
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

49 Posts
12 Topics
Nov 24 Latest

Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles

€4,500,000 fine - Croatian Data Protection Authority (AZOP)

Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ

ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A.: Non-compliance with general data processing principles

€30,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish Data Protection Authority has imposed a fine of EUR 30,000 on ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A. The controller published a video of a violent incident in which the voices of the victim and the perpetrator could be heard, making them identifiable. The voices could have been distorted to protect the identity of the data subjects. The controller therefore breached the principle of data minimisation. The original fine of EUR 50,000 was reduced to EUR 30,000 due to prompt payment and acknowledgement of the infringement.

Energia Verde S.p.A.: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Energia Verde S.p.A. The controller had been active in direct marketing. It processed data without a sufficient legal basis, without sufficient technical and organisational measures to ensure data security, and without prior and correct identification of the roles of processors and data subjects. The controller further failed to adequately react to requests from data subjects to exercise their rights, to demonstrate that the

Energia Verde S.p.A.: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian Data Protection Authority (DPA) has imposed a fine of EUR 100,000 on Energia Verde S.p.A. The controller was active in direct marketing. The controller processed data without a sufficient legal basis, without sufficient technical and organisational measures to ensure data security, and without prior and correct identification of the roles of processors and data subjects. Furthermore, the controller did not respond adequately to requests from data subjects to exercise their rights, and failed to demonstrate that...

SPAIN, DPA: Non-compliance with general data processing principles

€600 fine - Spanish Data Protection Authority (AEPD)

The Spanish Data Protection Authority has imposed a fine on an unnamed controller. The controller kept full copies of personal identification documents for verification purposes. In this case, storing all of the information contained on an identity document was unnecessary and breached the principle of data minimisation. The original fine of EUR 1,000 was reduced to EUR 600 due to prompt payment and the controller's acknowledgement of responsibility.

EDA TV CONSULTING, S.L.: Non-compliance with general data processing principles

€3,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish Data Protection Authority (DPA) has imposed a fine on EDA TV CONSULTING, S.L. The controller had stored copies of personal identification documents in order to verify the identity of data subjects. According to the DPA, the controller breached the principle of data minimisation, because not all of the information on the identity card was necessary for the specific verification process. The original fine of EUR 5,000 was reduced to EUR 3,000 due to prompt payment and the controller's acknowledgement of responsibility.

GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS: Insufficient technical and organisational measures to ensure information security

€4,000,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS. The controller had suffered a data breach in which unknown third parties gained access to the customer data management system using a broker's credentials, which allowed them to access customer data such as names, IBANs and personal identification numbers. The incident affected approximately 1.5 million individuals. During its investigation, the DPA found, in particular, that the controller had failed to impl

CEGEDIM SANTÉ: Non-compliance with general data processing principles

€800,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 800,000 on CEGEDIM SANTÉ. The company, which provides software for medical practices, had transferred customer data for research purposes. However, the DPA found that this data was not anonymous but only pseudonymized, making re-identification possible.

Postel S.p.A: Insufficient technical and organisational measures to ensure information security

€900,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 900,000 on Postel S.p.A. The company suffered a ransomware attack that resulted in the loss of access to files containing personal data of approximately 25,000 individuals. Data subjects included employees, former employees, and job applicants. The compromised data included contact details, identification details, payment details, and criminal records (special category data) of the data subjects. Although the company had been aware of the security vulner

Avast Software s.r.o.: €13,900,000 fine

€13,900,000 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has fined Avast Software s.r.o. EUR 13.9 million. The company had disclosed the personal data of around 100 million users of its antivirus software to the US company Jumpshot. Avast had transferred this data, including the users' pseudonymized Internet browsing history in connection with a unique ID, to Jumpshot, but falsely declared it to be anonymized. Users were incorrectly informed about the transfer of anonymized data, although partial identification of the data subjects was p

UniCredit S.p.a.: Insufficient technical and organisational measures to ensure information security

€2,800,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2.8 million on UniCredit S.p.a. The bank had suffered a cyberattack on its mobile banking portal, during which the attackers gained access to numerous data (e.g. name, social security number, identification codes) of thousands of customers and former customers. The attackers were also able to determine the PIN used to access the portal for over 6,800 customers. During its investigation, the DPA found that the controller had failed to implement appropriate tec

International Card Services B.V.: Insufficient technical and organisational measures to ensure information security

€150,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 150,000 on International Card Services B.V. (ICS). ICS failed to carry out a data protection impact assessment before starting the digital identification of customers in the Netherlands in 2019. The identity check covered around 1.5 million people and involved sensitive personal data such as pictures of the data subjects.

