Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

ENDESA (energy supplier): Insufficient legal basis for data processing.

A fine of 60,000 euros - imposed by the Spanish Data Protection Authority (AEPD).

The complainant's bank account was debited by ENDESA, with a third party as the beneficiary. This third party had been convicted under criminal law and had been given a two-year order relating to the complainant, her home and her workplace. Instead of amending the contract details as requested by the complainant, ENDESA accidentally deleted her data and entered the third party's data. The AEPD (Spanish Data Protection Authority) found that the disclosure of the complainant's data to the third party was a serious violation of the principle of confidentiality.

ENDESA (energy supplier): Insufficient legal basis for data processing

€60,000 fine - Spanish Data Protection Authority (aepd)

The complainant's bank account was charged by ENDESA, the beneficiary of which was a third party, who had been convicted under criminal law and made subject to a two-year restraining order regarding the claimant, her domicile and work. Instead of amending the contract details as requested by the claimant, ENDESA deleted her data erroneously and filled in the data of the third party. The AEPD found the disclosure of the claimant's data to the third party was a severe violation of the principle of confid

Home Owner Association: Non-compliance with general data processing principles

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine of EUR 1,000 on a home owner association. The HOA displayed the personal data of debtors in the entrance hall of a building, which infringed on the duty of confidentiality. The HOA appealed the decision, but the AEPD dismissed it.

Chamber of Commerce, Industry, Services and Transport of Spain: Insufficient legal basis for data processing.

A fine of 500,000 euros - imposed by the Spanish Data Protection Authority (AEPD).

The Spanish data protection authority has imposed a fine of 500,000 euros on the Chamber of Commerce, Industry, Services and Transport of Spain. Because of its function within the Spanish government, this organisation has access to the basic data of all Spanish companies, including information on financial stability, contact details, tax numbers and more. Self-employed persons are also covered by this data. The organisation decided to make this information public. For this purpose, the organisation set up the legal entity C.

Chamber of Commerce, Industry, Services and Navigation of Spain: Insufficient legal basis for data processing

€500,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500,000 on the Chamber of Commerce, Industry, Services and Navigation of Spain. Due to its function within the Spanish Executive, the controller has access to the basic data of all Spanish companies, including information regarding solvency, contact details, tax numbers and more. Self-employed persons are also included. The controller has decided to make this information available to the public. For this purpose, the controller created the legal entity C

PIGEON-KEEPING FEDERATION OF CASTILLA-LA MANCHA: Insufficient technical and organisational measures to ensure information security.

600 euro fine - Spanish Data Protection Authority (AEPD).

The Spanish data protection authority has imposed a fine on FEDERACION DE COLUMBICULTURA DE CASTILLA-LA MANCHA. The controller was unable to ensure the confidentiality of personal data, which resulted in a data leak. The original fine of 1,000 euros was reduced to 600 euros because of the immediate payment and the admission of responsibility by the controller.

FEDERACION DE COLUMBICULTURA DE CASTILLA-LA MANCHA: Insufficient technical and organisational measures to ensure information security

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine on FEDERACION DE COLUMBICULTURA DE CASTILLA-LA MANCHA. The controller was unable to ensure the confidentiality of personal data, which resulted in a leak. The original fine of EUR 1,000 was reduced to EUR 600 due to immediate payment and admission of responsibility by the controller.

SERVICIOS ESPECIALES, S.A.: Non-compliance with general data processing principles.

A fine of 120,000 euros - imposed by the Spanish Data Protection Authority (AEPD).

The Spanish data protection authority (DPA) has imposed a fine on SERVICIOS ESPECIALES, S.A. The case concerned a GDPR breach during an internal investigation into a workplace conflict: the company shared a report by e-mail with the staff representatives and 15 other employees. This report contained the full names, roles and complaint details of the persons involved. The DPA ruled that this disclosure constituted a violation of Article 5 (1) f) GDPR, because the company had not ensured the confidentiality of the personal data. The original fine of 200,000 euros was reduced to...

