
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions


Company: Non-compliance with general data processing principles

€3,500,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact as

Comune di Nave: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Comune di Nave. The controller has installed an automatic licence plate recognition system which processes data on when a car passes a specific control point. This data is stored for seven days, after which it is automatically deleted. The system is also connected to the Motor Vehicle Registry and automatically verifies the passing vehicle's insurance coverage, periodic inspection and environmental class. This data processing occurred witho

Telecommunications company (operator of electronic communications networks and services): Non-compliance with general data processing principles

€4,500,000 fine - imposed by the Croatian Data Protection Authority (AZOP)

Following an investigation by the authority, AZOP imposed a fine of EUR 4.5 million on a telecommunications company for multiple violations of the GDPR. The controller had transferred customer data to a processor in the Republic of Serbia (a subsidiary that maintains software). These transfers took place on the basis of standard contractual clauses (SCCs) from 16 April 2020 until 27 December 2022 at the latest; after that, the transfers continued without SCCs or equivalent safeguards, even though Serbia is not considered a country with an adequate level of protection.

Municipality of Orte: Non-compliance with general data processing principles

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the municipality of Orte. The municipality had installed video surveillance on its territory in a manner that does not comply with the basic principles of data processing.

Aena, S.M.E., S.A.: Non-compliance with general data processing principles

€10,043,002 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,043,002 on Aena, S.M.E., S.A. The controller conducted a pilot project involving multiple airports, including the use of facial recognition systems. However, the controller failed to carry out a data protection impact assessment prior to doing so.

Aena, S.M.E., S.A.: Non-compliance with general data processing principles

€10,043,002 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 10,043,002 on Aena, S.M.E., S.A. The controller carried out a pilot project covering several airports, including the use of facial recognition systems. However, the controller had not carried out a privacy impact assessment before doing so.

Municipality of Curtarolo: Insufficient legal basis for data processing

€15,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 15,000 on the municipality of Curtarolo. The controller had used surveillance camera footage in disciplinary proceedings against an employee, and had also instructed other employees to spy on this employee and to take photos and videos of him.

Private healthcare institution: Insufficient technical and organisational measures to ensure information security

€7,700 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 7,700 on a private healthcare institution. The institution offered home visits by doctors as part of its services. To carry out these visits, the doctors used their private cars and transported patient files in them. However, in its risk analysis the controller had not taken the possibility of car theft into account, which resulted in the fine.

SIDECU, S.A.: Non-compliance with general data processing principles

€96,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine of EUR 96,000 on SIDECU, S.A. The controller introduced a facial recognition system as the only access method to its facilities, without offering alternative access methods. The controller did not have a sufficient legal basis for processing the data, failed to adequately inform the data subjects about the processing, and failed to carry out a data protection impact assessment. The original fine of EUR 160,000 was reduced to EUR 96,000 due to immediate payment an

Department of Social Security: Insufficient legal basis for data processing

€550,000 fine - Data Protection Authority of Ireland

The Irish DPA imposed a fine of EUR 550,000 on the Department of Social Security. The controller uses the so-called SAFE 2 registration process for anyone applying for a Public Services Card. The SAFE 2 registration, which is mandatory, processes biometric data without a sufficient legal basis. The controller also failed to adequately inform data subjects about the processing and to conduct a data protection impact assessment.

Lombardy Region: Insufficient legal basis for data processing

€50,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 50,000 on the Lombardy Region. The controller had monitored the internet activity of its employees, including private activity, without a sufficient legal basis.

ULPIA TRAJANA ALAMEDA S.L.: Non-compliance with general data processing principles

€1,500 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on ULPIA TRAJANA ALAMEDA S.L. During the booking process, the controller processed data that was not necessary for the purpose, in breach of the principle of data minimisation. The data processed also included biometric data (Article 9 GDPR), for which the controller had no sufficient legal basis. The original fine of EUR 2,500 was reduced to EUR 1,500 because of immediate payment and the controller's admission of responsibility.

ULPIA TRAJANA ALAMEDA S.L.: Non-compliance with general data processing principles

€1,500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine on ULPIA TRAJANA ALAMEDA S.L. During the booking process, the controller processed data that was unnecessary for the purpose, infringing on the principle of data minimization. The data processed also included biometric data (Art. 9 GDPR) for which the controller lacked a sufficient legal basis. The original fine of EUR 2,500 was reduced to EUR 1,500 due to immediate payment and admission of responsibility by the controller.

