Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Timegrip AS: Insufficient fulfilment of data subjects' rights

€21,650 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 21,650 on Timegrip AS. The controller had been tracking the working hours of employees at a company that went bankrupt. A former employee requested that the controller send the working hours to the data subject so that they could claim their unpaid wages from the bankruptcy estate. Furthermore, the bankruptcy estate itself requested the data, but the controller refused to send it to them.

Ikea Ibérica: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (AEPD)

The company installed cookies on an end user's terminal device without prior consent of the data subject.

Ikea Ibérica: Insufficient legal basis for the processing of personal data

€10,000 fine - Spanish Data Protection Authority (AEPD)

The company placed cookies on the end user's device without the prior consent of the data subject.

Pioneer Hi-Bred Italia Sementi s.r.l.: Insufficient legal basis for data processing

€120,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 120,000 on Pioneer Hi-Bred Italia Sementi s.r.l. The controller installed satellite telematics tracking devices to monitor driving behaviour and provide drivers with scores.

AMERICAN EXPRESS CARTE FRANCE: Insufficient legal basis for data processing

€1,500,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 1,500,000 on AMERICAN EXPRESS CARTE FRANCE. The controller used excessive cookies on its website and failed to adequately inform data subjects about them.

AMERICAN EXPRESS CARTE FRANCE: Insufficient legal basis for data processing

€1,500,000 fine - French Data Protection Authority (CNIL)

The French data protection authority has imposed a fine of EUR 1,500,000 on AMERICAN EXPRESS CARTE FRANCE. The controller used an excessive number of cookies on its website and did not adequately inform data subjects about these cookies.

LES PUBLICATIONS CONDE NAST: Non-compliance with general data processing principles

€750,000 fine - French Data Protection Authority (CNIL)

The French data protection authority has imposed a fine of EUR 750,000 on LES PUBLICATIONS CONDE NAST. The controller used multiple cookies on its website but did not implement them adequately.

LES PUBLICATIONS CONDE NAST: Non-compliance with general data processing principles

€750,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 750,000 on LES PUBLICATIONS CONDE NAST. The controller used multiple cookies on its website but failed to adequately implement them.

GOOGLE IRELAND LIMITED: Insufficient legal basis for data processing

€125,000,000 fine - French Data Protection Authority (CNIL)

The French data protection authority has imposed a fine of EUR 125,000,000 on GOOGLE IRELAND LIMITED. When an account was created for the controller's services, the controller designed the cookie consent procedure in such a way that free, informed consent was not possible. The data subject could only choose between the free service with personalised marketing or a paid version without it. The controller also designed its e-mail service so that advertisements could be displayed in areas where the data subject would normally...

INFINITE STYLES SERVICES CO. LIMITED: Insufficient legal basis for data processing

€150,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 150,000,000 on INFINITE STYLES SERVICES CO. LIMITED, which operates under the name 'SHEIN'. The controller used cookies unlawfully on its website. First, the controller failed to obtain the data subject's consent before placing cookies. Second, the controller used incomplete cookie banners. Third, the controller failed to provide adequate second-level information. Finally, the controller's mechanisms for refusing or withdrawing consent were inadequate.

GOOGLE LLC: Insufficient legal basis for data processing

€200 million fine - French Data Protection Authority (CNIL)

The French data protection authority has imposed a fine of EUR 200 million on GOOGLE LLC. When an account was created for the controller's services, the controller designed the procedure for obtaining cookie consent in such a way that free, informed consent was not possible. The data subject could only choose between the free service with personalised marketing or a paid version without it. The controller also designed its e-mail service so that advertisements could be displayed in areas where the data subject would normally receive messages.

INFINITE STYLES SERVICES CO. LIMITED: Insufficient legal basis for the processing of personal data

€150 million fine - French Data Protection Authority (CNIL)

The French data protection authority has imposed a fine of EUR 150,000,000 on INFINITE STYLES SERVICES CO. LIMITED, which operates under the name 'SHEIN'. The controller used cookies unlawfully on its website. First, the controller did not obtain the data subject's consent before cookies were placed. Second, the controller used incomplete cookie banners. Third, the controller provided insufficient second-level information. Finally, the controller's mechanisms for refusing or withdrawing consent were inadequate.

Kristiansand municipality: Insufficient legal basis for data processing

€22,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA imposed a fine of EUR 22,000 on Kristiansand municipality. The controller offers a helpline for children who have become victims of violence, abuse or neglect. The website of the helpline uses tracking pixels, resulting in the providers of those pixels gaining access to personal data of the data subjects without sufficient legal basis.

Kristiansand municipality: Insufficient legal basis for data processing

€22,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 22,000 on Kristiansand municipality. The body offers a helpline for children who have become victims of violence, abuse or neglect. The helpline's website uses tracking pixels, as a result of which the providers of those pixels gain access to personal data of the data subjects without a sufficient legal basis.

