Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

MediaLab.AI, Inc.: Insufficient legal basis for data processing

€284,450 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of GBP 247,590 (EUR 284,450) on MediaLab.AI, Inc. The controller of the image-sharing and hosting platform Imgur failed to implement age verification. This resulted in the controller processing children's data without a sufficient legal basis, as the consent given was not provided by the children's parents or carers.

Sportadmin i Skandinavien AB: Insufficient technical and organisational measures to ensure information security

€565,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 565,500 on Sportadmin i Skandinavien AB. The controller suffered a successful cyber attack, resulting in the personal and special category data of 2,126,075 individuals, including minors, being published on the darknet. The attack happened due to a successful SQL injection on one of the controller's websites, which had not been protected against this kind of attack; this granted the attacker access to the controller's server and allowed them to exfiltrate the data.

AMERICAN EXPRESS CARTE FRANCE: Insufficient legal basis for data processing

€1,500,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 1,500,000 on AMERICAN EXPRESS CARTE FRANCE. The controller used an excessive number of cookies on its website and did not sufficiently inform data subjects about these cookies.

Municipality of Curtarolo: Insufficient legal basis for data processing

€15,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 15,000 on the Municipality of Curtarolo. The controller used footage from surveillance cameras in disciplinary proceedings against an employee, and also instructed other employees to spy on this employee and to take photos and videos of him.

Municipality of Buccino: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Municipality of Buccino. The controller published pictures of minors and people with mental health conditions in multiple Facebook posts without a sufficient legal basis. The controller also failed to adequately communicate the contact details of the DPO.

Allium UPI: Insufficient technical and organisational measures to ensure information security

€3,000,000 fine - Estonian Data Protection Authority (AKI)

The Estonian DPA has imposed a fine of EUR 3,000,000 on Allium UPI. The controller failed to implement adequate technical and organisational measures to ensure data security. This resulted in a data breach involving the personal data of 750,000 individuals, including children and other vulnerable groups.

CLUB BALONCESTO TELDE: Insufficient legal basis for data processing

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,000 on the club BALONCESTO TELDE. The controller published an image of a minor without the consent of the minor's representative.

Nursery School “La Combricola Dei Birichini Di Betty”: Non-compliance with general data processing principles

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on the Nursery School “La Combricola Dei Birichini Di Betty”. The controller only accepted new children if their parents agreed that they could take and use pictures of them for marketing purposes. This resulted in excessive posting of children's pictures on the internet, which did not comply with the GDPR's basic principles.

L. Zamenhof University Children's Clinical Hospital in Białystok: Insufficient technical and organisational measures to ensure information security

€15,600 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 15,600 on the L. Zamenhof University Children's Clinical Hospital in Białystok. The controller did not implement sufficient technical and organisational measures to ensure information security, resulting in a ransomware attack on its IT systems.

Municipality of Kristiansand: Insufficient legal basis for data processing

€22,000 fine - Norwegian Data Protection Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 22,000 on the Municipality of Kristiansand. The municipality operates a helpline for children who have been victims of violence, abuse or neglect. The helpline's website uses tracking pixels, which give the providers of those pixels access to the data subjects' personal data without a sufficient legal basis.

Lombardy Region: Insufficient legal basis for data processing

€50,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 50,000 on the Lombardy Region. The controller monitored the internet activity of its employees, including private activity, without a sufficient legal basis.

Cooperativa Sociale Quadrifoglio: Insufficient technical and organisational measures to ensure information security

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 20,000 on Cooperativa Sociale Quadrifoglio. The entity that was fined, acting as a data processor, forwarded files containing the personal and health data of children. There was no legal basis for this, and it happened due to insufficient technical and organisational measures to ensure data security.

Municipality of Bologna: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 40,000 on the Municipality of Bologna. The controller engaged a data processor (Cooperativa Sociale Quadrifoglio | ETid: 2274) to process data, including health data, of children with disabilities and special needs. The controller failed to ensure that the processor had taken sufficient technical and organisational measures to ensure data security, which led to a data breach.