Funeral company: Insufficient technical and organisational measures to ensure information security

€7,800 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 7,800 on a funeral company. The company had taken insufficient technical and organisational measures to prevent a data breach. It had stored documents containing personal data in unlocked boxes. Moreover, the company transported those boxes in an open truck, as a result of which 10 boxes fell out of the truck and ended up on the roadside. The boxes were found there by the police. The driver did not notice the loss because...

Real estate company: Non-compliance with general data processing principles

€40,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 40,000 on a real estate company for inappropriately monitoring its employees. A software program recorded “periods of inactivity” and regularly took screenshots of the computers of employees working from home. The program automatically detected when an employee made no keyboard or mouse movements for a period of 3 to 15 minutes. In addition, the employees in the offices were continuously filmed. These measures were deemed disproportionate and were considered

LIGA NACIONAL DE FÚTBOL PROFESIONAL: Insufficient technical and organisational measures to ensure information security

€1,000,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1 million on LIGA NACIONAL DE FÚTBOL PROFESIONAL. The controller had introduced access controls for visitors to football stadiums using biometric systems without first carrying out the necessary data protection impact assessment.

Company: Insufficient technical and organisational measures to ensure information security

€135,600 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA fined a company in the banking sector EUR 135,600. The DPA inspected the fined company and found several violations of the GDPR. First, the company failed to ensure that the DPO could report directly to top management and that the DPO did not receive instructions on the performance of the tasks given to the DPO. Second, the company failed to include profiling in the list of data processing operations. Third, the company failed to conduct a privacy impact assessment regarding the u

Hospital: Insufficient technical and organisational measures to ensure information security

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined a hospital EUR 200,000. The hospital had suffered a ransomware attack through a vulnerability in the server, which paralyzed parts of the computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment. In addition, the DPA found that it did not have an adequate information security policy in place and failed to implement appropriate technical and organizational

CARTONAJES BAÑERES, S.A: Insufficient technical and organisational measures to ensure information security

€220,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined CARTONAJES BAÑERES, S.A. EUR 220,000. During its investigation, the DPA found that the controller had failed to grant a former employee access to their personal data. The DPA also found that the controller had failed to carry out a data protection impact assessment regarding the operation of a biometric facial recognition system installed to track working hours.

Olimpia S.r.l.: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Olimpia S.r.l. During its investigation, the DPA found that data subjects had received advertising calls on behalf of the controller without their consent or despite being entered in objection registers. The DPA concluded that the controller had failed to take appropriate technical and organisational measures to ensure that the processing of data subjects' personal data is carried out in accordance with data protection regulations throughout the s

Greek Ministry of Immigration and Asylum: Insufficient technical and organisational measures to ensure information security

€175,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 175,000 on the Greek Ministry of Immigration and Asylum. The DPA found that the controller had failed to properly carry out a required data protection impact assessment and had not cooperated properly with the DPA.

Centro Riparazioni Piacentino S.p.A.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) imposed a fine of EUR 20,000 on Centro Riparazioni Piacentino S.p.A. The controller had kept a former employee's email account active despite the termination of his/her employment. Furthermore, the data subject had not been informed about such further use of their e-mail account.

CTC EXTERNALIZACIÓN, S.L: Insufficient fulfilment of information obligations

€365,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 365,000 on CTC EXTERNALIZACIÓN, S.L. An employee had filed a complaint with the DPA because the controller had requested employees' fingerprints in order to implement a new time and attendance system. However, it was not communicated that the fingerprints would also be stored in the staff portal. For this reason, the DPA found that the controller had violated its duty to inform. The DPA also found that the controller was unable to demonst

International Card Services B.V.: Insufficient technical and organisational measures to ensure information security

€150,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 150,000 on International Card Services B.V. (ICS). ICS failed to carry out a data protection impact assessment before starting the digital identification of customers in the Netherlands in 2019. The identity check covered around 1.5 million people and involved sensitive personal data such as pictures of the data subjects.

Östersund Municipality's Department for Children and Education: Insufficient technical and organisational measures to ensure information security

€26,500 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 26,500 on the Östersund Municipality's Department for Children and Education. The authority had failed to carry out a data protection impact assessment before introducing the digital school platform Google Workspace in 24 schools in the municipality.

Athens Urban Transport Organization: Non-compliance with general data processing principles

€50,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA imposed a fine of EUR 50,000 on the Athens Urban Transport Organization. As part of its investigation, the DPA found that the controller had failed to comply with the principle of data protection by design and by default. It also failed to carry out a data protection impact assessment and to set appropriate retention periods for the storage of personal data.

