Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Municipality of Ede: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Ede. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up me

Municipality of Hilversum: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Eindhoven: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Eindhoven. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Veenendaal: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Veenendaal. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Municipality of Tilburg: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped u

Municipality of Zoetermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Zoetermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Municipality of Delft: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Delft. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Haarlemmermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Haarlemmermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism st

Municipality of Huizen: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Huizen. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Gooise Meren: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Gooise Meren. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism step

REVMA PLUS Retail S.A.: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Hellenic Data Protection Authority (HDPA)

The Greek DPA has imposed a fine of EUR 5,000 on REVMA PLUS Retail S.A. The fined entity is the processor of Thessaloniki–Thessaly Gas Supply Company S.A. (ETid-3016). The processor, a call center involved in direct marketing activities, suffered a technical error in its system that prevented operators from calling data subjects that had not given their consent for direct marketing calls. The processor also failed to inform the controller of the technical error.

ONE WAY PRIVATE COMPANY: Non-compliance with general data processing principles

€80,000 fine - Hellenic Data Protection Authority (HDPA)

The Greek DPA has imposed a fine of EUR 80,000 on ONE WAY PRIVATE COMPANY. The fined entity is the processor of Thessaloniki–Thessaly Gas Supply Company S.A. (ETid-3016). The processor, a call center involved in direct marketing activities, had implemented a system to check whether consent had been given to contact a specific person. However, this system could be bypassed or ignored by the operator, resulting in data subjects being contacted without their consent. Furthermore, the controller had

SIGMA & KAPPA IMPORTING SOCIÉTÉ ANONYME: Insufficient technical and organisational measures to ensure information security

€10,000 fine - Hellenic Data Protection Authority (HDPA)

The Greek DPA has imposed a fine of EUR 10,000 on SIGMA & KAPPA IMPORTING SOCIÉTÉ ANONYME. The fined entity is the processor of Thessaloniki–Thessaly Gas Supply Company S.A. (ETid-3016). The processor, a call center involved in direct marketing activities, had not implemented sufficient technical and organisational measures to prevent operators from calling data subjects who had not given their consent for direct marketing calls.

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish telecommunications and information structure (SETSI) decided that Vodafone had to reimburse a customer for costs that had been wrongly charged to him. Nevertheless, Vodafone passed personal data of this customer on to a credit registry (BADEXCUG). The AEPD (Spanish Data Protection Authority) found that this conduct violates the principle of accuracy.

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish telecommunications and information agency (SETSI) decided Vodafone had to reimburse a customer for costs he was wrongfully charged for. Nevertheless, Vodafone reported personal data of this customer to a solvency registry (BADEXCUG). The AEPD found this behaviour violated the principle of accuracy.

Comune di Nave: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Comune di Nave. The controller has installed an automatic licence plate recognition system which processes data on when a car passes a specific control point. This data is stored for seven days, after which it is automatically deleted. The system is also connected to the Motor Vehicle Registry and automatically verifies the passing vehicle's insurance coverage, periodic inspection and environmental class. This data processing occurred witho

Comune di Tuscania: Non-compliance with general data processing principles

€12,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 12,000 on the Comune di Tuscania. The controller had been using video surveillance and licence plate recognition within its territory for the purposes of territorial security and supervising separate waste collection at recycling centers. However, the controller did not put up any relevant signs containing the privacy policy or warning signs. The controller also failed to enter into data processing agreements with processors handling data on its behalf,

Istituto Comprensivo Centro di Casalecchio di Reno: Insufficient fulfilment of data subjects rights

€2,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2,000 on Istituto Comprensivo Centro di Casalecchio di Reno. The controller published a ranking of its teachers on its website without a sufficient legal basis.

Istituto Comprensivo Centro di Casalecchio di Reno: Insufficient fulfilment of data subjects rights

€2,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2,000 on Istituto Comprensivo Centro di Casalecchio di Reno. The controller published a ranking of its teachers on its website without a sufficient legal basis.

