Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

FREE TECHNOLOGIES EXCOM, S.L.: Insufficient technical and organisational measures to ensure information security

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on FREE TECHNOLOGIES EXCOM, S.L. The controller had reset user passwords and communicated the new passwords to the clients via email. However, the email was not encrypted and did not implement any other appropriate security measures.

Legal Entity: Insufficient technical and organisational measures to ensure information security

€1,300 fine - Slovenian Supervisory Authority (Informacijski pooblaščenec)

The Slovenian DPA has imposed a fine of EUR 1,300 on a legal entity. An employee of the controller stored personal data on her work laptop without securing it, for example by encrypting it, and took the laptop outside of the secured workspace, thereby allowing third parties to gain access to the data. The entity was fined EUR 1,000, and the person responsible was fined EUR 300.

Powiatowego Inspektora Sanitarnego w Policach: Insufficient technical and organisational measures to ensure information security

€4,750 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 4,750 on the Powiatowego Inspektora Sanitarnego w Policach. The controller failed to implement adequate technical and organisational measures to ensure data security, which resulted in a data breach due to an employee losing an unencrypted USB flash drive with personal health data and data regarding administrative proceedings.

District Public Health Inspector in Police: Insufficient technical and organisational measures to ensure information security

€4,750 fine - Polish National Personal Data Protection Office (UODO)

The Polish data protection authority has imposed a fine of EUR 4,750 on the Powiatowego Inspektora Sanitarnego in Policach. The controller failed to implement adequate technical and organisational measures to ensure data security, which resulted in a data breach. This happened because an employee lost an unencrypted USB stick containing personal health data and data on administrative proceedings.

Owner of a Pharmacy Office: Non-compliance with general data processing principles

€6,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on the owner of a pharmacy office. The controller processed data of residents of two geriatric centers without a sufficient legal basis. The controller also failed to inform the data subjects about the fact that the controller processed their data and that they obtained the data from a third party. Lastly, the controller failed to use encrypted email services. The original fine of EUR 11,000 was reduced to EUR 6,600 due to immediate payment and admission of re

Owner of a pharmacy: Non-compliance with general data processing principles

€6,600 fine - Spanish Data Protection Authority (AEPD)

The Spanish data protection authority has imposed a fine on the owner of a pharmacy. The controller processed data of residents of two care homes without a sufficient legal basis. In addition, the controller did not inform the data subjects that their data was being processed and that this data came from a third party. Finally, the controller did not use encrypted email services. The original fine of EUR 11,000 was reduced to EUR 6,600 because of the immediate payment and the admission of guilt.

Owner of a pharmacy: Violation of the general principles of data processing

€6,600 fine - imposed by the Spanish Data Protection Authority (AEPD)

The Spanish data protection authority (DPA) has imposed a fine on the owner of a pharmacy. The controller processed data of residents of care homes without a sufficient legal basis. In addition, the controller did not inform the data subjects that their data was being processed and that the data had been obtained from a third party. Finally, the controller did not use encrypted email services. Due to acknowledgment and immediate payment, the fine was reduced to EUR 6,600. The original fine was...

Owner of a Pharmacy Office: Non-compliance with general data processing principles

€6,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on the owner of a pharmacy office. The controller processed data of residents of geriatric centers without a sufficient legal basis. The controller also failed to inform the data subjects about the fact that the controller processed their data and that they obtained the data from a third party. Lastly, the controller failed to use encrypted email services. Due to acknowledgment and immediate payment, the fine had been reduced to EUR 6,600. The original fine of

POLAND DPA: Insufficient technical and organisational measures to ensure information security

€358,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 358,000 on a company. The company had inadvertently published customer data (first name, last name, email address, home address, encrypted passwords) in the process of redesigning its website. The incident affected approximately 20,000 data subjects. The DPA found that the controller had not sufficiently ensured the security of personal data during the process, for example, by conducting regular tests and risk assessments. Instead, it relied on informatio

POLAND DPA: Insufficient technical and organisational measures to ensure information security

€4,700 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 4,700 on a subcontractor that was contracted to redesign the website of another company. This fine is linked to ETid-2491. Due to an error by an employee of the subcontractor, customer data (including first name, last name, email address, address, and encrypted passwords) was accidentally published on the website during the redesign process. The incident affected approximately 20,000 data subjects. During its investigation, the DPA found that the subcontr

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€91,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 91 million on Meta Platforms Ireland Limited (MPIL). The DPC had initiated an investigation after MPIL reported that user passwords had been stored unencrypted on internal systems; however, external parties did not have access to these passwords. During the investigation, the DPC found that MPIL had not implemented appropriate technical and organizational measures to protect personal data, as the passwords should have been stored in encrypted form. T

Municipality of Vejen: Insufficient technical and organisational measures to ensure information security

€26,800 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 26,800 on the municipality of Vejen. The municipality had suffered a security incident involving the theft of three unencrypted computers containing information about children. During its investigation, the DPA found that 300 other computers were not encrypted either.