Rinascente S.p.A.: Non-compliance with general data processing principles

€300,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Rinascente S.p.A. EUR 300,000. The DPA acted on a complaint from a customer who, following an incident with a store employee, had her long-standing loyalty card cancelled and received a new, unsolicited card that contained offensive information about the complainant in her name. The customer complained that their information had been accessed without their consent. During the investigation, the DPA also found that the information on the loyalty card did not specify the

GSMA LTD.: Insufficient technical and organisational measures to ensure information security

€200,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 200,000 on GSMA LTD. An individual had filed a complaint with the DPA because they had to transfer special categories of personal data (e.g., ID card data) to the controller in order to register for an event. In the course of its investigation, the DPA found that the controller had failed to conduct a data protection impact assessment for these processing operations.

ALBERO FORTE COMPOSITE, S.L.: Insufficient technical and organisational measures to ensure information security

€12,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine on ALBERO FORTE COMPOSITE, S.L. The company had taken pictures of employees at the entrance for the purpose of recording their working hours. However, the company had failed to conduct a data protection impact assessment. The original fine of EUR 20,000 was reduced to EUR 12,000 due to voluntary payment and admission of responsibility.

Praktiškas UAB: Insufficient legal basis for data processing

€6,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined Praktiškas UAB, the operator of SportGates sports clubs, EUR 6,000. The controller had processed biometric data of customers in the context of their access to sports facilities. During its investigation, the DPA found that the customers' consent to the processing of their biometric data could not be considered voluntary. This was because the controller did not offer the provision of any other type of information for access to the sports clubs. Nor did it provide the

Azienda Universitaria Giuliano Isontina: Insufficient legal basis for data processing

€55,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Giuliano Isontina. The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients'

Azienda Universitaria Friuli Occidentale: Insufficient legal basis for data processing

€55,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Friuli Occidentale. The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients'

Azienda Universitaria Friuli Centrale: Insufficient legal basis for data processing

€55,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 55,000 on Azienda Universitaria Friuli Centrale. The health authority has created patient profiles using algorithms and personal patient data to indicate the risk of having complications in the event of a Covid 19 infection. This was intended to identify appropriate diagnostic and therapeutic pathways in a timely manner in the event of complications. However, the DPA found that the health authority did not have a valid legal basis to process patients' pe

DISCORD INC.: Non-compliance with general data processing principles

€800,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 800,000 on DISCORD INC. DISCORD offers an online communication service through which users can chat or make video calls. During its investigation, the DPA found that the company had failed to establish, and also to comply with, a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts within the DISCORD database of French users who had not used their account for more than three years and approximat

Portuguese National Statistical Institute: Non-compliance with general data processing principles

€4,300,000 fine - Portuguese Data Protection Authority (CNPD)

The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4.3 million. The DPA found numerous violations of the GDPR in connection with the 2021 census in Portugal. The DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects' ability to freely express their will regarding data processing. In addition, the DPA found that

Alpha Exploration: Non-compliance with general data processing principles

€2,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2 million on Alpha Exploration. Alpha Exploration operates the social network Clubhouse. In the course of its investigation, the DPA found numerous violations of the GDPR. For example, the DPA found that there was a lack of transparency regarding the use of users' data and their chat contacts. In addition, users of the network were able to store and share audio messages from other users without their consent. Moreover, account information was shared with

Medical laboratory: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 20,000 on a medical laboratory. During its investigation, the DPA found that the laboratory had failed to conduct a data protection impact assessment and thus violated Art. 35 GDPR. In addition, the laboratory had violated Art. 5 (1) f) GDPR and Art. 32 GDPR, as it was possible for physicians to view patients' personal data on the website without encryption. Finally, the DPA found that the laboratory had not published a privacy statement on its website, in

Lolland municipality: Insufficient technical and organisational measures to ensure information security

€6,700 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 6,700 on Lolland municipality. The municipality had reported a data breach to the DPA in accordance with Art. 33 GDPR. One of the municipality's employees had their work phone stolen. The employee used the phone to access their work email account, which contained information on the names of several citizens, social security numbers and health data. During its investigation, the DPA found that the phone was not protected by a password. Therefore, it was po

Volkswagen: Insufficient fulfilment of information obligations

€1,100,000 fine - Data Protection Authority of Niedersachsen

The DPA of Lower Saxony has imposed a fine of EUR 1.1 million on Volkswagen. The company had installed cameras on a test vehicle. The vehicle was being used to test and train the functionality of a driving assistance system to prevent traffic accidents. For this purpose, the traffic around the vehicle was recorded with the cameras. However, Volkswagen failed to provide information in accordance with Art. 13 GDPR about the data processing by the cameras attached to the vehicle. The DPA further f

