
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

25 posts, 12 topics, latest: Jul 11

NN Greek Single-Member Anonymous Life Insurance Company: Insufficient fulfilment of data subjects rights

€20,000 fine - Hellenic Data Protection Authority (HDPA)

The Greek DPA has imposed a fine of EUR 20,000 on NN Greek Single-Member Anonymous Life Insurance Company. The controller failed to provide the data subject with the personal data they had requested, thereby infringing the data subject's right of access.

Hospital: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system,

Vinted: Insufficient fulfilment of data subjects rights

€2,385,276 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has imposed a fine of EUR 2,385,276 on the second-hand online store 'Vinted'. The DPA initiated an investigation after the Polish and French DPAs forwarded complaints against the company. During its investigation, the DPA found that the company had not adequately processed deletion requests from data subjects as they had not provided specific reasons for their deletion request. It was also revealed that the company was unlawfully using 'shadow blocking' to remove users from th

FRANCE DPA: Insufficient fulfilment of data subjects rights

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a controller for not sufficiently respecting data subjects' rights (exercising the right of access to a medical file).

Clearview AI Inc.: Non-compliance with general data processing principles

€30,500,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Clearview AI Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company's database had been processed u

Azienda ospedale università di Padova: Non-compliance with general data processing principles

€75,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 75,000 on Azienda ospedale università di Padova. During its investigation, the DPA found that employees had accessed patient files without authorization and that the controller did not have appropriate access restrictions in place. This allowed employees to access patient files that were not necessary for their work, e.g. because they were not treating the patients in question.

Dentist: Insufficient fulfilment of data subjects rights

€5,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000 on a dentist due to a lack of data security and a failure to respect the right of access of a data subject.

Black Tiger Belgium: Insufficient fulfilment of information obligations

€174,640 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 174,640 on Black Tiger Belgium. An individual had filed a complaint with the DPA due to the controller's failure to properly comply with their request to exercise their right of access. During its investigation, the DPA further found that the controller had processed personal data in various databases without sufficiently informing the data subjects. The DPA also found that the data retention period of 15 years was excessively long and not necessary. Fin

Club Náutico el Estacio: Insufficient technical and organisational measures to ensure information security

€6,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 6,000 on Club Náutico el Estacio. A data subject filed a complaint against the controller with the AEPD. The complaint is based on the fact that the controller had published the announcement and the record of the club's ordinary meeting on its website, disclosing personal data without access restrictions.

Telecommunications company: Insufficient technical and organisational measures to ensure information security

€285,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA has fined a telecommunications company EUR 285,000. The company had suffered a data breach. Attackers had managed to access data from about 100,000 data subjects. During its investigation, the DPA found that such a breach was facilitated by the company's failure to implement adequate technical and organizational security measures for the processing of personal data. For example, the processing systems lacked access restrictions. In assessing the fine, it was taken into aggravati

Unicredit S.p.A.: Insufficient fulfilment of data subjects rights

€70,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Unicredit S.p.A. EUR 70,000. An employee had filed a complaint with the DPA claiming that their right to access their personal data had not been sufficiently respected. The company required a specific form to be filled out in order to gain access to personal data. During its investigation, the DPA found that the requirement to fill out the form made it disproportionately difficult to exercise the right of access.

Clearview AI Inc.: Non-compliance with general data processing principles

€9,000,000 fine - Information Commissioner (ICO)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such

Il Sole 24 Ore S.p.a.: Insufficient fulfilment of data subjects rights

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined the newspaper Il Sole 24 Ore S.p.a. EUR 40,000. The newspaper had published an article on the recognition by the Italian authorities of a U.S. judge's decision on the adoption of a child by a same-sex couple. By mistake, the newspaper also published personal data on the couple and the adopted child. The couple then demanded the deletion of the personal data and access to information about the processing of the personal data. The newspaper deleted the personal data, but

Kaufland România SCS: Insufficient fulfilment of data subjects rights

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 3,000 on Kaufland România SCS. The DPA initiated an investigation based on a complaint from an individual stating that the controller had not provided them with a complete copy of the video recordings for a certain period of time when they had been in the store premises. The DPA stated that the controller is obliged to disclose the video images of the data subject after they exercise their right of access, and that the controller may disclose

