
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions


Telecommunications company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (azop) has imposed a fine of EUR 20,000 on a telecommunications company. A data subject had filed a complaint with the DPA claiming that the company was still processing their personal data even though they had not been a customer of the company for more than ten years. During its investigation, the DPA found that the company had still been storing the data due to an alleged debt. The debt was no longer outstanding; however, the company had failed to delete the data of the data

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish telecommunications and information agency (SETSI) decided that Vodafone had to reimburse a customer for costs that had been wrongly charged to him. Nevertheless, Vodafone passed personal data of this customer to a credit registry (BADEXCUG). The AEPD (Spanish Data Protection Authority) found that this conduct violates the principle of accuracy.

Telecommunications company: Insufficient legal basis for data processing

The Croatian Data Protection Authority (DPA) has imposed a fine of EUR 20,000 on a telecommunications company. A data subject had filed a complaint with the DPA, claiming that the company was still processing his personal data even though he had not been a customer of the company for more than ten years. During the investigation, the DPA found that the company was still storing the data because of an alleged debt. Although that debt no longer existed, the company had not deleted the data subject's data.

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (aepd)

The Spanish telecommunications and information agency (SETSI) decided Vodafone had to reimburse a customer for costs he was wrongfully charged. Nevertheless, Vodafone reported personal data of this customer to a solvency registry (BADEXCUG). The AEPD found this behaviour violated the principle of accuracy.

FUNDACIÓ PRIVADA DE SERVEIS PER ALS USUARIS DEL HABITATGE SOCIAL DE CATALUNYA: Insufficient legal basis for data processing

€1,200 fine - Spanish Data Protection Authority (AEPD)

The Spanish Data Protection Authority has imposed a fine on the organisation FUNDACIÓ PRIVADA DE SERVEIS PER ALS USUARIS DEL HABITATGE SOCIAL DE CATALUNYA. The controller processed personal data without a sufficient legal basis, which led to an incorrect bank transaction to the detriment of the data subject. The original fine of EUR 2,000 was reduced to EUR 1,200 because of immediate payment and the controller's acknowledgement of responsibility.

E.ON Energia spa: Insufficient legal basis for data processing

€892,783 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 892,738 on E.ON Energia spa for unlawfully processing personal data for telemarketing. The investigation was triggered by complaints from two individuals who received unsolicited calls and did not receive responses to their requests to exercise their rights under the GDPR. It was found that when the electricity and gas supplies were activated, consents of data subjects were recorded incorrectly. E.ON failed to take appropriate measures to verify the accur

Company: Insufficient fulfilment of data subjects rights

€12,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has imposed a fine of EUR 12,000 on a company providing vehicle history check services. The controller refused a data subject's request to rectify personal data and failed to provide requested information. Additionally, the controller failed to prove that the processed data was accurate or that accuracy tests had been carried out.

Axpo Italia Spa: Non-compliance with general data processing principles

€10,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10 million on electricity and gas supplier Axpo Italia Spa. The DPA had received numerous complaints from data subjects who complained that, without their knowledge, electricity and gas contracts had been activated in their own names, of which they had only learned after receiving termination letters from the previous supplier or reminders to pay outstanding bills. They also discovered that their personal data provided in the contract (e.g., email addres

Azienda Sanitaria dell'Alto Adige - Suedtiroler Sanitaetsbetrieb: Insufficient fulfilment of data subjects rights

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on Azienda Sanitaria dell'Alto Adige - Suedtiroler Sanitaetsbetrieb for failing to adequately fulfil its obligation to comply with a data subject's request for information on the lawfulness and accuracy of the processing of their personal data.

Bank of Cyprus Public Company Ltd.: Non-compliance with general data processing principles

€8,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 8,000 on Bank of Cyprus Public Company Ltd. The controller had stored inaccurate data about a data subject in its system.

Lazio Region: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Lazio Region. An individual had filed a complaint with the DPA because she had received an invitation from the regional health authority to participate in the cervical cancer screening program that was addressed to her daughter, who died in 1995. During its investigation, the DPA discovered that the daughter's data was still in the region's database even though she had already died. For this reason, the DPA found that the Region had violated t

Piraeus Bank: Non-compliance with general data processing principles

€10,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 10,000 on Piraeus Bank. The bank had mistakenly sent a document containing data of the data subject to a third party. This error was based on a wrongly provided e-mail address by a co-owner of the account. Although the bank became aware of this error, they did not stop sending the communications to the third party, but instead instructed the data subject to exercise their right to correct the inaccurate data. As a result of its investigation, the DPA fo

Energy company (name not available at the moment): Insufficient fulfilment of data subjects rights

€124,245 fine - Croatian Data Protection Authority (azop)

The fined energy company owns petrol stations and sells fuel to customers. The data subject is a customer who filed a consumer complaint relating to inaccurate measuring and consequently charging of fuelled petrol at one of the petrol stations. The data subject requested a copy of its personal data, i.e. a copy of the video surveillance footage relating to a specific time and area. The energy company justified rejecting the request by: (i) lack of written request by competent authorities to deli