Luka Inc.: Non-compliance with general data processing principles

€5,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed a fine of EUR 5,000,000 on Luka Inc. The developer created a chatbot called Replika with a written and voice interface. It is based on a generative AI system, specifically an LLM model, that is constantly fed and improved by user interactions. Replika is intended to be a 'virtual companion' that improves users' moods and emotional well-being by helping them understand their own psyche. Replika can be set up as a friend, therapist, romantic partner, or mentor. The controll

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€251,000,000 fine - Data Protection Authority of Ireland

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited EUR 251 million. The fine was imposed for data protection violations related to a data breach that occurred in 2018 and affected 29 million Facebook accounts worldwide, including 3 million in the EU/EEA. Compromised data included names, email addresses, phone numbers, and children's data. The breach resulted from the exploitation of user tokens on the platform by unauthorized third parties. The DPC found that Met

OpenAI OpCo LLC: Non-compliance with general data processing principles

€15,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 15 million on OpenAI in connection with the operation of the generative AI chatbot “ChatGPT”. The DPA found that OpenAI had violated provisions of the GDPR, inter alia, by failing to notify the DPA of a data breach that occurred in 2023, by using users' personal data to train ChatGPT without providing a valid legal basis for such processing, and by violating the principle of transparency. Additionally, OpenAI did not implement age verification, potential

PLAY FUL KIDS, S.L.: Insufficient legal basis for data processing

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA imposed a fine of EUR 3,000 on PLAY FUL KIDS, S.L. due to an incident that occurred during a children's birthday party on the premises of the controller involving guests and employees. Following the event, the guests posted negative reviews on Google. In response, the data controller shared surveillance footage showing minor guests without a valid legal basis via WhatsApp to pressure the guests into withdrawing their reviews.

Municipality of Vejen: Insufficient technical and organisational measures to ensure information security

€26,800 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 26,800 on the municipality of Vejen. The municipality had suffered a security incident involving the theft of three unencrypted computers containing information about children. During its investigation, the DPA found that 300 other computers were not encrypted either.

20 AÑOS DE MÚSICA A.I.E.: Non-compliance with general data processing principles

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on 20 AÑOS DE MÚSICA A.I.E. A person had filed a complaint with the DPA due to the fact that, in order for minors to attend concerts organized by the controller, powers of attorney from their legal guardians as well as copies of the identity documents of both the legal guardians and the minors were required. During its investigation, the DPA found that such extensive data collection would not have been necessary and violated the principle of data minimization.

Club Balonmano Gijón: Insufficient legal basis for data processing

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on Club Balonmano Gijón. The sports club had published pictures of minors without the consent of parents. The original fine of EUR 1,000 was reduced to EUR 800 due to immediate payment and admission of responsibility.

DQG NORTE A.I.E: Non-compliance with general data processing principles

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on DQG NORTE A.I.E. A person had filed a complaint with the DPA due to the fact that, in order for minors to attend concerts organized by the controller, powers of attorney from their legal guardians as well as copies of the identity documents of both the legal guardians and the minors were required. During its investigation, the DPA found that such extensive data collection would not have been necessary and violated the principle of data minimization. The DPA

ASSOCIACIO OASIS CULTURAL: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on ASSOCIACIO OASIS CULTURAL. A discotheque operated by the controller had published videos of dancing minors on a social media account without providing a valid legal basis for the publication.

City of Hafnarfjörður: Non-compliance with general data processing principles

€18,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 18,600 on the city of Hafnarfjörður. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the

Reykjanesbær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Reykjanesbær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes oth

Garðabær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Garðabær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other t

City of Kópavogur: Non-compliance with general data processing principles

€20,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 20,000 on the city of Kópavogur. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city

City of Reykjavik: Non-compliance with general data processing principles

€13,300 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 13,300 on the city of Reykjavik. The city had used the Google Education system in schools without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified

Östersund Municipality's Department for Children and Education: Insufficient technical and organisational measures to ensure information security

€26,500 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 26,500 on the Östersund Municipality's Department for Children and Education. The authority had failed to carry out a data protection impact assessment before introducing the digital school platform Google Workspace in 24 schools in the municipality.

Private individual: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on a private individual. The person had recorded a video of a violent incident involving minors without a valid legal basis.

TikTok Limited: Non-compliance with general data processing principles

€345,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 345 million on TikTok Limited. The DPC conducted an investigation primarily focused on the processing of personal data between July 31, 2020, and December 31, 2020. During their investigation, the DPC found that the profiles of child users were set to public access by default. As a result, the DPC concluded that TikTok had failed to implement appropriate technical and organizational measures to ensure that only necessary personal data was being proc

Robin Srl: Non-compliance with general data processing principles

€25,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 25,000 on Robin Srl. The controller had unlawfully published images of minors that were not sufficiently blurred in the context of reporting on a violent incident.

ODRIA COSTAS INTERNACIONAL, S.L.: Non-compliance with general data processing principles

€6,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on ODRIA COSTAS INTERNACIONAL, S.L. A data subject had filed a complaint with the DPA because the controller had published a picture of their residence on their website, which, however, also showed their underage daughters. The data subject had not consented to the publication of the children's images. The original fine of EUR 10,000 was reduced to EUR 6,000 due to voluntary payment and acknowledgement of responsibility.

