
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions



Network of Agencies and Companies: Non-compliance with general data processing principles

€850,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed a fine of EUR 850,000 on a network of agencies and companies. The network operated on behalf of Acea Energia S.p.A. and engaged in aggressive customer recovery and marketing calls (ETid-2660). The agencies and companies had no sufficient legal basis for the data processing and also failed to comply with other general data processing principles. The severity of the infringements varies between the different agencies and companies. The following individual fines were imposed:

Multiple Companies: Insufficient legal basis for data processing

€18,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed fines of EUR 6,000 each on three companies. The fined companies (Powerfit s.s.d.a.r.l., Soleo s.s.d.a.r.l. and Zero Due Villa s.s.d.a.r.l.) run a chain of gyms. The controllers used the phone numbers of customers for direct marketing purposes without the consent of the data subjects. The controllers also failed to respect the data subjects' right to erasure.

Hospital: Non-compliance with general data processing principles

€4,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 4,000 on a hospital. The AZOP found that the hospital used a company which automatically retrieved personal data of vehicle owners via the Ministry of the Interior's web service, without a legal basis, in order to issue parking fines to vehicle owners. Additionally, the hospital failed to inform parking users transparently and in accordance with legal requirements about the processing of their personal data related to parking fees. Furthermore, the hospit


Nine companies: €35,700 fine

€35,700 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed fines totaling EUR 35,700 on nine companies for failing to adequately indicate their video surveillance areas and for failing to provide all the necessary information on the data processing related to video surveillance.

CROATIA DPA: Insufficient fulfilment of information obligations

Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed seven fines totaling EUR 16,000 on data controllers for failing to adequately mark video-monitored areas. This lack of marking resulted in people entering these areas not being informed of the surveillance, as the signs were either not visible on entry or did not contain all the necessary information. The fines ranged from EUR 500 to 4,000 and were imposed on various establishments, including hotels, restaurants, and shops. According to Art. 27 (1) of the Law

Centrum Medyczne Ujastek Sp. z o.o.: Non-compliance with general data processing principles

€273,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed two fines on the medical facility “Centrum Medyczne Ujastek” totaling approximately EUR 273,000. The first fine of approximately EUR 163,000 was imposed for the unlawful installation of surveillance equipment in two neonatal rooms. These devices recorded images of newborns and their mothers during intimate acts such as breastfeeding or care without informing patients or staff, which constitutes a violation of data protection regulations. The second fine, of around EUR

Police employees: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed two fines on police employees for accessing police databases for private research purposes.

GERMANY DPA: 41 fines

€13,486 in fines - Data Protection Authority of Hessen

The DPA of Hessen has imposed fines totaling EUR 13,486 on 41 data controllers. In its 2024 activity report, the DPA of Hessen reported a total of 47 fines for that year. Six of these fines were presented in more detail and can be found in the Enforcement Tracker under ETid numbers 2636–2641. The remaining 41 fines amount to a total of EUR 13,486. According to the report, the issued fines cover a broad range of sectors and types, with a focus on healthcare, marketing activities, and violations of

Private individual: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed five fines on private individuals for taking or storing photos of people without their consent.

Multiple website operators: Unlawful processing of personal data in relation to cookies

Czech Data Protection Authority (UOOU)

In the period from January 2023 to July 2023, the Czech DPA imposed fines totaling EUR 178,000, with the highest single fine being EUR 36,000. These fines were imposed for the unlawful processing of personal data in relation to cookies. The types of violations vary; the examples given include an insufficient legal basis, insufficient compliance with information obligations and design issues. The DPA emphasizes that it will not publish individual fines due to the non-public nature of administrative proceedings.

Humboldt Forum Service GmbH: Insufficient legal basis for data processing

€215,000 fine - Data Protection Authority of Berlin

The DPA of Berlin has imposed fines totaling EUR 215,000 on Humboldt Forum Service GmbH. Humboldt Forum had improperly documented sensitive information about individual employees and assessed their continued employment as 'critical' or 'very critical' on the basis of the information. The document also contained information on personal statements, health concerns, a possible interest in forming a works council and treatment in psychotherapy. During its investigation, the DPA found that the contro

Website operator: Insufficient legal basis for data processing

Data Protection Authority of Bremen

The DPA of Bremen has imposed five fines on website operators for using the tracking tool 'Google Analytics' without the prior consent of website users.

Police officers: Insufficient legal basis for data processing

Data Protection Authority of Bremen

The DPA of Bremen has imposed ten fines between EUR 100 and EUR 1,000 on police officers for unlawfully accessing police databases.

Real estate agency: Insufficient legal basis for data processing

Data Protection Authority of Bremen

The DPA of Bremen has imposed five fines on a real estate agency. The controller had repeatedly sent advertising messages to a former prospect and tried to contact them by telephone, even after the data subject had asked for their data to be deleted.

