
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions


Company: Non-compliance with general data processing principles

€3,500,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact as

Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles

€4,500,000 fine - Croatian Data Protection Authority (azop)

Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ

Fine for LocateFamily.com. The Woo request also concerned general policy documents on dealing with data processors in third countries. (rejected)


IBERCAJA BANCO, S.A.: Non-compliance with general data processing principles

€42,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine of EUR 42,000 on IBERCAJA BANCO, S.A. During a bank transfer, the controller transmitted more data than necessary to the recipient of the payment. The original fine of EUR 70,000 was reduced to EUR 42,000 due to immediate payment and admission of responsibility by the controller.

CALOGA: Non-compliance with general data processing principles

€80,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 80,000 on CALOGA. The controller is a company that obtains data from data brokers in order to use it for marketing purposes. The DPA found multiple infringements of the GDPR and the French Post and Electronic Communications Code. The controller lacked a sufficient legal basis for transferring data to third parties for advertising purposes. Additionally, the controller retained data longer than necessary.

SOLOCAL MARKETING SERVICES: Insufficient legal basis for data processing

€900,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 900,000 on SOLOCAL MARKETING SERVICES. The controller, a company that also engages in direct marketing activities for its clients, is using direct messages to contact potential customers on behalf of its clients. The company also transfers data of potential customers to its clients. The controller obtained the data through data brokers and was unable to prove that the potential customers (data subjects) had given consent for the described use of their data. In addi

TikTok Technology Limited: Insufficient legal basis for data processing

€530,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined TikTok EUR 530 million. In its decision, the DPC found that TikTok infringed Art. 13 (1) f) GDPR and Art. 46 (1) GDPR due to the unlawful transfer and storage of personal data of users in the EEA on Chinese servers. TikTok was unable to verify, guarantee and demonstrate that the supplementary measures and the Standard Contractual Clauses were effective in guaranteeing that the data was afforded a level of protection equivalent to the level of protection guaran

Chamber of Commerce, Industry, Services and Navigation of Spain: Insufficient legal basis for data processing

€500,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500,000 on the Chamber of Commerce, Industry, Services and Navigation of Spain. Due to its function within the Spanish Executive, the controller has access to the basic data of all Spanish companies, including information regarding solvency, contact details, tax numbers and more. Self-employed persons are also included. The controller has decided to make this information available to the public. For this purpose, the controller created the legal entity C

Poczta Polska SA (Polish Post): Insufficient legal basis for data processing

€6,300,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 6.3 million on Poczta Polska SA (Polish Post) for the unlawful disclosure of personal data of over 30 million citizens from the PESEL database, in connection with the planned postal vote during the Covid-19 pandemic. Although the law amending the electoral regulations had not yet come into effect, the Ministry of Digital Affairs transferred sensitive data such as names, addresses, and PESEL numbers to the postal company. The data was only deleted weeks la

IBERMUTUA, MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL NUM.274.: Non-compliance with general data processing principles

€600,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on IBERMUTUA, MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL NUM.274. Due to a technical error in its online platform, personal data, including health information, of 3,395 individuals was unlawfully transferred to 354 recipients. The DPA found that the controller had failed to implement appropriate technical and organisational measures to protect personal data that could have prevented such an incident. The original fine of EUR 1 million was reduced to EUR 600,000

CEGEDIM SANTÉ: Non-compliance with general data processing principles

€800,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 800,000 on CEGEDIM SANTÉ. The company, which provides software for medical practices, had transferred customer data for research purposes. However, the DPA found that this data was not anonymous but only pseudonymized, making re-identification possible.

Uber Technologies Inc., Uber B.V.: Non-compliance with general data processing principles

€290,000,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 290 million on Uber for transferring personal data of European drivers to the USA without sufficient privacy safeguards. The DPA launched an investigation after 170 French drivers filed complaints with the 'Ligue des droits de l'Homme'. The DPA's investigation revealed that Uber had stored sensitive personal data—such as location information, payment details, identity documents, and health data—on US servers without adequate safeguards for over two years.

