
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions


Verisure Italy s.r.l.: Non-compliance with general data processing principles

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 400,000 on Verisure Italy s.r.l. The controller had been active in direct marketing activities. The controller failed to ensure that the consent provided by data subjects was valid. Additionally, the controller failed to implement adequate retention periods for the processed data. Lastly, the controller failed to adequately respond to data subjects' requests to exercise their rights, and failed to adequately inform them regarding the processing of their

Verisure Italy s.r.l.: Non-compliance with general data processing principles

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 400,000 on Verisure Italy s.r.l. The controller had been active in direct marketing activities. The controller failed to ensure that the consent provided by data subjects was valid. Additionally, the controller failed to implement adequate retention periods for the processed data. Lastly, the controller failed to adequately respond to data subjects' requests to exercise their rights, and failed to adequately inform them regarding the processing of their data.

ILVA A/S: Non-compliance with general data processing principles

€200,900 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 200,900 on ILVA A/S. The controller failed to implement data deletion deadlines. This led to an infringement of the principle of storage limitation.

Magna PT S.p.A.: Insufficient legal basis for data processing

€50,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine on Magna PT S.p.A. Employees of the controller were subjected to "return interviews" after coming back from a period of illness or hospitalisation. These interviews lacked a sufficient legal basis, in particular with regard to the processing of health data. Moreover, the controller failed to adequately inform the data subjects about the processing. The controller also failed to minimise the amount of data processed and to limit the retention period.

Menarini Silicon Biosystems SpA: Non-compliance with general data processing principles

€21,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 21,000 on Menarini Silicon Biosystems SpA. The controller conducts oncological research and has developed software that is able to classify human cells. The controller used pseudonymised health data from an American company which is part of the same group. The controller failed to ensure that data subjects received adequate information and to ensure adequate data storage limitation. The controller also failed to demonstrate compliance with the ge

Patronage and Assistance for Citizens and Agriculture Board: Insufficient legal basis for data processing

€5,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 5,000 on the organisation "Patronage and Assistance for Citizens and Agriculture Board". The controller had stored a data subject's personal data for a period exceeding the statutory retention period laid down in national law.

SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L.: Insufficient legal basis for data processing

€21,600 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. The controller offers fitness courses which are recorded and published. The consent obtained for the processing does not meet the legal requirements. In addition, the controller does not limit the retention period of the data. The original fine of EUR 36,000 was reduced to EUR 21,600 due to voluntary payment and the controller's acknowledgement of responsibility.

Hospital: Insufficient technical and organisational measures to ensure information security

€190,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 190,000 on a hospital. The hospital had suffered a data breach in which radiological image files were irrevocably lost. AZOP had received several complaints from data subjects whose personal data, including medical images, could not be provided. The investigation revealed that the hospital failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data were made (violation of Art. 32 (1) b) GDPR).

Website operator: Non-compliance with general data processing principles

€180 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on the operator of a website for storing data of a data subject for an excessively long period of time and contrary to the principle of storage limitation under Art. 5 (1) e) GDPR. The original fine of EUR 300 was reduced to EUR 180 due to the voluntary payment and the acknowledgement of responsibility.

GROUPE CANAL +: Insufficient fulfilment of data subjects rights

€600,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 600,000 on GROUPE CANAL+ for multiple violations of the GDPR. The DPA determined that the data controller failed to demonstrate that it had obtained valid prior consent from individuals for sending electronic promotional messages. Additionally, the DPA found that the data controller did not provide adequate information regarding the retention periods of personal data in its privacy statement. Furthermore, the DPA observed that the data controller's proces

Athens Urban Transport Organization: Non-compliance with general data processing principles

€50,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA imposed a fine of EUR 50,000 on the Athens Urban Transport Organization. As part of its investigation, the DPA found that the controller had failed to comply with the principle of data protection by design and by default. It also failed to carry out a data protection impact assessment and to set appropriate retention periods for the storage of personal data.

ELECTRAWORKS - CEUTA, S.A.: Insufficient fulfilment of information obligations

€6,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on ELECTRAWORKS - CEUTA, S.A. The controller had failed to provide sufficient information about the retention periods of personal data. The original fine of EUR 10,000 was reduced to EUR 6,000 due to voluntary payment and acknowledgement of responsibility.

