
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions


Municipality of Gooise Meren: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Gooise Meren. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism step

Municipality of Veenendaal: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Veenendaal. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Municipality of Eindhoven: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Eindhoven. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Tilburg: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped u

Municipality of Haarlemmermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Haarlemmermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism st

Municipality of Hilversum: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Ede: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Ede. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up me

Municipality of Huizen: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Huizen. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Delft: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Delft. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Zoetermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Zoetermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

FRANCE TRAVAIL: Insufficient technical and organisational measures to ensure information security

€5,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000,000 on FRANCE TRAVAIL. The controller suffered a successful cyber attack due to insufficient technical and organisational measures, resulting in the leak of personal and special category data concerning 38,820,828 individuals. The attack was carried out using the 'social engineering' method, meaning that the attacker obtained goods or information by exploiting the trust, ignorance or credulity of third parties.

Komendanta Miejskiego Policji w Krakowie: Non-compliance with general data processing principles

€18,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 18,500 on the Komendanta Miejskiego Policji w Krakowie. The controller published personal data, including health data, of a data subject who had been involved in a police investigation, which was not necessary for the purpose of the publication.

Polish Postal Service: Lack of appointment of data protection officer

€232,379 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 232,379 on the Polish Postal Service. The controller appointed a person as DPO who also held a managerial position with authority over security and classified information protection issues. However, the controller failed to conduct an analysis to ensure the DPO's independence. Furthermore, the controller was unable to ensure that the DPO could fulfil their role without any conflicts of interest.

SLOVAKIA DPA: Insufficient legal basis for data processing

Slovak Data Protection Office

Personal data have been unlawfully published on the website of a city within the framework of fulfilling its disclosure obligation under the Freedom of Information Act. However, the Data Protection Authority stated that the City had published the personal data in violation of the law and without the consent of the person concerned.

Comune di Nave: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Comune di Nave. The controller has installed an automatic licence plate recognition system which processes data on when a car passes a specific control point. This data is stored for seven days, after which it is automatically deleted. The system is also connected to the Motor Vehicle Registry and automatically verifies the passing vehicle's insurance coverage, periodic inspection and environmental class. This data processing occurred witho

Arnhem and Nijmegen University of Applied Sciences: Insufficient technical and organisational measures to ensure information security

€175,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 175,000 on Arnhem and Nijmegen University of Applied Sciences. The controller suffered a data breach due to insufficient technical and organisational measures.

Roverbella Comprehensive School: Insufficient legal basis for data processing

€1,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 1,000 on Roverbella Comprehensive School. The controller has sent an email containing a reminder about the vaccination of pupils under the age of 16, along with an undisclosed list of recipients.

Comune di Tuscania: Non-compliance with general data processing principles

€12,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 12,000 on the Comune di Tuscania. The controller had been using video surveillance and licence plate recognition within its territory for the purposes of territorial security and supervising separate waste collection at recycling centers. However, the controller did not put up any relevant signs containing the privacy policy or warning signs. The controller also failed to enter into data processing agreements with processors handling data on its behalf,

Powiatowego Inspektora Sanitarnego w Policach: Insufficient technical and organisational measures to ensure information security

€4,750 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 4,750 on the Powiatowego Inspektora Sanitarnego w Policach. The controller failed to implement adequate technical and organisational measures to ensure data security, which resulted in a data breach due to an employee losing an unencrypted USB flash drive with personal health data and data regarding administrative proceedings.

Comune di Orte: Non-compliance with general data processing principles

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Comune di Orte. The controller implemented video surveillance on its territory in a manner that did not comply with the basic principles of data processing.

ASOCIACIÓN ESCUELA NACIONAL DE EQUITACIÓN: Insufficient cooperation with supervisory authority

€750 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 750 on the ASOCIACIÓN ESCUELA NACIONAL DE EQUITACIÓN. The controller failed to certify compliance with the corrective measures imposed by the DPA, resulting in the DPA issuing a fine.