Avanza Bank AB: Insufficient technical and organisational measures to ensure information security

€1,300,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 1.3 million on Avanza Bank AB. The controller had used so-called meta pixels on its website and app, which caused personal data such as securities holdings and account numbers to be transmitted to Meta. These transfers took place from November 15, 2019 to June 2, 2021 due to incorrect settings. After becoming aware of this, Avanza deactivated the pixels and confirmed that Meta had deleted the data. Avanza has also improved its internal data security proc

Avast Software s.r.o.: €13,900,000 fine

€13,900,000 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has fined Avast Software s.r.o. EUR 13.9 million. The company had disclosed the personal data of around 100 million users of its antivirus software to the US company Jumpshot. Avast had transferred this data, including the users' pseudonymized Internet browsing history in connection with a unique ID, to Jumpshot, but falsely declared it to be anonymized. Users were incorrectly informed about the transfer of anonymized data, although partial identification of the data subjects was p

CAIXABANK, S.A: Insufficient legal basis for data processing

€1,200,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on CAIXABANK, S.A. A person filed a complaint with the DPA because they were asked to fill out a form with personal data. A clause on the form included consent for the data to be transferred to the General Treasury of Social Security, without the option to refuse consent. The original fine of EUR 2,000,000 was reduced to EUR 1,200,000 due to immediate payment and acknowledgement of responsibility.

Uber Technologies Inc. Uber B.V.: Insufficient fulfilment of information obligations

€10,000,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Uber Technologies Inc. and Uber B.V. EUR 10 million for failing to provide sufficient information about the storage period of European drivers' data and the countries outside of the EU to which the data was transferred. The DPA also found that Uber made it unnecessarily difficult for drivers to request access to their data. Although there was a digital form in the app that drivers could use to request access, it was not placed in an easily accessible position. In addition

Reykjanesbær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Reykjanesbær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes oth

City of Hafnarfjörður: Non-compliance with general data processing principles

€18,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 18,600 on the city of Hafnarfjörður. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the

City of Reykjavik: Non-compliance with general data processing principles

€13,300 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 13,300 on the city of Reykjavik. The city had used the Google Education system in schools without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified

Garðabær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Garðabær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other t

City of Kópavogur: Non-compliance with general data processing principles

€20,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 20,000 on the city of Kópavogur. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city

Limit Call S.r.l.s.: Insufficient legal basis for data processing

€60,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 60,000 on Limit Call S.r.l.s. for unauthorized telemarketing. The controller had acquired lists of personal data without checking the legality of the data transfer, e.g. whether the data could also be used for commercial purposes or whether the data subjects had given their consent. In addition, it was not checked whether the telephone numbers called were entered in the public objection register.

CAIXABANK, S.A.: Non-compliance with general data processing principles

€5,000,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 5 million on CAIXABANK, S.A. A customer had filed a complaint about having access to a document containing information on a transfer from a third party. The document contained personal data of the third party, such as the name and bank details of the data subject. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data and prevent such incidents. The D

ENDESA ENERGÍA, S.A.U.: Non-compliance with general data processing principles

€6,100,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined ENDESA ENERGÍA, S.A.U. EUR 6.1 million due to a security breach resulting in unauthorized access to its systems. The controller had informed the DPA that certain Facebook ads had been placed offering the sale of login credentials for the Endesa platform, resulting in the compromise of data such as names, first names, ID numbers, telephone numbers, email addresses, postal addresses and bank account numbers of millions of individuals. The DPA found that the controller had f

BANCO BILBAO VIZCAYA ARGENTARIA, S.A.: Insufficient technical and organisational measures to ensure information security

€800,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined BANCO BILBAO VIZCAYA ARGENTARIA, S.A. EUR 800,000. A customer had lost her handbag, which also contained her bank card. The individual therefore requested the controller to block all banking products. However, the controller failed to comply, which is why it was then possible for third parties to access the individual's bank products and transfer money under false identities. During its investigation, the DPA found that the controller had failed to implement appropriate

Self Employed Person: Insufficient fulfilment of data subjects rights

€1,040 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has imposed a fine of EUR 1,040 on a self-employed person. The accused's website did not comply with GDPR requirements for cookies, as it processed data before obtaining consent, set cookies with an excessive expiration period, and may have transferred data outside the EU and EEA. The inspection was initiated by a Polish citizen. Despite a warning from the Office for Personal Data Protection, the accused failed to address these issues.

Legal Person: Insufficient legal basis for data processing

€3,570 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has imposed a fine of EUR 3,570 on a legal person. Following a complaint, the Office for Personal Data Protection carried out an inspection of the accused's website. It found that the site's cookies also processed data on behalf of third parties and that this data was transferred abroad (to the USA).