SERVICIOS ESPECIALES, S.A.: Non-compliance with general data processing principles

€120,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine on SERVICIOS ESPECIALES, S.A. The case concerned a GDPR breach during an internal workplace conflict investigation: the company shared a report via email that included the full names, roles, and complaint details of the individuals involved, to the Works Committee and 15 additional employees. The DPA found this disclosure violated Article 5 (1) f) GDPR, as it failed to ensure the confidentiality of personal data. The original fine of EUR 200,000 was reduced to EUR

Hospital: Insufficient technical and organisational measures to ensure information security

€3,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 3,000 on a hospital. Despite the extensive and high-risk processing of health data, the hospital had not implemented sufficient organizational measures to ensure the security of data processing. Specifically, measures to ensure the confidentiality of health information were lacking, which undermined trust in medical services and patient privacy. The hospital was fined for breaching Art. 13, Art. 32, Art. 33, and Art. 34(1) GDPR.

BEEDIGITAL AI, S.A.: Non-compliance with general data processing principles

€120,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine against BEEDIGITAL AI, S.A. An individual had lodged a complaint with the DPA against the controller because they had received advertising from the controller even though they were registered in the advertising objection register. In the course of its investigation, the DPA found that the controller had violated the principle of confidentiality. The original fine of EUR 150,000 was reduced to EUR 120,000 due to voluntary payment.

Eidskog municipality: Insufficient legal basis for data processing

€20,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA imposed a fine of EUR 20,900 on Eidskog municipality for giving two former employees access to a whistleblower’s report without redacting sensitive health and financial data. The DPA found that the municipality had no legal basis for processing this information and had previously published confidential information about the whistleblower.

VIEC Limited: Non-compliance with general data processing principles

€100,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 100,000 on the nursing home operator VIEC Limited. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. The controller had suffered a phishing attack in which an unauthorized third party gained access to an email account of a VIEC manager. As a result, the unknown third party also managed to access personal data such as health and biometric data of home residents. The DPA found this to be a breach of the principle of integrity and

Property owner administrative board: Non-compliance with general data processing principles

€2,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 2,000 on a Property Owners Association. Two property owners had filed a complaint with the DPA. The individuals had submitted a request for a copy of financial documents to the board. The Association however published the requests with personal data of the individuals concerned on the bulletin board in a common area of the respective residential building. The DPA considered this to be a violation of the principle of confidentiality.

INDECEMI, S.L.: Non-compliance with general data processing principles

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 3,000 on INDECEMI, S.L. A person had filed a complaint with the DPA against the controller after receiving an email from the controller containing personal data (first name, last name, address, telephone number, etc.) of another person in the context of a complaint. The DPA considered this to be a violation of the principle of integrity and confidentiality.

UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC: Non-compliance with general data processing principles

€70,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 70,000 on UNITED PARCEL SERVICE ESPAÑA LTD Y COMPAÑIA SRC (UPS). A person had filed a complaint with the DPA because UPS had delivered a package from them to a neighbor without their consent. The DPA considered this to be an unauthorized disclosure of their data, which was a result of a lack of technical and organizational measures for personal data protection. The DPA also found that this unauthorized disclosure of personal data constituted a violation

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€56,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A person had filed a complaint with the DPA for having unsuccessfully requested a copy of their phone contract from Vodafone several times. Finally, the person received an e-mail, but with the phone contract of another customer. The DPA considered this to be a violation of the principle of integrity and confidentiality as set out in Art. 5 (1) f) GDPR. In addition, the DPA found that Vodafone failed to implement adequate technical an

RESTEXPERIENCE, S.L.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined RESTEXPERIENCE, S.L. EUR 5,000. The controller had accidentally sent an email containing tax information of 36 individuals to 11 unauthorized individuals. The DPA considered this to be a breach of the principle of integrity and confidentiality. It also found that the company had failed to implement appropriate technical and organizational measures to protect personal data.