Coolblue B.V: Insufficient legal basis for data processing

€40,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of €40,000 on Coolblue. The company collected personal data via cookies without users' explicit consent, relying on pre-ticked consent boxes.

Hotel: €45,000 fine

€45,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 45,000 on two hotels for unlawfully processing personal data through the use of cookies.

Apohem AB: Insufficient technical and organisational measures to ensure information security

€698,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 698,000 on Apohem AB. The controller had used so-called meta pixels on its website which, due to incorrect settings, caused personal data of customers who had consented to marketing cookies to be transmitted to Meta. The controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organi

A.S. Watson Health & Beauty Continental Europe B.V.: Insufficient legal basis for data processing

€50,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 600,000 on A.S. Watson Health & Beauty Continental Europe B.V. The controller had tracked visitors to their drugstore website “Kruidvat.nl” with tracking cookies without their consent. The cookie banner on the website had the boxes for consenting to the placement of tracking software pre-ticked by default. Visitors who nevertheless wanted to reject the cookies could only do so with greater difficulty. This allowed the controller to collect sensitive perso

Betting company: Insufficient legal basis for data processing

€15,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such

Betting company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such

Self-Employed Person: Insufficient fulfilment of data subjects' rights

€1,040 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has imposed a fine of EUR 1,040 on a self-employed person. The accused's website did not comply with GDPR requirements for cookies, as it processed data before obtaining consent, set cookies with an excessive expiration period, and may have transferred data outside the EU and EEA. The inspection was initiated by a Polish citizen. Despite a warning from the Office for personal data protection, the accused failed to address these issues.

CHATWITH.IO WORLDWIDE, S.L.: Non-compliance with general data processing principles

€12,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 12,000 on the website operator CHATWITH.IO WORLDWIDE, S.L. During its investigation, the DPA found that the controller had failed to adequately comply with its information obligations under Art. 13 GDPR. For example, there was a lack of detailed information on the purposes of processing personal data on the website. Furthermore, the design of a cookie banner used so-called dark patterns, with the pop-up giving users only the choice between consent and ac

Betting company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent

Betting company: Insufficient legal basis for data processing

€30,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 30,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent

Multiple website operators: Czech Data Protection Authority (UOOU)

Czech Data Protection Authority (UOOU)

In the period from January 2023 to July 2023, the Czech DPA imposed fines totaling EUR 178,000, with the highest fine being EUR 36,000. These fines were imposed due to unlawful processing of personal data in relation to cookies. The types of violations vary. Examples given are insufficient legal basis, insufficient compliance with information obligations, or design issues. The DPA emphasizes that it will not publish individual fines due to the non-public nature of administrative proceedings.

Legal Person: Insufficient legal basis for data processing

€3,570 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has imposed a fine of EUR 3,570 on a legal person. Following the complaint, the Office for personal data protection carried out an inspection of the accused's website. It found that its cookies also processed data for third parties and were transferred abroad (USA).

CRITEO: Insufficient fulfilment of data subjects' rights

€40,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 40 million on CRITEO. The controller is specialized in 'retargeting advertising'. This involves the company tracking the surfing behavior of Internet users via so-called Criteo trackers (cookies) in order to show them personalized advertising. In the course of its investigation, the DPA found numerous deficiencies in data processing. First, the DPA found that the controller failed to prove that Internet users had given their consent to be tracked using th

Ew Business Machines S.p.A.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 20,000 on Ew Business Machines S.p.A. The controller had installed a video surveillance system that not only recorded images in real time, but also made audio recordings, capturing employees. Both the company's legal representative and their family had access to these recordings via a smartphone. During its investigation, the DPA found that the employees were not adequately informed about the additional audio monitoring. In addition, the company used an

Website operator: Insufficient legal basis for data processing

Data Protection Authority of Bremen

The DPA of Bremen has imposed five fines on website operators for using the tracking tool 'Google Analytics' without the prior consent of website users.

SA Rossel & Cie: Insufficient legal basis for data processing

Belgian Data Protection Authority (APD)

Original fine summary: The Belgian DPA has imposed a fine of EUR 50,000 on the media company SA Rossel & Cie. During its investigation, the DPA found GDPR violations on three websites operated by the company. For instance, the company had placed cookies that were not required without the consent of the website visitors. Also, the company considered visiting other websites as consent for further cookie placement on these pages. In addition, the boxes for the consent of third-party cookies were al

Roularta Media Group: Insufficient legal basis for data processing

€50,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 50,000 on Roularta Media Group. As part of its investigation, the DPA found that the cookie management on two websites operated by Roularta did not comply with the GDPR. In order to use cookies, controllers must obtain prior consent from the user, except in cases where the cookies are strictly necessary for website operation. The DPA found that consent to the processing of personal data through cookies on websites operated by Roularta was not valid, as n

Hörpu tónlistar- og ráðstefnuhúss ohf.: Non-compliance with general data processing principles

