Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Municipality of Eindhoven: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Eindhoven. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Hilversum: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Tilburg: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped u

Municipality of Delft: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Delft. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Haarlemmermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Haarlemmermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism st

Municipality of Ede: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Ede. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up me

Municipality of Zoetermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Zoetermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Municipality of Huizen: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Huizen. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Gooise Meren: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Gooise Meren. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism step

Municipality of Veenendaal: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Veenendaal. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Company: Non-compliance with general data processing principles

€3,500,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact as

EXCEL HOTELS & RESORTS, S.A.: Insufficient technical and organisational measures to ensure information security

€32,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 32,000 on EXCEL HOTELS & RESORTS, S.A. The controller used security staff to control access to its facility. These security staff regularly left documents containing personal data at their post, making them accessible to third parties. The original fine of EUR 40,000 was reduced to EUR 32,000 due to prompt payment.

Nițu A. Cleopatra – Expert Accountant: Insufficient technical and organisational measures to ensure information security

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 2,000 on Nițu A. Cleopatra – Expert Accountant. The controller was the target of a successful cyber attack due to the inadequate technical and organisational measures in place to ensure data security.

Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles

€4,500,000 fine - Croatian Data Protection Authority (azop)

Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ

Interprovincial Order of Medical Radiology Technicians and Technical Health Professions in Rehabilitation and Prevention for the regions AQ, CH, PE and TE: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Interprovincial Order of Medical Radiology Technicians and Technical Health Professions in Rehabilitation and Prevention, active in the regions AQ, CH, PE and TE. The controller transferred data without a sufficient legal basis and also failed to appoint a Data Protection Officer (DPO).

Owner of a Tesla Car: Non-compliance with general data processing principles

€600 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA has imposed a fine of EUR 600 on the owner of a Tesla car. The controller's car had seven cameras installed, which filmed while the car was in use and while it was parked, recognising possible threats. However, the threat recognition system meant that the car filmed people who were not a threat and therefore for no reason. Additionally, data subjects had not been informed about the filming.

Vimar S.p.A.: Insufficient legal basis for data processing

€15,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 15,000 on Vimar S.p.A. The controller created an internal and personalised email account with the personal data of a third party, without their knowledge. Multiple people within the controller's company used this account for three years.

Ospedaliero-Universitaria Careggi: Insufficient technical and organisational measures to ensure information security

€80,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 80,000 on the Ospedaliero-Universitaria Careggi. The controller, a university hospital, used software that allowed medical personnel to search through the data subject's history, even if this was unrelated to the specific medical treatment.

IBERCAJA BANCO, S.A.: Non-compliance with general data processing principles

€42,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 42,000 on IBERCAJA BANCO, S.A. During a bank transfer, the controller passed on more data than necessary to the recipient of the payment. The original fine of EUR 70,000 was reduced to EUR 42,000 due to prompt payment and the controller's acknowledgement of responsibility.

SOLOCAL MARKETING SERVICES: Insufficient legal basis for data processing

€900,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 900,000 on SOLOCAL MARKETING SERVICES. The controller, a company that also engages in direct marketing activities for its clients, is using direct messages to contact potential customers for its clients. The company also transfers data of potential customers to its clients. The controller obtained the data through data brokers and was unable to prove that the potential customers (data subjects) had given consent for the described use of their data. In addi

Patronage and Assistance for Citizens and Agriculture Board: Insufficient legal basis for data processing

€5,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 5,000 on the organisation "Patronage and Assistance for Citizens and Agriculture Board". The controller stored a data subject's personal data for a period exceeding the statutory retention period laid down in national legislation.

SERVICIOS ESPECIALES, S.A.: Non-compliance with general data processing principles

€120,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on SERVICIOS ESPECIALES, S.A. The case concerned a GDPR infringement during an internal investigation into a labour dispute: the company shared a report by e-mail with the staff representatives and 15 other employees. This report contained the full names, job titles and details of the complaints of the persons concerned. The DPA held that this disclosure constituted an infringement of Art. 5 (1) f) GDPR, because the company had not ensured the confidentiality of the personal data. The original fine of EUR 200,000 was reduced to...

Hospital: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system,

l’Istituto Alberghiero Mediterraneo di Pulsano: Insufficient legal basis for data processing

€2,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed a fine of EUR 2,000 on l’Istituto Alberghiero Mediterraneo di Pulsano. The controller, a school, published a Christmas video on the video platform YouTube, which included some minor pupils without the consent of their parents.