OES GLOBAL ENERGY S.L.: Non-compliance with general data processing principles

€35,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine of EUR 35,000 on OES GLOBAL ENERGY S.L. A customer of the controller had filed a complaint with the DPA after receiving an e-mail from the controller containing documents relating to the termination of electricity contracts of other customers. These documents contained personal data of the customers such as their names and ID numbers. The DPA considered this unlawful disclosure of personal data to be a violation of the principle of confidentiality and integrity, as wel

EVERIS SPAIN S.L: Non-compliance with general data processing principles

€64,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on EVERIS SPAIN S.L. Everis had published information on sold data of users of an insurance company as well as records with personal data of Spanish customers of the insurance company. The DPA considered this a violation of the confidentiality of the data. The DPA also found that the unlawful publication of the data had been possible due to, among other things, a lack of technical and organizational measures to protect personal data at the time of the data bre

URBANO DIVERTIA, S.L.: Non-compliance with general data processing principles

€1,200 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on URBANO DIVERTIA S.L. A customer had filed a complaint with the DPA for having received a document from the controller with data relating to the previous tenant of the apartment they were now renting from the controller. The DPA considered this to be a violation of the principle of integrity and confidentiality. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility.

Bitfactor SRL: Insufficient technical and organisational measures to ensure information security

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 2,000 on Bitfactor SRL. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. Due to a malfunction of an application of the controller, marketing messages were sent to users of the website, resulting in a breach of confidentiality of the personal data concerning 1757 data subjects. During its investigation, the DPA found that the controller did not take adequate technical and organizational measures to protect the personal data

Hørsholm municipality: Insufficient technical and organisational measures to ensure information security

€6,700 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 6,700 on Hørsholm municipality. The municipality had reported a data breach to the DPA pursuant to Art. 33 GDPR. An employee's work computer, which contained sensitive and confidential information about approximately 1,600 municipality employees, had been stolen. During its investigation, the DPA determined that the data on the computer was not adequately secured and that the municipality had failed to take appropriate technical measures to protect person

EFS MANTENIMIENTO Y SERVICIOS TÉCNICOS, S.L.: Non-compliance with general data processing principles

€800 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined EFS MANTENIMIENTO Y SERVICIOS TÉCNICOS, S.L. EUR 800. A trade union had filed a complaint with the DPA because the company had shared information about one of its employees with the works council without authorization. The information shared caused the employee to be placed in a disadvantageous position. The DPA considered this to be a violation of the principles of integrity and confidentiality.

BANKINTER, S.A.: Non-compliance with general data processing principles

€56,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 56,000 on BANKINTER, S.A. The controller had inadvertently sent a report on the data subject's investment portfolio to a third party. The controller states that the mis-sending occurred due to a computer error. For this reason, the DPA determined that the controller had violated the principle of integrity and confidentiality set out in Art. 5 (1) f) GDPR.

S.C. Wine Point S.R.L.: Insufficient technical and organisational measures to ensure information security

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 3,000 on S.C. Wine Point S.R.L. A data subject had filed a complaint with the DPA for having received an advertising e-mail from the controller, which contained a distribution list in which the e-mail addresses of 810 other persons, as well as their own, were visible to the other recipients. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to ensure the confidentiality of t

Civilstyrelsen: Insufficient technical and organisational measures to ensure information security

€13,400 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 13,400 on the Danish agency Civilstyrelsen. A Civilstyrelsen USB stick containing more than 800 pages of sensitive and confidential information had been lost. During its investigation, the DPA found that the USB stick was not encrypted. In addition, the agency did not have any policies for its employees on the use of removable and portable media. Moreover, the DPA found that despite being aware of this data breach, the agency had not reported the breach,

LORIS FUEL SHOP SRL: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 1,000 on the gas station operator LORIS FUEL SHOP SRL. A person had filed a complaint with the DPA because pictures of him were published on Facebook. The images originated from a video surveillance system installed in one of the controller's gas stations. During its investigation, the DPA found that the controller had not taken sufficient technical and organizational measures to ensure the confidentiality of the personal data generated through the CCTV

Ospedale San Raffaele s.r.l.: Non-compliance with general data processing principles

€70,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 70,000 on the healthcare facility Ospedale San Raffaele s.r.l. The hospital had reported two data breaches to the DPA under Art. 33 GDPR. In the first case, the neurology department of the hospital had sent a newsletter in an open distribution list, which resulted in the email addresses of the recipients being visible to all recipients. Of the 499 email addresses affected, 321 email addresses related to patients and 46 related to family members/caregive

Homeowners Association: Non-compliance with general data processing principles

€500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500 on a homeowners' association. The executive board of the owners' association had publicly posted a list of defaulting owners. The DPA considered this to be a violation of the principle of confidentiality and integrity set out in Art. 5 (1) f) GDPR.