SPRINTER MEGACENTROS DEL DEPORTE, S.L.: Insufficient technical and organisational measures to ensure information security

€1,560,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 1,560,000 on SPRINTER MEGACENTROS DEL DEPORTE, S.L. The controller suffered a cyber attack due to insufficient technical and organisational measures being in place to ensure data security. Furthermore, the controller failed to adequately inform the affected data subjects. The original fine of EUR 2,600,000 was reduced to EUR 1,560,000 due to immediate payment and admission of responsibility by the controller.

SPRINTER MEGACENTROS DEL DEPORTE, S.L.: Insufficient technical and organisational measures to ensure information security

€1,560,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish data protection authority (DPA) has imposed a fine of EUR 1,560,000 on SPRINTER MEGACENTROS DEL DEPORTE, S.L. The controller fell victim to a cyber attack as a result of insufficient technical and organisational measures to ensure data security. Furthermore, the controller did not adequately inform the data subjects affected by the breach. The original fine of EUR 2,600,000 was reduced to EUR 1,560,000 due to immediate payment and admission of responsibility by the controller.

Telecommunications company (operator of electronic communications networks and services): Non-compliance with general data processing principles

€4,500,000 fine - Croatian Data Protection Authority (AZOP)

Following an investigation by the authority, AZOP imposed a fine of EUR 4.5 million on a telecommunications company for multiple GDPR violations. The controller transferred customer data to a processor in the Republic of Serbia (a subsidiary that maintains software). These transfers took place on the basis of standard contractual clauses (SCCs) from 16 April 2020 until 27 December 2022 at the latest; afterwards the transfers continued without SCCs or equivalent safeguards, even though Serbia is not considered a country with an adequate level of protection.

Gynecological center: Insufficient fulfilment of data breach notification obligations

€9,450 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 9,450 on a gynecological center. The company suffered a data breach and failed to report it to the data protection officer.

Gynecological Center: Insufficient fulfilment of data breach notification obligations

€9,450 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 9,450 on a Gynecological Center. The controller suffered a data breach and failed to report this to the DPO.

Provincia Autonoma di Bolzano: Non-compliance with general data processing principles

€32,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 32,000 on the Provincia Autonoma di Bolzano. The controller implemented video surveillance with automated licence plate recognition capabilities for vehicles, with the aim of guiding policies on mobility and infrastructure and preventing and investigating crimes. However, the controller did not comply with the basic principles of the GDPR, nor did they adequately comply with the DPA.

Shield of David - K.I.D.A.F.: Non-compliance with general data processing principles

€10,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 10,000 on Shield of David - K.I.D.A.F. The controller, a day care centre for people with autism, has legally installed video surveillance on its premises. However, the controller failed to adequately respond to a data subject's request to exercise their rights. Furthermore, the controller forwarded data to third entities without notifying the data subject. Lastly, the controller failed to cooperate adequately with the DPA.

Municipal Social Welfare Center Aleksandrów: Insufficient technical and organisational measures to ensure information security

€3,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 3,500 on the Municipal Social Welfare Center in Aleksandrów. The controller took insufficient technical and organisational measures to ensure information security, which led to a data breach.

Municipal Social Welfare Center Aleksandrów: Insufficient technical and organisational measures to ensure information security

€3,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 3,500 on the Municipal Social Welfare Center in Aleksandrów. The controller did not implement sufficient technical and organisational measures to ensure information security, resulting in a data breach.