Midtjylland Region: Insufficient technical and organisational measures to ensure information security

€53,800 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 53,800 on Midtjylland Region. On June 12, 2020, the DPA received a notification from the region regarding a personal data security breach pursuant to Art. 33 GDPR. According to the notification, all patients and staff at a lifestyle center were able to access a building where up to 100,000 physical patient records were stored, including health information and personal identity number details. The reason for this was that both staff and patients had been g

Club Náutico el Estacio: Insufficient technical and organisational measures to ensure information security

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 3,000 on Club Náutico el Estacio. A data subject filed a complaint against the controller with the AEPD. The complaint is based on the fact that the controller had published the announcement and the record of the club's ordinary meeting on its website, disclosing personal data without access restrictions.

Cypriot Real Estate Registration Authority: Insufficient fulfilment of information obligations

€10,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA imposed a fine of EUR 10,000 on the Cypriot Real Estate Registration Authority. The data subject submitted a written request to the controller requesting various information relating to him personally, exercising the right of access granted to him under Art. 15 GDPR. After the controller failed to respond to the request for information, the data subject filed a complaint with the DPA. In the course of the subsequent investigation by the DPA, the controller also failed to respond

Cosmetic Medical Limited: Insufficient cooperation with supervisory authority

€3,250 fine - Information Commissioner of Isle of Man

The Isle of Man DPA has imposed a fine of EUR 3,250 on Cosmetic Medical Limited. A data subject had filed a complaint with the DPA regarding the controller's failure to comply with her request to exercise her right of access to personal data. As part of its investigation, the DPA sent the controller a request for information in order to clarify the facts of the case. However, the controller did not respond to this request in due time. The DPA concluded that as the controller did not properl

American College of Greece: Insufficient fulfilment of information obligations

€1,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA (HDPA) imposed a fine of EUR 1,000 against the American College of Greece for violations of the right of access and the right to erasure of personal data.

Department of Home Affairs: Insufficient fulfilment of data subjects rights

€13,500 fine - Information Commissioner of Isle of Man

Fines for failure to comply with the right of access to personal data under Articles 12 and 15 GDPR. The Isle of Man has declared the GDPR - although it is not an EU state - to be applicable.

Unknown Company: Insufficient fulfilment of data subjects rights

€5,800 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The data controller had not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that its data processing activities had been in compliance with data protection laws.

Telefónica: Insufficient cooperation with supervisory authority

€30,000 fine - Spanish Data Protection Authority (aepd)

Telefónica had failed to comply with decision TD / 00127/2019 of the Director of the AEPD, which required it to reply to data subjects' requests to exercise their rights of access and erasure.

Bank (name not available at the moment): Insufficient fulfilment of data subjects rights

Croatian Data Protection Authority (azop)

In the period from May 2018 to April 2019, the bank (name not available at the moment) refused to provide its customers with copies of credit documentation (e.g. repayment plan, loan agreement annex, review of interest rate changes, etc.). The bank argued that the documentation related to repaid loans and constituted loan documentation that cannot be subject to the customers' right of access. During the procedure initiated on the basis of data subjects' complaints, the DPA ordered th

Public Power Corporation S.A.: Insufficient fulfilment of data subjects rights

€5,000 fine - Hellenic Data Protection Authority (HDPA)

The Decision clarified that data subjects have a right of access to the processing of their personal data and that they must also be provided with a copy of the personal data processed. No reasons need to be given for the request.

Food company: Insufficient technical and organisational measures to ensure information security

€100,000 fine - Data Protection Authority of Baden-Wuerttemberg

The company had set up an applicant portal on its website where interested parties could submit their application documents online. However, the company did not offer an encrypted transmission of the data, nor did it store the applicant data in an encrypted or password-protected manner. In addition, the unsecured applicant data was linked to Google, so that anyone searching for the respective applicant names on Google could find their application documents and retrieve them without access restri