Tecnomed Trento s.r.l.: Non-compliance with general data processing principles

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Tecnomed Trento s.r.l. EUR 10,000. The controller had operated several video surveillance cameras in its premises, some of them without the required authorization. Furthermore, the DPA found that information signs regarding the processing of personal data by the cameras were missing. The DPA also found that three individuals with shared credentials had authorized access to the recorded images. The DPA concluded that this circumstance was not appropriate to guarantee the

Findomestic Banca spa: Non-compliance with general data processing principles

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on Findomestic Banca spa. A customer had filed a complaint with the DPA regarding a breach of confidentiality related to the financial institution. The controller had, without authorization, sent several payment reminders to the data subject's wife regarding a loan taken out by the data subject. The wife had indeed guaranteed a loan taken out by the data subject, however not the loan in question.

Piraeus Bank: Non-compliance with general data processing principles

€10,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 10,000 on Piraeus Bank. The bank had mistakenly sent a document containing data of the data subject to a third party. This error was based on an e-mail address wrongly provided by a co-owner of the account. Although the bank became aware of this error, they did not stop sending the communications to the third party, but instead instructed the data subject to exercise their right to correct the inaccurate data. As a result of its investigation, the DPA fo

Retail company (name not available at the moment): Insufficient technical and organisational measures to ensure information security

€89,250 fine - Croatian Data Protection Authority (azop)

A retail company, i.e. the data controller, reported a personal data breach to the DPA, stating that its employees had recorded video surveillance footage with a mobile phone, which was unauthorised and contrary to the company’s internal acts and instructions. The recording was made public by being leaked to social media and consequently to other media outlets. The DPA determined that the data controller did not take adequate actions to prevent its employees from creating the footage. Although the co

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€40,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on Vodafone España, S.A.U. A woman filed a complaint against the controller based on the fact that the controller had sent telephone bills belonging to a third party to her e-mail address. After bringing this to the attention of the controller, she received no response. Thereupon, she contacted the controller by telephone in this regard. However, none of the employees were able to help her with this concern. The DPA concluded that the controller had violated t

CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L.: Non-compliance with general data processing principles

€18,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine on CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L. The data subject filed a complaint with the AEPD. He had requested an MRI scan of his knee due to an accident at work. In addition, he had contacted his insurance company in order to obtain a sick leave. The insurance company then contacted the controller, who transmitted the data subject's medical records. In doing so, the controller also provided the insurer with the report of a previous MRI scan of

UST GLOBAL ESPAÑA, S.A.: Non-compliance with general data processing principles

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on UST GLOBAL ESPAÑA, S.A. An employee filed a complaint against the controller with the DPA. UST GLOBAL ESPAÑA, S.A. was acting as a service provider for OpenBank as part of a project. On 08.01.2020, the controller informed OpenBank by email that two new employees (one of them the complainant) would join the project, for which it requested access to the VPN and other applications. This email, which was sent with a copy to both employees, i

Medicals Nordic I/S: Non-compliance with general data processing principles

€80,700 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA (Datatilsynet) has fined Medicals Nordic I/S EUR 80,700. In January 2021, the DPA became aware that Medicals Nordic was using WhatsApp to transmit confidential information and health data about citizens being tested in the company's test centres. All employees working in a test centre were invited to a WhatsApp group associated with the test centre. The members of these WhatsApp groups received all the messages transmitted by other employees in the groups. The employees shared con

IT services company: Insufficient technical and organisational measures to ensure information security

Croatian Data Protection Authority (azop)

A Croatian IT company provides IT services to entities such as mobile operators, banks and state institutions in Croatia, as well as to companies abroad (USA, Great Britain, the Netherlands, etc.), thereby acting as a data processor in relation to personal data. The data controller, a telecommunications company using the services of the IT provider, informed the DPA as well as its users of the potential breach of personal data by the IT provider. The incident consisted of a security breach which le

