Regulatory actions, fines, warnings, and enforcement decisions
€9,450 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 9,450 on a Gynecological Center. The controller sufferd a data breach and failed to report this to the DPO.
€5,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 5,000 on a court bailiff. The controller forwarded a letter containing personal data to the wrong person, failing to inform either the affected data subjects or the DPA.
€870 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA has imposed a fine of EUR 870 on a company. After being informed of a data breach, the controller took adequate measures to close it but failed to inform the DPA.
€1,100 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 1,100 on ADMINISTRACIONES BENIPON, S.L. The processor failed to notify the controller of a data breach and also used a sub-processor without prior consent and without an legal agreement.
€6,900 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a district hospital in Września EUR 6,900 for failing to report a data breach to the DPA and data subjects in a timely manner. A patient had accidentally received another individual's medical records and was able to access their personal data.
€940,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened , meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller
€210 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an association EUR 210 for failing to report a data breach to the DPA in a timely manner.
€10,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has fined Azienda sanitaria locale Roma 3 EUR 10,000 for failing to report a data breach to the DPA in a timely manner and to properly document the data breach.
€18,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Toyota Bank Polska S.A. EUR 18,000 for failing to report a data breach to the DPA in a timely manner.
€326,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Santander Bank Polska S.A. EUR 326,000 for failing to report a data breach to the DPA and data subjects in a timely manner.
€800,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the
€36,000 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine on HISPAPOST, S.A.. The police had found over a thousand abandoned letters containing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment.
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
€6,000 fine - Data Protection Authority of Hamburg
The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner.
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined the District Court in Krakow EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
€5,900 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA fined a controller EUR 5,900 for failing to report a data breach in a timely manner and for not cooperating with the DPA.
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an insurance company EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Link4 Towarzystwo Ubezpieczeń S. A. EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
€2,500 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a company EUR 2,500 for failing to report a data breach to the DPA and data subjects.
€220,000 fine - Norwegian Supervisory Authority (Datatilsynet)
The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA of a data breach that involved personal data of all its European employees within 72 hours. ---UPDATE--- The controller appealed against the decision to the DPA, but the appeal was dismissed.
€11,100 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 11,100 on a housing cooperative. The controller had disclosed personal data of a member of the cooperative to an unauthorized person. The incident was recorded in an internal register of violations, however the controller failed to inform the DPA and the data subject of the incident in a timely manner.
€40,000 fine - Hellenic Data Protection Authority (HDPA)
The Hellenic DPA has imposed a fine of EUR 40,000 on Vodafone. An individual had filed a complaint with the DPA because, following a request for access to records of conversations with a Vodafone call center, Vodafone had provided them with another customer's conversations. Vodafone in addition failed to report this incident to the DPA in a timely manner.
€321 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 321 on a housing association. The controller had suffered a data breach involving the theft of documents, including a copy of a notarial deed. During its investigation, the DPA found that the controller had both failed to report the data breach to the DPA in a timely manner and to notify the data subjects affected by the incident. Further, the DPA found that the controller had not adequately checked if the processor provided sufficient guarantees to imple
€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
The Romanian DPA has fined Dent Estet Clinic SA (dental practice) EUR 1,000. An employed dentist at the practice had published medical information of a patient, such as photos and X-rays, in an article on a medical blog. However, the dentist failed to obtain the patient's consent before publishing the medical data. Although the patient had informed the clinic, it failed to notify the DPA of the data breach in a timely manner.
€9,000 fine - Data Protection Authority of Sachsen-Anhalt
The DPA of Sachsen-Anhalt has imposed a fine of EUR 9,000 on Magdeburg University Hospital. The clinic had failed to report to the DPA a data breach involving a former employee having unlawfully disclosed personal data from the clinic's systems to third parties.
€2,120 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 2,120 on the University Hospital of the Medical University of Warsaw. The university hospital had suffered a data breach in which a patient had received a referral from a doctor that contained, among other things, personal data (name, address, etc.) of another patient. The DPA found that neither the doctor nor the hospital informed the patient or the DPA about the data breach.
