
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions


Whitedecor SRL: Insufficient legal basis for data processing

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 2,000 on Whitedecor SRL. The controller had sent marketing messages to customers without a sufficient legal basis.

Università degli Studi di Cassino e del Lazio Meridionale: Non-compliance with general data processing principles

€8,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 8,000 on the Università degli Studi di Cassino e del Lazio Meridionale. The controller failed to delete a former employee's e-mail address within a reasonable period, and also failed to respond adequately to the former employee's request to have his data deleted.

Office Nova Concept SRL: Insufficient fulfilment of data subjects rights

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 1,000 on Office Nova Concept SRL. The controller failed to respond adequately to a data subject's request to exercise his rights.

Interflora Italia S.p.A.: Insufficient legal basis for data processing

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA imposed a fine of EUR 20,000 on Interflora Italia S.p.A. The controller, who operates an online shop, used customer data for direct marketing purposes without a sufficient legal basis. The controller also failed to react to the objection of a data subject and only reacted after the data subject filed a complaint with the DPA.

BEEDIGITAL AI, S.A.: Non-compliance with general data processing principles

€120,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine against BEEDIGITAL AI, S.A. An individual had lodged a complaint with the DPA against the controller because they had received advertising from the controller even though they were registered in the advertising objection register. In the course of its investigation, the DPA found that the controller had violated the principle of confidentiality. The original fine of EUR 150,000 was reduced to EUR 120,000 due to voluntary payment.

LinkedIn: Insufficient legal basis for data processing

€310,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined LinkedIn EUR 310 million. This decision is related to an investigation following a complaint in 2018 from the French NGO 'La Quadrature Du Net'. In July 2024, the DPC issued a draft decision under the GDPR cooperation mechanism under Art. 60 GDPR, to which no objections were raised. During its investigation, the DPC found that LinkedIn had no valid legal basis for processing user data for the purposes of behavioral analysis and targeted advertising. The DPC found th

Sky Italia S.r.l.: Insufficient legal basis for data processing

€842,062 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Sky Italia EUR 842,062 for unlawful telemarketing. The investigation revealed that Sky contacted individuals without proper consent, including those registered in advertising opt-out lists and those who had given consent before the GDPR came into force—without reassessing its validity under the updated legal framework. Additionally, the documentation of consents obtained from data providers was deemed inadequate, as Sky stored consent details in modifiable Excel files, f

Fastweb S.p.A.: Non-compliance with general data processing principles

€1,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 1 million on Fastweb S.p.A. due to unauthorized telemarketing, the unlawful storage of customer data after contract termination, and inadequate responses to data deletion requests. Fastweb made marketing calls to individuals listed in the public objection register and used customer data for advertising purposes for up to 24 months after contract termination—without a legal basis. Additionally, affected customers often received delayed responses to their

Eni Plenitude S.p.A.: Non-compliance with general data processing principles

€6,419,631 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,419,631 on Eni Plenitude S.p.A. The DPA initiated an investigation against the controller due to 107 notifications and 8 complaints from data subjects regarding undesired marketing calls. It found that the controller had repeatedly called data subjects without their consent or registration in the national opt-out register. The DPA also found that a large number of the contracts concluded resulted from the illegal calls. The high number of unauthorized

A.S. Watson Health & Beauty Continental Europe B.V.: Insufficient legal basis for data processing

€50,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 600,000 on A.S. Watson Health & Beauty Continental Europe B.V. The controller had tracked visitors to their drugstore website “Kruidvat.nl” with tracking cookies without their consent. The cookie banner on the website had the boxes for consenting to the placement of tracking software pre-ticked by default. Visitors who nevertheless wanted to reject the cookies could only do so with greater difficulty. This allowed the controller to collect sensitive perso

Olimpia S.r.l.: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Olimpia S.r.l. During its investigation, the DPA found that data subjects had received advertising calls on behalf of the controller without their consent or despite being entered in objection registers. The DPA concluded that the controller had failed to take appropriate technical and organisational measures to ensure that the processing of data subjects' personal data is carried out in accordance with data protection regulations throughout the s