UNIQUE HOTEL APARTMENT S.L.: Non-compliance with general data processing principles

€2,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 2,000 on UNIQUE HOTEL APARTMENT. The controller had copied identification documents for the purposes of guest registration and stored the copies. However, the DPA found that a copy of the identification documents was excessive and not strictly necessary for the purpose of guest registration.

Hotel: Insufficient legal basis for data processing

€15,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 15,000 on a hotel. The hotel was collecting personal data from guests in excess of what was necessary for the purpose of booking a hotel room, and without a valid legal basis. Specifically, the hotel collected the CVC number of guests' credit cards and copies of their identification documents. The hotel also failed to provide clear and transparent information to guests on the collection and use of their data. The hotel claimed it coll

Zagreb Holding d.o.o.: Insufficient fulfilment of information obligations

€25,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 25,000 on Zagreb Holding d.o.o., a utilities company owned by the city of Zagreb. The DPA had received a complaint from a citizen concerning Zagreb Holding's practice of requesting a copy of users' personal identification cards before issuing invoices via email. Previously, to receive invoices by email, users only needed to provide their name, surname, address, personal identification number, facility number and user number. During the inve

Debt collection agency: Insufficient technical and organisational measures to ensure information security

€2,265,000 fine - Croatian Data Protection Authority (AZOP)

The Croatian DPA (AZOP) has imposed a fine of EUR 2,265,000 on a debt collection agency. The fine is the highest ever imposed by AZOP. AZOP had received an anonymous complaint in December 2022 stating that a large number of debtors' personal data had been processed by the collection agency without authorization. Attached to the complaint was a USB stick containing personal data (name, date of birth, personal identification number) of 77,317 debtors. During its investigation, AZOP found that cont

Telecommunications Operator: Non-compliance with general data processing principles

€1,020 fine - Bulgarian Commission for Personal Data Protection (KZLD)

The Bulgarian DPA has imposed a fine of EUR 1,020 on a telecommunications operator. The controller did not implement sufficient identification methods, resulting in a customer profile being created for an individual who neither knew about nor wanted such a profile.

Bper Banca S.p.A.: Insufficient fulfilment of data subjects rights

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on Bper Banca S.p.A. An individual had filed a complaint with the DPA regarding the failure to fulfil their right to erasure of personal data. The individual had requested that the bank delete their personal data processed by the bank. The bank then asked the data subject to send their identification documents in order to verify their identity for the purpose of fulfilling the request. The data subject submitted their data, but did not receive a

Otavamedia Oy: Insufficient fulfilment of data subjects rights

€85,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 85,000 on Otavamedia Oy. The DPA had received eleven complaints regarding Otavamedia between 2018 and 2021. The complaints primarily concerned the lack of response to inquiries from data subjects. Otavamedia explained that some of the privacy requests had not been fulfilled due to a technical problem with email management. During the incident, messages received in the privacy inquiry email box were not forwarded to customer service representative

UAB Prime Leasing: Insufficient technical and organisational measures to ensure information security

€110,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined UAB Prime Leasing, the operator of the short-term car rental platform CityBee, EUR 110,000. The DPA conducted the investigation on its own initiative after information about a possible personal data breach (Art. 33 GDPR) affecting the company's customers became public in February 2021. According to the company, it learned about the security breach from another cybersecurity service provider, which informed it that the customer data of 110,302 CityBee users had been publish

Bank Millennium S.A: Insufficient fulfilment of data breach notification obligations

€78,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) has imposed a fine of EUR 78,000 on Bank Millennium S.A. The UODO had become aware of a data protection breach following a complaint against the bank. It turned out that correspondence sent by the bank through a courier service, containing personal data such as first name, last name, PESEL number, home address, account numbers and identification numbers of customers, had been lost. In this regard, the UODO found that the bank had failed to report the incident to the DPA and

Furnishyourspace S.L.: Insufficient fulfilment of information obligations

€6,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) imposed a fine of EUR 6,000 on FurnishYourSpace S.L. The AEPD had received a complaint from the Berlin DPA via the EU Internal Market Information System about the inadequate design of the controller's privacy notice. The identity and contact details of the controller were provided in the privacy notice, but under a misleading heading that gave the impression that they were provided for a business purpose. In addition, the purposes of the processing were not clearl

Banco Bilbao Vizcaya Argentaria, S.A.: Insufficient technical and organisational measures to ensure information security

