to initiate an enforcement case against him for outstanding payment obligations. During the enforcement case, the bailiff seized the data subject's salary, and the data subject suffered damages as a result of the unlawful processing.

Doorstep Dispensaree Ltd. (Pharmacy): Insufficient technical and organisational measures to ensure information security

€320,000 fine - Information Commissioner (ICO)

The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.

Sports association: Insufficient legal basis for data processing

€12,950 fine - Polish National Personal Data Protection Office (UODO)

A sports association published online the personal data of judges who had been granted judicial licenses. Not only their names were published, but also their exact addresses and PESEL numbers. There is no legal basis for making such a wide range of data on judges available on the Internet. By making the data public, the controller created a potential risk of its unauthorized use, e.g. to impersonate the judges for the purpose of taking out loans or other obligations. Although the associa

CZECH REPUBLIC DPA: Insufficient technical and organisational measures to ensure information security

€582 fine - Czech Data Protection Authority (UOOU)

Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

Credit brokerage: Insufficient technical and organisational measures to ensure information security

€1,165 fine - Czech Data Protection Authority (UOOU)

Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').