
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

24 Posts
12 Topics
Oct 5 Latest

Debt collection company: Insufficient legal basis for data processing

€5,470,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 5,470,000 on a debt collection company. The investigation was triggered by an anonymous complaint stating that the controller unlawfully processed personal data, with a USB stick attached to the complaint containing personal data of 181,641 individuals. As a controller, the debt-collection company unlawfully processed sensitive data (health related) of their debtors, as well as the data of individuals who are not in a debtor-creditor relationship, mos

KG COM: Non-compliance with general data processing principles

€150,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 150,000 on the company KG COM. The company operates several websites and offers fortune-telling consultations to customers via chat or telephone. After the company suffered a data breach, the DPA conducted three investigations. During its investigation, the DPA found that the controller systematically recorded conversations with customers as well as potential customers without properly justifying why such extensive recording was necessary. In addition, th

School: Non-compliance with general data processing principles

€15,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has fined a school EUR 15,000. The school had installed several video surveillance cameras on the building, which permanently recorded students, teachers and visitors. During its investigation, the DPA found that the school did not have a sufficient legal basis for the video surveillance. In view of the extensive video surveillance and the resulting restriction of the personal rights of the data subjects, the school could not rely on a legitimate interest (protection of property

Workshop: Non-compliance with general data processing principles

€1,300 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The Hungarian DPA has imposed a fine of EUR 1,300 on a workshop. The workshop had installed a video surveillance system to protect the company's assets. However, the cameras also captured parts of the employee's work area. The DPA found that the recording of the employees was not necessary to ensure the purposes associated with the video surveillance and was therefore disproportionate. The DPA also found that the workshop had not sufficiently complied with its information obligations under Art.

Budapest Bank Zrt.: Insufficient legal basis for data processing

€634,000 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The Hungarian DPA (NAIH) has fined Budapest Bank Zrt. EUR 634,000. NAIH reports that the bank used an artificial intelligence-driven software solution to automate the evaluation of customers' emotional state. The speech evaluation system determined which customers needed to be recalled based on the customer's mood. The bank operated the application to prevent complaints and to keep customers. The bank did not inform the data subjects, that the processing of their data serves, among other things,

Private individual: Insufficient legal basis for data processing

€6,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 6,000 on a private individual. The person had shared a video on Twitter showing images of a sexual assault by a man on a woman. The purpose of sharing the video was to draw attention to domestic violence against women. The DPA considers the sharing to be unlawful. Even though the person may have had a legitimate interest in sharing the video, the victim's right to privacy prevails.

Fincas Miguel García S.L.: Insufficient fulfilment of information obligations

€2,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has fined Fincas Miguel García S.L. in the amount of EUR 2,000. A data subject had filed a complaint against the controller, alleging a breach of Art. 13 GDPR. The DPA found that the information provided to the data subject by the controller did not comply with the provisions of Art. 13 GDPR, as essential aspects were missing, such as information on the purposes of the processing for which the personal data collected are intended and its legal basis, as well as information

Nordbornholms Byggeforretning Aps: Insufficient legal basis for data processing

€53,800 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA (Datatilsynet) has imposed a fine of EUR 53,800 on Nordbornholms Byggeforretning Aps. In 2018, the DPA was contacted by a data subject who complained that his former employer, Nordbornholms Byggeforretning ApS, had disclosed information about him to the company's customers. The controller had emailed two of the company's customers informing them that the former employee had committed crimes in the course of employment and had admitted to committing them, as well as describing in d

Huppuís ehf: Non-compliance with general data processing principles

€34,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA (Persónuvernd) has imposed a fine of EUR 34,000 on Huppuís ehf. A former employee filed a complaint against the controller with the DPA. The reason for this was the camera surveillance installed by the controller. During their shifts, the controller's employees wore clothing provided by the controller. However, the designated changing room of the store was a storage room in which large quantities of cleaning materials were stored. Due to a lack of sufficient space in this room,

Equifax Iberica S.L.: Insufficient legal basis for data processing

€50,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) fined Equifax Iberica S.L. EUR 50,000 for a violation of Art. 6 (1) f) GDPR. The controller had added the data subject to a debtor register without informing her beforehand. The data subject had outstanding payments of rent with her landlord, who had previously sent her corresponding requests for payment. The controller itself had also sent notices to the data subject requesting her to pay the debts. These, however, did not contain any information that the data subject wou

Caixabank S.A.: Insufficient legal basis for data processing

€2,000,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) fined Caixabank S.A. EUR 6,000,000 for violations of Art. 6 GDPR, Art. 13 GDPR and Art. 14 GDPR. Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers' personal data to all companies within the CaixaBank Group. At the same time, the data subjects were not given the option of specifically not consenting to this transfer. Instead, if they wished to disagree with the transfer of their data, they were required to s