Ambuce Rescue Team: Insufficient legal basis for data processing

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Ambuce Rescue Team EUR 20,000. The fine is related to the fines against Brussels Airport Charleroi and Brussels Airport Zaventem. During the Covid-19 pandemic, the airports used thermal imaging cameras to single out people with a body temperature above 38 °C. Those singled out were then asked to answer questions about possible coronavirus symptoms. In this process, Ambuce Rescue Team provided the questionnaires. Specifically, the DPA found that there was no valid l

LATVIA DPA: Insufficient cooperation with supervisory authority

Data State Inspectorate (DSI)

Six fines for failing to provide information requested by the DPA during an investigation.

GERMANY DPA: Insufficient legal basis for data processing

Data Protection Authority of Saxony

Nine fines between EUR 200 and EUR 1,000 for unlawful use of a dashcam.

LATVIA DPA: Insufficient cooperation with supervisory authority

Data State Inspectorate (DSI)

Five fines for failing to comply with orders issued by the DPA.

Lisbon City Council: Insufficient legal basis for data processing

€1,250,000 fine - Portuguese Data Protection Authority (CNPD)

The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines from various violations committed by the municipality since 2018. The municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of

Grindr LLC: Insufficient legal basis for data processing

€6,300,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Grindr LLC EUR 6.3 million. Grindr is a location-based social networking app designed for gay, bi, trans and queer people. In 2020, the Norwegian Consumer Protection Authority filed a complaint against Grindr with the Norwegian DPA, alleging that the app had shared users' GPS location, IP address, mobile advertising ID, age and gender with several third parties for marketing purposes. Under the GDPR, consent is required for the sharing of this per

Ica s.r.l.: Insufficient technical and organisational measures to ensure information security

€30,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has fined ICA s.r.l. EUR 30,000. The municipality of Collegno had implemented a system developed by ICA through which citizens could pay fines for traffic violations. However, due to a lack of security precautions, it was theoretically possible for unauthorized persons to access personal data stored via the program. For this reason, the DPA found that ICA had failed to implement appropriate technical and organizational measures providing a level of security commensurate

Atac s.p.a.: Non-compliance with general data processing principles

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 400,000 on Atac s.p.a. The Garante had launched an investigation following a complaint from an individual about the new parking meters installed in the city of Rome. The company Atac s.p.a., which was contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public t

Roma Capitale: Non-compliance with general data processing principles

€800,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 800,000 on Roma Capitale. The Garante had launched an investigation following a complaint from an individual about the new parking meters installed in the city in 2018. The company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transp

Flowbird Italia s.r.l.: Non-compliance with general data processing principles

€30,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 30,000 on Flowbird Italia s.r.l. The Garante had launched an investigation following a complaint from an individual about the new parking meters installed in the city of Rome in 2018. The company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchas

Vodafone España, S.A.U.: Insufficient fulfilment of data subjects rights

€8,150,000 fine - Spanish Data Protection Authority (aepd)

Since 2018, the Spanish DPA (AEPD) had received a total of 191 complaints against Vodafone España, S.A.U. The data subjects complained about advertising calls and messages (e-mail and SMS) made on behalf of Vodafone España as part of marketing campaigns. The contact was made without the prior consent of the data subjects and continued even after they had exercised their right to object. Furthermore, many data subjects were contacted even though their numbers were on the Robinson list. The AEPD e

Deutsche Wohnen SE: Non-compliance with general data processing principles

Data Protection Authority of Berlin

Originally, a fine of EUR 14,500,000 was issued against Deutsche Wohnen SE for using an archiving system for the storage of tenants' personal data that, according to the data protection authority, did not provide any possibility of removing data that was no longer required. According to the data protection authority, personal data of tenants were stored without checking whether storage was permissible or even necessary, and it was therefore possible to access personal data of

IDdesign A / S: Non-compliance with general data processing principles

€13,450 fine - Danish Data Protection Authority (Datatilsynet)

Original summary: On June 3, 2019, the Danish DPA (Datatilsynet) reported IDdesign to the police and demanded payment of a fine in the amount of EUR 200,850 for the processing of personal data of approximately 385,000 customers for a longer period than necessary for the purposes for which they were processed. Additionally, the company had not established and documented deadlines for deletion of personal data in their new CRM system. The deadlines set for the old system were not deleted after the

Private individual: Insufficient legal basis for data processing

Data Protection Authority of Saxony

Nineteen fines between EUR 100 and EUR 1,000 for unlawful use of a dashcam.

Marriott International, Inc: Insufficient technical and organisational measures to ensure information security

€20,450,000 fine - Information Commissioner (ICO)

Original Summary: The ICO issued a notice of its intention to fine Marriott International Inc due to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. It is believed the vulnerability began when the systems of the

Centro de Investigación y Estudio para la Obesidad, SL: Insufficient legal basis for data processing

€50,000 fine - Spanish Data Protection Authority (aepd)

Fines for the transfer of the data subject's personal data to Evo Finance EFC, SA in the course of processing a health insurance application, without a sufficient legal basis for the transfer, as the medical treatment in question had never been carried out.

El Real Sporting de Gijón S.A.D.: Insufficient legal basis for data processing

€5,000 fine - Spanish Data Protection Authority (aepd)

Fines for sending direct marketing communications without sufficient consent, as the form Real Sporting de Gijón submitted to club members did not comply with the GDPR (opt-out instead of opt-in).

