
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

54 Posts
12 Topics
Nov 24 Latest

Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles

€4,500,000 fine - Croatian Data Protection Authority (AZOP)

Following an investigation by the authority, AZOP imposed a fine of EUR 4.5 million on a telecommunications operator for multiple GDPR infringements. The controller transferred customer data to a processor in the Republic of Serbia (a subsidiary that maintains software). These transfers took place on the basis of Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that, the transfers continued without SCCs or equivalent safeguards, even though Serbia is not considered a country providing adequate protection.


Chamber of Commerce, Industry, Services and Navigation of Spain: Insufficient legal basis for data processing

€500,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 500,000 on the Chamber of Commerce, Industry, Services and Navigation of Spain. Due to its function within the Spanish Executive, the controller has access to the basic data of all Spanish companies, including information regarding solvency, contact details, tax numbers and more. Self-employed persons are also included. The controller has decided to make this information available to the public. For this purpose, the controller created the legal entity C

Istituto di Istruzione Superiore 'P. Galluppi' Tropea: Insufficient legal basis for data processing

€4,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2,500 on the Istituto di Istruzione Superiore 'P. Galluppi' Tropea. The controller processed biometric data of its employees to control their work hours. The processing was designed in a way that, according to the DPA, did not comply with the principles of lawfulness, fairness and transparency and lacked a sufficient legal basis.


Azienda regionale per lo sviluppo e per i servizi in agricoltura (ARSAC): Non-compliance with general data processing principles

€50,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed a fine of EUR 50,000 on the Regional Agency for Development and Services in Agriculture (ARSAC). The controller processed geographic data of its employees without a sufficient legal basis. The controller also failed to provide sufficient information in its internal documents regarding the data processing, breached the basic principles of lawfulness, fairness, transparency and purpose limitation, and failed to conduct a data protection impact assessment. The total sum of th

OpenAI OpCo LLC: Non-compliance with general data processing principles

€15,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 15 million on OpenAI in connection with the operation of the generative AI chatbot “ChatGPT”. The DPA found that OpenAI had violated provisions of the GDPR, inter alia, by failing to notify the DPA of a data breach that occurred in 2023, by using users' personal data to train ChatGPT without providing a valid legal basis for such processing, and by violating the principle of transparency. Additionally, OpenAI did not implement age verification, potential

Vinted: Insufficient fulfilment of data subjects' rights

€2,385,276 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has imposed a fine of EUR 2,385,276 on the second-hand online store 'Vinted'. The DPA initiated an investigation after the Polish and French DPAs forwarded complaints against the company. During its investigation, the DPA found that the company had not adequately processed deletion requests from data subjects as they had not provided specific reasons for their deletion request. It was also revealed that the company was unlawfully using 'shadow blocking' to remove users from th

Clearview AI Inc.: Non-compliance with general data processing principles

€30,500,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Clearview AI Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company's database had been processed u

Betting company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such

Betting company: Insufficient legal basis for data processing

€15,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such

AMAZON FRANCE LOGISTIQUE: Non-compliance with general data processing principles

€32,000,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 32 million on AMAZON FRANCE LOGISTIQUE for unlawful surveillance of employees. CNIL found that Amazon France equips its warehouse employees with a scanner to document certain tasks. Each scan records data that is stored and can be used to calculate a series of indicators that provide information on the productivity of each employee. The CNIL considered the establishment of a system that measures interruptions in activity with precision and potentia

SLOVAKIA DPA: Non-compliance with general data processing principles

€7,500 fine - Slovak Data Protection Office

The Slovak DPA has imposed a fine of EUR 7,500 on an unknown controller. The controller violated the principle of lawfulness, the principle of transparency and the principle of accountability.