Uppsalahem AB: Insufficient legal basis for data processing

€29,500 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined the housing company Uppsalahem AB SEK 300,000 (EUR 29,500). The housing company had installed surveillance cameras in an apartment building to monitor one floor after disturbances and security incidents occurred. The cameras not only monitored the staircase, but also the front door of a resident. Therefore, when the door was opened, the inside of the apartment was also captured by the video surveillance. While the company may have had a legiti

Non-profit organisation: Insufficient fulfilment of data subjects' rights

€1,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has imposed a fine of EUR 1,000 on a non-profit organisation for sending out direct marketing messages, despite the fact that data subjects had exercised their rights to erasure and objection. The organisation claimed that it was relying on legitimate interests as a legal basis and not on the explicit consent of the data subjects. The data protection authority, however, denied that any legitimate interests outweighed the data subjects' rights.

Vodafone España, S.A.U.: Insufficient legal basis for data processing

€60,000 fine - Spanish Data Protection Authority (aepd)

According to the AEPD, the data subject had received several SMS from a separate operator indicating the activation of a new contract. The reason for this was that an employee of Vodafone España had activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or sufficient legitimate interests for this processing of personal data.

Vodafone España, S.A.U.: Insufficient legal basis for data processing

€24,000 fine - Spanish Data Protection Authority (aepd)

According to the AEPD, the company sent two SMS to a client's mobile number informing about a rate change in their contract and confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subject's consent or any other legitimate interest of the company.

Vodafone España, S.A.U.: Insufficient legal basis for data processing

€40,000 fine - Spanish Data Protection Authority (aepd)

According to the AEPD, the company sent an SMS to a client's mobile number confirming that a telephone contract with that number had been signed even though the recipient was not a Vodafone client, resulting in the processing of personal data without the data subject's consent or any other legitimate interest of the company.

Royal Dutch Tennis Association ('KNLTB'): Insufficient legal basis for data processing

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association ('KNLTB') EUR 525,000 for selling the personal data of more than 350,000 of its members to sponsors, who had contacted some of the members by mail and telephone for direct marketing purposes. It was found that the KNLTB sold personal data such as name, gender and address to third parties without obtaining the consent of the data subjects. The data protection authority also rejected the existence of a legitimate

Unknown Company: Non-compliance with general data processing principles

€2,860 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

An employee was on sick leave when his employer checked his desktop, laptop and emails to ensure that his work-related duties were being covered in his absence. The employer then suspended his account. The employee did not receive pre-notification and did not have the chance to copy / delete his private information (telephone numbers, messages). According to NAIH, employers must record the access with minutes and photos. Employment agreements must regulate whether employees can use work equipmen

Town of Kerepes: Insufficient legal basis for data processing

€15,100 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The city based its video surveillance practice on its legitimate interests (Art. 6 (1) f GDPR). However, according to Art. 6 (1) subparagraph 2, this legal basis shall not apply to processing carried out by public authorities in the performance of their tasks. The processing could not be based on any other legal basis.

PWC Business Solutions: Insufficient legal basis for data processing

€150,000 fine - Hellenic Data Protection Authority (HDPA)

The processing of employee personal data was based on consent. The HDPA found that consent as legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject and the smooth and effective operation of the company, as its legitimate interest. In addition, the company gave employees the false impression that it was processing their person

Financial Enterprise: Insufficient legal basis for data processing

€2,850 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

A client of a financial enterprise complained that the financial enterprise had transferred his data after he objected to the processing and had not provided information on the processing of his data at his request. According to the financial enterprise, it had sold its claim stemming from the contract concluded with its client to a third party, and this transaction therefore necessitated the transfer of the relevant client data. NAIH highlighted that the financial enterprise sold the concerning claim a

HUNGARY DPA: Insufficient legal basis for data processing

€2,850 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The individual requested the deletion of his contact data (including his telephone number); however, the controller continued to process his contact data for claim enforcement purposes on the basis of its legitimate interest. NAIH determined that the controller had no compelling legitimate grounds for processing the telephone number of the data subject, since his address was also at hand, which is sufficient for claim enforcement purposes and for the related communication with the data subject.

Claim management company: Insufficient legal basis for data processing

€2,850 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The complainants stated during the case that they concluded a credit agreement with the bank, which sold its claim against the complainants and transferred their respective data to a third-party company (controller). NAIH determined in the case that the controller can neither rely on the consent of the data subjects nor the performance of the credit contract as the legal basis of the data processing, since the data subjects concluded such contract with the bank, not with the controller. The appr

Unnamed financial institution: Insufficient fulfilment of data subjects' rights

€3,200 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because