Facile.Energy S.r.l.: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Facile.Energy S.r.l. During its investigation, the DPA found that data subjects had received advertising calls on behalf of the controller without their consent or despite being registered in objection registers. The DPA concluded that the controller had failed to take appropriate technical and organisational measures to ensure that the processing of data subjects' personal data is carried out in accordance with data protection regulations through

Azienda Trasporto Passeggeri Emilia-Romagna S.p.A.: Non-compliance with general data processing principles

€50,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 50,000 on the transport company Azienda Trasporto Passeggeri Emilia-Romagna S.p.A. The controller provided insufficient information on data processing on a form used to conclude a public transport subscription. The form did not allow a distinction between mandatory and optional data (such as cell phone number and email address) and did not clearly inform users of their right to object to processing for direct marketing purposes.

Candidate for parliamentary elections: Insufficient fulfilment of data subjects rights

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a candidate for parliamentary elections. The candidate had sent the data subject election advertising by email despite the data subject's objection.

Limit Call S.r.l.s.: Insufficient legal basis for data processing

€60,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 60,000 on Limit Call S.r.l.s. for unauthorized telemarketing. The controller had acquired lists of personal data without checking the legality of the data transfer, e.g. whether the data could also be used for commercial purposes or whether the data subjects had given their consent. In addition, it was not checked whether the telephone numbers called were entered in the public objection register.

H&M Hennes & Mauritz GBC AB: Insufficient fulfilment of data subjects rights

€30,000 fine - Data Protection Authority of Sweden

The Swedish DPA has imposed a fine of EUR 30,000 on H&M for sending out marketing messages, despite the fact that data subjects had exercised their right to object. Six data subjects had filed a complaint against the controller with the DPA. The DPA found that the controller did not have sufficient systems and procedures in place to facilitate data subjects exercising their right to object to direct marketing.

Scionti Selezioni Superiori S.r.l.: Non-compliance with general data processing principles

€70,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 70,000 on Scionti Selezioni Superiori S.r.l. The controller had made unsolicited marketing calls, in some cases to individuals who were registered in opt-out registers or had not given their consent. The DPA found that the controller had failed to implement appropriate technical and organizational measures to ensure that the processing of the data subjects' personal data was lawful, for example by checking whether the data subjects were registered in an

Compara Facile S.r.l.: Non-compliance with general data processing principles

€40,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 40,000 on Compara Facile S.r.l. The controller had made unsolicited marketing calls, in some cases to individuals who were registered in opt-out registers, had not given their consent or had requested the deletion of their data. The DPA found that the controller had failed to implement appropriate technical and organizational measures to ensure that the processing of the data subjects' personal data was lawful. In addition, the controller failed to provid

SPAIN DPA: Insufficient fulfilment of information obligations

€2,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine of EUR 2,000 on a controller for failing to provide data subjects with sufficient information to exercise their right to object.

NOVA TELECOMMUNICATIONS & MEDIA ΜΟΝΟΠΡΟΣΩΠΗ Α.Ε.: Insufficient fulfilment of data subjects rights

€150,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 150,000 on NOVA TELECOMMUNICATIONS & MEDIA ΜΟΝΟΠΡΟΣΩΠΗ Α.Ε. A customer had filed a complaint with the DPA. During its investigation, the DPA found that the controller had sent promotional emails several times despite the objection of the data subject. In addition, the controller failed to comply with the data subject's right to access.

Grizzaffi Management Srl: Insufficient fulfilment of data subjects rights

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 10,000 on Grizzaffi Management Srl for sending out marketing messages, despite the fact that the data subjects had exercised their right to object.

Meta Platforms Ireland Limited: Insufficient legal basis for data processing

€1,200,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law and that the standard contractual clauses (SCCs) al

Tensa Art Design SA: Insufficient fulfilment of data subjects rights

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 1,000 on Tensa Art Design SA. The controller failed to comply with a data subject's right to object.