SIA 'ZZ Dats': Insufficient technical and organisational measures to ensure information security

€300,000 fine - Data State Inspectorate (DSI)

The Latvian DPA has imposed a fine of EUR 300,000 on SIA 'ZZ Dats'. The entity that was fined was the data processor for almost all local governments in Latvia. It failed to implement adequate technical and organisational measures to ensure data security, resulting in a data breach. The entity appealed the decision to the Riga City Court.

Comune di Avola: Lack of appointment of data protection officer

€2,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2,000 on the Comune di Avola. The controller failed to communicate the DPO's contact details to the DPA.

Ordine degli Avvocati di Latina: Insufficient legal basis for data processing

€15,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 15,000 on the Ordine degli Avvocati di Latina. The controller published a document relating to criminal proceedings that included personal data. There was no legal basis for publishing the personal data contained within it.

'Statista Aldo Moro' Higher Education Institute in Fara Sabina: Insufficient legal basis for data processing

€4,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 4,000 on the 'Statista Aldo Moro' Higher Education Institute in Fara Sabina. The controller published a protocol of disciplinary proceedings on its institutional website which included the personal data of the individual concerned.

Court Bailiff: Insufficient fulfilment of data breach notification obligations

€5,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 5,000 on a court bailiff. The controller forwarded a letter containing personal data to the wrong person, failing to inform either the affected data subjects or the DPA.

Mayor of the Municipality of Calvi Risorta: Insufficient legal basis for data processing

€1,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 1,000 on the Mayor of the Municipality of Calvi Risorta. The controller published citizens' health data during the Covid-19 pandemic without a sufficient legal basis.

Municipality of Moschato–Tavros: Insufficient legal basis for data processing

€10,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 10,000 on the Municipality of Moschato–Tavros. The controller installed a video surveillance system in a depot to protect municipal vehicles. However, the controller failed to ensure, during the design phase, that the cameras only processed the necessary data. They also failed to adequately inform their employees and record the processing activities.

Provincia Autonoma di Bolzano: Non-compliance with general data processing principles

€32,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 32,000 on the Provincia Autonoma di Bolzano. The controller implemented video surveillance with automated licence plate recognition capabilities for vehicles, with the aim of guiding policies on mobility and infrastructure and preventing and investigating crimes. However, the controller did not comply with the basic principles of the GDPR, nor did they adequately comply with the DPA.

Comune di Pazzano: Insufficient cooperation with supervisory authority

€3,960 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 3,960 on the Comune di Pazzano. The controller failed to comply with an order of the DPA.

Municipality of Buccino: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Municipality of Buccino. The controller published pictures of minors and people with mental health conditions in multiple Facebook posts without a sufficient legal basis. The controller also failed to adequately communicate the contact details of the DPO.

Comune di Nichelino: Insufficient legal basis for data processing

€18,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 18,000 on the Comune di Nichelino. The controller published the sensitive personal data of a former employee, including the decision to terminate their full-time employment, on its website without a sufficient legal basis.

Ministry of the Interior - Department of Firefighters, Public Rescue, and Civil Defense - Provincial Command of Florence: Non-compliance with general data processing principles

€12,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 12,000 on the Ministry of the Interior. During the Covid-19 pandemic, the controller published a list of employees with names and vaccination statuses in an internal Telegram group with approximately 260 members.

Police Officer: Insufficient legal basis for data processing

€230 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of £200 (EUR 230) on a police officer. The controller forwarded sensitive and restricted personal data that he had obtained in the course of his work to his personal email address.

Comune di Venezia: Non-compliance with general data processing principles

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on the Comune di Venezia. The controller implemented a tourist tax, which includes exceptions for certain groups of visitors. When determining whether a person was entitled to be excluded from the tourist tax, the controller's data processing did not comply with the basic principles of the GDPR.

Order of Nursing Professions of Viterbo: Insufficient technical and organisational measures to ensure information security

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on the Order of Nursing Professions of Viterbo. The controller suffered a data leak due to insufficient technical and organisational measures to ensure data security.

Comune di Conversano: Lack of appointment of data protection officer

€3,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 3,000 on the Comune di Conversano. The controller failed to correctly appoint a DPO.

