Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

GENPACT ROMANIA SRL: Insufficient technical and organisational measures to ensure information security

€10,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 10,000 on GENPACT ROMANIA SRL. The controller suffered a successful cyber attack due to insufficient technical and organisational measures. The attacker was able to exploit weak passwords and weaknesses in the procedure by which user accounts' authentication could be reset.

FREE MOBILE: Insufficient technical and organisational measures to ensure information security

€27,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 27,000,000 on FREE MOBILE. The controller suffered a data breach due to insufficient technical and organisational measures. This was caused by using an inadequate authentication procedure to connect to their VPN for remote working. Additionally, the controller failed to adequately inform the affected data subjects due to necessary information being missing from the information email. Lastly, the controller failed to adequately sort data and retain persona

FREE: Insufficient technical and organisational measures to ensure information security

€15,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 15,000,000 on FREE. The controller suffered a data breach due to insufficient technical and organisational measures. This was caused by using an inadequate authentication procedure to connect to their VPN for remote working. Additionally, the controller failed to adequately inform the affected data subjects due to necessary information being missing from the information email.

Aktia Pankki Oyj: Insufficient technical and organisational measures to ensure information security

€865,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 865,000 on Aktia Pankki Oyj. The controller changed its strong authentication process in such a way that it no longer guaranteed adequate data security, resulting in a data breach.

SENDING TRANSPORTE Y COMUNICACIÓN, S.A.: Insufficient data processing agreement

€80,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 80,000 on SENDING TRANSPORTE Y COMUNICACIÓN, S.A. The fined company acts as a processor for the controller. It engaged another sub-processor without having obtained authorization to do so, and used an inadequate data processing agreement in doing so.

CREMA GAMES, S.L.: Insufficient fulfilment of information obligations

€4,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA imposed a fine on CREMA GAMES, S.L. The controller failed to fulfill an information request from an online customer. The controller asked the data subject for an identity document, but the data subject did not provide one. As a result, the controller refused to fulfill the information request. According to the DPA, the controller should have used a digital authentication method. The original fine of EUR 5,000 was reduced to EUR 4,000 due to immediate payment without admission of guilt.

Advanced Computer Software Group Ltd: Insufficient technical and organisational measures to ensure information security

€3,500,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined Advanced Computer Software Group Ltd £3.07 million (EUR 3.5 million) for insufficient IT security (infringement of Art. 32 (1) UK GDPR). The controller failed to implement appropriate technical and organisational measures to protect personal data. A ransomware attack in August 2022 allowed hackers to access systems of a health subsidiary via a customer account that lacked multi-factor authentication. As a result, the personal data of 79,404 individuals was put at risk.

Vodafone GmbH: Non-compliance with general data processing principles

€45,000,000 fine - The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of EUR 45,000,000 on Vodafone GmbH. The controller failed to properly supervise a third agency, which the controller used as a data processor. This resulted in employees of the third agency defrauding the controller's customers. The controller also failed to implement sufficient technical and organizational measures during an authentication process, which created the risk of third parties gaining ac

LIGA NACIONAL DE FÚTBOL PROFESIONAL: Insufficient technical and organisational measures to ensure information security

€1,000,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 1 million on LIGA NACIONAL DE FÚTBOL PROFESIONAL. The controller had introduced access controls for visitors to football stadiums using biometric systems without first carrying out the necessary data protection impact assessment.

Azienda ospedale università di Padova: Non-compliance with general data processing principles

€75,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 75,000 on Azienda ospedale università di Padova. During its investigation, the DPA found that employees had accessed patient files without authorization and that the controller did not have appropriate access restrictions in place. This allowed employees to access patient files that were not necessary for their work, e.g. because they were not treating the patients in question.

CENTRUL MEDICAL UNIREA SRL: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 5,000 on CENTRUL MEDICAL UNIREA SRL. The controller had suffered a data breach in which personal data of patients and employees were disclosed on the internet without authorization. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data.

Bar: Non-compliance with general data processing principles

€2,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined the owner of a bar EUR 2,000. The controller had operated video surveillance cameras in one of their premises without the required authorization. Furthermore, the DPA found that the controller failed to properly inform about the CCTV and the processing of personal data by the cameras.

EURO MINI STORAGE ROMANIA SRL: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of 5,000 euros on EURO MINI STORAGE ROMANIA SRL. The controller had suffered a data breach in which customer data was accessed without authorization. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to prevent such an incident.

VESTA CEU ROMÂNIA SRL.: Insufficient technical and organisational measures to ensure information security

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 3,000 on VESTA CEU ROMÂNIA SRL. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. The controller had disclosed personal data such as name, place of residence, salary, CV and copies of passports to employees without authorization, who then accessed the data internally and illegally passed it on to third parties. According to the DPA, the controller had failed to implement adequate technical and organizational measures to prot

NTT Data Italia S.P.A: Insufficient fulfilment of data breach notification obligations

€800,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the

Pharmaceutical wholesaler: €20,000 fine

€20,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 20,000 on a pharmaceutical wholesaler due to violations of several regulations, including a lack of data security and insufficient cooperation with the DPA. Additionally, deficiencies were found regarding the maintenance of the record of processing activities, and the obligation to use only processors providing sufficient guarantees and assigned after authorization by the controller was not met.