Wind Tre S.p.A.: Insufficient legal basis for data processing

€16,700,000 fine - Italian Data Protection Authority (Garante)

Fines for several unlawful data processing activities relating to direct marketing. Hundreds of data subjects claimed to have received unsolicited communications sent without their prior consent by SMS, e-mail, telephone calls and automated calls. The data subjects were not able to exercise their right to withdraw their consent and object to processing for direct marketing purposes because the information contained in the Data Protection Policy was incomplete in relation to the contact details.

Vodafone España, SAU: Non-compliance with general data processing principles

€12,000 fine - Spanish Data Protection Authority (aepd)

Fines for violation of Art. 5(1)(d) GDPR (accuracy) for changing the customer's master data to the name of a third party, the customer's ex-spouse.

Department of Home Affairs: Insufficient fulfilment of data subjects rights

€13,500 fine - Information Commissioner of Isle of Man

Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. Although the Isle of Man is not an EU member state, it has declared the GDPR applicable.

Salad Market S.L. (Catering Company): Insufficient fulfilment of information obligations

€3,000 fine - Spanish Data Protection Authority (aepd)

Fines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website.

Telenor Norge AS: Insufficient technical and organisational measures to ensure information security

€134,000 fine - Norwegian Supervisory Authority (Datatilsynet)

Fines for security breaches in a voice mailbox function.

SC Enel Energie S.A. (Electricity Distributor): Insufficient legal basis for data processing

€6,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The sanctions were imposed following a complaint alleging that Enel Energie had unlawfully processed an individual's personal data and was unable to prove that it had obtained the individual's consent to send e-mail notifications. In addition, the ANSPDCP pointed out that the operator had not taken the necessary measures to stop sending the notifications, despite the fact that the person had repeatedly exercised his right to object. The operator SC Enel Energie SRL was sanctioned cont

Eni Gas e Luce: Insufficient legal basis for data processing

€3,000,000 fine - Italian Data Protection Authority (Garante)

The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and the activation of unsolicited contracts. The second fine of EUR 3 million concerns infringements resulting from the conclusion of unsolicited contracts for the supply of electricity and gas under 'free market' conditions. Many persons complained to the Authority that they only learned of the conclusion of a n

Eni Gas e Luce: Insufficient legal basis for data processing

€8,500,000 fine - Italian Data Protection Authority (Garante)

The Italian supervisory authority imposed two fines totalling EUR 11.5 million on Eni Gas e Luce (Egl) for unlawful processing of personal data in the context of advertising activities and the activation of unsolicited contracts. The first fine of EUR 8.5 million relates to unlawful processing in connection with telemarketing and telesales activities. Among other things, promotional calls were made without the consent of the person contacted or despite that person's refusal to receive promotional

Hora Credit IFN SA: Insufficient technical and organisational measures to ensure information security

€14,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The sanctions were applied as a result of a complaint alleging that Hora Credit IFN SA had sent documents containing another person's personal data to a wrong e-mail address. The investigation found that Hora Credit IFN SA processed the data without providing effective mechanisms for verifying and validating the accuracy of the data collected and processed, as required by the principles set out in Art. 5 GDPR. It was also found that the operator did not take sufficient secur

Deutsche Wohnen SE: Non-compliance with general data processing principles

Data Protection Authority of Berlin

In addition to sanctioning violations of the privacy by design principles (Art. 5 GDPR, Art. 25 GDPR - see separate entry), the Berlin data protection commissioner imposed further fines of between EUR 6,000 and EUR 17,000 on the company for the inadmissible storage of tenants' personal data in 15 specific individual cases.

LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd: Insufficient legal basis for data processing

€2,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 13 October 2020.

LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd: Insufficient legal basis for data processing

€70,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 13 October 2020.

LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd: Insufficient legal basis for data processing

€10,000 fine - Cypriot Data Protection Commissioner

The decision found that the use of the Bradford factor for profiling and monitoring sick leave constituted unlawful processing of personal data in breach of Article 6 and Article 9 of the GDPR. Three fines of EUR 70,000, EUR 10,000 and EUR 2,000 were imposed for this infringement. The decision was announced on 13 October 2020.

GERMANY DPA: Insufficient legal basis for data processing

Data Protection Authority of Niedersachsen

Nine fines between EUR 350 and EUR 1,000 for unlawful use of a dashcam.

Taxa 4x35: Non-compliance with general data processing principles

€160,000 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA reported the taxi company to the police and recommended a fine (of DKK 1.2 million) for non-adherence to the data minimisation principle. While the company deleted the names of its passengers from all its records after two years, the deletion did not cover the rest of the ride records (about 8,873,333 taxi trips). Hence, the company continued to hold on to individuals' phone numbers. Please note: Since Danish law does not provide for administrative fines as in the GDPR (unless it is an

GERMANY DPA: Insufficient legal basis for data processing

Data Protection Authority of Saxony

Eight fines between EUR 50 and EUR 800 for unlawful use of a dashcam.