
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

38 Posts
12 Topics
May 27 Latest

Yliopiston Apteekin: Non-compliance with general data processing principles

€1,100,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 1,100,000 on Yliopiston Apteekin. The controller, which runs an online pharmacy, used various web analytics and monitoring tools. These tools were implemented in a way that allowed their providers, who are based outside the EU, to access personal data. The controller also failed to ensure that the tools complied with the principle of data minimization.


Hospital: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system,

Company: Insufficient legal basis for data processing

€80,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 80,000 on a company. The company was responsible for monitoring parking lots at several supermarkets and a hospital. However, it accessed personal data – in particular license plate numbers and owner information – from the Croatian Ministry of the Interior's (MUP) vehicle registry without a valid legal basis. Access was gained via a web service that the company had secured the right to use in certain areas on the basis of a concession. However, t

Real estate company: Non-compliance with general data processing principles

€40,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 40,000 on a real estate company for inappropriately monitoring its employees. A software program recorded “periods of inactivity” and regularly took screenshots of the computers of employees working from home. The program automatically detected when an employee made no keyboard or mouse movements for a period of 3 to 15 minutes. In addition, the employees in the offices were continuously filmed. These measures were deemed disproportionate and were considered

Stockholm School Board: Non-compliance with general data processing principles

€70,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has fined the Stockholm School Board EUR 70,000 for excessive video surveillance in a school. The school had installed extensive video surveillance due to past problems with arson. During its investigation, the DPA found that there were about 50 fixed cameras in the school monitoring hallways, stairwells and corridors adjacent to doors, toilets and student lockers. Surveillance was taking place 24/7 with image recording. The DPA concluded that video surveillance

Municipality of Modica: Non-compliance with general data processing principles

€45,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 45,000 on the municipality of Modica for monitoring waste disposal sites with CCTV without providing sufficient information to citizens. During its investigation, the DPA also found that the municipality had not properly regulated the processing with the companies responsible for the CCTV management. The municipality also failed to appoint a data protection officer and stored the recorded images excessively.

Ew Business Machines S.p.A.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 20,000 on Ew Business Machines S.p.A. The controller had installed a video surveillance system that not only recorded images in real time, but also made audio recordings, capturing employees. Both the company's legal representative and their family had access to these recordings via a smartphone. During its investigation, the DPA found that the employees were not adequately informed about the additional audio monitoring. In addition, the company used an

REGENCY COMPANY SRL: Non-compliance with general data processing principles

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 3,000 on REGENCY COMPANY SRL. The controller had installed video surveillance cameras in its premises for the purpose of monitoring access of people and security of premises and property. However, this allowed it to monitor its employees extensively. In the course of its investigation, the DPA found that the video surveillance was partly carried out without the consent of the employees and that the purposes underlying the surveillance could also be achi

Tehnoplus Industry SRL: Non-compliance with general data processing principles

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 5,000 on Tehnoplus Industry SRL. An employee of the company had filed a complaint with the DPA because the controller had installed a GPS system in their company vehicle for the purpose of monitoring the vehicle without providing them with sufficient information about such installation. During its investigation, the DPA also found that the controller was processing the GPS data outside working hours and for purposes other than originally intended. The D

Lazio Region: Insufficient legal basis for data processing

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Lazio Region EUR 100,000. A trade union had filed a complaint with the DPA alleging that the Region had monitored the e-mail accounts of employees of the Region's legal department. The Region had initiated such monitoring on suspicion of possible disclosure of information protected by official secrecy to third parties. The Region stored and analyzed the employees' data for 180 days. The data included not only information related to work, but also personal data of the da

Senseonics Inc.: Non-compliance with general data processing principles

€45,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 45,000 on Senseonics Inc. The company had reported a data breach to the DPA pursuant to Art. 33 GDPR, involving an employee accidentally sending an information campaign by email to a large number of recipients in an open distribution list. This made it possible for all recipients to view the email addresses of the other recipients. The recipients of the e-mails were diabetic patients, making it possible to obtain information about the health status of th