NANDIVALE, S.L: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on NANDIVALE, S.L. The controller had uploaded images on social media of a party at its premises showing minors. The mother of a child had filed a complaint due to the fact that she had not given her consent to the publication of the images. The DPA therefore found that the controller had unlawfully processed the images in the absence of a valid legal basis.

TikTok: Non-compliance with general data processing principles

€14,500,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined TikTok EUR 14.5 million. The ICO had found that more than one million British children under the age of 13 were using TikTok without the consent of their parents. The ICO criticized TikTok for failing to implement adequate controls to identify and remove underage children from its platform. Further, the ICO found that TikTok did not provide users of the platform with sufficient and easily understandable information about the collection, use and disclosure of their data

CASAL DE L'ESPLUGA DE FRANCOLÍ: Insufficient legal basis for data processing

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on CASAL DE L'ESPLUGA DE FRANCOLÍ. A club managed by the controller had uploaded pictures of a competition showing minors on social media. The mother of a child had filed a complaint because she had not given her permission for the pictures to be published. The DPA therefore determined that the controller, in the absence of a valid legal basis, had unlawfully processed the images. The original fine of EUR 5000 was reduced to EUR 3000 due to voluntary payment a

Dalarna Region: Insufficient technical and organisational measures to ensure information security

€17,900 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 17,900 on Dalarna Region. The region had sent out invitations for patient visits where the respective healthcare facility, such as a children's hospital, was visible on the envelope window. The DPA found that this visibility allowed unauthorized persons to gain access to patients' personal data. The DPA concluded that the region had failed to implement adequate technical and organizational measures to protect personal data.

Daycare center: Insufficient technical and organisational measures to ensure information security

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a four-figure fine on a daycare center that had disposed of documents containing personal data of children and their parents in a publicly accessible waste container.

TECHPUMP SOLUTIONS S.L.: Non-compliance with general data processing principles

€525,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined Techpump Solutions S.L. EUR 525,000. Techpump operates several websites with adult content. The DPA found several violations of data protection law during its investigation. Firstly, the DPA found that, contrary to the specified information in the privacy policy, Techpump shared users' personal data with companies belonging to the same group. In addition, the DPA found that Techpump had not specified a retention period for users' personal data and kept it indefinitely u

Meta Platforms, Inc.: Non-compliance with general data processing principles

€405,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 405,000,000 on Meta Platforms, Inc. (Instagram). Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The initial draft proposed a fine of EUR 30-50 million. The DPC subsequently received objections from six supervisory authorities, which led to a dispute resolution procedure at the European Data Protection Board (EDPB) in Brussels. In its decision, the EDPB requested

Private individual: Insufficient legal basis for data processing

€2,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 2,000 on a private individual. The individual had taken photos of a group of minors as well as police officers without their consent and later uploaded them to Facebook.

City of Reykjavík: Insufficient legal basis for data processing

€36,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 36,000 on the City of Reykjavík. The city had used the digital education system 'Seesaw' at several schools. The student system processed, among other things, personal data of minor students such as teacher feedback and information about students' private affairs. During its investigation, the DPA found that the purpose of the processing of the children's data had not been sufficiently clearly defined. In this context, the DPA also found a breach of th

Educationest s.r.l.: Insufficient legal basis for data processing

€1,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Educationest s.r.l. EUR 1,000. The daycare center had sent an email to the families of the children in its care, informing them of the pregnancy and the maternity leave of one of the educators. The daycare center had written the e-mail to prevent rumors about the teacher's absence (e.g. a COVID illness) and to protect her. However, the educator had not consented to the disclosure of her pregnancy status. The DPA therefore found that Educationest had unlawfully processe

Dutch Tax and Customs Administration: Non-compliance with general data processing principles

€3,700,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 3.7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA. As part of its investigation, the DPA found a number of violations of the GDPR. The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. The administration had processed personal data such as health, citizenship, an

Slane Credit Union Ltd.: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 5,000 on Slane Credit Union Ltd. The controller had notified the DPA of a data breach in 2018. Due to an error in a search engine optimization tool installed on the controller's website, four reports of member inquiries containing personal member data were unintentionally published. The incident affected 76 members, including minors, and their personal data such as names, addresses, gender, birth dates, account numbers, etc. The DPA found that the controll

Sports photography company: Insufficient legal basis for data processing

Data Protection Authority of Berlin

The DPA of Berlin has imposed a fine on a sports photography company. A sports photographer had published over 16,000 photos of minors who had taken part in a swimming competition on the company's freely accessible website. During its investigation, the DPA found that the parents of the minors had not consented to the capturing and publication of the images.