Azienda socio sanitaria territoriale nord Milano, C.F.: Non-compliance with general data processing principles

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 40,000 on Azienda socio sanitaria territoriale nord Milano, C.F. During its investigation, the DPA found that a patient's spouse had received the patient's COVID test report from an employee of the health authority without authorization.

A R.L Spartan Gym: Non-compliance with general data processing principles

€3,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined A R.L Spartan Gym EUR 3,000. The controller had operated video surveillance cameras in one of their premises without the required authorization. Furthermore, the DPA found that the controller failed to properly inform about the CCTV and the processing of personal data by the cameras.

FORO ASTURIAS: Non-compliance with general data processing principles

€20,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 20,000 on FORO ASTURIAS. An individual had filed a complaint with the DPA because personal data stored by the controller had been disclosed without authorization to a media company, which then published the data in a newspaper.

Rompetrol Downstream SRL: Insufficient technical and organisational measures to ensure information security

€110,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 110,000 on Rompetrol Downstream SRL. The controller had suffered a data breach in which customer data was repeatedly accessed and used internally without authorization. This resulted in the unauthorized disclosure of personal data such as identity card number, name, address, place of birth, etc. The DPA found that the controller had not taken measures to ensure that any person who has access to personal data only processes it at the controller's instruc

Trygg-Hansa: Non-compliance with general data processing principles

€3,000,000 fine - Data Protection Authority of Sweden

The Swedish DPA has fined Trygg-Hansa EUR 3 million for serious data security breaches. The security breach was discovered when a recipient of an email from Trygg-Hansa realized that by changing a web link, they could access other customers' documents without authentication. Due to these security breaches, it was possible to access sensitive data of about 650,000 customers, including health, financial and contact information, over a span of more than two years, from October 2018 to February 2021

Prodav srl: Non-compliance with general data processing principles

€1,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Prodav srl EUR 1,000. The controller had operated video surveillance cameras in one of their shops without the required authorization. Furthermore, the DPA found that the controller failed to properly inform about the CCTV and the processing of personal data by the cameras.

Ristorante Francesco srl: Non-compliance with general data processing principles

€5,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Ristorante Francesco srl EUR 5,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that the controller failed to properly inform about the CCTV and the processing of personal data by the cameras.

Sjúkratyringur Íslands: Insufficient technical and organisational measures to ensure information security

€13,400 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 13,400 on Sjúkratyringur Íslands. During its investigation, the DPA found that the controller had failed to implement adequate technical and organizational measures to protect personal data. This included the lack of multi-factor authentication for access to health information and the controller's use of real data in the development of a system. In assessing the fine, it was considered aggravating that a large number of individuals were affected by the

Debt collection agency: Insufficient technical and organisational measures to ensure information security

€2,265,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 2,265,000 on a debt collection agency. The fine is the highest ever imposed by AZOP. AZOP had received an anonymous complaint in December 2022 stating that a large number of debtors' personal data had been processed by the collection agency without authorization. Attached to the complaint was a USB stick containing personal data (name, date of birth, personal identification number) of 77,317 debtors. During its investigation, AZOP found that cont

Company: Non-compliance with general data processing principles

€20,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined a company EUR 20,000. The company had suffered a data breach in which personal data of 50,000 data subjects were compromised. During its investigation, the DPA found that the company had failed to implement appropriate technical and organizational measures to protect personal data. These included the lack of adequate access controls and authentication of IT system administrators in the controller's information systems. Also, the DPA found that the company failed to s

Store owner: Non-compliance with general data processing principles

€3,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined a store owner EUR 3,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing.

H&M Hennes & Mauritz s.r.l.: Non-compliance with general data processing principles

€50,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined H&M Hennes & Mauritz s.r.l. EUR 50,000. H&M had installed numerous video surveillance systems in its Italian stores for the purpose of preventing theft and ensuring the safety of its employees. Each store was equipped with at least three video surveillance cameras that were active 24/7 and also covered employee areas. During its investigation, the DPA found that the video surveillance systems were being operated without the required authorization and therefore unlawfull

Centric Health Ltd.: Non-compliance with general data processing principles

€460,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 460,000 on Centric Health Ltd. The controller suffered a ransomware attack in which personal data such as name, date of birth and contact details were accessed, altered and destroyed without authorization. Data records of approximately 70,000 people were affected, of which 2,500 were permanently affected. The DPA's investigation found that the healthcare facility had failed to implement adequate technical and organizational measures to protect personal da

Company: Insufficient legal basis for data processing

Data Protection Authority of Bremen

The DPA of Bremen has imposed a fine on a company. The controller had installed video cameras in the offices and monitored employees before, during and after their working hours as well as customers without authorization over a period of two years.

Store owner (Woolen): Insufficient fulfilment of information obligations

€3,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined the owner of the store 'Woolen' EUR 3,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing.

