Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Aena, S.M.E., S.A.: Non-compliance with general data processing principles

€10,043,002 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 10,043,002 on Aena, S.M.E., S.A. The controller conducted a pilot project involving multiple airports, including the use of facial recognition systems. However, the controller failed to carry out a data protection impact assessment prior to doing so.

SIDECU, S.A.: Non-compliance with general data processing principles

€96,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA imposed a fine of EUR 96,000 on SIDECU, S.A. The controller had introduced a facial recognition system as the only way of gaining access to its facilities, without offering any alternative means of access. The controller lacked a sufficient legal basis for the processing, did not adequately inform the data subjects about it, and had not carried out a data protection impact assessment. The original fine of EUR 160,000 was reduced to EUR 96,000 due to immediate payment.

Department of Social Security: Insufficient legal basis for data processing

€550,000 fine - Data Protection Authority of Ireland

The Irish DPA imposed a fine of EUR 550,000 on the Department of Social Security. The controller uses the so-called SAFE 2 registration process for anyone applying for a Public Services Card. The SAFE 2 registration, which is mandatory, processes biometric data without a sufficient legal basis. The controller also failed to adequately inform data subjects regarding the processing and to conduct a data protection impact assessment.

ULPIA TRAJANA ALAMEDA S.L.: Non-compliance with general data processing principles

€1,500 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA imposed a fine on ULPIA TRAJANA ALAMEDA S.L. During the booking process, the controller processed data that was unnecessary for the purpose, infringing the principle of data minimization. The data processed also included biometric data (Art. 9 GDPR), for which the controller lacked a sufficient legal basis. The original fine of EUR 2,500 was reduced to EUR 1,500 due to immediate payment and admission of responsibility by the controller.

Istituto di Istruzione Superiore 'P. Galluppi' Tropea: Insufficient legal basis for data processing

€4,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2,500 on the Istituto di Istruzione Superiore 'P. Galluppi' Tropea. The controller processed biometric data of its employees to record their working hours. According to the DPA, the processing was designed in a way that did not comply with the principles of lawfulness, fairness and transparency, and it lacked a sufficient legal basis.

LIGA NACIONAL DE FÚTBOL PROFESIONAL: Insufficient technical and organisational measures to ensure information security

€1,000,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 1 million on LIGA NACIONAL DE FÚTBOL PROFESIONAL. The controller had introduced access controls for visitors to football stadiums using biometric systems without first carrying out the necessary data protection impact assessment.

CARTONAJES BAÑERES, S.A.: Insufficient technical and organisational measures to ensure information security

€220,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has fined CARTONAJES BAÑERES, S.A. EUR 220,000. During its investigation, the DPA found that the controller had failed to grant a former employee access to their personal data. The DPA also found that the controller had failed to carry out a data protection impact assessment regarding the operation of a biometric facial recognition system installed to track working hours.

CARTONAJES BAÑERES, S.A.: Insufficient technical and organisational measures to ensure information security

€220,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA imposed a fine of EUR 220,000 on CARTONAJES BAÑERES, S.A. following a complaint filed by a former employee. The employee had submitted a request to the controller for access to their personal data, particularly inquiring about the purpose and categories of data held. However, they did not receive a proper response. The employee also stated that the controller used a biometric facial recognition system that allowed employees to clock in and out, but did not offer an alternative me

Foodinho Srl: Non-compliance with general data processing principles

€5,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined the food delivery service Foodinho Srl EUR 5 million for unlawfully processing the data of approximately 35,000 drivers and for several violations of the GDPR. The DPA's investigation revealed that the company collected drivers' location data without their knowledge or consent—not only during working hours but also when the app was running in the background or inactive. Additionally, the DPA found that the company shared driver data with third parties without a valid le

Cappello Giovanni & Figli s.r.l.: Non-compliance with general data processing principles

€120,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 120,000 on Cappello Giovanni & Figli s.r.l.. The controller had used facial recognition technology to monitor the attendance of employees. During its investigation, the DPA found that such extensive recording of biometric data to monitor attendance was not permitted. The controller referred to the consent given by the employees as the legal basis for the data processing. However, the DPA concluded that the controller could not rely on consent, as volunta

Clearview AI Inc.: Non-compliance with general data processing principles

€30,500,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Clearview AI Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company's database had been processed u

CTC EXTERNALIZACIÓN, S.L: Insufficient fulfilment of information obligations

€365,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 365,000 on CTC EXTERNALIZACIÓN, S.L.. An employee had filed a complaint with the DPA due to the fact that the controller had requested fingerprints of employees in order to implement a new time and attendance system. However, it was not communicated that the fingerprints would also be stored in the staff portal. For this reason, the DPA found that the controller had violated its duty to inform. The DPA also found that the controller was unable to demonst

Nimbus s.r.l.: Non-compliance with general data processing principles

€5,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 5,000 on Nimbus s.r.l.. The controller had introduced a biometric attendance system at the workplace without adequately informing the employees and obtaining their consent.

Ew Business Machines S.p.A.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 20,000 on Ew Business Machines S.p.A.. The controller had installed a video surveillance system that not only recorded images in real time, but also made audio recordings, capturing employees. Both the company's legal representative and their family had access to these recordings via a smartphone. During its investigation, the DPA found that the employees were not adequately informed about the additional audio monitoring. In addition, the company used an

Praktiškas UAB: Insufficient legal basis for data processing

€6,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined Praktiškas UAB, the operator of the SportGates sports clubs, EUR 6,000. The controller had processed biometric data of customers in connection with their access to its sports facilities. During its investigation, the DPA found that the customers' consent to the processing of their biometric data could not be considered freely given, because the controller did not offer any alternative means of access to the sports clubs. Nor did it provide the

VIEC Limited: Non-compliance with general data processing principles

€100,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 100,000 on the nursing home operator VIEC Limited. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The controller had suffered a phishing attack in which an unauthorized third party gained access to an email account of a VIEC manager. As a result, the unknown third party also managed to access personal data such as health and biometric data of home residents. The DPA found this to be a breach of the principle of integrity and

Comune di Borgia: Insufficient legal basis for data processing

€5,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) imposed a fine of EUR 5,000 on Comune di Borgia. The municipality processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis. Also the Garante found that the municipality failed to provide t

Comune di Vicchio: Insufficient legal basis for data processing

€8,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) imposed a fine of EUR 8,000 on Comune di Vicchio. The municipality processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis.

