Enforcement

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a driving school. The controller has installed video surveillance, but failed to adequatly inform data subjects. The original fine of EUR 500 was reduced to EUR 300 due to immediate payment and admission of responsibility by the controller.

Een boete van 300 euro - Spaanse Autoriteit voor Gegevensbescherming (AEPD).

De Spaanse autoriteit voor gegevensbescherming heeft een boete van 300 euro opgelegd aan een rijschool. De verantwoordelijke partij had cameratoezicht geïnstalleerd, maar heeft de betrokkenen niet voldoende geïnformeerd over de verwerking van hun gegevens. De oorspronkelijke boete van 500 euro is verlaagd tot 300 euro vanwege de directe betaling en de erkenning van verantwoordelijkheid door de verantwoordelijke partij.

€5,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 5,000 on a gynaecologist. The controller failed to completely fullfill an information request by a patient.

Een boete van 4.000 euro - opgelegd door de Spaanse autoriteit voor gegevensbescherming (AEPD).

De Spaanse autoriteit voor gegevensbescherming (DPA) heeft een boete opgelegd aan CREMA GAMES, S.L. De verantwoordelijke partij heeft een verzoek om informatie van een online klant niet inwilligend gemaakt. De verantwoordelijke partij had de betrokkene om een identiteitsbewijs gevraagd, maar de betrokkene had dit niet verstrekt. Hierdoor weigerde de verantwoordelijke partij het verzoek om informatie te behandelen. Volgens de DPA had de verantwoordelijke partij een digitale authenticatiemethode moeten gebruiken. De oorspronkelijke boete van 5.000 euro is verlaagd naar 4.000 euro vanwege een onmiddellijke betaling zonder erkenning van schuld.

€4,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine on CREMA GAMES, S.L. The controller failed to fulfill an information request from an online customer. The controller asked the data subject for an identity document, but the data subject did not provide one. As a result, the controller refused to fulfill the information request. According to the DPA, the controller should have used a digital authentication method. The original fine of EUR 5,000 was reduced to EUR 4,000 due to immediate payment without admission of

€100,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 100,000 on the real estate management company ATRIUM LEX SFC. An investor had filed a complaint with the DPA because the controller had requested a copy of the investor's ID card to enable them to receive information about a project. The DPA found that the controller had not provided sufficient information about this data processing and that the sending of copies of ID cards by email was not sufficiently secure. The DPA assessed this as a violation of Ar

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a data controller. The controller had installed a video surveillance system without adequately providing information for data subjects.

€4,750,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 4.75 million on Netflix. This fine is based on a complaint filed by the Austrian organization 'noyb'. During its investigation, the DPA found that between 2018 and 2020, Netflix did not sufficiently inform customers about the processing of their personal data. The privacy policy was partly unclear and, did not provide sufficient information on the purpose and legal basis of the data collection and use, for example. In addition, requests from data subjects

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,000 on MINAS DE VALDECASTILLO, S.A.. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly provided information about the data processing by the cameras and thus violated its duty to inform.

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined LOCAL VERTICALS, S.L. EUR 10,000. An individual filed a complaint with the DPA because they could not access the privacy policy during the registration process on the controller's website. The link to the privacy policy led to a third-party company's website, making it impossible for the data subject to obtain the required information regarding data processing.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on DIGIMAN ALICANTE S.L.. The data controller had installed a video surveillance system without adequately providing information for data subjects. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and acknowledgement of responsibility.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 600 on ASSOCIACIO CANNABICA DEL MARESME ACANNAM. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly provided information about the data processing by the cameras and thus violated its duty to inform.

€5,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000 on a bakery. The DPA found that the controller had violated its information obligations and the principle of data minimization in the context of data processing involving video surveillance.

€800 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 1,000 was reduced to EUR 800 due to voluntary payment.

€15,000 fine - French Data Protection Authority (CNIL)

The French DPA has fined an association EUR 15,000 due to a lack of data security, non-compliance with the principle of data minimisation and a failure to comply with its information obligations under the GDPR.

€10,000 fine - French Data Protection Authority (CNIL)

The French DPA has fined an association EUR 10,000 due to a lack of data security, non-compliance with the principle of data minimisation and a failure to comply with its information obligations under the GDPR.

€6,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 6,000 on a public educational institution for violating the principle of data minimization and its information obligations unter the GDPR.

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 3,000 on CUBILLO GALLEGO S.L. for failing to ensure that the privacy policy on a website they operate complied with the requirements of Art. 13 GDPR.

Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed seven fines totaling EUR 16,000 on data controllers for failing to adequately mark video-monitored areas. This lack of marking resulted in people entering these areas not being informed of the surveillance, as the signs were either not visible on entry or did not contain all the necessary information. The fines ranged from EUR 500 to 4,000 and were imposed on various establishments, including hotels, restaurants, and shops. According to Art. 27 (1) of the Law

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 600 on a website operator for failing to ensure that the privacy policy on a website complied with the requirements of Art. 13 GDPR.

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,000 on DELSA ALQUILERES S.L.. The controller had installed video surveillance cameras in a residential complex which, among other things, also recorded common areas, although this was not authorized by the homeowners' association. In addition, the controller did not sufficiently comply with its information obligations under Art. 13 GDPR.