Encore Thermoengineering s.r.l.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed a fine of EUR 20,000 on Encore Thermoengineering s.r.l. The controller legally obtained employee data from another company that had gone bankrupt. The controller never hired those subjects. However, the controller failed to comply with the principle of data minimization by storing the data without a time limit, and failed to adequately respond to a request for erasure by the data subjects.

Vodafone GmbH: Non-compliance with general data processing principles

€45,000,000 fine - The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of EUR 45,000,000 on Vodafone GmbH. The controller failed to properly supervise a third agency, which the controller used as a data processor. This resulted in employees of the third agency defrauding the controller's customers. The controller also failed to implement sufficient technical and organizational measures during an authentication process, which created the risk of third parties gaining ac

Hospital: Insufficient technical and organisational measures to ensure information security

€200,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined a hospital EUR 200,000. The hospital had suffered a ransomware attack through a vulnerability in the server, which paralyzed parts of the computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment. In addition, the DPA found that it did not have an adequate information security policy in place and failed to implement appropriate technical and organizational

INTERURBANA DE AUTOBUSES, S.A.: Non-compliance with general data processing principles

€70,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined INTERURBANA DE AUTOBUSES, S.A. EUR 70,000 after an employee filed a complaint over the publication of personal data on the company's bulletin boards. According to the data controller, an error in the HR department led to printing a full list of the employees—including sensitive details like addresses—instead of the electoral roll, which is meant to include only the information necessary for union elections. The DPA considered this to be a violation of the principle of d

Foodinho Srl: Non-compliance with general data processing principles

€5,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined the food delivery service Foodinho Srl EUR 5 million for unlawfully processing the data of approximately 35,000 drivers and for several violations of the GDPR. The DPA's investigation revealed that the company collected drivers' location data without their knowledge or consent—not only during working hours but also when the app was running in the background or inactive. Additionally, the DPA found that the company shared driver data with third parties without a valid le

COSMOSPACE: Non-compliance with general data processing principles

€250,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 250,000 on COSMOSPACE. The controller is a company that offers personalized clairvoyance consultations by telephone. As part of its services, the controller regularly processed multiple categories of sensitive data (Art. 9 GDPR) without obtaining prior consent. The controller also stored customer data for six years after the end of the business relationship for marketing purposes. According to the French DPA, a maximum of three years would have been admissibl

TELEMAQUE: Non-compliance with general data processing principles

€150,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 150,000 on TELEMAQUE. The controller is a company that offers digital services in the field of divinatory arts, including fortune telling by SMS, VAS or online chat. As part of its services, the controller regularly processed multiple categories of sensitive data (Art. 9 GDPR) without obtaining prior consent. The controller also stored customer data for six years after the end of the business relationship for marketing purposes. According to the French DPA, t

Hotel: €45,000 fine

€45,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 45,000 on two hotels for unlawfully processing personal data through the use of cookies.

Hospital: Insufficient technical and organisational measures to ensure information security

€190,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 190,000 on a hospital. The hospital had suffered a data breach in which radiological image files were irrevocably lost. AZOP had received several complaints from data subjects whose personal data, including medical images, could not be provided. The investigation revealed that the hospital failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data were made (violation of Art. 32 (1) b) GDPR).

Municipality of Vejen: Insufficient technical and organisational measures to ensure information security

€26,800 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 26,800 on the municipality of Vejen. The municipality had suffered a security incident involving the theft of three unencrypted computers containing information about children. During its investigation, the DPA found that 300 other computers were not encrypted either.

Selectra S.p.A.: Non-compliance with general data processing principles

€80,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 80,000 on Selectra S.p.A. A former employee had lodged a complaint with the DPA on the grounds that the controller was able to access their e-mail inbox even after the termination of the employment relationship. The DPA found that such a long retention period for e-mails (in some cases three years after the termination of the employment relationship) was excessive. The DPA also found that the controller had not provided the data subjects with sufficient

Central Young Men’s Christian Association: Insufficient technical and organisational measures to ensure information security

€8,700 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined the Central Young Men’s Christian Association EUR 8,700. The controller had sent an email to individuals participating in a program for individuals suffering from HIV without using the blind copy option, which made the email addresses of all recipients known to other recipients. 166 individuals could be identified or potentially identified based on their email addresses. From this it could be concluded that these people were probably living with HIV.