€7,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has fined Hörpu tónlistar- og ráðstefnuhúss ohf. EUR 7,000. The DPA had received a complaint regarding the concert hall's collection of ID number and date of birth information as part of an electronic ticket purchase. The incident occurred prior to the start of the Covid-19 pandemic, when the registration of personal data for contact tracking in the context of event visits was not yet required. The DPA concluded that it would not have been necessary to collect the data for issu

Google Ireland Ltd.: Insufficient legal basis for data processing

€60,000,000 fine - French Data Protection Authority (CNIL)

On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 60,000,000 on Google Ireland Ltd. The CNIL received several complaints regarding the manner in which cookies could be refused on the websites of google.fr and youtube.com. The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as ea

Google LLC: Insufficient legal basis for data processing

€90,000,000 fine - French Data Protection Authority (CNIL)

On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 90,000,000 on GOOGLE LLC. The CNIL received several complaints regarding the manner in which cookies could be refused on the websites of google.fr and youtube.com. The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Ra

Facebook Ireland Ltd.: Insufficient legal basis for data processing

€60,000,000 fine - French Data Protection Authority (CNIL)

On December 31, 2021, the French DPA (CNIL) imposed a fine of EUR 60,000,000 on Facebook Ireland Ltd. The CNIL received several complaints regarding the manner in which cookies could be refused on the website of Facebook.com. The CNIL subsequently conducted an online review of the websites and found that, although the websites offered a button to accept cookies immediately, there was no equivalent solution that would allow the Internet user to reject the deposit of cookies just as easily. Rather

LUXEMBOURG DPA: Non-compliance with general data processing principles

€5,300 fine - National Commission for Data Protection (CNPD)

The DPA from Luxembourg has imposed a fine of EUR 5,300 on a company. The company had installed 75 surveillance cameras on its premises as well as tracking devices in some of its vehicles used by employees to travel to customers. A few of these cameras covered, among other things, parts of a public street and a private neighboring property. During its investigation, the DPA also found that the cameras covered the employee cafeteria, allowing employees to be monitored outside of their working hou

Mercadona S.A.: Insufficient legal basis for data processing

€2,520,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has fined Mercadona S.A. EUR 2,520,000. The controller had installed facial recognition systems in Mercadona stores for the purpose of tracking individuals with criminal convictions or restraining orders. The system captured everyone who entered the stores, including minors and MERCADONA employees. During its investigation, the DPA found numerous privacy violations. For instance, the system violated the principle of data minimization, the principle of necessity and proport

Ålesund Municipality: Insufficient technical and organisational measures to ensure information security

€4,900 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) imposed a fine of EUR 4,900 on the municipality of Ålesund. At two schools in Ålesund, teachers asked students to download the training app Strava for physical education classes. The students were then given tasks that the teachers controlled via the tracking function. According to the Norwegian DPA's investigation, this resulted in data breaches because the municipality failed to provide standard procedures for privacy-compliant app use in schools. For example,

Municipality of Enschede: Insufficient legal basis for data processing

€600,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined the municipality of Enschede EUR 600,000. In 2017, the municipality decided to install special measurement boxes to measure crowds in the city center of Enschede. Sensors in the measurement boxes detected the wifi signals from the cell phones of passers-by and registered them with a code. Based on the registered codes, it was possible to calculate how busy the city center was. However, this also made it possible to track which measurement box a particular cell phone

Legal Person: Insufficient legal basis for data processing

€400 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has imposed a fine of EUR 400 on a legal person. Proceedings were initiated following an inspection carried out in response to a complaint. The accused processed and archived personal data for the purpose of offering services via a call centre. However, the data was processed without a valid legal basis. While the data subjects had purportedly given consent verbally over the phone, no evidence of this was available. Additionally, the accused used cookies in breach of the GDPR and e

GROW BEATS SL: Insufficient fulfilment of information obligations

€3,000 fine - Spanish Data Protection Authority (AEPD)

The company had published a cookie policy on its website, which on the one hand contained no information about the purpose of the use of cookies and on the other hand no information about the properties of the installed cookies and the time period for which they remain active in the end user's terminal equipment.

Salad Market S.L. (Catering Company): Insufficient fulfilment of information obligations

€3,000 fine - Spanish Data Protection Authority (AEPD)

Fines for lack of sufficient data processing information in relation to video surveillance on business premises and for insufficient information when cookies were used on its website.

Vueling Airlines: Insufficient legal basis for data processing

€30,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish Data Protection Agency (AEPD) has sanctioned Vueling Airlines with 30,000 euros for not giving users the ability to refuse its cookies and forcing them to accept cookies if they want to browse its website. In other words, it was not possible to browse the Vueling page without accepting its cookies. The AEPD issued a sanctioning resolution for the amount of 30,000 euros, which could be reduced to 18,000 for immediate payment.