Deliveroo Italy s.r.l.: Non-compliance with general data processing principles

€2,500,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has fined food delivery service Deliveroo Italy s.r.l. EUR 2,500,000 for unlawfully processing the personal data of approximately 8000 drivers. Garante's investigation revealed numerous and serious data protection violations. The violations included a lack of transparency in the algorithms used to manage drivers, both when assigning jobs and when booking work shifts. Deliveroo had used a centralized system for driver management through which it then processed and manage

Foodinho s.r.l.: Non-compliance with general data processing principles

€2,600,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has fined Foodinho s.r.l. EUR 2,600,000. Foodinho is an Italian food delivery service. The investigation against Foodinho mainly focused on the drivers of Foodinho. In the process, the DPA found some serious violations of applicable data protection regulations. Thus, the DPA identified some irregularities concerning the algorithms of the Foodinho system. In particular, the DPA found that the controller had not adequately informed employees about how the system worked an

Equifax Iberica S.L.: Insufficient legal basis for data processing

€1,000,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 1,000,000 on Equifax Ibérica, SL. A total of 96 complaints were filed with the DPA against the controller because it had included personal data of individuals associated with alleged debts in the Judicial Claims and Public Entities File ('FIJ') without their consent. In some cases, these data were not even correct. According to the DPA, the processing of the data subjects' personal data involving the FIJ file had been unlawful and violated several

Irish Credit Bureau DAC: Insufficient technical and organisational measures to ensure information security

€90,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 90,000 on Irish Credit Bureau (ICB). The fine follows a data breach reported by the controller to the DPA on August 31, 2018. The controller is a credit reporting agency that maintains a database of credit contract performance between financial institutions and borrowers. The data breach occurred when the controller made a code change to its database that contained a technical error. As a result, between June 28, 2018 and August 30, 2018, the ICB dat

Certime S.A.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 5,000 on Certime S.A. The data subject had renewed her driver's license with the controller in 2009. After her address had changed in 2018, in 2019 she received mail from the controller at her new address without having informed the controller of the address change. In the letter, the controller informed the data subject that her driver's license would soon expire. In response to an inquiry from the data subject as to where her new contact informat

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€54,000 fine - Spanish Data Protection Authority (aepd)

The data subject had concluded a contract with the controller (Vodafone España, S.A.U.). However, the products provided under this contract were not delivered in the name of the data subject, but in the name of a third party. Subsequently, the data subject contacted the company's data protection officer by e-mail in order to restore the accuracy of his/her data stored at Vodafone. However, no response was received to this request. When the data subject finally contacted the telecommunications co

Vilnius City Municipality Administration: Non-compliance with general data processing principles

€15,000 fine - Lithuanian Data Protection Authority (VDAI)

During the data synchronization of the Population Information System of the Municipal Administration with the databases of the State Centre for Business Registers, the personal data of an applicant for the fostering of an adopted child was replaced, due to an error, with the personal data of the biological parents, which were subsequently accessible in the Population Register of the Republic of Lithuania. This constituted a violation of the principles of integrity and confidentiality of personal

Telekom Romania: Insufficient technical and organisational measures to ensure information security

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The company's inadequate security measures had led to unlawful processing of personal data without verifying their accuracy. For this reason, a fine was imposed on Telekom Romania for violation of Article 32 of the GDPR, and the company was ordered to introduce effective mechanisms to identify and protect data from unauthorised disclosure and unlawful processing in order to ensure compliance with the GDPR.

Telekom Romania Communications SA: Insufficient technical and organisational measures to ensure information security

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The company had not taken sufficient technical and organizational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjects

Television broadcaster: Insufficient fulfilment of information obligations

€3,850 fine - Czech Data Protection Authority (UOOU)

A TV broadcaster had provided information on its website about the processing of personal data, which was however hidden and inaccurate (links to outdated legal provisions).

Telekom Romania Mobile Communications SA: Insufficient technical and organisational measures to ensure information security

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The company failed to ensure the accuracy of the processing of personal data, which resulted in the disclosure of a client's personal data to another client.

Hora Credit IFN SA: Insufficient technical and organisational measures to ensure information security

€14,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA transmitted documents containing personal data of another person to a wrong e-mail address. Following the investigation, it was found that Hora Credit IFN SA processed the data without providing effective mechanisms for verifying and validating the accuracy of the data collected and processed according to the principles set out in Art. 5 of the GDPR. It was also found that the operator did not take sufficient secur

Telefónica SA: Non-compliance with general data processing principles

€30,000 fine - Spanish Data Protection Authority (aepd)

Telefónica had charged the complainant various fees in connection with the operation of a telephone line which the complainant had never owned. The reason for this was that the complainant's bank account was linked to another Telefónica customer, which led to the charges being debited from the complainant's account. According to the AEPD, this is contrary to the principle of accuracy as required by Article 5(1)(d) GDPR.