Amiu S.p.A.: Insufficient legal basis for data processing

€200,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 200,000 on Amiu S.p.A. The company operates the waste collection service for the city of Taranto and acted as a processor for this service. The company had installed several video surveillance cameras for the purpose of monitoring illegal waste disposal. The DPA found that Amiu had posted some images from the cameras on Facebook, showing individuals clearly enough to identify them. During its investigation, the DPA found that Am

Brussels Airport Charleroi: Insufficient legal basis for data processing

€100,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid lega

Brussels Airport Zaventem: Insufficient legal basis for data processing

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Zaventem EUR 200,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid legal

Employer: Insufficient fulfilment of data subjects rights

€2,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 2,000 on an employer. An employee had filed a complaint due to the employer's failure to comply with the employee's right to object. The employee had objected to continuous monitoring of his online courses offered via zoom. However, the employer had continued the monitoring. In addition, the DPA found that the employer could not provide a sufficient legal basis for processing the data.

Company: Non-compliance with general data processing principles

Data Protection Authority of Bremen

The DPA of Bremen has imposed a five-digit fine on a company. The controller had unlawfully used GPS software in its company vehicles, allowing unrestricted monitoring of its employees over a long period of time. The DPA found that such extensive monitoring was not necessary and therefore unlawful.

Psykoterapiakeskus Vastaamo: Non-compliance with general data processing principles

€608,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo's medical database on at least two occasions, in December 2018 and March 2019. The attacker had also siphoned off data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker cou

Østre Toten municipality: Insufficient technical and organisational measures to ensure information security

€412,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Østre Toten municipality EUR 412,000. The municipality suffered a cyberattack in January 2021, as a result of which the municipality's data was encrypted as well as backups were deleted. A larger amount of data was later published on the dark web. Approximately 30,000 documents were affected by the attack. The documents contained, among other things, information on ethnic origin, political opinion, religious beliefs, union memberships, sexual orientation, health statu

Bocconi University: Non-compliance with general data processing principles

€200,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible t

Danish Immigration Agency: Insufficient technical and organisational measures to ensure information security

€20,100 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 20,100 on the Danish Immigration Agency. Media reports brought the DPA's attention to possible logging errors in one of the agency's IT systems, which could have an impact on the rights and freedoms of residents. The DPA consequently started an investigation at the agency. In spring and summer 2020, several security incidents occurred in the agency's systems, resulting in the loss of data records. The loss of data led to proceedings being initiated agains

Directorate of the Östra Skaraborg Rescue Service: Non-compliance with general data processing principles

€34,800 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 34,800 on the directorate of the Östra Skaraborg Rescue Service. The DPA had received information that several fire stations in Östra Skaraborg operated surveillance cameras that filmed areas where firefighters were changing during an emergency, whereupon it initiated a review of the camera surveillance. The video surveillance was taking place around the clock, although the controller itself stated that video surveillance was only required in case of eme

Radiotelevisión del principado de Asturias: Non-compliance with general data processing principles

€19,600 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine of EUR 26,000 on Radiotelevisión del principado de Asturias. The fine consists of EUR 20,000 due to a violation of Art. 5 (1) c) GDPR and EUR 6,000 due to a violation of Art. 12 GDPR. The fine was based on the fact that the controller installed a video surveillance system totaling 14 video cameras and monitoring the business premises. The controller states that the cameras were installed for the purpose of security of the premises. However, the cameras c

Private Individual: Non-compliance with general data processing principles

€1,500 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine of EUR 1,500 on a private individual. The controller had installed a surveillance camera on his property, which recorded, among other things, the public space and neighboring properties. According to the controller, he had installed the camera for security purposes regarding his property. The AEPD considered this to be a violation of the principle of data minimization, as such extensive monitoring was not necessary to protect the controller's property

Private Individual: Non-compliance with general data processing principles

€3,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on a private individual. The controller resides on the 1st floor of an apartment building, where he is the owner of apartments on the 2nd and 3rd floors. He regularly rents out these apartments to tourists. The controller had installed four video cameras on the three floors and in the entrance area of the building. He justified their operation with security concerns related to the rental to tourists. The owners' association had not granted p

Laboratorio Octogón, S.L.: Non-compliance with general data processing principles

€1,000 fine - Spanish Data Protection Authority (AEPD)

Usage of CCTV camera systems that were also monitoring public space (breach of principle of data minimization).

