Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Municipality of Tilburg: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped u

Municipality of Delft: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Delft. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Gooise Meren: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Gooise Meren. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism step

Municipality of Ede: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Ede. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up me

Municipality of Huizen: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Huizen. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Eindhoven: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Eindhoven. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Hilversum: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Haarlemmermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Haarlemmermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism st

Municipality of Veenendaal: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Veenendaal. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Municipality of Zoetermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Zoetermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Natural Person: Non-compliance with general data processing principles

€10,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 10,000 on a natural person. The controller operated a website on which identity cards containing personal data, including special category data, possible criminal convictions, data on the intimate lives of data subjects and possible debts, were published. The processing of this data was not based on a sufficient legal basis, and the controller did not ensure that the data was correct, complete or transparent. Furthermore, the controller did not adequate

Dental Clinic: Non-compliance with general data processing principles

€1,200 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,200 on a dental clinic. The controller used video surveillance in its clinic for security purposes, including a camera in the doctor's office where patients were treated. This resulted in excessive data processing. The original fine of EUR 2,000 was reduced to EUR 1,200 due to immediate payment and admission of responsibility by the controller.

Timegrip AS: Insufficient fulfilment of data subjects rights

€21,650 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 21,650 on Timegrip AS. The controller had been tracking the working hours of employees at a company that went bankrupt. A former employee requested that the controller send the working hours to the data subject so that they could claim their unpaid wages from the bankruptcy estate. Furthermore, the bankruptcy estate itself requested the data, but the controller refused to send it to them.

VOX ESPAÑA: Insufficient legal basis for data processing

€500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500 on VOX ESPAÑA. The controller, a political party, posted a picture of a receipt on its Facebook page. The picture of the receipt included the full name, signature and personal ID number of a natural person. The controller had no legal basis to publish this personal data.

KVIKU SPAIN, S.L.: Non-compliance with general data processing principles

€8,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 8,000 on KVIKU SPAIN, S.L. The controller requires customers to send a photo of themselves holding their ID card when verifying their identities, which violates the principle of data minimisation. The original fine of EUR 10,000 was reduced to EUR 8,000 due to immediate payment by the controller.

Commander of the Municipal Police of Kraków: Non-compliance with general data processing principles

€18,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 18,500 on the regional police of Kraków. The authority published personal data, including medical data, of a data subject who was involved in a police investigation. This publication was not necessary for the intended purpose.

Komendanta Miejskiego Policji w Krakowie: Non-compliance with general data processing principles

€18,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 18,500 on the Komendanta Miejskiego Policji w Krakowie. The controller published personal data, including health data, of a data subject who had been involved in a police investigation, which was not necessary for the purpose of the publication.

ONE WAY PRIVATE COMPANY: Non-compliance with general data processing principles

€80,000 fine - Hellenic Data Protection Authority (HDPA)

The Greek DPA has imposed a fine of EUR 80,000 on ONE WAY PRIVATE COMPANY. The fined entity is the processor of Thessaloniki–Thessaly Gas Supply Company S.A. (ETid-3016). The processor, a call center involved in direct marketing activities, had implemented a system to check whether consent had been given to contact a specific person. However, this system could be bypassed or ignored by the operator, resulting in data subjects being contacted without their consent. Furthermore, the controller had

ENDESA (energy supplier): Insufficient legal basis for data processing

€60,000 fine - imposed by the Spanish Data Protection Authority (AEPD)

The complainant's bank account was charged by ENDESA, with a third party as the beneficiary. This third party had been convicted under criminal law and had received a two-year order relating to the complainant, her place of residence and her workplace. Instead of amending the contract details as requested by the complainant, ENDESA accidentally deleted her data and entered the data of the third party. The AEPD (Spanish Data Protection Authority) found that the disclosure of the complainant's data to the third party was a serious violation of the principle of confidentiality.

ENDESA (energy supplier): Insufficient legal basis for data processing

€60,000 fine - Spanish Data Protection Authority (aepd)

The complainant's bank account was charged by ENDESA, the beneficiary of which was a third party who had been convicted under criminal law and made subject to a two-year restraining order regarding the claimant, her domicile and work. Instead of amending the contract details as requested by the claimant, ENDESA erroneously deleted her data and filled in the data of the third party. The AEPD found the disclosure of the claimant's data to the third party was a severe violation of the principle of confid

Restaurant (SANTI 3000, S.L.): Insufficient legal basis for the processing of personal data

€9,600 fine - Spanish Data Protection Authority (AEPD)

A restaurant wanted to impose disciplinary measures on an employee on the basis of footage from a mobile phone video. This video had been recorded by another employee in the restaurant and served as evidence. The initial fine of EUR 12,000 was reduced to EUR 9,600.

Roumasport S.R.L: Insufficient technical and organisational measures to ensure information security

€10,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 10,000 on Roumasport S.R.L. The controller failed to implement adequate technical and organisational measures, resulting in multiple cyber incidents.