Res-Gastro M. Gaweł Sp. k.: Insufficient technical and organisational measures to ensure information security

€56,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) has imposed a fine of EUR 56,000 on Res-Gastro M. Gaweł Sp. k. The controller had reported a data breach involving the loss of an unencrypted USB stick by an employee. The data medium contained documents with data such as name, address, gender, date of birth etc. of another employee. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an inciden

Centrum Medyczne Ujastek Sp. z o.o.: Non-compliance with general data processing principles

€273,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed two fines on the medical facility “Centrum Medyczne Ujastek” totaling approximately EUR 273,000. The first fine of approximately EUR 163,000 was imposed for the unlawful installation of surveillance equipment in two neonatal rooms. These devices recorded images of newborns and their mothers during intimate acts such as breastfeeding or care without informing patients or staff, which constitutes a violation of data protection regulations. The second fine, of around EUR

Hotel: Insufficient legal basis for data processing

€15,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a hotel. The hotel was collecting personal data from guests in excess of what would have been necessary for the purpose of booking a hotel room and without a valid legal basis. Specifically, the hotel collected the CVC number of guests' credit cards and copies of their identification documents. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. The hotel claimed it coll

Company: Insufficient technical and organisational measures to ensure information security

€3,400 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 3,400 on a company. The controller had reported a data breach to the DPA. The company car of a senior employee had been broken into, resulting in the theft of a company laptop on which personal data of three persons were processed. During its investigation, the DPA determined that the controller had failed to implement appropriate technical and organizational measures to protect personal data. Among other things, the laptop had not been properly encrypted

Skåne region: Insufficient technical and organisational measures to ensure information security

€17,600 fine - Data Protection Authority of Sweden

The Swedish DPA has fined Skåne region EUR 17,600. An employee of the region had lost an unencrypted USB stick containing the social security numbers and sensitive personal data of nearly 2,000 people. The DPA found that the region had failed to implement adequate technical and organizational measures to protect personal data.

Disciplinary officer: Insufficient technical and organisational measures to ensure information security

€5,400 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 5,400 on a disciplinary officer of the Polish Bar Association after an unencrypted USB stick containing personal data was lost.

AFIANZA ASESORES S.L.: Non-compliance with general data processing principles

€145,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 145,000 on AFIANZA ASESORES S.L. The controller had reported a data breach to the DPA, stating that a backpack containing a USB stick with personal data (including data relating to court proceedings) had been stolen. During its investigation, the DPA found that the USB stick was not encrypted and that the controller had failed to implement appropriate technical and organizational measures to protect personal data.

Partidul Uniunea Salvați România: Insufficient technical and organisational measures to ensure information security

€4,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has fined the Partidul Uniunea Salvați România party EUR 4,000. The controller had suffered a phishing attack in which the attackers gained unauthorized access to personal data such as first name, last name, email, phone number, as well as data on the political affiliation of the data subjects. The DPA found that the controller had failed to implement adequate technical and organizational measures such as data encryption to protect personal data, which facilitated such an attack

Szczecin-Centrum District Court: Insufficient technical and organisational measures to ensure information security

€6,400 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 6,400 on the Szczecin-Centrum District Court. The court had reported a data breach to the DPA involving the loss of three data carriers. One data carrier was an official and encrypted one, the other two were private and unencrypted data carriers containing drafts of court rulings and statements with personal data. In the course of its investigation, the DPA discovered that data carriers which had not been checked and secured by the court's IT department h

FREE SAS: Insufficient fulfilment of data subjects rights

€300,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 300,000 on FREE SAS. The DPA had received several complaints from individuals experiencing difficulties in exercising their rights to access and delete their personal data at FREE. During its investigation, the DPA found that the company did not process the requests for access and deletion of personal data in a timely manner. The DPA also found that the company failed to ensure the security of personal data. For example, the company allowed users to use i

Curtea Veche Publishing SRL: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 5,000 on Curtea Veche Publishing SRL. The controller had reported two data breaches to the DPA pursuant to Art. 33 GDPR. In the first data breach, the controller had inadvertently published a file containing the customer database in a public forum. This resulted in the unauthorized disclosure of personal data such as first name, last name, phone number, email, password in encrypted form and IP address of 10,793 customers. The second data breach concerne

GIE INFOGREFFE: Insufficient technical and organisational measures to ensure information security

€250,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 250,000 on GIE INFOGREFFE. The portal operates a website where people can access legal information about companies and order documents certified by the commercial courts. As part of its investigation, the DPA found that the personal data of 25% of members and subscribers, such as bank details, surnames, first names, addresses and telephone numbers, were kept for longer than intended (36 months). The DPA considered this to be a violation of Art. 5 (1) e) G