Aeroporto Guglielmo Marconi di Bologna S.p.a.: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian DPA (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software suppl

aiComply S.r.l.: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian Data Protection Authority (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000

MedHelp AB: Non-compliance with general data processing principles

€1,200,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 1,200,000 on MedHelp AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 117

Comune di Palermo: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 40,000 on the municipality of Palermo. A data subject had filed a complaint with the Italian DPA against the municipality of Palermo. His complaint was based on the fact that his personal data from a food subsidy application he had submitted had been acquired by an unauthorized person and processed for his own purposes. As the DPA determined in the course of its investigations, such processing had occurred because the municipality had not imple

Budapest Főváros Kormányhivatala XI. kerületi Hivatalát (11th District Public Health Department of the Government Office of the Capital City Budapest): Insufficient technical and organisational measures to ensure information security

€27,700 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The Hungarian DPA (NAIH) has fined the XI District Office of the Government of Budapest EUR 27,700. The controller had emailed health data regarding Covid-19 rapid tests, as well as the contact details of the people tested, to doctors in a single Excel file, unencrypted and without any further measures to ensure confidentiality. The DPA found that the controller had failed to implement technical and organizational measures that ensured the protection of personal data. In addition, the controller

Homeowners Association: Non-compliance with general data processing principles

€15,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) imposed a fine of EUR 15,000 on a homeowners' association. The controller had publicly displayed the record of a homeowners' meeting in the elevator of the building where the participants lived. From the records, the names, floors and apartment numbers of the meeting participants could be obtained, as well as the floors and apartment numbers of neighbors about whom the participants had complained during the meeting. The controller had justified the public notice with the f

Krajowa Szkoła Sądownictwa i Prokuratury: Insufficient technical and organisational measures to ensure information security

€22,200 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) fined Krajowa Szkoła Sądownictwa i Prokuratury (National School of Justice and Prosecution) EUR 22,200. UODO launched an investigation against the controller after it reported a data breach on its training platform website. During a test migration to the new platform, the data of more than 50,000 individuals had been exposed on the Internet. Among other things, this included the names, user names, postal and e-mail addresses, telephone numbers, units and departments of the

ING Bank N.V. Amsterdam - Bucharest office: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA (ANSPDCP) imposed a fine of EUR 1,000 on ING Bank N.V. Amsterdam - Bucharest Branch. It was found that the controller had sent files to a contractual partner in order to issue insurance policies. The sent files contained outdated information, as employees of the insurance policy monitoring department had not checked and processed the insurance policies according to the work process, which affected 270 people. Considering these aspects, it was found that the technical and organiz

Qualitance QBS SA: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA (ANSPDCP) fined Qualitance QBS SA EUR 1,000 for a violation of Art. 32 GDPR. The company had sent information by email to 295 individuals, disclosing the email addresses of the other recipients. The ANSPDCP noted that the company had not taken sufficient security measures to ensure the confidentiality of the personal data of the data subjects.

Banca Transilvania SA: Insufficient technical and organisational measures to ensure information security

€100,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA (ANSPDCP) fined Banca Transilvania SA EUR 100,000 for violations of Art. 5 (1) f) GDPR, Art. 32 (1) GDPR and Art. 32 (2) GDPR. It was found that the bank requested a declaration from a customer about the intended use of a certain amount of money the customer wished to withdraw from their account. This statement was submitted to the bank online and forwarded to several employees of the bank. One employee photographed the declaration with his cell phone and spread it via WhatsApp. Subsequently,

Concentrix Cvg Italy s.r.l.: Insufficient legal basis for data processing

€20,000 fine - Italian Data Protection Authority (Garante)

The union UILCOM Sardegna filed a complaint with the Italian DPA (Garante) against the call center operator Concentrix Cvg Italy s.r.l. regarding an internal regulation of the controller. Under the terms of a 'clean desk policy,' the company had prohibited employees from keeping certain items, such as smartphones, on their desks, which was intended to ensure confidentiality in the processing of customers' personal data. Exceptions were made for medication, which the data subjects proved they nee