€12,450 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 12,450 on the public cartography institute Głównego Geodetę Kraju. The institute had suffered a data breach in which numerous land register numbers were visible on the institute's website for more than 48 hours. The land register number allows a number of owners' data to be determined, including their first and last names, the names of their parents and the address of the property. The institute had failed to report the breach to the DPA, with the result
€1,600 fine - Spanish Data Protection Authority (aepd)
The spanish DPA has fined URQUÍA & BAS, CORREDURÍA DE SEGUROS S.L.for failing to report a data breach to the DPA in a timely manner. The original fine of EUR 2,000 was reduced to EUR 1,200 due to voluntary payment and admission of responsibility.
€3,500 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Esselmann Technika Pojazdowa Sp. z o.o. Sp. k. EUR 3,500. The controller had suffered a data breach during which a certificate of employment containing personal data of an employee got lost. The controller failed to report this data breach to the DPA and thus violated Art. 33 GDPR.
€117,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Santander Bank Polska S.A. EUR 118,000 for failing to notify data subjects of a data breach. A former employee of the bank managed to gain unauthorized access to a database for electronic services. Among other things, this allowed numerous Santander customers' data to be accessed. Due to the high risk for the data of the data subjects, the bank would have been obliged to inform them of the data breach. However, the bank deliberately refrained from doing so and continued
Data Protection Authority of Bremen
The DPA from Bremen has fined a company for failing to inform the DPA pursuant to Art. 33 GDPR that an employee's business email account had been hacked.
€78,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA (UODO) has imposed a fine of EUR 78,000 on Bank Millennium S.A.. The UODO had become aware of a data protection breach following a complaint against the bank. It turned out that correspondence sent by the bank through a courier service containing personal data such as first name, last name, PESEL number, home address, account numbers and identification numbers of customers, had been lost. In this regard, the UODO found that the bank had failed to report the incident to the DPA and
€3,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA (UODO) has imposed a fine of EUR 3,000 on the Fundację Promocji Mediacji i Edukacji Prawnej Lex Nostra Foundation for the promotion of mediation and legal education. The controller had not immediately informed the DPA and the data subjects about a personal data breach. Several folders containing personal data had been stolen from the controller in early 2020. These included the names, addresses and telephone numbers, and in 3 to 4 cases also the PESEL numbers (Polish identificatio
€35,300 fine - Polish National Personal Data Protection Office (UODO)
The controller had sent an email to that contained personal data of a customer to the wrong recipient. The leaked data included data such as the name, postal address of the data subject and insurance details. In this context the controller had not informed either the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours.
€30,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA (UODO) fined Enea S.A. EUR 30,000 for the controller's failure to report a personal data breach, in violation of Art. 33 (1) GDPR. The DPA received information about a personal data breach from a person who had become an unauthorized recipient of personal data. The breach consisted of sending an email with an unencrypted, non-password protected attachment that contained personal data of several hundred individuals. The sender of the email was an employee of the sanctioned controll
€19,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA (UODO) imposed a fine of EUR 19,000 on a hospital operator. A former employee had unlawfully copied the personal data of 100 patients from the hospital's computer network. The leaked data included the social security number, name, date of birth, address and telephone number of the data subjects. Although the controller considered the potential risk to the data subjects to be high, she had not informed the data subjects about the incident. The DPA then requested the controller to i
€5,500 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA (UODO) imposed a fine of PLN 25,000 (EUR 5,500) on the Medical University of Silesia. In the course of exams held in the form of videoconferences at the end of May 2020, identification of students took place. Once the exam was completed, the recordings of the exams were available not only to the examinees, but also to other people with access to the system. In addition, any outsider could access the records of the examinations and the data of the examined students presented during