Medical laboratory: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA imposed a fine of EUR 20,000 on a medical laboratory. During its investigation, the DPA found that the laboratory had failed to conduct a data protection impact assessment and thus violated Art. 35 GDPR. In addition, the laboratory had violated Art. 5 (1) f) GDPR and Art. 32 GDPR, as it was possible for physicians to view patients' personal data on the website without encryption. Finally, the DPA found that the laboratory had not published a privacy statement on its website, in

SIRIUS (law firm): Insufficient technical and organisational measures to ensure information security

€67,200 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 67,200 on the law firm SIRIUS. The law firm had suffered a cyber attack in which hackers gained access to the firm's servers and encrypted them. This gave them access to information about the firm's clients and business partners. During its investigation, the DPA found that the law firm lacked basic security measures, which increased the risk of unauthorized access to client data. The firm's systems, for example, did not contain sufficient verification me

Civilstyrelsen: Insufficient technical and organisational measures to ensure information security

€13,400 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 13,400 on the Danish agency Civilstyrelsen. A Civilstyrelsen USB stick containing more than 800 pages of sensitive and confidential information had been lost. During its investigation, the DPA found that the USB stick was not encrypted. In addition, the agency did not have any policies for its employees on the use of removable and portable media. Moreover, the DPA found that despite being aware of this data breach, the agency had not reported the breach,

DEDALUS BIOLOGIE: Insufficient technical and organisational measures to ensure information security

€1,500,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 1.5 million on DEDALUS BIOLOGIE. DEDALUS distributes software solutions for medical analysis laboratories. In February, the press revealed a data leak at DEDALUS that resulted in the leak of nearly 500,000 individuals' data. The leaked data included information on the surnames, first names, social security number, name of the treating physician, data on medical examinations and illnesses of the data subjects. During its investigation, the CNIL foun

Tuckers Solicitors LLP: Non-compliance with general data processing principles

€115,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined law firm Tuckers Solicitors LLP EUR 115,000. Tuckers suffered a ransomware attack on its systems, which resulted in a personal data breach. As part of its investigation, the DPA determined that Tuckers had failed to take appropriate technical and organizational measures to protect personal data. This failure left its systems vulnerable to malicious attacks. The attackers managed to encrypt 972,191 individual files of which 24,712 were related to court proceedings and t

Uppsala regional board: Insufficient technical and organisational measures to ensure information security

€28,500 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 28,500 on the Uppsala regional board. The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden. The regional board had transmitted sensitive personal data and personal identity n

Uppsala hospital board: Insufficient technical and organisational measures to ensure information security

€152,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 152,000 on the Uppsala hospital board. The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that was transferred unencrypted to recipients inside and outside Sweden. Accordingly, Uppsala University Hospital had sent emails containing patient data to patients a

PIKA Sp. z o.o.: Insufficient technical and organisational measures to ensure information security

€53,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined PIKA Sp. z o.o. in the amount of EUR 53,000. The fine is related to a fine imposed on Fortum Marketing and Sales Polska S.A. PIKA was acting as a processor for Fortum. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data. The data breach occurred at the time of the introduction of a change in the company's IT environment by PIKA. As part of this change, an additional Fortum customer database was created. How

Fortum Marketing and Sales Polska S.A.: Insufficient technical and organisational measures to ensure information security

€1,000,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 1 million on Fortum Marketing and Sales Polska S.A. The company had reported a data breach to the DPA in accordance with Art. 33 GDPR. During its investigation, the DPA found that unauthorized persons had managed to access and siphon off customer data. The data breach occurred at the time of the introduction of a change in the company's IT environment. The change was made by a processing agent. As part of the change, an additional Fortum customer databas

Covid-19 test center: Insufficient technical and organisational measures to ensure information security

€2,700 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 2,700 on a Covid-19 test center. The test center had sent the data subjects an unencrypted e-mail containing a URL that allowed them to access the test result without taking any further security measures. In some cases, the download link was structured in a way that led to the download of a PDF file with the file name corresponding to the last name of the person tested. With knowledge of the directory path, it was therefore possible to view third-part

Bank: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Brandenburg

The DPA of Brandenburg has imposed a five-digit fine on a bank. The bank had installed a video surveillance system that covered parts of the foyer of the branch with ATMs, the entrance area and the sidewalk and parking spaces in front of it. The transmission of the images as well as the commands to access the camera were carried out unencrypted via the Internet. The bank suffered a data breach in which unknown third parties compromised the video cameras and then posted the images on the Internet

UAB Prime Leasing: Insufficient technical and organisational measures to ensure information security