€1,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined a store owner EUR 1,000. The controller had installed video surveillance cameras in its premises without properly informing data subjects about the processing of personal data by the video surveillance.

€500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500 on JUNTA DE CONSERVACION SECTOR RESIDENCIAL ELORDIGAN SAT. The controller had installed a video surveillance system without sufficiently informing data subjects about the CCTV.

€800 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform. The original fine of EUR 1000 was reduced to EUR 800 due to voluntary payment.

€365,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 365,000 on CTC EXTERNALIZACIÓN, S.L.. An employee had filed a complaint with the DPA due to the fact that the controller had requested fingerprints of employees in order to implement a new time and attendance system. However, it was not communicated that the fingerprints would also be stored in the staff portal. For this reason, the DPA found that the controller had violated its duty to inform. The DPA also found that the controller was unable to demonst

€174,640 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 174,640 on Black Tiger Belgium. An individual had filed a complaint with the DPA due to the controller's failure to properly comply with their request to exercise their right of access. During its investigation, the DPA further found that the controller had processed personal data in various databases without sufficiently informing the data subjects. The DPA also found that the data retention period of 15 years was excessively long and not necessary. Fin

€2,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined a company s.r.l. EUR 2,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance.

€10,000,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Uber Technologies Inc. and Uber B.V. EUR 10 million for failing to provide sufficient information about the storage period of European drivers' data and the countries outside of the EU to which the data was transferred. The DPA also found that Uber made it unnecessarily difficult for drivers to request access to their data. Although there was a digital form in the app that drivers could use to request access, it was not placed in an easily accessible position. In addition

€2,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Mushtaq Rubina Kebabish EUR 2,000. The controller had operated video surveillance cameras in one of their premises without properly informing about the CCTV and the processing of personal data by the cameras.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.

€500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500 on a private individual. The individual had installed a video surveillance system in a laundromat operated by them without sufficiently informing data subjects about the CCTV. The DPA considered this to be a breach of Art. 13 GDPR.

€240 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 240 on a private individual. The controller had installed video surveillance cameras without properly informing data subjects.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 600 on a hotel. The controller had installed video surveillance cameras which, among other things, also covered the public space and private properties. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the data processing by the video surveillance and thus violated its duty to inform.

€180 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 180 on a private individual. The controller had installed video surveillance cameras without properly informing data subjects.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined a private individual EUR 600 for installing a video surveillance camera that captured parts of a commonly shared garage. The DPA considered this a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.

€3,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Palombaro s.r.l. EUR 3,000. The controller had installed video surveillance cameras in its premises without properly informing the data subjects about the processing of the data by the video surveillance.

€420 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined CHINA CENTER LLEIDA due to a lack of sufficient data processing information in relation to video surveillance in their premises. The original fine of EUR 700 was reduced to EUR 420 due to immediate payment and admission of responsibility.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and a neighbour property. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.

€12,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 12,000 on the website operator CHATWITH.IO WORLDWIDE, S.L. During its investigation, the DPA found that the controller had failed to adequately comply with its information obligations under Art. 13 GDPR. For example, there was a lack of detailed information on the purposes of processing personal data on the website. Furthermore, the design of a cookie banner used so-called dark patterns, with the pop-up giving users only the choice between consent and ac

€25,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 25,000 on Zagreb Holding d.o.o., utilities company owned by the city of Zagreb. The DPA had received a complaint from a citizen concerning Zagreb Holding's practice of requesting a copy of users' personal identification cards before issuing invoices via email. Previously, to receive invoice by email the users only needed to provide their name, surname, address, personal identification number, facility number and their user number. During the inve

€10,300 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has fined the University of Iceland EUR 10,300. The university had not sufficiently informerd about the existence of video surveillance cameras on university buildings and had not provided sufficient information about the purpose, nature and scope of the data processing.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 300 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space, without properly informing the data subjects.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a private individual. The person had installed a surveillance camera in an apartment building without first obtaining permission from the owners' association.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has fined a private individual EUR 300 for failing to provide sufficient information about a video surveillance system installed at their property.

€300 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 300 on a private individual. The controller had installed a video surveillance system in a shared garage without properly informing about it.

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 600 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space. The DPA considered this to be a violation of the principle of data minimization. In addition, the controller had not properly informed the data subjects about the processing of the data by the video surveillance and thus violated its duty to inform.

€6,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on ELECTRAWORKS - CEUTA, S.A.. The controller had failed to provide sufficient information about the retention periods of personal data. The original fine of EUR 10,000 was reduced to EUR 6,000 due to voluntary payment and acknowledgement of responsibility.

Czech Data Protection Auhtority (UOOU)

In the period from January 2023 to July 2023, the Czech DPA imposed fines totaling EUR 178,000, with the highest fine being EUR 36,000. These fines were imposed due to unlawful processing of personal data in relation to cookies. The types of violations vary. Given examples are: Insufficient legal basis, insufficient compliance with information obligations or design issues. The DPA emphasizes that it will not publish individual fines due to the non-public nature of administrative proceedings.