Autostrade per l'Italia spa: Non-compliance with general data processing principles

€1,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Autostrade per l'Italia spa ('ASPI') EUR 1 million for unlawfully processing the data of approx. 100,000 registered users of the toll reimbursement app 'Free to X.' A consumer organization reported problems with the service, which provides toll refunds for delays caused by roadworks, to the DPA. The DPA found that Autostrade held the position of the data controller, instead of a processor, as stated in the documents governing the relationship between 'ASPI' and 'Free to

TikTok: Non-compliance with general data processing principles

€14,500,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined TikTok EUR 14.5 million. The ICO had found that more than one million British children under the age of 13 were using TikTok without the consent of their parents. The ICO criticized TikTok for failing to implement adequate controls to identify and remove underage children from its platform. Further, the ICO found that TikTok did not provide users of the platform with sufficient and easily understandable information about the collection, use and disclosure of their data

WhatsApp Ireland Ltd.: Insufficient legal basis for data processing

€5,500,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the ac

Meta Platforms Ireland Limited: Non-compliance with general data processing principles

€390,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of servi

Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications (APEDANICA): Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has fined the Association for the prevention and study of crimes, abuses and negligence in information technology and advanced communications (APEDANICA) EUR 5,000. Employees of the company LEGAL ERASER SL had filed a complaint with the DPA. The controller had requested information about LEGAL ERASER from the DPA as part of the right to information based on the Spanish Transparency Act. The controller then published the documents, some of which contained personal data of LEGAL ER

Clearview AI Inc.: Non-compliance with general data processing principles

€20,000,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 20,000,000 on Clearview AI Inc. The non-profit organization 'Homos Digitalis' had filed a complaint with the DPA on behalf of the data subject. The company holds a database of more than 20 billion facial images (including those of Greek residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on

Senseonics Inc.: Non-compliance with general data processing principles

€45,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 45,000 on Senseonics Inc. The company had reported a data breach to the DPA pursuant to Art. 33 GDPR, involving an employee accidentally sending an information campaign by email to a large number of recipients in an open distribution list. This made it possible for all recipients to view the email addresses of the other recipients. The recipients of the e-mails were diabetic patients, making it possible to obtain information about the health status of th

Clearview AI Inc.: Non-compliance with general data processing principles

€9,000,000 fine - Information Commissioner (ICO)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such

BREBAU GmbH: Insufficient legal basis for data processing

€1,900,000 fine - Data Protection Authority of Bremen

The DPA of Bremen has imposed a fine of EUR 1.9 million on the housing association BREBAU GmbH. BREBAU GmbH had processed upwards of 9,500 datasets about potential tenants without a valid legal basis. In particular, the DPA found that the controller had processed particularly sensitive data as defined by Art. 9 GDPR. For example, the controller unlawfully processed information about the skin color, ethnic origin, religious affiliation, sexual orientation and health status of the data subjects. B

Clearview AI Inc.: Non-compliance with general data processing principles

€20,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined U.S.-based Clearview AI EUR 20 million after it was revealed that the company had been applying biometric surveillance techniques on Italian territory. The company owns a database of over 10 billion facial images from around the world. The company offers a search service that allows profiles to be created based on the biometric data extracted from the images. The profiles can be enriched with information associated with these images, such as image tags and geolocation.

IAB Europe: Insufficient legal basis for data processing

Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. In the context of this complaint, the compliance of the 'Transparency & Consent Framework (TCF)' with the GDPR was mainly questioned. The TCF was developed by IAB to promote compliance with the GDPR by organizations using the OpenRTB protocol. The OpenRTB protocol is a protocol for 'real-time bidding,' which is the automated online auction of user profiles for t

EU DisinfoLab: Non-compliance with general data processing principles

€2,800 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined the NGO EU DisinfoLab EUR 2,700. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw data obtained from this was then published without taking minimal security precautions, such as pseudonymizing the

Researcher: Non-compliance with general data processing principles

€1,200 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined a researcher EUR 1,200. The fine was issued in connection with another fine against the NGO EU DisinfoLab. The researcher was employed at the NGO. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw d

Ubi Banca spa: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Ubi Banca spa (now Intesa Sanpaolo spa). A data subject had filed a complaint with the DPA for receiving a letter from the controller, with the envelope stating 'anomalous credit Chieti'. However, the letter did not contain payment reminders but only information about the transparency of banking and financial services. For this reason, the DPA found that the controller had violated the principles of lawfulness and transparency as well as the p