Dragefossen AS: Insufficient legal basis for data processing

€14,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) imposed a fine of EUR 14,900 on the energy company Dragefossen AS. The latter had installed a webcam on the roof of its office building in the center of Rognan which was in operation 24/7 and recorded the city center. These recordings could be viewed via a live video stream on Youtube and on the controller's homepage. In addition, the recordings could be rewound for up to twelve hours. The area covered by the camera surveillance included a public street, the park

ING Bank N.V. Amsterdam - Bucharest office: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA (ANSPDCP) imposed a fine of EUR 1,000 on ING Bank N.V. Amsterdam - Bucharest Branch. It was found that the controller had sent files to a contractual partner in order to issue insurance policies. The sent files contained outdated information, as employees of the insurance policy monitoring department had not checked and processed the insurance policies according to the work process, which affected 270 people. Considering these aspects, it was found that the technical and organiz

City of Stockholm: Insufficient technical and organisational measures to ensure information security

€394,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA imposed a fine of EUR 394,000 on the City of Stockholm for data breaches on a school education platform. The platform consists of several subsystems, including a system for monitoring school attendance, a student administration system, an interface for parents and an administration interface for teachers. In one of the subsystems, the inability to restrict user access to the data allowed a significant number of staff to access information about students with protected identities. In

Homeowners Association: Non-compliance with general data processing principles

€1,600 fine - Spanish Data Protection Authority (AEPD)

Usage of CCTV camera systems that were also monitoring public space (breach of principle of data minimization).

Restaurant: Non-compliance with general data processing principles

€3,000 fine - Spanish Data Protection Authority (AEPD)

Installation of CCTV surveillance cameras that were also monitoring the public space and without proper information.

LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd: Insufficient legal basis for data processing

€10,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.

LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd: Insufficient legal basis for data processing

€70,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.

LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd: Insufficient legal basis for data processing

€2,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 2020/10/13.

Unknown Company: Non-compliance with general data processing principles

€2,860 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

An employee was on sick leave when his employer checked his desktop, laptop and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee received no prior notification and had no chance to copy or delete his private information (telephone numbers, messages). According to NAIH, employers must document such access with minutes and photos. Employment agreements must regulate whether employees can use work equipmen

School in Skellefteå: Insufficient legal basis for data processing

€18,630 fine - Data Protection Authority of Sweden

A school in Skellefteå ran a trial of facial recognition technology. The fine was imposed on the school, which had used facial recognition to monitor the attendance of students. Even though data processing for the purpose of monitoring attendance is in general permissible, doing so with facial recognition is disproportionate to the goal of monitoring attendance. The supervisory authority is of the opinion that biometric data of students was processed, which is why Art. 9 GDPR is app

Public area maintenance company: Non-compliance with general data processing principles

€4,290 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

An ex-employee complained that his employer had unlawfully monitored his work via its CCTV. The employer argued that CCTV monitoring was necessary to assess whether the employee fulfilled his employment-related duties (i.e. monitoring certain public areas and signalling any unusual event to his colleagues) and that the monitoring also served to protect its surveillance system from unlawful access or usage. NAIH found that monitoring the employee by CCTV is not an appropriate way of assessi

Restaurant: Non-compliance with general data processing principles

€2,000 fine - Data Protection Authority of Saarland

Video surveillance cameras have been used in violation of principle of data minimisation (monitoring also of customer areas in restaurants).