Clearview AI Inc.: Non-compliance with general data processing principles

€9,000,000 fine - Information Commissioner (ICO)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such

Tarento municipality: Insufficient fulfilment of information obligations

€150,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 150,000 on Tarento municipality. The company Amiu S.p.A had operated the local waste collection service on behalf of the municipality. The company had installed several video surveillance cameras with the permission of the municipality to monitor illegal waste disposal. The DPA found that Amiu had posted some images from the cameras on Facebook, showing individuals sufficiently visible making it possible to identify them. During its investigation, the DP

Azienda ospedaliera di Perugia: Non-compliance with general data processing principles

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has fined Azienda ospedaliera di Perugia EUR 40,000. During an investigation at the healthcare facility, the DPA found multiple GDPR violations. The DPA's investigation took place as part of a series of inspections dealing with the processing of data in the context of whistleblower systems at employers. The healthcare facility used an open source-based whistleblowing web application. However, the application was accessed through systems that were not properly configured

Brussels Airport Charleroi: Insufficient legal basis for data processing

€100,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Charleroi EUR 100,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid lega

Brussels Airport Zaventem: Insufficient legal basis for data processing

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined Brussels Airport Zaventem EUR 200,000. The DPA had launched an investigation against the airport following media reports about temperature monitoring of persons at the airport. Due to the Covid-19 pandemic the airport used thermal imaging cameras to filter out people with body temperatures above 38 degrees. Those filtered out were then required to answer questions about possible coronavirus symptoms. The DPA particularly noted that the airport did not have a valid legal

Danish National Genome Center: Insufficient technical and organisational measures to ensure information security

€6,700 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 6,700 on the Danish National Genome Center. The center had conducted a data protection impact assessment that revealed circumstances that could pose a high risk to the rights of data subjects. The DPA imposed the fine because the center had processed personal data without first consulting the DPA, even though the impact assessment had revealed a high risk to data subjects. The center has complied with all the DPA's requests and has shown good cooperation

IAB Europe: Insufficient legal basis for data processing

€250,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. In the context of this complaint, the compliance of the 'Transparency & Consent Framework (TCF)' with the GDPR was mainly questioned. The TCF was developed by IAB to promote compliance with the GDPR by organizations using the OpenRTB protocol. The OpenRTB protocol is a protocol for 'real-time bidding,' which is the automated online auction of user profiles for t

Cosmote Mobile Telecommunications S.A.: Insufficient technical and organisational measures to ensure information security

€6,000,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 6 million on Cosmote Mobile Telecommunications S.A. Cosmote had reported a data breach to the DPA pursuant to Art. 33 GDPR. A hacker had penetrated the controller's systems and obtained and subsequently leaked data from Cosmote customers. The stolen data included sensitive information from Cosmote subscribers such as age, gender and contract information. Nearly 10 million people were affected by the incident. For this reason, the DPA found that Cosmot

Lisbon City Council: Insufficient legal basis for data processing

€1,250,000 fine - Portuguese Data Protection Authority (CNPD)

The Portuguese DPA has imposed a fine of EUR 1.25 million on the Lisbon City Council. The fine is the sum of 225 fines from various violations committed by the municipality since 2018. The municipality had sent 111 notifications about demonstrations to various departments and offices within the municipality, as well as to third parties, to ensure that they could properly perform their public duties. The notices contained, among other things, sensitive data of the demonstrators and organizers of

Psykoterapiakeskus Vastaamo: Non-compliance with general data processing principles

€608,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined Vastaamo psychotherapy center EUR 608,000. In September 2020, the psychotherapy center reported an attack on its patient database to the DPA. An unauthorized third party had gained access to Vastaamo's medical database on at least two occasions, in December 2018 and March 2019. The attacker had also siphoned off data and left a ransom note on the servers. Due to insufficient logging, neither the exact date of the breach nor the network addresses used by the attacker cou

SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L.: Non-compliance with general data processing principles

€16,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine on SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L. The company had installed five terminals with a fingerprint control system to record its employees' working hours. In doing so, the company had failed to conduct a data protection impact assessment. The AEPD found a violation of Art. 35 GDPR for this reason. The original fine of EUR 20,000 was reduced to EUR 16,000 due to voluntary payment.