Motor insurance center: Non-compliance with general data processing principles

€52,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has fined a motor insurance center EUR 52,000. The controller had excessively requested patient data from within the healthcare system for the purpose of processing claims. However, much of the data was not necessary to process the claims. For example, the DPA found that the motor vehicle insurance center had also collected patient visit notes to determine whether the health care provider had billed for visits that were not related to the examination or treatment of injuries caus

YAY ehf.: Non-compliance with general data processing principles

€27,200 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf. The DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal informat

Icelandic Ministry of Industry and Innovation: Non-compliance with general data processing principles

€51,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic Data Protection Authority has imposed a fine of EUR 51,000 on the Ministry of Industry and Innovation and a fine of EUR 27,200 on YAY ehf. The fine is related to a campaign by the ministry to encourage Icelanders to travel domestically in the summer of 2020. This involved a digital gift voucher that could be obtained through the app of the company YAY ehf. The DPA received a number of complaints regarding the fact that the use of the travel gift required extensive personal informat

WS WiSpear Systems Ltd: Non-compliance with general data processing principles

€925,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 925,000 on WS WiSpear Systems Ltd. The company had collected various data from individuals (Media Access Control addresses and International Mobile Subscriber Identity data) without their knowledge as part of tests and presentations of technologies. In this context, the DPA found a violation of the principle of legality, objectivity and transparency.

Vattenfall Europe Sales GmbH: Insufficient data processing agreement

€900,000 fine - Data Protection Authority of Hamburg

The Hamburg DPA has imposed a fine of EUR 900,000 on Vattenfall Europe Sales GmbH. The fine relates to data matching that the controller carried out between August 2018 and December 2019 in the course of contract inquiries for special contracts. The special contracts served to attract new customers and were accompanied by bonus payments for the customers. The controller compared personal data of prospective customers who had submitted an inquiry for a special contract wit

Ciechi Ardizzone Gioeni di Catania: Non-compliance with general data processing principles

€5,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 5,000 on the Ciechi Ardizzone Gioeni di Catania residential home for blind people. A visitor to the residence filed a complaint with the DPA. He based this on an installed video surveillance system in the accommodation. The video surveillance system recorded, among other things, the corridor connecting the accommodation with the communal showers. Moreover, the footage was not only recorded but also displayed in real time on the monitors of the

Bocconi University: Non-compliance with general data processing principles

€200,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible t

WhatsApp Ireland Ltd.: Insufficient fulfilment of information obligations

€225,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp

Deliveroo Italy s.r.l.: Non-compliance with general data processing principles

€2,500,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has fined food delivery service Deliveroo Italy s.r.l. EUR 2,500,000 for unlawfully processing the personal data of approximately 8000 drivers. Garante's investigation revealed numerous and serious data protection violations. The violations included a lack of transparency in the algorithms used to manage drivers, both when assigning jobs and when booking work shifts. Deliveroo had used a centralized system for driver management through which it then processed and manage

Storstockholms Lokaltrafik: Insufficient legal basis for data processing

€1,600,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has fined Storstockholms Lokaltrafik (Stockholm Local Transport Company) EUR 1,600,000. The controller had equipped ticket inspectors with body-worn cameras, which were designed to prevent threatening situations, document incidents, and ensure that the right person was fined for traveling on Stockholm's public transportation without a valid ticket. Ticket inspectors were required to keep the camera on for their entire shift and were therefore able to film all passengers who passe

PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ: Non-compliance with general data processing principles

€15,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has fined PURPLE SEA MΟΝΟΠΡΟΣΩΠΗ ΙΚΕ EUR 15,000 due to the illegal installation and operation of a video surveillance system. The controller had installed a video surveillance system in the office premises without informing the employees about it, thus violating the principles of legality, fairness, transparency, purpose limitation and accountability.