Sportitalia: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) imposed a fine of EUR 20,000 on Sportitalia. The controller processed biometric data (fingerprints) of employees for the purpose of registering their attendance. Garante found that such extensive processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Furthermore, Garante determined that the processing of biometric data had taken place without sufficiently informing the data subjects about the processing

Clearview AI Inc.: Insufficient fulfilment of data subjects rights

€20,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has fined Clearview AI Inc. EUR 20,000,000. The company holds a database of more than 20 billion facial images (including those of French residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those i

Clearview AI Inc.: Non-compliance with general data processing principles

€20,000,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 20,000,000 on Clearview AI Inc. The non-profit organisation 'Homo Digitalis' had filed a complaint with the DPA on behalf of the data subject. The company holds a database of more than 20 billion facial images (including those of Greek residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on

Clearview AI Inc.: Non-compliance with general data processing principles

€9,000,000 fine - Information Commissioner (ICO)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such

Dutch Foreign Ministry: Insufficient technical and organisational measures to ensure information security

€565,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 565,000 on the Dutch Foreign Ministry. As part of its investigation, the DPA found that the National Visa Information System (NVIS) suffered from significant security deficiencies. This is particularly serious as the Foreign Ministry has processed an average of 530,000 visa applications per year over the last three years and the personal data processed in the course of the applications was therefore inadequately secured. The data included sensitive informa

Clearview AI Inc.: Non-compliance with general data processing principles

€20,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined U.S.-based Clearview AI EUR 20 million after it was revealed that the company had been applying biometric surveillance techniques on Italian territory. The company owns a database of over 10 billion facial images from around the world. The company offers a search service that allows profiles to be created based on the biometric data extracted from the images. The profiles can be enriched with information associated with these images, such as image tags and geolocation.

DAVISER SERVICIOS, S.L.: Non-compliance with general data processing principles

€20,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine of EUR 20,000 on DAVISER SERVICIOS, S.L.. The company had been processing biometric data (fingerprints) of employees for access to certain rooms, although less intrusive means (such as key cards) could have been used to protect the privacy of the data subjects. The AEPD found that the controller had violated the principle of data minimization.

SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.: Non-compliance with general data processing principles

€16,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine on SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.. The company had installed five terminals with a fingerprint control system to record its employees' working hours. In doing so, the company had failed to conduct a data protection impact assessment. The AEPD found a violation of Art. 35 GDPR for this reason. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment.

Mercadona S.A.: Insufficient legal basis for data processing

€2,520,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has fined Mercadona S.A. EUR 2,520,000. The controller had installed facial recognition systems in Mercadona stores for the purpose of tracking individuals with criminal convictions or restraining orders. The system captured everyone who entered the stores, including minors and MERCADONA employees. During its investigation, the DPA found numerous privacy violations. For instance, the system violated the principle of data minimization, the principle of necessity and proport

UAB VS FITNESS: Non-compliance with general data processing principles

€20,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA's review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that t

Azienda sanitaria provinciale di Enna: Insufficient legal basis for data processing

€30,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) imposed a fine of EUR 30,000 on Azienda sanitaria provinciale di Enna. The controller processed biometric data of employees for the purpose of registering their attendance. Garante found that such processing was not proportionate and therefore constituted an unjustified infringement of the rights of the data subjects. Subsequently, Garante determined that the processing of biometric data had taken place without a legal basis.

Unknown Organisation: Insufficient legal basis for data processing

€725,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The organisation had required its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing.

School in Gdansk (Danzig) (fine imposed against town of Gdansk): Insufficient legal basis for data processing

Polish National Personal Data Protection Office (UODO)

Original summary: A school in Gdansk used biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Although the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, as the consent to data processing was not given voluntarily. Update: On August 7, 2020, the Provincial Administrative Court in Warsaw overturned the decision of the Polish DPA i

CZECH REPUBLIC DPA: Non-compliance with general data processing principles

Czech Data Protection Authority (UOOU)

A company stored biometric signatures of its customers, which violated the principle of data minimization.

Entirely Shipping & Trading S.R.L.: Non-compliance with general data processing principles

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The company processed biometric data (fingerprints) of its employees for access to certain rooms, even though less intrusive means that better protected the privacy of the data subjects could have been used (violation of the principle of data minimization).

DSK Bank: Insufficient technical and organisational measures to ensure information security

€511,000 fine - Data Protection Commission of Bulgaria (KZLD)

Leakage of personal data due to inadequate technical and organisational measures to ensure information security. Third parties had access to over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data.

School in Skellefteå: Insufficient legal basis for data processing

€18,630 fine - Data Protection Authority of Sweden

A school in Skellefteå ran a trial of facial recognition technology to monitor the attendance of students, and the fine was imposed against the school for doing so. Even though processing personal data for the purpose of monitoring attendance is in general permissible, doing so with facial recognition is disproportionate to that goal. The supervisory authority is of the opinion that biometric data of students was processed which is why Art. 9 GDPR is app