CDON AB: Insufficient technical and organisational measures to ensure information security

€25,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 25,000 on CDON AB. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses in the absence of an EU Commission adequacy decision for the USA. In the c

Tele2 Sverige Aktiebolag: Insufficient technical and organisational measures to ensure information security

€1,000,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 1 million on Tele2 Sverige Aktiebolag. The Austrian organization None of your Business (NOYB) had filed a complaint against the company in light of the Schrems II judgment, stating that the company was unlawfully transferring personal data to the US. The company had used Google Analytics for visitor statistics and based the data processing by the statistics tool on the EU standard contractual clauses, as no adequacy decision had been issued by the EU Com

Spotify: Insufficient fulfilment of data subjects rights

€4,900,000 fine - Data Protection Authority of Sweden

The Swedish Data Protection Authority (DPA) has imposed a fine of EUR 4.9 million on the music streaming provider Spotify. The DPA had launched an investigation after receiving a number of complaints and following a lawsuit filed against Spotify by the Austrian organization 'None of your Business'. In its investigation, the DPA found that Spotify had not sufficiently complied with data subject rights. Spotify failed, for example, to provide data subjects with sufficient information about the ori

Thin Srl: Non-compliance with general data processing principles

€15,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 15,000 on Thin Srl. The authority took action following a complaint from a GP who alleged that the company had breached data protection regulations. The company was running an international project to improve patient care by collecting and analyzing health data. To participate in the project, GPs were required to add an additional function to their existing management software. The additional function was supposed to automatically anonymize patient data

Meta Platforms Ireland Limited: Insufficient legal basis for data processing

€1,200,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law and that the standard contractual clauses (SCCs) al

GSMA LTD.: Insufficient technical and organisational measures to ensure information security

€200,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 200,000 on GSMA LTD. An individual had filed a complaint with the DPA because they had to transfer special categories of personal data (e.g., ID card data) to the controller in order to register for an event. In the course of its investigation, the DPA found that the controller had failed to conduct a data protection impact assessment for these processing operations.

Ediscom S.p.a.: Non-compliance with general data processing principles

€300,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 300,000 on Ediscom S.p.a. The marketing company had collected data from 21 million individuals via various online portals in order to use it for marketing activities. The company also used so-called 'dark patterns' to mislead users into consenting to the processing of their data for marketing purposes and to the transfer of their data to third parties. The DPA found a number of other violations, including that in some cases of data processing, the com

Medijobs Platform SRL: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 5,000 on Medijobs Platform SRL. The controller had informed the DPA about a data breach in accordance with Art. 33 GDPR. Unauthorized third parties had succeeded in accessing the IT infrastructure of the controller and had downloaded, deleted and transferred personal data of applicants such as name, e-mail address, professional history, marital status, etc. The DPA found that the controller had failed to implement adequate technical and organizational measur

Company: Insufficient fulfilment of information obligations

€700 fine - National Commission for Data Protection (CNPD)

The DPA of Luxembourg has imposed a fine of EUR 700 on a company that provides online services to citizens. During its investigation, the DPA found that the company had not provided information about data processing in a concise, transparent, intelligible and easily accessible form. The DPA considered this to be a violation of Art. 12 (1) GDPR. Furthermore, the DPA found that the controller failed to provide the data subjects with sufficient information on the transfer of personal data to a third coun

Legal Person: Insufficient fulfilment of data subjects rights

€400 fine - Czech Data Protection Authority (UOOU)

The Czech DPA has imposed a fine of EUR 400 on a legal person. The accused did not provide access to information about the purpose of the processing, the storage period, the sources of the personal data, the possible recipients to whom the personal data have been or will be transferred, the right to request the controller to rectify or erase the personal data or to restrict or object to the processing and the right to lodge a complaint with a supervisory authority.

