
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

CLUB BALONCESTO TELDE: Insufficient legal basis for data processing

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,000 on the club BALONCESTO TELDE. The controller published an image of a minor without the consent of the minor's representative.

CLUB BALONCESTO TELDE: Insufficient legal basis for data processing

€1,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish Data Protection Authority (DPA) has imposed a fine of EUR 1,000 on the basketball club BALONCESTO TELDE. The controller published a photo of a minor without the consent of the minor's legal representative.

COLEGIO VIRGEN DE EUROPA, S.L.: Insufficient legal basis for data processing

€24,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 24,000 on COLEGIO VIRGEN DE EUROPA, S.L. An employee of the controller, a school, took photos of minor pupils without a sufficient legal basis and without informing the data subjects or their legal representatives. The original fine of EUR 40,000 was reduced to EUR 24,000 due to immediate payment and the controller's acknowledgement of responsibility.

SERVICIOS ESPECIALES, S.A.: Non-compliance with general data processing principles

€120,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on SERVICIOS ESPECIALES, S.A. The case concerned a breach of the GDPR during an internal investigation into a labour dispute: the company shared a report by e-mail with the staff representatives and 15 other employees. The report contained the full names, job titles and details of the complaints of the persons involved. The DPA found that this disclosure violated Art. 5 (1) f) GDPR because the company had not ensured the confidentiality of the personal data. The original fine of EUR 200,000 was reduced to...

President of a workers' council: Non-compliance with general data processing principles

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on the president of the workers' council of a company following a complaint by a former employee. During their employment, the company carried out a collective redundancy procedure that affected the employee. The council had publicly posted a record of a meeting between the employee representatives and the works council, which contained a list of the employees affected with personal data such as names, ID card numbers, dates of birth, etc. The original fine of

Clearview AI Inc.: Non-compliance with general data processing principles

€30,500,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Clearview AI Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company's database had been processed u

Ew Business Machines S.p.A.: Non-compliance with general data processing principles

€20,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 20,000 on Ew Business Machines S.p.A. The controller had installed a video surveillance system that not only recorded images in real time, but also made audio recordings, capturing employees. Both the company's legal representative and their family had access to these recordings via a smartphone. During its investigation, the DPA found that the employees were not adequately informed about the additional audio monitoring. In addition, the company used an

Company: Insufficient fulfilment of information obligations

€13,300 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The Hungarian DPA has imposed a fine of EUR 13,300 on a company. A customer had filed a complaint with the DPA because a conversation, which they had with a sales representative of the controller, had been recorded without them being informed about this. The DPA considered this to be a breach of the controller's information obligations under the GDPR.

Cypriot Ministry of the Interior: Non-compliance with general data processing principles

€8,000 fine - Cypriot Data Protection Commissioner

The Cypriot DPA has imposed a fine of EUR 8,000 on the Cypriot Ministry of the Interior. The Ministry of Interior had unlawfully transmitted personal data of employees to the House of Representatives.

Sindicato Intersectorial Trabajadores/as Provincia de Alicante: Non-compliance with general data processing principles

€2,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 2,000 on the Sindicato Intersectorial Trabajadores/as Provincia de Alicante union. The union published the protocols of a works council on their bulletin board and in a WhatsApp group. As a result, the handwritten signatures of all union representatives on the works council were published.

Senseonics Inc.: Non-compliance with general data processing principles

€45,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 45,000 on Senseonics Inc. The company had reported a data breach to the DPA pursuant to Art. 33 GDPR, involving an employee accidentally sending an information campaign by email to a large number of recipients in an open distribution list. This made it possible for all recipients to view the email addresses of the other recipients. The recipients of the e-mails were diabetic patients, making it possible to obtain information about the health status of th

Otavamedia Oy: Insufficient fulfilment of data subjects' rights

€85,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 85,000 on Otavamedia Oy. The DPA had received eleven complaints regarding Otavamedia between 2018 and 2021. The complaints primarily concerned the lack of response to inquiries from data subjects. Otavamedia explained that some of the privacy requests had not been fulfilled due to a technical problem with email management. During the incident, messages received in the privacy inquiry email box were not forwarded to customer service representative

Company: Insufficient legal basis for data processing

€3,400 fine - Czech Data Protection Authority (UOOU)

The Czech DPA imposed a fine of EUR 3,400 on a company. The data subject had concluded an energy supply contract with the controller in the past, but then duly terminated it. Nevertheless, the controller assigned the previously terminated contract to a processor (sales representative) in order to contact the data subject to conclude a new contract. The DPA found that the controller had unlawfully transferred the data subject's data to the sales agent, as in the absence of an existing contract it