Istituto Comprensivo 2 C.D. “G. Modugno” S.M. “G. Galilei” di Monopoli: Insufficient legal basis for data processing

€4,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 4,000 on Istituto Comprensivo 2 C.D. “G. Modugno” S.M. “G. Galilei” di Monopoli. The controller published a list with the names of pupils with disabilities on its website without a sufficient legal basis.

Nursery School “La Combricola Dei Birichini Di Betty”: Non-compliance with general data processing principles

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on the Nursery School “La Combricola Dei Birichini Di Betty”. The controller only accepted new children if their parents agreed that they could take and use pictures of them for marketing purposes. This resulted in excessive posting of children's pictures on the internet, which did not comply with the GDPR's basic principles.

Alliance for the Union of Romanians Party: Non-compliance with general data processing principles

€25,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 25,000 on the Alliance for the Union of Romanians Party. The controller did not implement adequate technical and organisational measures to ensure data security, which resulted in a data breach. The controller also processed personal data without a sufficient legal basis.

Municipal Social Welfare Center Aleksandrów: Insufficient technical and organisational measures to ensure information security

€3,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 3,500 on the Municipal Social Welfare Center in Aleksandrów. The controller did not implement sufficient technical and organisational measures to ensure information security, resulting in a data breach.

City of Dublin Education and Training Board: Insufficient technical and organisational measures to ensure information security

€125,000 fine - Data Protection Authority of Ireland

The Irish DPA has imposed a fine of EUR 125,000 on the City of Dublin Education and Training Board. The controller suffered a data breach due to insufficient technical and organisational measures, concerning around 13,000 data subjects. The controller also failed to inform the DPC and the data subjects without undue delay.

COLEGIO VIRGEN DE EUROPA, S.L.: Insufficient legal basis for data processing

€24,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA imposed a fine of EUR 24,000 on COLEGIO VIRGEN DE EUROPA, S.L. An employee of the controller, a school, took pictures of minor pupils without a sufficient legal basis and without informing the data subjects or their legal guardians. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and admission of responsibility by the controller.

Department of Social Security: Insufficient legal basis for data processing

€550,000 fine - Data Protection Authority of Ireland

The Irish DPA imposed a fine of EUR 550,000 on the Department of Social Security. The controller uses the so-called SAFE 2 registration process for anyone applying for a Public Services Card. The SAFE 2 registration, which is mandatory, processes biometric data without a sufficient legal basis. The controller also failed to adequately inform data subjects with regard to the processing and to conduct a data protection impact assessment.

Kristiansand municipality: Insufficient legal basis for data processing

€22,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA imposed a fine of EUR 22,000 on Kristiansand municipality. The controller offers a helpline for children who have become victims of violence, abuse or neglect. The website of the helpline uses tracking pixels, resulting in the providers of those pixels gaining access to personal data of the data subjects without a sufficient legal basis.

MP Dumitru Viorel Focșa: Insufficient legal basis for data processing

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 1,000 on the MP Dumitru Viorel Focșa. The controller published a post on social media containing personal data of a third person. The controller did not have a sufficient legal basis.

Health Protection Agency of the Metropolitan City of Milan, Workplace Prevention and Safety Service, Milan North: Insufficient legal basis for data processing

€7,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 7,000 on Health Protection Agency of the Metropolitan City of Milan, Workplace Prevention and Safety Service, Milan North. The controller forwarded health data of a data subject to their employer without a sufficient legal basis.

Municipality of Bologna: Insufficient technical and organisational measures to ensure information security

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 40,000 on the Municipality of Bologna. The controller used a data processor (Cooperativa Sociale Quadrifoglio | ETid: 2274) to process data, including health data, of children with disabilities and special needs. The controller failed to ensure that the processor had sufficient technical and organisational measures to ensure data security, resulting in a data leak.

Ordine degli psicologi della Lombardia: Insufficient technical and organisational measures to ensure information security

€30,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed a fine of EUR 30,000 on Ordine degli psicologi della Lombardia. The controller suffered a data breach due to insufficient technical and organisational measures.

Municipality of San Francesco al Campo: Non-compliance with general data processing principles

€1,200 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 1,200 on the Municipality of San Francesco al Campo. The controller published the personal data of employees on its website, thereby violating the principle of data minimisation.