€18,930 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA (UODO) fined Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. EUR 18,930 for a breach of Art. 33 (1) GDPR and Art. 34 (1) GDPR. In May 2020, the DPA received a notification from a third party about a personal data breach involving an insurance agent acting as a processing agent for Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A. who sent an insurance policy to an unauthorized addressee by email. The document contained personal data concerning, among others, surnames, first name
€450,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) fined Twitter International Company EUR 450,000 for violating Art. 33 (1) GDPR and Art. 33 (5) GDPR for failing to notify the DPA in a timely manner of a data breach and not adequately documenting that breach. The data breach concerned the privacy settings of user posts on the social media platform Twitter. There, users have the option to set the visibility of their posts to private or public. Private posts can only be seen by subscribers of the respective user profile, while
€475,000 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA (Autoriteit Persoonsgegevens) has fined Booking.com EUR 475,000 for not reporting a data breach to the DPA in a timely manner. In December 2018, criminals gained access to the data of 4,109 people who had booked a hotel room through the booking site. That included their names, addresses and phone numbers, as well as details about their booking. The criminals also accessed the credit card data of 283 people and managed to access the credit card's security code in 97 cases. Furthermo
€18,850 fine - Polish National Personal Data Protection Office (UODO)
An insurance agent hired by the controller had sent an email to unauthorized third parties in regard to insurance policies that contained personal data of two of the company's customers after they had mistakenly provided false email addresses. The leaked data included data such as the names, email adresses and postal addresses of the data subjects. The controller had not informed either the Polish DPA nor the data subjects about the data breach in a timely manner within 72 hours. The controller
€15,000 fine - Cypriot Data Protection Commissioner
The data subject made a claim for access to information according to Art. 15 GDPR, which could not be answered, since the insurance contract of the data subject could not be found and has been lost. This constituted a violation of the rights of the data subject under Art. 15 GDPR as well as a violation of the obligations to protect personal data according to Art. 5 (1) f) GDPR and Art. 32 GDPR. In addition, the Data Breach Notification Obligations pursuant to Art. 33 f. GDPR have also been viola
€3,600 fine - Spanish Data Protection Authority (aepd)
Although the company had taken steps to remedy a data breach, it had not informed the AEPD sufficiently. As a result, the AEPD imposed a fine of EUR 4,800, which was reduced to EUR 3,600 due to voluntary payment.
€40,000 fine - Data Protection Authority of Ireland
The organization sent a letter with abuse allegations to a third party who then uploaded it to social networks.
€7,500 fine - Dutch Supervisory Authority for Data Protection (AP)
The Dutch DPA (AP) fined the Overijssel local branch of the PVV party EUR 7,500 for failing to notify the AP of a personal data breach, in violation of Art. 33 GDPR. An email regarding the convening of a meeting had been sent via an open distribution list due to a human error. Since the total of 101 recipients were addressed as 'Friends of the PVV' in the email, the political beliefs of the data subjects were thus disclosed to all addressees.
€18,700 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)
The DPA's decision shows that it took almost five months for the company to notify the data subjects of a data breach and almost three months for the DPA to receive a notification of a data breach concerning an security lack of IT systems of the company.
€7,400 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
A military hospital did not meet the reporting deadline for data breaches. Another part of the fine relates to a lack of technical and organisational measures.
€15,150 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
The data controller did not fulfil its data breach notification obligations when a flash memory with personal data was lost.
€286 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)
The employee of the Directorate sent by mistake 9 letters to the wrong recipient, which contained personal data of 18 data subjects (including data of children, criminal data and data related to the private life of the data subjects). The recipient informed the Directorate by telephone 5 days after the posting that it received certain letters by mistake. The Directorate notified NAIH on the data breach only weeks later.
€61,500 fine - Lithuanian Data Protection Authority (VDAI)
During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller. In addition, it became known that from 09 - 10 July 2018 payment data were publicly available on the internet due to inadequate technical and organisational measures. 9,000 payments with 12 banks from different countries were affected. According to the supervisory authority, a data breach notification pursua