€110,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined UAB Prime Leasing, the operator of the short-term car rental platform CityBee, EUR 110,000. The DPA conducted the investigation on its own initiative after information about a possible personal data breach (Art. 33 GDPR) of the company's customers became public in February 2021. According to the company, they learned about the security breach from another cybersecurity service provider who informed them that the customer data of 110,302 CityBee users had been publish

Østre Toten municipality: Insufficient technical and organisational measures to ensure information security

€412,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Østre Toten municipality EUR 412,000. The municipality suffered a cyberattack in January 2021, as a result of which the municipality's data was encrypted and backups were deleted. A larger amount of data was later published on the dark web. Approximately 30,000 documents were affected by the attack. The documents contained, among other things, information on ethnic origin, political opinion, religious beliefs, union memberships, sexual orientation, health statu

Favrskov municipality: Insufficient technical and organisational measures to ensure information security

€10,000 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 10,000 on Favrskov municipality. On August 19, 2020, the DPA received a notification from Favrskov Municipality of a personal data breach under Art. 33 GDPR. The notification stated that during a break-in at the municipality's premises, a laptop was stolen which contained a program that provided an overview of the municipality's care facilities and thus information on the names and personal identity numbers of approximately 100 individuals with physical o

President of the Zgierz District Court: Insufficient technical and organisational measures to ensure information security

€2,200 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) has imposed a fine of EUR 2,200 on the president of the Zgierz District Court. The president had reported a data breach involving the loss of an unencrypted USB stick by a probation officer. The data medium stored the data of 400 persons under probation supervision. The lost and at the same time unsecured data carrier has not yet been found, so that unauthorized persons could still have access to the personal data it contained. The president had assumed that the duty to sec

Mermaids: Insufficient technical and organisational measures to ensure information security

€29,000 fine - Information Commissioner (ICO)

The ICO has fined transgender charity Mermaids EUR 29,000 for failing to protect the personal data of its users, in breach of Art. 5 (1) f) UK GDPR and Art. 32 (1), (2) UK GDPR. The ICO conducted an investigation after it received a report of a data breach relating to an internal email group. During the investigation, the ICO found that the group was created with insufficiently secure settings, resulting in approximately 780 pages of confidential emails being viewable online for nearly three yea

aiComply S.r.l.: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian Data Protection Authority (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000

Aeroporto Guglielmo Marconi di Bologna S.p.a.: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian DPA (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software suppl

Region Värmland: Insufficient fulfilment of information obligations

€25,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 25,000 on Region Värmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1

Voice Integrate Nordic AB: Insufficient technical and organisational measures to ensure information security

€64,500 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 64,500 on Voice Integrate Nordic AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded call

MedHelp AB: Non-compliance with general data processing principles

€1,200,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 1,200,000 on MedHelp AB. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 117

Region Stockholm: Insufficient fulfilment of information obligations

€50,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 50,000 on Region Stockholm. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the

Region Sörmland: Insufficient fulfilment of information obligations

€25,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 25,000 on Region Sörmland. The fine is related to an investigation against three companies and three Swedish regions. In all 21 regions of Sweden, a telephone hotline that offers advice on various health-related topics can be reached by dialing 1177. Each region operates its own health advice service, either internally or through contracted subcontractors, but together they form a national network. In 2019, the media reported that recorded calls to the 1

Budapest Főváros Kormányhivatala XI. kerületi Hivatalát (11th District Public Health Department of the Government Office of the Capital City Budapest): Insufficient technical and organisational measures to ensure information security

€27,700 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The Hungarian DPA (NAIH) has fined the XI District Office of the Government of Budapest EUR 27,700. The controller had emailed health data regarding Covid-19 rapid tests, as well as the contact details of the people tested, to doctors in a single Excel file, unencrypted and without any further measures to ensure confidentiality. The DPA found that the controller had failed to implement technical and organizational measures that ensured the protection of personal data. In addition, the controller

Private Individual: Non-compliance with general data processing principles

Data Protection Authority of Sachsen-Anhalt

Original summary: The DPA of Saxony-Anhalt imposed a fine of EUR 200 on a private individual. The controller had taken photos of vehicles and, in some cases, their drivers and emailed them to the city of Magdeburg in an unencrypted form as part of reports of violations of the Road Traffic Regulations. Update: The fine proceedings have been closed.

Orthodontic Clinic: Insufficient technical and organisational measures to ensure information security

€12,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has fined an orthodontic clinic EUR 12,000. The web form that new patients used to sign up contained mandatory fields for all sorts of patient personal data. The data that the patients (mostly children) entered into the form was then sent to the orthodontic clinic via an unencrypted - and thus unsecured - connection. This presented the risk of unauthorized third parties accessing the personal data of the data subjects.