Equifax Iberica S.L.: Insufficient legal basis for data processing

€1,000,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine of EUR 1,000,000 on Equifax Ibérica, SL. A total of 96 complaints were filed with the DPA against the controller because it had included personal data of individuals associated with alleged debts in the Judicial Claims and Public Entities File ('FIJ') without their consent. In some cases, these data were not even correct. According to the DPA, the processing of the data subjects' personal data involving the FIJ file had been unlawful and violated several

Istituto Nazionale Previdenza Sociale (INPS): Non-compliance with general data processing principles

€300,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) imposed a fine of EUR 300,000 on the Istituto Nazionale Previdenza Sociale (INPS). The Italian National Institute for Social Security had been tasked with anti-fraud investigations related to COVID-19 relief funds. After press reports raised problems with the institute's data processing practices around the application review of politicians, the Italian DPA opened an investigation against INPS in August 2020. During that investigation, the DPA ide

SLOVAKIA DPA: Non-compliance with general data processing principles

€40,000 fine - Slovak Data Protection Office

The Slovak DPA has imposed a fine of EUR 40,000 on a controller. The controller had violated the principle of accountability (lack of proof that a data protection impact assessment had been carried out) and the principle of fairness and transparency. In addition, the controller had not concluded a contract with the processor.

BELGIUM DPA: Non-compliance with general data processing principles

€1,500 fine - Belgian Data Protection Authority (APD)

The Belgian DPA (APD/GBA) imposed a fine of EUR 1,500 on a social housing company for non-compliance with several GDPR principles, including the general data processing principles and the principles of legality and transparency (e.g. an insufficient privacy policy and a lack of information on camera surveillance).

Google Belgium SA: Insufficient fulfilment of data subjects' rights

€600,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has fined Google Belgium SA, a subsidiary of Google, EUR 600,000. The reasons for the fine were the rejection of an application by a data subject for the dereferencing of outdated articles that the data subject considered damaging to their reputation, and a lack of transparency in Google's form for dereferencing applications. The Belgian data protection authority found that articles relating to unfounded harassment complaints could have serious consequences

Iliad Italia S.p.A.: Non-compliance with general data processing principles

€800,000 fine - Italian Data Protection Authority (Garante)

The fine relates to data protection infringements concerning the processing of customer data for the activation of SIM cards and the manner in which payment data was recorded. In addition, the data protection authority stated that the company had violated the principles of lawfulness, fairness and transparency as well as the integrity and confidentiality with regard to the processing of personal data for direct marketing purposes and the storage of customer data in the personal area of its websi

School Fitness Holiday & Franchising S.L.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (AEPD)

Breach of transparency principle. No further information available at the moment.

Liceo Artistico Statale di Napoli: Insufficient legal basis for data processing

€4,000 fine - Italian Data Protection Authority (Garante)

The AEPD's decision reveals that the high school unlawfully published health data and other information in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.

Liceo Scientifico Nobel di Torre del Greco: Insufficient legal basis for data processing

€4,000 fine - Italian Data Protection Authority (Garante)

The AEPD's decision reveals that the high school unlawfully published health data and other information of more than 2000 teachers in the teacher rankings published on the Institute's website. This publication was made in violation of the principles of lawfulness, fairness, transparency and data minimization.

MALTA DPA: Insufficient fulfilment of data subjects' rights

€4,000 fine - Data Protection Commissioner of Malta

The controller had sent unsolicited commercial messages. In addition, the privacy policy did not comply with transparency requirements and the controller failed to comply with requests for information from data subjects.

MALTA DPA: Insufficient fulfilment of data subjects' rights

€20,000 fine - Data Protection Commissioner of Malta

The controller failed to comply with a data subject's right to information. In addition, the data protection policy did not meet the transparency requirements.

PWC Business Solutions: Insufficient legal basis for data processing

€150,000 fine - Hellenic Data Protection Authority (HDPA)

The processing of employee personal data was based on consent. The HDPA found that consent as legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest. In addition, the company gave employees the false impression that it was processing their person