Owner of a Pharmacy Office: Non-compliance with general data processing principles

€6,600 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on the owner of a pharmacy office. The controller processed data of residents of two geriatric centers without a sufficient legal basis. The controller also failed to inform the data subjects about the fact that the controller processed their data and that they obtained the data from a third party. Lastly, the controller failed to use encrypted email services. The original fine of EUR 11,000 was reduced to EUR 6,600 due to immediate payment and admission of re

Owner of a Pharmacy Office: Non-compliance with general data processing principles

€6,600 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on the owner of a pharmacy office. The controller processed data of residents of geriatric centers without a sufficient legal basis. The controller also failed to inform the data subjects about the fact that the controller processed their data and that they obtained the data from a third party. Lastly, the controller failed to use encrypted email services. Due to acknowledgment and immediate payment, the fine had been reduced to EUR 6,600. The original fine of

Acea Energia S.p.A.: Insufficient legal basis for data processing

€3,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed a fine of EUR 3,000,000 on Acea Energia S.p.A. The controller built a network of call centers that engaged in aggressive customer recovery and marketing calls using data obtained and collected by the controller in a list. The controller had no legal basis for processing the data.

Acea Energia S.p.A.: Insufficient legal basis for data processing

€3,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 3,000,000 on Acea Energia S.p.A. The controller built up a network of call centers that made aggressive calls to win back customers and carry out marketing activities. These calls were made on the basis of data that the controller had collected and stored in a list. The controller had no legal basis for processing this data.

Company: Insufficient legal basis for data processing

€80,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 80,000 on a company. The company was responsible for monitoring parking lots at several supermarkets and a hospital. However, it accessed personal data – in particular license plate numbers and owner information – from the Croatian Ministry of the Interior's (MUP) vehicle registry without a valid legal basis. Access was gained via a web service that the company had secured the right to use in certain areas on the basis of a concession. However, t

TECNOCRÁTICA CENTRO DE DATOS S.L.: Insufficient cooperation with supervisory authority

€4,800 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 4,800 on TECNOCRÁTICA CENTRO DE DATOS S.L. The controller failed to reply to an information request by the AEPD within the given deadline. The original fine of EUR 6,000 was reduced to EUR 4,800 due to immediate payment and admission of responsibility by the controller.

CENTROS COMERCIALES CARREFOUR, S.A.: Insufficient technical and organisational measures to ensure information security

€3,200,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA imposed a fine of EUR 3,200,000 on CENTROS COMERCIALES CARREFOUR, S.A. The controller suffered a cyberattack, resulting in the leak of a large amount of personal data. The controller failed to implement sufficient technical and organizational measures to ensure data security. Additionally, the notification of the data subjects in regards to the data breach was insufficient.

CAJA RURAL CENTRAL, S.C.C.: Non-compliance with general data processing principles

€72,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on CAJA RURAL CENTRAL, S.C.C. The controller had suffered a cyber attack in which the attackers were able to access customer data due to a security vulnerability in its systems. The DPA found that the company had failed to implement the necessary security measures that could have prevented such an incident. The original fine of EUR 90,000 was reduced to EUR 72,000 due to voluntary payment.

Unirea Medical Center S.R.L.: Insufficient technical and organisational measures to ensure information security

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 2,000 on Unirea Medical Center S.R.L. The controller publicly exposed the access credentials for a data subject's email account on a workstation.

LÍNEA DIRECTA ASEGURADORA, S.A.: Insufficient legal basis for data processing

€300,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 300,000 on LÍNEA DIRECTA ASEGURADORA, S.A. A data subject had filed a complaint with the DPA stating that they had inquired about a car insurance quote with Línea Directa and were subsequently contacted by one of Línea Directa's processors. Without their consent, the processor had accessed their driving license points via the website of a traffic authority.

Illumia Spa: Insufficient technical and organisational measures to ensure information security

€678,897 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 678,897 on the energy company Illumia Spa for unlawfully processing personal data for marketing purposes. The fine follows complaints from users who received unwanted advertising calls from call centers working on behalf of Illumia. The DPA found that the company had not carried out sufficient controls along the entire telemarketing supply chain. Among other things, advertising calls were made without a legal basis, and necessary technical and organizati

Hospital: Insufficient technical and organisational measures to ensure information security

€190,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 190,000 on a hospital. The hospital had suffered a data breach in which radiological image files were irrevocably lost. AZOP had received several complaints from data subjects whose personal data, including medical images, could not be provided. The investigation revealed that the hospital failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data were made (violation of Art. 32 (1) b) GDPR).