CROATIA DPA: Insufficient fulfilment of information obligations

Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed seven fines totaling EUR 16,000 on data controllers for failing to adequately mark video-monitored areas. This lack of marking resulted in people entering these areas not being informed of the surveillance, as the signs were either not visible on entry or did not contain all the necessary information. The fines ranged from EUR 500 to 4,000 and were imposed on various establishments, including hotels, restaurants, and shops. According to Art. 27 (1) of the Law

Betting company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such

Betting company: Insufficient legal basis for data processing

€15,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a data controller operating in the gambling and betting sector. The data controller collected and processed personal data of data subjects through cookies without providing them the opportunity to give or withdraw consent for such processing in an informed and voluntary manner, violating Art. 6 (1) a) GDPR and Art. 7 GDPR. In cases where personal data processing relies on consent and serves multiple purposes, the consent mechanism, such

Olimpia S.r.l.: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Olimpia S.r.l. During its investigation, the DPA found that data subjects had received advertising calls on behalf of the controller without their consent or despite being entered in objection registers. The DPA concluded that the controller had failed to take appropriate technical and organisational measures to ensure that the processing of data subjects' personal data is carried out in accordance with data protection regulations throughout the s

Facile.Energy S.r.l.: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Facile.Energy S.r.l. During its investigation, the DPA found that data subjects had received advertising calls on behalf of the controller without their consent or despite being registered in objection registers. The DPA concluded that the controller had failed to take appropriate technical and organisational measures to ensure that the processing of data subjects' personal data is carried out in accordance with data protection regulations through

Banca di Credito Cooperativo Appulo Lucana soc. cooperativa: Insufficient fulfilment of data subjects rights

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 20,000 on Banca di Credito Cooperativo Appulo Lucana soc. cooperativa. A former employee had requested access to the personal data in their personnel file. However, the controller did not fully comply with this request.

Enel Energia SpA: Insufficient technical and organisational measures to ensure information security

€79,100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Enel Energia SpA EUR 79.1 million due to its lack of compliance with technical and organisational measures aimed at limiting the potential abuses by agencies that unlawfully performed telemarketing activities. According to the DPA, Enel Energia acquired as many as 978 contracts from four different previously sanctioned companies, even though they did not belong to the energy company’s sales network. Moreover, following subsequent inspections at Enel Energia, the DPA asc

Company: Insufficient legal basis for data processing

€10,000 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 10,000 on a company. The controller used data for marketing purposes without a legal basis. The company obtained the data through internet research.

Private individual: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine on a private individual for recording a video of their neighbor in the bathroom without their consent.

Freelancer: Insufficient cooperation with supervisory authority

€16,000 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 16,000 on a freelancer. The controller operates a website without a privacy policy. The DPA contacted the controller, ordering him to include a privacy policy on his website, and announced that he would be fined EUR 2,000 if he did not comply. The controller ignored the order, resulting in the DPA ordering him a second and third time to include a privacy policy on his website. The controller continued to ignore the DPA's orders. Therefore, the DPA impo

UK Ministry of Defense: Insufficient technical and organisational measures to ensure information security

€400,000 fine - Information Commissioner (ICO)

The UK DPA has fined the Ministry of Defense EUR 400,000 for disclosing personal data of individuals who were to be relocated to the UK after the Taliban took control of Afghanistan in 2021. The Ministry of Defense had sent an email to a distribution list of Afghan nationals who were eligible for evacuation without hiding the e-mail addresses, thus revealing the personal e-mail addresses and personal data of the recipients to the other e-mail recipients. The ICO stated that if the data had fal

INSTITUT MARQUÉS OBSTETRICIA I GINECOLOGIA, S.L.P.: Non-compliance with general data processing principles

€48,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 48,000 on INSTITUT MARQUÉS OBSTETRICIA I GINECOLOGIA, S.L.P. The controller had suffered a data breach in which personal patient and employee data had been unlawfully accessed. During its investigation, the DPA found that the controller had failed to take appropriate technical and organizational measures to protect personal data. The DPA also found that the controller failed to properly inform data subjects about the data breach. The original fine of EUR 80,000 was redu