EDP Energía, S.A.U: Insufficient fulfilment of information obligations

€1,500,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Energía, S.A.U. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. B

EDP Comercializadora, S.A.U.: Insufficient fulfilment of information obligations

€1,500,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Comercializadora, S.A.U. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being inco

I-DE Redes Eléctricas Inteligentes, S.A.U: Non-compliance with general data processing principles

€200,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) imposed a fine of EUR 200,000 on I-DE Redes Eléctricas Inteligentes, S.A.U. The DPA received complaints from Waitum, S.L. and Servicios Aby 2018, S.L. because their customers had received letters from the controller. Both companies had previously transferred their customers' personal data to the controller under a network access agreement entered into with the controller. Under this agreement, the two companies acted as representatives of their respective customers, who we

Locatefamily.com: Non-compliance with general data processing principles

€525,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA (AP) has imposed a fine of EUR 525,000 on Locatefamily.com. Locatefamily.com is a platform where people can search for the contact information of family members they have lost contact with or other people they would like to get in touch with. The data subjects complained that their contact information (name, address, phone number) was published on the website without their knowledge. The data subjects were not able to request the deletion of their data published on the site easily,

Political Party: Insufficient legal basis for data processing

€1,500 fine - Spanish Data Protection Authority (aepd)

Sending of an e-mail to a former party member who had since resigned, with the request to act as an election representative without sufficient legal basis to process the personal data required for this purpose

TELEFONICA MOVILES ESPAÑA, S.A.U.: Insufficient legal basis for data processing

€40,000 fine - Spanish Data Protection Authority (aepd)

A sales representative failed to carefully check the identity of a claimant so that he could appear in the name of the data subject and order a telephone connection for four telephone lines in his name.

CZECH REPUBLIC DPA: Insufficient legal basis for data processing

Czech Data Protection Authority (UOOU)

The Czech DPA (UOOU) imposed a fine against a company for processing personal data without a sufficient legal basis. Several individuals were contacted by the sales staff of the controller for advertising purposes. The data subjects had used the services of the sales staff in the past (until around 2016) to conclude insurance or financial contracts. However, at that time, the sales staff were working for a different company with which they had concluded an agency contract. The DPA notes that on t

Representative of a local government: Insufficient legal basis for data processing

€290 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

A local representative took a photo of the director of a company fully owned by the local government depicting the director allegedly tearing off an election poster of the opposition in the company of his child. The local representative uploaded the photo to his Facebook page. The child’s image was blurred, yet it was hinted in the post that she was the daughter of the director. The director told the local representative at the scene that he does not consent to the taking of the photo. NAIH dete

Unknown Company: Non-compliance with general data processing principles

€1,430 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The employer restored the mailbox of a director who had left the company a year before and found an email containing a work-related document. The director received no warning that his former inbox would be activated and did not have a chance to copy / delete his private data (passwords and financial information). According to NAIH, an employee or a representative should be present when the employee's data is being accessed, even if the employment has been terminated. Employees should be able to

Commercial representative of telecommunication service provider: Insufficient legal basis for data processing

€11,760 fine - Commission for Personal Data Protection (KZLD)

The pecuniary sanction of EUR 11,760 was imposed on the commercial representative of a telecommunications service provider for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of a contract for mobile services and leasing contracts.

Telecommunication service provider: Insufficient legal basis for data processing

€1,022 fine - Commission for Personal Data Protection (KZLD)

The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.

Telecommunication service provider: Insufficient legal basis for data processing

€5,113 fine - Commission for Personal Data Protection (KZLD)

The pecuniary sanctions of EUR 1,022 and EUR 5,113 were imposed on a telecommunications service provider and its commercial representative in Bulgaria for unlawful processing of the personal data of a data subject. The personal data of the data subject was unlawfully processed for the conclusion of service contracts without his knowledge or consent.

Oslo Municipal Education Department: Insufficient technical and organisational measures to ensure information security

€120,000 fine - Norwegian Supervisory Authority (Datatilsynet)

Fine for security vulnerabilities in a mobile messaging app developed for use in an Oslo school. The app allows parents and students to send messages to school staff. Due to insufficient technical and organizational measures to protect information security, unauthorized persons were able to log in as authorized users and gain access to personal data about students, legal representatives and employees. The fine has meanwhile been reduced to EUR 120,000.