Regulatory actions, fines, warnings, and enforcement decisions
€284,450 fine - Information Commissioner (ICO)
The UK DPA has imposed a fine of GBP 247,590 (EUR 284,450) on MediaLab.AI, Inc.The controller of the image-sharing and hosting platform Imgur failed to implement age verification. This resulted in the controller processing children's data without sufficient legal basis, as the consent given was not provided by the children's parents or carers.
€20,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 20,000 onTensa Art Design S.A.The DPA began investigating the controller's data processing activities, but the controller failed to respond to the DPA's requests.
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Gooise Meren. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism step
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped u
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Zoetermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Huizen. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Haarlemmermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism st
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Veenendaal. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Delft. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Ede. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up me
€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Eindhoven. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped
€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 1,000 on the Alliance for the Union of Romanians (AUR) Party. The controller failed to react adequately to a data subject's request to exercise their rights regarding a personal letter containing electoral information.
€15,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 15,000 on Continental Automotive Products SRL. The controller failed to implement adequate technical and organisational measures, resulting in a cyber incident.
€8,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 8,000 on PREMIER RESTAURANTS ROMANIA SRL. The controller failed to implement adequate technical and organisational measures, resulting in a cyber incident.
€18,500 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposd a fine of EUR 18,500 on the Komendanta Miejskiego Policji w Krakowie. The controller published personal data, including health data, of a data subject that had been involved in a police investigation, which was not necessary for the purpose of the publication.
18.500 euro boete - Poolse nationale autoriteit voor de bescherming van persoonlijke gegevens (UODO).
De Poolse gegevensbeschermingsautoriteit heeft een boete van 18.500 euro opgelegd aan de regionale politie van Krakau. De autoriteit heeft persoonlijke gegevens, waaronder medische gegevens, van een betrokkene gepubliceerd die betrokken was bij een politieonderzoek. Deze publicatie was niet noodzakelijk voor het beoogde doel.
27 miljoen euro boete - Frans Nationaal Instituut voor Gegevensbescherming (CNIL).
De Franse autoriteit voor gegevensbescherming (CNIL) heeft FREE een boete van 15.000.000 euro opgelegd. Het bedrijf heeft een datalek geleden als gevolg van onvoldoende technische en organisatorische maatregelen. Dit werd veroorzaakt door het gebruik van een ontoereikende authenticatiemethode om verbinding te maken met hun VPN voor thuiswerken. Bovendien heeft het bedrijf de betrokken personen niet voldoende geïnformeerd, omdat essentiële informatie ontbrak in de e-mail waarin de datalek werd gemeld.
€15,000,000 fine - French Data Protection Authority (CNIL)
The French DPA has imposed a fine of EUR 15,000,000 on FREE. The controller suffered a data breach due to insufficient technical and organisational measures. This was caused by using an inadequate authentication procedure to connect to their VPN for remote working. Additionally, the controller failed to adequately inform the affected data subjects due to necessary information being missing from the information email.
€27,000,000 fine - French Data Protection Authority (CNIL)
The French DPA has imposed a fine of EUR 27,000,000 on FREE MOBILE. The controller suffered a data breach due to insufficient technical and organisational measures. This was caused by using an inadequate authentication procedure to connect to their VPN for remote working. Additionally, the controller failed to adequately inform the affected data subjects due to necessary information being missing from the information email. Lastly, the controller failed to adequately sort data and retain persona
€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 2,000 on Money Seeds S.R.L. The controller failed to fulfil a data subject's request to exercise their rights.
€232,379 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 232,379 on the Polish Postal Service. The controller appointed a person as DPO who also held a managerial position with authority over security and classified information protection issues. However, the controller failed to conduct an analysis to ensure the DPO's independence. Furthermore, the controller was unable to ensure that the DPO could fulfil their role without any conflicts of interest.
€10,000 fine - Hellenic Data Protection Authority (HDPA)
The Greek DPA has imposed a fine of EUR 10,000 on Thessaloniki–Thessaly Gas Supply Company S.A. The controller, an energy provider, used external processors for direct marketing via telephone. The controller forwarded complaints by data subjects to the external processors, but failed to ensure, that the processors response was adequate, gernerally failing to adequatly controll processors.
€5,000 fine - Hellenic Data Protection Authority (HDPA)
The Greek DPA has imposed a fine of EUR 5,000 on REVMA PLUS Retail S.A.. The fined entity is the processor of Thessaloniki–Thessaly Gas Supply Company S.A. (ETid-3016). The processor, a call center involved in direct marketing activities, suffered a technical error in its system that prevented operators from calling data subjects that had not given their consent for direct marketing calls. The processor also failed to inform the controller of the technical error.
€10,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 10,000 on Roumasport S.R.L The controller failed to implement adequate technical and organisational measures, resulting in multiple cyber incidents.
€60,000 fine - Spanish Data Protection Authority (aepd)
After the claimant did alledgedly not pay back a microcredit to an online credit agany, the claim was assigned to the debt collecting agancy. Subsequently, the latter startet sending emails not only to email addresses provided by the claimant but also to an institutional email address of his workplace accessible by any co-worker which was never provided by the claimant.
€3,500,000 fine - French Data Protection Authority (CNIL)
The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact as
€980 fine - Czech Data Protection Auhtority (UOOU)
The operator of an online game was exposed to several DDoS attacks which caused the malfunctioning of the servers. The attacker blackmailed the operator stating that the attacks will not stop unless he pays money. As part of the blackmail, the attacker offered the operator that he will create an upgraded and better firewall protection to the servers of the operator. The operator agreed and paid the attacker. The operator implemented the new code from the attacker which proved better than the old
Slovak Data Protection Office
A Data Controller failed to comply with data subject´s request to access his/her personal data processed by audio recordings.
€3,140 fine - Czech Data Protection Auhtority (UOOU)
The bank established a personal bank account for a data subject without his consent or knowledge. The bank supposedly had his personal data available because the subject had disposed of his employer’s company account. The bank was not able to provide The Office for Personal Data Protection with the necessary documentation to prove entering into contract with the data subject.
€20,000 fine - Croatian Data Protection Authority (azop)
The Croatian DPA (azop) has imposed a fine of EUR 20,000 on a telecommunications company. A data subject had filed a complaint with the DPA claiming that the company was still processing their personal data even though they had not been a customer of the company for more than ten years. During its investigation, the DPA found that the company had still been storing the data due to an alleged debt. The debt was no longer outstanding, however, the company had failed to delete the data of the data
€12,000 fine - Spanish Data Protection Authority (aepd)
The gas company did not have appropriate measures in place to verify the identity of the data subject. The person who filed the complaint alleges that the company e-mailed his information to a third party in response to a request.
€10,000 fine - Spanish Data Protection Authority (aepd)
The company installed cookies on an end users terminal device without prior consent of the data subject.
€1,600 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 1,600 on NAROBESA INV, S.L. The controller failed to react to requests made by the DPA. The original fine of EUR 2,000 was reduced to EUR 1,600 due to immediate payment
€600 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 300 on 4USPORT INSTALACIONES DEPORTIVAS, S.L. The controller failed to react to requests made by the DPA.
€300 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 300 on an unkonwn person/entity. The controller failed to react to requests made by the DPA.
€6,000 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 6,000 on BLUE TEAM FLIGHT SCHOOL, S.L. The controller failed to react to requests made by the DPA.
€6,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 6,000 on the Commune di Nave. The controller has installed an automatic licence plate recognition system which processes data on when a car passes a specific control point. This data is stored for seven days, after which it is automatically deleted. The system is also connected to the Motor Vehicle Registry and automatically verifies the passing vehicle's insurance coverage, periodic inspection and environmental class. This data processing occurred witho
€40,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 40,000 on Anticimex s.r.l. Following termination of employment, the former employer requested to exercise his rights. The controller failed to respond within the required timeframe. Furthermore, the controller conducted a forensic analysis of the former employee's email account to check for any violations of the non-competition agreement.
€40,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 40,000 on LTL S.p.A. The controller failed to respond within the legal time period to a request by a former employee to exercise their rights. Additionally, the controller forwarded emails received by the former employee's email account to another company account for two months after termination of employment.
€2,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 2,000 on Elba Catering Distribuzioni s.r.I.s. The controller installed video surveillance, which affected the public road. Furthermore, the controller failed to install signs to inform data subjects regarding data processing.
€120,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 120,000 on Pioneer Hi-Bred Italia Sementi s.r.l. The controller installed satellite telematics tracking devices to monitor driving behaviour and provide drivers with scores.
175.000 euro boete - Nederlandse Autoriteit Persoonsgegevens (AP).
De Nederlandse Autoriteit Persoonsgegevens heeft een boete van 175.000 euro opgelegd aan de Hogeschool Arnhem en Nijmegen. De verantwoordelijke partij heeft een datalek geleden als gevolg van onvoldoende technische en organisatorische maatregelen.
€1,000,000 fine - French Data Protection Authority (CNIL)
The French DPA has imposed a fine of EUR 1,000,000 on MOBIUS SOLUTIONS LTD. The fined entity had been the former data processor for Deezer, which suffered a data breach in 2022. The processor failed to fulfil its duties as a data processor, which resulted in a data breach.
€75,474 fine - Slovenian Supervisory Authority (Informacijski pooblaščenec)
The Slovenian DPA has imposed a fine of EUR 75,474 on a legal entity. Without a sufficient legal basis, the controller installed software on an employee's work computer which allowed them to monitor all of the employee's activity on that computer, including private activity. The software also allowed the controller to monitor private communications via Facebook or email, as well as audio conversations. The entity was fined EUR 71,474, and the person responsible was fined EUR 4,000.
€15,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 15,000 on Crowd Entertainment Limited. The controller failed to adequatly react to a data subjects request to exercise their rights.
€5,100 fine - Slovenian Supervisory Authority (Informacijski pooblaščenec)
The Slovenian DPA has imposed a fine of EUR 5,100 on a legal entity. The controller operated a website where natural persons could fil in their personal data in a form. The controller failed to ensure that the Informations referred to in Art. 13 GDPR was provided to the data subjects in an adequate manner. The entity was fined EUR 4,800, and the person responsible was fined EUR 300.
€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has imposed a fine of EUR 1,000 on Compania de Apa Oltenia S.A. The controller failed to implement adequate technical and organisational measures to ensure data security, resulting in personal data beeing leaked on social media.
€12,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 12,000 on the Commune di Tuscania. The controller had been using video surveillance and licence plate recognition within its territory for the purposes of territorial security and supervising separate waste collection at recycling centers. However, the controller did not put up any relevant signs containing the privacy policy or warning signs. The controller also failed to enter into data processing agreements with processors handling data on its behalf,