Vodafone España, S.A.U.: Violation of the general data processing principles

€5,000 fine - imposed by the Spanish Data Protection Authority (AEPD)

The Spanish telecommunications and information structure (SETSI) decided that Vodafone had to reimburse a customer for costs that had wrongly been charged to him. Nevertheless, Vodafone passed personal data of this customer on to a credit registry (BADEXCUG). The AEPD (Spanish Data Protection Authority) found that this conduct violates the principle of accuracy.

Company: Non-compliance with general data processing principles

€3,500,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact as

Vodafone España, S.A.U.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (aepd)

The Spanish telecommunications and information agency (SETSI) decided that Vodafone had to reimburse a customer for costs he had been wrongfully charged. Nevertheless, Vodafone reported personal data of this customer to a solvency registry (BADEXCUG). The AEPD found that this behaviour violated the principle of accuracy.

SLOVAKIA DPA: Insufficient technical and organisational measures to ensure information security

Slovak Data Protection Office

Documents containing personal data were disposed of in the area of the municipal garbage dump.

Restaurant (SANTI 3000, S.L.): Insufficient legal basis for data processing

€9,600 fine - Spanish Data Protection Authority (aepd)

A restaurant wanted to impose disciplinary sanctions on an employee using images from a mobile phone video which was recorded by another employee in the restaurant for evidence purposes. The initial fine of EUR 12,000 was reduced to EUR 9,600.

Order of General Nurses, Midwives and Medical Assistants of Romania – Neamt Branch: Non-compliance with general data processing principles

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 2,000 on the Order of General Nurses, Midwives and Medical Assistants of Romania – Neamt Branch. The controller used video surveillance in a manner that was not in accordance with the GDPR.

Order of General Nurses, Midwives and Medical Assistants of Romania – Neamt Branch: Non-compliance with general data processing principles

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 2,000 on the Romanian association of general nurses, midwives and medical assistants, Neamt branch. The controller used video surveillance in a manner that is not in accordance with the General Data Protection Regulation (GDPR).

Geturhotels Srl: Violation of the general data processing principles

€6,000 fine - imposed by the Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on Geturhotels Srl. The company was involved in direct marketing activities, using personal data that had not been obtained or processed in a manner consistent with the general principles of data processing.

Geturhotels Srl: Non-compliance with general data processing principles

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on Geturhotels Srl. The controller was involved in direct marketing operations, using personal data that had not been acquired or processed in accordance with general principles of data processing.

CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U.: Insufficient technical and organisational measures to ensure information security

€500,000 fine - imposed by the Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 500,000 on CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U. The controller used a communication tool that was not designed in accordance with the "privacy by design" principle. As a result, messages containing personal data that were intended for another customer ended up in the hands of an independent third party.

CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U.: Insufficient technical and organisational measures to ensure information security

€500,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500,000 on CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U. The controller used a communication tool that was not designed in accordance with the privacy-by-design principle. This resulted in an unaffiliated third party receiving messages containing personal data intended for another customer.

MOBIUS SOLUTIONS LTD: Non-compliance with general data processing principles

€1,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 1,000,000 on MOBIUS SOLUTIONS LTD. The fined entity had been the former data processor for Deezer, which suffered a data breach in 2022. The processor failed to fulfil its duties as a data processor, which resulted in a data breach.

MOBIUS SOLUTIONS LTD: Non-compliance with general data processing principles

€1,000,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) has imposed a fine of EUR 1,000,000 on MOBIUS SOLUTIONS LTD. The company was previously responsible for data processing for Deezer, which experienced a data breach in 2022. The company fell short in fulfilling its obligations as a data processor, which led to a data breach.

'Principe Umberto di Savoia' State Scientific and Linguistic High School: Insufficient legal basis for data processing

€1,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 1,000 on 'Principe Umberto di Savoia' State Scientific and Linguistic High School. The controller processed the personal data of employees in relation to their employment, including medical data such as sick leave due to serious illness. The controller failed to introduce sufficient technical and organisational measures, resulting in employees gaining unauthorised access to personal data. The processor also failed to adequately inform data subjects regar

Roverbella Comprehensive School: Insufficient legal basis for data processing

€1,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 1,000 on Roverbella Comprehensive School. The controller has sent an email containing a reminder about the vaccination of pupils under the age of 16, along with an undisclosed list of recipients.

Comune di Tuscania: Non-compliance with general data processing principles

€12,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 12,000 on the Comune di Tuscania. The controller had been using video surveillance and licence plate recognition within its territory for the purposes of territorial security and supervising separate waste collection at recycling centers. However, the controller did not put up any relevant signs containing the privacy policy or warning signs. The controller also failed to enter into data processing agreements with processors handling data on its behalf,

DELAFRUIT, S.L.: Non-compliance with general data processing principles

€3,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 3,600 on DELAFRUIT, S.L. The controller installed video surveillance in the staff break area and dining room, but did not put up the necessary information signs. The original fine of EUR 6,000 was reduced to EUR 3,600 due to immediate payment and admission of responsibility by the controller.

RISING SUN CAR RENTAL S.L.: Non-compliance with general data processing principles

€3,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 3,600 on RISING SUN CAR RENTAL S.L. The controller used video surveillance to ensure security at its facility, affecting more areas than were necessary for this purpose. Additionally, the controller failed to install signs to inform data subjects regarding the video surveillance. The original fine of EUR 6,000 was reduced to EUR 3,600 due to immediate payment and admission of responsibility by the controller.

DELAFRUIT, S.L.: Non-compliance with general data processing principles

€3,600 fine - Spanish Data Protection Authority (AEPD)

The Spanish Data Protection Authority (DPA) has imposed a fine of EUR 3,600 on DELAFRUIT, S.L. The controller had installed video surveillance in the break room and the canteen, but had not put up the required information signs. The original fine of EUR 6,000 was reduced to EUR 3,600 due to immediate payment and admission of responsibility by the controller.

RISING SUN CAR RENTAL S.L.: Non-compliance with general data processing principles

The Spanish Data Protection Authority (DPA) has imposed a fine of EUR 3,600 on RISING SUN CAR RENTAL S.L. The controller used video surveillance to ensure security at its location, but this covered more areas than was necessary for this purpose. In addition, the controller did not put up signs to inform data subjects about the video surveillance. The original fine of EUR 6,000 was reduced to EUR 3,600 due to immediate payment and admission of responsibility by the controller.

Verisure Italy s.r.l.: Non-compliance with general data processing principles

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 400,000 on Verisure Italy s.r.l. The controller had been active in direct marketing activities. The controller failed to ensure that the consent provided by data subjects was valid. Additionally, the controller failed to implement adequate retention periods for the processed data. Lastly, the controller failed to adequately respond to data subjects' requests to exercise their rights, and failed to adequately inform them regarding the processing of their

Aimag S.p.A.: Non-compliance with general data processing principles

€300,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 300,000 on Aimag S.p.A. The controller offered its customers a service that allowed them to view their consumption data on the controller's website, but the log-in procedure was insufficient. The way the controller gained consent for the use of promotional messages was also inadequate.

Verisure Italy s.r.l.: Non-compliance with general data processing principles

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 400,000 on Verisure Italy s.r.l. The controller was active in direct marketing activities. The controller failed to ensure that the consent provided by the data subjects was valid. In addition, the controller failed to set adequate retention periods for the processed data. Finally, the controller did not respond adequately to data subjects' requests to exercise their rights, and did not sufficiently inform them about the processing of their data.

Aimag S.p.A.: Non-compliance with general data processing principles

€300,000 fine - Italian Data Protection Authority (Garante)

The Italian Data Protection Authority (DPA) has imposed a fine of EUR 300,000 on Aimag S.p.A. The controller offered its customers a service that allowed them to view their consumption data on the controller's website, but the log-in procedure was inadequate. The way in which the controller obtained consent for the use of promotional messages was also insufficient.

Telecommunications operator (operator of electronic communications networks and services): Non-compliance with general data processing principles

€4,500,000 fine - Croatian Data Protection Authority (azop)

Following an ex officio investigation, AZOP imposed a EUR 4.5 million fine on a telecommunications operator for multiple GDPR infringements. The controller transferred customer personal data to a processor in the Republic of Serbia (a group company maintaining software). Transfers had been based on Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that date, transfers continued without SCCs or equivalent safeguards, despite Serbia lacking an adequ

Telecommunications company (operator of electronic communications networks and services): Violation of the general data processing principles

€4,500,000 fine - imposed by the Croatian Data Protection Authority (AZOP)

Following an investigation by the authority, AZOP imposed a fine of EUR 4.5 million on a telecommunications company for multiple GDPR infringements. The controller transferred customer data to a processor in the Republic of Serbia (a subsidiary that maintains software). These transfers took place on the basis of Standard Contractual Clauses (SCCs) from 16 April 2020 until at the latest 27 December 2022; after that, the transfers continued without SCCs or equivalent safeguards, despite Serbia not being regarded as a country with adequate protection.

ACTIVOS INTELIGENTES, S.L.: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 5,000 on ACTIVOS INTELIGENTES, S.L. The controller is asking its guests for selfies with their ID-card to verify their identity, processing data found on the ID-card which is not necessary for the purpose.

ACTIVOS INTELIGENTES, S.L.: Violation of the general data processing principles

€5,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish Data Protection Authority (DPA) has imposed a fine of EUR 5,000 on ACTIVOS INTELIGENTES, S.L. The company asks its guests to take selfies with their identity card to verify their identity, processing data from the identity card that is not necessary for this purpose.