€120,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A. The reason for this was a complaint from a person relating to a lack of authentication: only the ID number had to be given as identification when information was provided by telephone. This could allow any person to call, provide an ID number, and thus receive the information associated with that ID number without any verification that the caller is actually the ID holder. The DPA considered this to

Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra: Insufficient fulfilment of data breach notification obligations

€3,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) has imposed a fine of EUR 3,000 on Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra (Foundation for the Promotion of Mediation and Legal Education). The controller had not promptly informed the DPA and the data subjects about a personal data breach. Several folders containing personal data had been stolen from the controller in early 2020. These included names, addresses and telephone numbers, and in 3 to 4 cases also PESEL numbers (Polish identificatio

UAB VS FITNESS: Non-compliance with general data processing principles

€20,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA (VDAI) has imposed a fine of EUR 20,000 on UAB VS FITNESS. After receiving a notification from an individual stating that scanning a fingerprint was necessary to use the services of a sports club owned by the controller, the DPA started an investigation against the controller. The DPA's review found that the consent given by customers to have their fingerprint patterns processed was not voluntary as there were no other identification measures. In addition, the DPA found that t

Storstockholms Lokaltrafik: Insufficient legal basis for data processing

€1,600,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has fined Storstockholms Lokaltrafik (Stockholm Local Transport Company) EUR 1,600,000. The controller had equipped ticket inspectors with body-worn cameras, which were designed to prevent threatening situations, document incidents, and ensure that the right person was fined for traveling on Stockholm's public transportation without a valid ticket. Ticket inspectors were required to keep the camera on for their entire shift and were therefore able to film all passengers who passe

Aeroporto Guglielmo Marconi di Bologna S.p.a.: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian DPA (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000 and its software suppl

aiComply S.r.l.: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The identity of whistleblowers must be protected by special confidentiality rules, as the information processed is particularly sensitive and the risk of retaliation and discrimination in the work environment is high. In this context, the controller is obliged to comply with the principles of data protection and to ensure the integrity and security of the data. Against this background, the Italian Data Protection Authority (Garante) fined Aeroporto Guglielmo Marconi di Bologna S.p.a. EUR 40,000

ParkkiPate Oy: Insufficient fulfilment of data subjects rights

€75,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 75,000 on ParkkiPate Oy. A number of people had been issued parking tickets by the controller and had thereupon requested information about which personal data was being processed and, in some cases, requested the deletion of their data. However, in order to process the requests, the controller stated that it needed the ID card number and address of the data subjects for identification purposes, as their name with the parking ticket number was not suffic

FRANCE DPA: Insufficient technical and organisational measures to ensure information security

€150,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) fined a company and its subcontractor EUR 150,000 and EUR 75,000 for failing to take sufficient measures against credential stuffing attacks on the company's website. Between June 2018 and January 2020, the CNIL received several notifications of personal data breaches related to a website where several million customers regularly shop. In response, the CNIL decided to investigate the company and its subcontractor entrusted with the management of this website. In the course

FRANCE DPA: Insufficient technical and organisational measures to ensure information security

€75,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) fined a company and its subcontractor EUR 150,000 and EUR 75,000 for failing to take sufficient measures against credential stuffing attacks on the company's website. Between June 2018 and January 2020, the CNIL received several notifications of personal data breaches related to a website where several million customers regularly shop. In response, the CNIL decided to investigate the company and its subcontractor entrusted with the management of this website. In the course

Śląski Uniwersytet Medyczny (Medical University of Silesia): Insufficient fulfilment of data breach notification obligations

€5,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) imposed a fine of PLN 25,000 (EUR 5,500) on the Medical University of Silesia. In the course of exams held in the form of videoconferences at the end of May 2020, identification of students took place. Once the exam was completed, the recordings of the exams were available not only to the examinees, but also to other people with access to the system. In addition, any outsider could access the records of the examinations and the data of the examined students presented during

University College Dublin: Insufficient technical and organisational measures to ensure information security

€70,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) fined University College Dublin (UCD) EUR 70,000 due to seven personal data breaches. Unauthorized third parties were able to access UCD e-mail accounts, and login credentials for UCD e-mail accounts were posted online. It was found that the controller did not take appropriate technical and organisational measures to protect data security when processing personal data in its email service. In addition, the controller stored certain personal data in an email account in a form

Apotheka e-apteek: Insufficient legal basis for data processing

€100,000 fine - Estonian Data Protection Authority (AKI)

The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription dru

Südameapteegi e-apteek: Insufficient legal basis for data processing

€100,000 fine - Estonian Data Protection Authority (AKI)

The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription dru

Azeta.ee e-apteek: Insufficient legal basis for data processing

€100,000 fine - Estonian Data Protection Authority (AKI)

The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription dru

Legal Person: Insufficient legal basis for data processing

€400 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has imposed a fine of EUR 400 on a legal person. The accused did not provide evidence that the data subject had consented to the scanning or copying of their ID card or other identification documents in connection with a contract for renting sports equipment. Furthermore, she failed to justify the necessity of both scanning/copying and storing these documents.