DISCORD INC.: Non-compliance with general data processing principles

€800,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 800,000 on DISCORD INC. DISCORD offers an online communication service through which users can chat or make video calls. During its investigation, the DPA found that the company had failed to establish, and also to comply with, a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts within the DISCORD database of French users who had not used their account for more than three years and approximat

Alpha Exploration: Non-compliance with general data processing principles

€2,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2 million on Alpha Exploration. Alpha Exploration operates the social network Clubhouse. In the course of its investigation, the DPA found numerous violations of the GDPR. For example, the DPA found that there was a lack of transparency regarding the use of users' data and their chat contacts. In addition, users of the network were able to store and share audio messages from other users without their consent. Moreover, account information was shared with

Company: Non-compliance with general data processing principles

€1,400 fine - National Commission for Data Protection (CNPD)

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 1,400 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was, among other things, to protect the company's assets, to optimise fleet management and to optimise the workflow. Some of the location data collected by the controller was stored for a year. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DPA considered this to be a violat

Clearview AI Inc.: Non-compliance with general data processing principles

€9,000,000 fine - Information Commissioner (ICO)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such

Dutch Tax and Customs Administration: Non-compliance with general data processing principles

€3,700,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 3.7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA. As part of its investigation, the DPA found a number of violations of the GDPR. The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. The administration had processed personal data such as health, citizenship, an

Clearview AI Inc.: Non-compliance with general data processing principles

€20,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined U.S.-based Clearview AI EUR 20 million after it was revealed that the company had been applying biometric surveillance techniques on Italian territory. The company owns a database of over 10 billion facial images from around the world. The company offers a search service that allows profiles to be created based on the biometric data extracted from the images. The profiles can be enriched with information associated with these images, such as image tags and geolocation.

Bocconi University: Non-compliance with general data processing principles

€200,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible t

Roma Capitale: Non-compliance with general data processing principles

€800,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 800,000 on Roma Capitale. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city in 2018. In fact, the company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transp

Atac s.p.a.: Non-compliance with general data processing principles

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 400,000 on Atac s.p.a. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city of Rome. In fact, the company Atac s.p.a., which was contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public t

SGAM AG2R LA MONDIALE: Non-compliance with general data processing principles

€1,750,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has fined the private insurer SGAM AG2R LA MONDIALE EUR 1,750,000. The CNIL had carried out an inspection at the AG2R LA MONDIALE group in 2019. On this occasion, the CNIL found that the controller kept the data of millions of individuals for an excessive period of time and did not comply with its information obligations in the context of telephone canvassing campaigns. With regard to the data of prospects, the controller did not comply with the maximum retention period of th

BRICO PRIVÉ: Non-compliance with general data processing principles

€500,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 500,000 on BRICO PRIVÉ. CNIL conducted three inspections at BRICO PRIVÉ between 2018 and 2021 and identified several deficiencies in the processing of personal data of prospects and customers. The controller, for example, had not complied with the data retention periods it had itself established: the data of more than 16,000 customers who had not placed an order in the last five years had been retained. The same applied to more than 130,000

ParkkiPate Oy: Insufficient fulfilment of data subjects rights

€75,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 75,000 on ParkkiPate Oy. A number of people had been issued parking tickets by the controller and had thereupon requested information about which personal data was being processed and, in some cases, requested the deletion of their data. However, in order to process the requests, the controller stated that it needed the ID card number and address of the data subjects for identification purposes, as their name with the parking ticket number was not suffic

LUXEMBOURG DPA: Non-compliance with general data processing principles

€2,800 fine - National Commission for Data Protection (CNPD)

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 2,800 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was, among other things, to protect the company's assets and to monitor the transport of goods and the drivers' working hours. Some of the location data collected by the controller was stored for two years and four months. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DP

Miropass S.r.l.: Insufficient legal basis for data processing

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) fined Miropass S.r.l. EUR 40,000. Miropass is the provider of the TuPassi booking system, which among others has been used by the Municipality of Rome since 2015. The booking system enables the booking of appointments both on the website of the controller (www.tupassi.it) as well as via the corresponding app. For this purpose, the company collects and processes the personal data of the users. In the course of its investigation, the Italian DPA found that Miropass, parti

TIM (telecommunications operator): Insufficient legal basis for data processing

€27,800,000 fine - Italian Data Protection Authority (Garante)

Between January 2017 and 2019, the data protection authority received hundreds of notifications, in particular concerning the receipt of unsolicited commercial communications made without the consent of the data subjects or despite their registration in the public register of objections. Furthermore, irregularities in data processing in connection with competitions were also complained about. In addition, incorrect and non-transparent information on data processing was provided in Apps provided

Eni Gas e Luce: Insufficient legal basis for data processing

€8,500,000 fine - Italian Data Protection Authority (Garante)

The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and the activation of unsolicited contracts. The first fine of EUR 8.5 million relates to the unlawful processing in connection with telemarketing and telesales activities. Among other things, promotional calls were made without the consent of the person contacted or despite that person's refusal to receive promotional

CZECH REPUBLIC DPA: Non-compliance with general data processing principles

€10,000 fine - Czech Data Protection Authority (UOOU)

The controller neither processed data only where adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed ('data minimisation'), nor kept the data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation').