
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

FREE: Insufficient technical and organisational measures to ensure information security

€15,000,000 fine - French Data Protection Authority (CNIL)

The French data protection authority (CNIL) has imposed a fine of EUR 15,000,000 on FREE. The company suffered a data breach as a result of insufficient technical and organisational measures, caused by the use of an inadequate authentication method for connecting to its remote-working VPN. In addition, the company did not adequately inform the affected data subjects, because essential information was missing from the email in which the data breach was notified.

Gynecological Center: Insufficient fulfilment of data breach notification obligations

€9,450 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 9,450 on a Gynecological Center. The controller suffered a data breach and failed to report this to the DPO.

Court Bailiff: Insufficient fulfilment of data breach notification obligations

€5,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 5,000 on a court bailiff. The controller forwarded a letter containing personal data to the wrong person, failing to inform either the affected data subjects or the DPA.

Company: Insufficient fulfilment of data breach notification obligations

€870 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA has imposed a fine of EUR 870 on a company. After being informed of a data breach, the controller took adequate measures to close it but failed to inform the DPA.

Hestia Publishers & Booksellers, I. D. Kollaros & Co. S.A.: Insufficient technical and organisational measures to ensure information security

€9,000 fine - Hellenic Data Protection Authority (HDPA)

The Greek DPA has imposed a fine of EUR 9,000 on Hestia Publishers & Booksellers I. D. Kollaros & Co. S.A. The controller revealed the identity of an anonymous author by publishing their full name, alongside other personal data and the pseudonym under which their work was published.

ADMINISTRACIONES BENIPON, S.L.: Insufficient fulfilment of data breach notification obligations

€1,100 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,100 on ADMINISTRACIONES BENIPON, S.L. The processor failed to notify the controller of a data breach and also used a sub-processor without prior consent and without a legal agreement.

Birthlink: Insufficient technical and organisational measures to ensure information security

€20,725 fine - Information Commissioner's Office (ICO)

The UK DPA has imposed a fine of GBP 18,000 (EUR 20,725) on Birthlink. The organisation, a Scottish charity, failed to implement sufficient technical and organisational measures to ensure data security, which led to the loss of irreplaceable personal data.

City of Dublin Education and Training Board: Insufficient technical and organisational measures to ensure information security

€125,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 125,000 on the City of Dublin Education and Training Board. The controller suffered a data breach as a result of insufficient technical and organisational measures, affecting the data of approximately 13,000 individuals. In addition, the controller failed to notify the DPA and the affected data subjects in a timely manner.

DPP Law Ltd.: Insufficient technical and organisational measures to ensure information security

€70,300 fine - Information Commissioner's Office (ICO)

The UK DPA (ICO) has imposed a fine of GBP 60,000 (approximately EUR 70,300) on the law firm DPP Law Ltd. The firm was the victim of a cyberattack in which personal data of 791 clients and witnesses was stolen and published on the dark web. The DPA found that the firm had not taken sufficient technical and organisational measures to prevent such attacks, including failing to regularly review administrator accounts on the network, in breach of Articles 5(1)(f) and 32(1) and (3) of the relevant legislation.

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€251,000,000 fine - Data Protection Authority of Ireland

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited EUR 251 million. The fine was imposed for data protection violations related to a data breach that occurred in 2018 and affected 29 million Facebook accounts worldwide, including 3 million in the EU/EEA. Compromised data included names, email addresses, phone numbers, and children's data. The breach resulted from the exploitation of user tokens on the platform by unauthorized third parties. The DPC found that Met

Hospital: Insufficient fulfilment of data breach notification obligations

€6,900 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined a district hospital in Września EUR 6,900 for failing to report a data breach to the DPA and data subjects in a timely manner. A patient had accidentally received another individual's medical records and was able to access their personal data.

mBank: Insufficient fulfilment of data breach notification obligations

€940,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened, meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller

Association: Insufficient fulfilment of data breach notification obligations

€210 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined an association EUR 210 for failing to report a data breach to the DPA in a timely manner.

Azienda sanitaria locale Roma 3: Insufficient fulfilment of data breach notification obligations

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Azienda sanitaria locale Roma 3 EUR 10,000 for failing to report a data breach to the DPA in a timely manner and to properly document the data breach.

Toyota Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations

€18,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined Toyota Bank Polska S.A. EUR 18,000 for failing to report a data breach to the DPA in a timely manner.

Santander Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations

€326,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined Santander Bank Polska S.A. EUR 326,000 for failing to report a data breach to the DPA and data subjects in a timely manner.

NTT Data Italia S.P.A: Insufficient fulfilment of data breach notification obligations

€800,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the

HISPAPOST, S.A.: Insufficient fulfilment of data breach notification obligations

€36,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on HISPAPOST, S.A. The police had found over a thousand abandoned letters bearing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment.

POLAND DPA: Insufficient fulfilment of data breach notification obligations

€2,300 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.

Online retailer: Insufficient fulfilment of data breach notification obligations

€6,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner.

District Court Krakow: Insufficient fulfilment of data breach notification obligations

€2,300 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined the District Court in Krakow EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.

AUSTRIA DPA: Insufficient fulfilment of data breach notification obligations

€5,900 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA fined a controller EUR 5,900 for failing to report a data breach in a timely manner and for not cooperating with the DPA.

Insurance company: Insufficient fulfilment of data breach notification obligations

€24,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined an insurance company EUR 24,000 for failing to report a data breach to the DPA in a timely manner.

Link4 Towarzystwo Ubezpieczeń S. A.: Insufficient fulfilment of data breach notification obligations

€24,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined Link4 Towarzystwo Ubezpieczeń S. A. EUR 24,000 for failing to report a data breach to the DPA in a timely manner.

Company: Insufficient fulfilment of data breach notification obligations

€2,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined a company EUR 2,500 for failing to report a data breach to the DPA and data subjects.

Argon Medical Devices: Insufficient fulfilment of data breach notification obligations

€220,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA of a data breach that involved personal data of all its European employees within 72 hours. ---UPDATE--- The controller appealed against the decision to the DPA, but the appeal was dismissed.

Housing cooperative: Insufficient fulfilment of data breach notification obligations

€11,100 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 11,100 on a housing cooperative. The controller had disclosed personal data of a member of the cooperative to an unauthorized person. The incident was recorded in an internal register of violations, however the controller failed to inform the DPA and the data subject of the incident in a timely manner.

Vodafone: Insufficient fulfilment of data breach notification obligations

€40,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 40,000 on Vodafone. An individual had filed a complaint with the DPA because, following a request for access to records of conversations with a Vodafone call center, Vodafone had provided them with another customer's conversations. In addition, Vodafone failed to report this incident to the DPA in a timely manner.

Housing association: Insufficient fulfilment of data breach notification obligations

€321 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 321 on a housing association. The controller had suffered a data breach involving the theft of documents, including a copy of a notarial deed. During its investigation, the DPA found that the controller had both failed to report the data breach to the DPA in a timely manner and to notify the data subjects affected by the incident. Further, the DPA found that the controller had not adequately checked if the processor provided sufficient guarantees to imple

Dent Estet Clinic SA: Insufficient fulfilment of data breach notification obligations

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has fined Dent Estet Clinic SA (dental practice) EUR 1,000. An employed dentist at the practice had published medical information of a patient, such as photos and X-rays, in an article on a medical blog. However, the dentist failed to obtain the patient's consent before publishing the medical data. Although the patient had informed the clinic, it failed to notify the DPA of the data breach in a timely manner.

Magdeburg University Hospital: Insufficient fulfilment of data breach notification obligations

€9,000 fine - Data Protection Authority of Sachsen-Anhalt

The DPA of Sachsen-Anhalt has imposed a fine of EUR 9,000 on Magdeburg University Hospital. The clinic had failed to report to the DPA a data breach involving a former employee having unlawfully disclosed personal data from the clinic's systems to third parties.

University Hospital of the Medical University of Warsaw: Insufficient fulfilment of data breach notification obligations

€2,120 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 2,120 on the University Hospital of the Medical University of Warsaw. The university hospital had suffered a data breach in which a patient had received a referral from a doctor that contained, among other things, personal data (name, address, etc.) of another patient. The DPA found that neither the doctor nor the hospital informed the patient or the DPA about the data breach.

Głównego Geodetę Kraju: Insufficient fulfilment of data breach notification obligations

€12,450 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 12,450 on the public cartography institute Głównego Geodetę Kraju. The institute had suffered a data breach in which numerous land register numbers were visible on the institute's website for more than 48 hours. The land register number allows a number of owners' data to be determined, including their first and last names, the names of their parents and the address of the property. The institute had failed to report the breach to the DPA, with the result

URQUÍA & BAS, CORREDURÍA DE SEGUROS S.L.: Insufficient fulfilment of data breach notification obligations

€1,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined URQUÍA & BAS, CORREDURÍA DE SEGUROS S.L. for failing to report a data breach to the DPA in a timely manner. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility.

Esselmann Technika Pojazdowa Sp. z o.o. Sp. k.: Insufficient fulfilment of data breach notification obligations

€3,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. EUR 3,500. The controller had suffered a data breach during which a certificate of employment containing personal data of an employee got lost. The controller failed to report this data breach to the DPA and thus violated Art. 33 GDPR.

Bank of Ireland: Insufficient technical and organisational measures to ensure information security

€463,000 fine - Data Protection Authority of Ireland

The Irish DPA has fined the Bank of Ireland EUR 463,000. The bank had reported 22 data breaches to the DPA under Article 33 GDPR. As part of its investigation, the DPA found that the bank had provided false information to the Central Credit Register due to a mix-up of bank customers' account data. This error had the potential to have a negative impact on the creditworthiness of the data subjects. The DPA found that the personal data breach had occurred due to inadequate technical and organizatio

OTE Group: Insufficient technical and organisational measures to ensure information security

€3,200,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 3.2 million on Cosmote subsidiary OTE Group. Among other things, OTE Group had contributed to Cosmote's security infrastructure. Cosmote had reported a data breach to the DPA under Article 33 of the GDPR. A hacker had been able to penetrate Cosmote's systems due to a lack of security measures and obtained and subsequently leaked customer data. The stolen data included sensitive information from Cosmote subscribers such as age, gender and contract

Santander Bank Polska S. A.: Insufficient fulfilment of data breach notification obligations

€117,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined Santander Bank Polska S.A. EUR 118,000 for failing to notify data subjects of a data breach. A former employee of the bank managed to gain unauthorized access to a database for electronic services. Among other things, this allowed numerous Santander customers' data to be accessed. Due to the high risk for the data of the data subjects, the bank would have been obliged to inform them of the data breach. However, the bank deliberately refrained from doing so and continued

Company: Insufficient fulfilment of data breach notification obligations

Data Protection Authority of Bremen

The DPA from Bremen has fined a company for failing to inform the DPA pursuant to Art. 33 GDPR that an employee's business email account had been hacked.

Greek Ministry of Tourism: Insufficient technical and organisational measures to ensure information security

€75,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 75,000 on the Greek Ministry of Tourism. A data breach had occurred at the authority. According to the DPA, an attempt by a citizen to enter his or her credentials on the authority's online platform resulted in the display of someone else's credentials, including full name, tax number, social security number, postal address, phone number, email address, and fields indicating a disability. The DPA found that the ministry failed to implement adequate tech

Bank Millennium S.A: Insufficient fulfilment of data breach notification obligations

€78,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) has imposed a fine of EUR 78,000 on Bank Millennium S.A. The UODO had become aware of a data protection breach following a complaint against the bank. It turned out that correspondence sent by the bank through a courier service, containing personal data such as first name, last name, PESEL number, home address, account numbers and identification numbers of customers, had been lost. In this regard, the UODO found that the bank had failed to report the incident to the DPA and

Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra: Insufficient fulfilment of data breach notification obligations

€3,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) has imposed a fine of EUR 3,000 on the Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra Foundation for the promotion of mediation and legal education. The controller had not immediately informed the DPA and the data subjects about a personal data breach. Several folders containing personal data had been stolen from the controller in early 2020. These included the names, addresses and telephone numbers, and in 3 to 4 cases also the PESEL numbers (Polish identificatio

Sopockie Towarzystwo Ubezpieczeń ERGO Hestia S.A.: Insufficient fulfilment of data breach notification obligations

€35,300 fine - Polish National Personal Data Protection Office (UODO)

The controller had sent an email containing personal data of a customer to the wrong recipient. The leaked data included the name and postal address of the data subject and insurance details. The controller had informed neither the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours.

Enea S.A.: Insufficient fulfilment of data breach notification obligations

€30,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) fined Enea S.A. EUR 30,000 for the controller's failure to report a personal data breach, in violation of Art. 33 (1) GDPR. The DPA received information about a personal data breach from a person who had become an unauthorized recipient of personal data. The breach consisted of sending an email with an unencrypted, non-password protected attachment that contained personal data of several hundred individuals. The sender of the email was an employee of the sanctioned controll

Śląski Uniwersytet Medyczny (Medical University of Silesia): Insufficient fulfilment of data breach notification obligations

€5,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) imposed a fine of PLN 25,000 (EUR 5,500) on the Medical University of Silesia. In the course of exams held in the form of videoconferences at the end of May 2020, identification of students took place. Once the exam was completed, the recordings of the exams were available not only to the examinees, but also to other people with access to the system. In addition, any outsider could access the records of the examinations and the data of the examined students presented during

POLAND DPA: Insufficient fulfilment of data breach notification obligations

€19,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) imposed a fine of EUR 19,000 on a hospital operator. A former employee had unlawfully copied the personal data of 100 patients from the hospital's computer network. The leaked data included the social security number, name, date of birth, address and telephone number of the data subjects. Although the controller considered the potential risk to the data subjects to be high, it had not informed the data subjects about the incident. The DPA then requested the controller to i

Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A.: Insufficient fulfilment of data breach notification obligations

€18,930 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA (UODO) fined Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. EUR 18,930 for a breach of Art. 33 (1) GDPR and Art. 34 (1) GDPR. In May 2020, the DPA received a notification from a third party about a personal data breach involving an insurance agent acting as a processing agent for Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. who sent an insurance policy to an unauthorized addressee by email. The document contained personal data concerning, among others, surnames, first name