Banca Comercială Română SA: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The data protection authority found that the company had not taken adequate technical and organisational measures to ensure an adequate level of information security. This applied in particular to the collection and transmission of copies of customers' identification documents via WhatsApp.

Gladsaxe Municipality: Insufficient technical and organisational measures to ensure information security

€14,000 fine - Danish Data Protection Authority (Datatilsynet)

A computer containing unencrypted personal data, including sensitive information and the personal identification numbers of 20,620 city residents, was stolen.

Sapienza Università di Roma: Insufficient technical and organisational measures to ensure information security

€30,000 fine - Italian Data Protection Authority (Garante)

The fine is based on the fact that, according to the data protection authority, Sapienza Università made the identification data of two people who had reported possible illegal behaviour to the university available online. This was due to the lack of adequate technical access control measures within the whistleblowing management system, which had not limited access to such data to authorised personnel only.

Curenergía Comercializador de último recurso: Insufficient legal basis for data processing

€75,000 fine - Spanish Data Protection Authority (AEPD)

An individual filed a complaint against the company alleging that the company had used their personal data as a former customer, such as first and last name, VAT identification number and address, to enter into an electricity supply contract.

FAN Courier Express SRL: Insufficient technical and organisational measures to ensure information security

€11,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The fine was imposed because the controller failed to take appropriate technical and organisational measures, leading to the loss of, and unauthorised access to, personal data (name, bank card number, CVV code, cardholder's address, personal identification number, identity card serial number, bank account number, authorised credit limit) of approximately 1,100 data subjects.

Corporación Radiotelevisión Española: Insufficient technical and organisational measures to ensure information security

€60,000 fine - Spanish Data Protection Authority (AEPD)

CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The breach affected about 11,000 people and involved identification data, employment data, data about criminal convictions and health data.

Merchant: Non-compliance with general data processing principles

€10,000 fine - Belgian Data Protection Authority (APD)

The Belgian data protection authority has imposed a fine of EUR 10,000 on a merchant who wanted to use the electronic identity card (eID) to create a customer card. The DPA's investigation revealed that the merchant required access to personal data stored on the eID, including the photo and the barcode, which is linked to the data subject's identification number. The decision of the data protection authority has since been annulled by a court.

DSK Bank: Insufficient technical and organisational measures to ensure information security

€511,000 fine - Data Protection Commission of Bulgaria (KZLD)

Leakage of personal data due to inadequate technical and organisational measures to ensure the protection of information security. Third parties had access to over 23,000 credit records relating to over 33,000 bank customers, including personal data such as names, citizenships, identification numbers, addresses, copies of identity cards and biometric data.

CZECH REPUBLIC DPA: Non-compliance with general data processing principles

€10,000 fine - Czech Data Protection Authority (UOOU)

Data was not processed in a way that was adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed ('data minimisation'), and was not kept in a form which permits identification of data subjects for no longer than is necessary for those purposes ('storage limitation').

Telecommunication service provider: Insufficient legal basis for data processing

€27,100 fine - Bulgarian Commission for Personal Data Protection (KZLD)

Repeated registration of prepaid services without the knowledge and consent of the data subject. Employees of the telecommunications provider used personal data to register the complainant for the company's prepaid service. The data subject had not signed the application and had not consented to the processing of his personal data for the stated purpose. No other legal basis applied either. The signature on the application and the complainant's own genuine application were not i

Debt collector: Non-compliance with general data processing principles

€1,560 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

A data subject requested information about, and erasure of, the data processed, which the debt collector refused, stating that it could not identify the subject. For identification purposes it requested the place of birth, mother's maiden name and further details from the data subject. After the controller succeeded in identifying the data subject, it refused to comply with the deletion request, arguing that it was legally obliged to retain backup copies under the Accountancy Act and internal policies. S

Vodafone España, S.A.U.: Insufficient legal basis for data processing

€21,000 fine - Spanish Data Protection Authority (AEPD)

Vodafone had processed personal data of the claimant (bank details, name, surname and national identification number) years after the contractual relationship had ended. The fine of EUR 35,000 was reduced to EUR 21,000.