Store owner (Joy Unique Collection): Insufficient fulfilment of information obligations

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined the owner of the store 'Joy Unique Collection' EUR 6,000. The controller had operated video surveillance cameras in its premises without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing.

Medicover S.R.L.: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 1,000 on Medicover S.R.L. The controller had reported a data breach to the DPA pursuant to Art. 33 GDPR. The controller had inadvertently sent documents containing personal data to the wrong recipient. As a result, personal data such as the data subject's name, correspondence address, e-mail and health data were disclosed without authorization. The DPA determined that the incidents were due to the controller's failure to implement appropriate technical

ING Bank NV Amsterdam Sucursala București: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 20,000 on ING Bank NV Amsterdam Sucursala București. The bank had reported a data breach to the DPA pursuant to Art. 33 GDPR. Several personal data of customers, such as ID card data, bank data, bank card data, etc., were accessed and disclosed without authorization. This resulted in payment transactions being carried out by unauthorized third parties. During its investigation, the DPA found that the bank had failed to implement adequate technical and o

Company: Insufficient legal basis for data processing

€800 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 800 on a company. The controller had installed video surveillance cameras without obtaining authorization for the installation. In addition, the controller failed to provide signs regarding the CCTV with the contact details of the data controller.

EDYTE SA: Insufficient legal basis for data processing

€5,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 5,000 on EDYTE SA. EDYTE, as a processor, had unlawfully disclosed personal data to third parties without the authorization of the data controller.

Intesa Sanpaolo Vita S.p.a.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Intesa Sanpaolo Vita S.p.a. EUR 20,000. The data subject, who had taken out a life insurance policy with the controller, had filed a complaint with the DPA against the controller for the unauthorized disclosure of their personal data. In the course of its investigation, the DPA found that the controller had disclosed personal data, such as first name, last name and information about the policy, to third parties without authorization. The unauthorized disclosure had occu

Wens Experience SRL: Insufficient data processing agreement

€1,500 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 1,500 on Wens Experience SRL. In the course of its investigation, the DPA found that Wens Experience, in the course of acting as a processor on behalf of the controller, had engaged another processor to process employee data without having obtained prior authorization from the controller. This constitutes a violation of Art. 28 (2) GDPR.

Intesa Sanpaolo S.p.A: Insufficient legal basis for data processing

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Intesa Sanpaolo S.p.A. The bank had unlawfully disclosed data of the data subject to unauthorized third parties (the father of the data subject). The data subject's father, a former employee of the bank, had been authorized to access his daughter's bank data until she reached the age of majority. However, the father had demanded access to his daughter's data, who in the meantime had already reached the age of majority. An employee of the ban

Google LLC: Insufficient legal basis for data processing

€10,000,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine of EUR 10 million on GOOGLE LLC. Two data subjects had complained to the DPA that Google had disclosed their personal data to third parties without authorization. In the course of the lengthy investigation, the DPA found that Google had passed on personal data of data subjects to the so-called Lumen project. Lumen is a project run by the Berkman Klein Center for Internet & Society at Harvard University. The project began in 2002 for the purpose of collec

Kredyt Inkaso Investments RO S.A: Insufficient legal basis for data processing

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has fined Kredyt Inkaso Investments RO S.A. EUR 5,000. A data subject had filed a complaint with the DPA against the controller for having disclosed their personal data and that of their minor child to medical institutions without authorization and without the data subject having any relationship with the institutions. During its investigation, the DPA found that the controller had disclosed data such as home address, professional status, as well as data from the employment cont

Italian Ministry of Defense: Insufficient legal basis for data processing

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on the Italian Ministry of Defense. An employee of the ministry had filed a complaint with the DPA. During its investigation, the DPA found that two emails had been forwarded without authorization. These e-mails contained, among other things, sensitive information on the health status of the data subject as well as information on legal proceedings.

DEDALUS BIOLOGIE: Insufficient technical and organisational measures to ensure information security

€1,500,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 1.5 million on DEDALUS BIOLOGIE. DEDALUS distributes software solutions for medical analysis laboratories. In February, the press revealed a data leak at DEDALUS that resulted in the leak of nearly 500,000 individuals' data. The leaked data included information on the surnames, first names, social security number, name of the treating physician, data on medical examinations and illnesses of the data subjects. During its investigation, the CNIL foun

Tecnomed Trento s.r.l.: Non-compliance with general data processing principles

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Tecnomed Trento s.r.l. EUR 10,000. The controller had operated several video surveillance cameras in its premises, some of them without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing. The DPA also found that three individuals with shared credentials had authorized access to the recorded images. The DPA concluded that this circumstance was not appropriate to guarantee the

Norwegian Parliament: Insufficient technical and organisational measures to ensure information security

€195,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined the Norwegian Parliament EUR 195,000. The parliament had suffered a data breach in which unauthorized persons gained access to the email accounts of members of parliament and parliamentary administrative staff. The attackers had succeeded in siphoning off the data, including personal data on bank accounts, dates of birth and health-related data. During its investigation, the DPA found that the parliament did not incorporate sufficient security mechanisms, such as two-f