Company: Non-compliance with general data processing principles

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a company operating a call center. The controller had systematically recorded all incoming and outgoing calls for training, evaluation and dispute purposes. The CNIL found that such comprehensive recording violated the principle of data minimization and that random and selective recording for training purposes was sufficient.

CENTRUL MEDICAL UNIREA SRL: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 5,000 on CENTRUL MEDICAL UNIREA SRL. The controller had suffered a data breach in which personal data of patients and employees were disclosed on the internet without authorization. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data.

Central Young Men’s Christian Association: Insufficient technical and organisational measures to ensure information security

€8,700 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined the Central Young Men’s Christian Association EUR 8,700. The controller had sent an email to individuals participating in a program for individuals suffering from HIV without using the blind copy option, which made the email addresses of all recipients known to other recipients. 166 individuals could be identified or potentially identified based on their email addresses. From this it could be concluded that these people were probably living with HIV.

Centro Riparazioni Piacentino S.p.A.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) imposed a fine of EUR 20,000 on Centro Riparazioni Piacentino S.p.A. The controller had kept a former employee's email account active despite the termination of his/her employment. Furthermore, the data subject had not been informed about such a further use of their e-mail account.

CENTRO MÉDICO SALUS BALEARES, S.L.: Non-compliance with general data processing principles

€30,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 30,000 on CENTRO MÉDICO SALUS BALEARES, S.L. An individual had filed a complaint with the DPA due to the clinic's use of an electronic clinical thermometer with a temperature display attached to a screen on the wall so that the body temperature could be briefly visible to third parties in the waiting room when the individual moved away from the device.

Centrum Medyczne Ujastek Sp. z o.o.: Non-compliance with general data processing principles

€273,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed two fines on the medical facility “Centrum Medyczne Ujastek” totaling approximately EUR 273,000. The first fine of approximately EUR 163,000 was imposed for the unlawful installation of surveillance equipment in two neonatal rooms. These devices recorded images of newborns and their mothers during intimate acts such as breastfeeding or care without informing patients or staff, which constitutes a violation of data protection regulations. The second fine, of around EUR

Eurocollege Oxford English Institute S.L.: Non-compliance with general data processing principles

€72,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 72,000 on Eurocollege Oxford English Institute S.L. The data subject stated that they had signed a training contract with the affiliated school Centro De Estudios Aeronauticos, S.L. (CEAE). Prior to enrolment, CEAE required the complainant to undergo a medical examination with the presentation of a medical certificate, complete a health declaration with personal health information and present a police clearance certificate. However, during its investigat

Piraeus Leasing S.M.S.A.: Non-compliance with general data processing principles

€20,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 20,000 on Piraeus Leasing S.M.S.A. An individual had filed a complaint with the DPA because the controller processed an image on which the license plate of the individual's car was visible. The DPA also found that the controller had not complied with the request for access to their personal data.

APOLLONIA TOPCO, S.L.: Non-compliance with general data processing principles

€30,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 30,000 on APOLLONIA TOPCO, S.L. An individual had filed a complaint with the DPA due to the fact that, in order to receive a refund, they were required to send in their driving license as proof of identity. The DPA considered this to be a violation of the principle of data minimization, as the processing of the data on the driver's license was not necessary for the refund and the identity check could have been carried out with less intrusive means for t

Stockholm School Board: Non-compliance with general data processing principles

€70,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has fined the Stockholm School Board EUR 70,000 for excessive video surveillance in a school. A school had installed extensive video surveillance due to past problems with incendiary crimes. During its investigation, the DPA found that there were about 50 fixed cameras in the school monitoring hallways, stairwells and corridors in conjunction with doors, toilets and student lockers. Surveillance was taking place 24/7 with image recording. The DPA concluded that video surveillance