Portuguese National Statistical Institute: Non-compliance with general data processing principles

€4,300,000 fine - Portuguese Data Protection Authority (CNPD)

The Portuguese DPA has fined the Portuguese National Statistical Institute EUR 4.3 million. The DPA found numerous violations of the GDPR in connection with the 2021 census in Portugal. The DPA first found that the controller had failed to inform the data subjects that the provision of religious and health data was purely voluntary. The DPA considered this to be an interference with the data subjects' ability to freely express their will regarding data processing. In addition, the DPA found that

SC Raiffeisen Bank SA: Non-compliance with general data processing principles

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 2,000 on SC Raiffeisen Bank SA. An individual had filed a complaint with the DPA for receiving text messages about money transfers to certain persons that they had not effected. During its investigation, the DPA found that the bank had accidentally used the telephone number of the data subject for transaction purposes in 44 cases. The data subject was not a customer of the bank and had not requested the transactions.

Sułkowice Cultural Center: Insufficient data processing agreement

€530 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 530 on the Sułkowice Cultural Center. During its investigation, the DPA found that the controller had transferred the processing of personal data to a processor without concluding a written concession agreement. In addition, the controller did not verify the processor and did not verify whether the processor provides sufficient guarantees to ensure that appropriate technical and organizational measures are taken to protect personal data.

Hannoversche Volksbank: Insufficient legal basis for data processing

€900,000 fine - Data Protection Authority of Niedersachsen

The DPA of Lower Saxony has imposed a fine of EUR 900,000 on Hannoversche Volksbank. The bank had analyzed data from active and former customers without their consent. For this purpose, the bank analyzed digital usage behavior and evaluated, among other things, purchases in app stores, the frequency of use of bank statement printers and the total number of transfers in online banking compared to the use of in-branch services. In addition, the results were cross-checked with a credit agency, wher

Google LLC: Insufficient legal basis for data processing

€10,000,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 10 million on GOOGLE LLC. Two data subjects had complained to the DPA that Google had disclosed their personal data to third parties without authorization. In the course of the lengthy investigation, the DPA found that Google had passed on personal data of data subjects to the so-called Lumen project. Lumen is a project run by the Berkman Klein Center for Internet & Society at Harvard University. The project began in 2002 for the purpose of collec

City of Reykjavík: Insufficient legal basis for data processing

€36,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system 'Seesaw' at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students' private affairs. During its investigation, the DPA found that the purpose of the processing of the children's data had not been sufficiently clearly defined. In this context, the DPA also found a breach of th

Klarna Bank AB: Insufficient fulfilment of information obligations

€720,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 720,000 on Klarna Bank AB. Klarna is a financial company that processes a large number of personal data in various ways. As part of its investigation, the DPA found that Klarna had not properly complied with its information obligations. For example, Klarna did not provide sufficient information on its website about the purpose and legal basis for the processing of personal data. In addition, with regard to the transfer of data to Swedish and foreign cred

XFERA MÓVILES, S.A.: Non-compliance with general data processing principles

€200,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined XFERA MÓVILES, S.A. EUR 200,000. Two Xfera customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Xfera and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Xfera had not properly verified the identity of the fraudsters before issui

ORANGE ESPAÑA VIRTUAL, S.L.: Non-compliance with general data processing principles

€70,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined ORANGE ESPAÑA VIRTUAL, S.L. EUR 70,000. Two Orange España Virtual customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Orange España Virtual and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Orange España Virtual had not proper

TELEFÓNICA MÓVILES ESPAÑA, S.A.U.: Non-compliance with general data processing principles

€900,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined TELEFÓNICA MÓVILES ESPAÑA, S.A.U. EUR 900,000. Four Telefónica customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Telefónica and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Telefónica had not properly verified the identity

Orange Espagne S.A.U.: Non-compliance with general data processing principles

€700,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined Orange Espagne S.A.U. EUR 700,000. Two Orange Espagne customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Orange Espagne and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Orange Espagne had not properly verified the identity o

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€3,940,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined Vodafone España, S.A.U. EUR 3.94 million. Nine Vodafone customers had filed complaints with the DPA. In the course of its investigation, the DPA found that fraudsters had pretended to be the data subjects when contacting Vodafone and had demanded a copy of their SIM cards. As a result, they were able to conclude contracts at the expense of the data subjects and carry out various transfers. According to the DPA, Vodafone had not properly verified the identity of the frau

Uppsala hospital board: Insufficient technical and organisational measures to ensure information security

€152,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 152,000 on the Uppsala hospital board. The fine is the result of an investigation of the Uppsala Region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala Region. The incidents involved sensitive personal health data that was transferred unencrypted to recipients inside and outside Sweden. Specifically, Uppsala University Hospital had sent emails containing patient data to patients a