TIM S.p.A.: Insufficient legal basis for data processing

€7,631,175 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined TIM S.p.A. EUR 7,631,175. The DPA had received numerous complaints about the telecommunications provider, mainly for unauthorized telemarketing activities. The Italian DPA is currently taking stronger action against unauthorized telemarketing. In its investigation against TIM, the DPA found that the controller was contacting individuals for marketing purposes even though they were registered on opt-out lists or had not given their consent for their data to be processed

Tensa Art Design SRL: Insufficient fulfilment of data subjects rights

€3,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 3,000 on Tensa Art Design SRL. An individual had filed a complaint for receiving promotional messages despite having filed an objection to receiving promotional messages and having their personal data processed for marketing purposes. The DPA considered this to be a violation of Art. 21 (3) GDPR.

ECOMM MOVADGENCY S.L.: Insufficient fulfilment of data subjects rights

€600 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on ECOMM MOVADGENCY S.L. for sending out direct marketing messages, despite the fact that the data subjects had exercised their right to object. The original fine of EUR 1,000 was reduced to EUR 600 due to voluntary payment and admission of responsibility.

WhatsApp Ireland Ltd.: Insufficient legal basis for data processing

€5,500,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the ac

Meta Platforms Ireland Limited: Non-compliance with general data processing principles

€390,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of servi

Edison Energia S.p.A.: Non-compliance with general data processing principles

€4,900,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Edison Energia S.p.A. EUR 4.9 million. Several persons had filed complaints with the DPA regarding unlawful marketing activities of the company. During its investigation, the DPA found that the company contacted data subjects by telephone for marketing purposes without their consent. For this purpose, the company used contact lists from third parties, which in many cases, however, did not contain the free, specific, informed and documented consent of the users to the dis

ÉLECTRICITÉ DE FRANCE: Insufficient fulfilment of data subjects rights

€600,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 600,000 on ÉLECTRICITÉ DE FRANCE (EDF), France's largest electricity supplier. The DPA had received several complaints that individuals were experiencing difficulties in exercising their rights with EDF. During its investigation, the DPA found that EDF's privacy policy did not provide sufficient information on various aspects of data processing, such as the retention period of personal data. In addition, the DPA found that EDF had not responded to a number

Meta Platforms, Inc.: Non-compliance with general data processing principles

€405,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 405,000,000 on Meta Platforms, Inc. (Instagram). Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The initial draft proposed a fine of EUR 30-50 million. The DPC subsequently received objections from six supervisory authorities, which led to a dispute resolution procedure at the European Data Protection Board (EDPB) in Brussels. In its decision, the EDPB requested

ACCOR SA: Insufficient fulfilment of data subjects rights

€600,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 600,000 on ACCOR SA. Both CNIL and other European DPAs had received complaints against ACCOR from several individuals. In the course of its investigation, CNIL found that hotel guests who made a booking directly with the hotel or on one of the hotel group's websites automatically became recipients of an advertising newsletter as the box for consent to receive the newsletter was pre-ticked. In addition, the CNIL found that due to technical problems,

Colosseo S.r.l.: Insufficient fulfilment of data subjects rights

€1,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 1,000 on Colosseo S.r.l. An individual had filed a complaint with the DPA because the controller had sent them an unsolicited commercial email. Thereafter, the data subject requested the controller to provide access to their personal data and to delete their personal data, and objected to receiving future promotional emails. However, the controller did not respond to the data subject's requests.

Nationale Maatschappij der Belgische Spoorwegen: Insufficient legal basis for data processing

€10,000 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 10,000 on the Belgian national railroad company (Nationale Maatschappij der Belgische Spoorwegen). A Twitter user who had received an e-mail newsletter from the railroad company had filed a complaint with the DPA. According to the Twitter user, the newsletter did not include an option to unsubscribe. During its investigation, the DPA found, first, that there was no valid legal basis for the processing of personal data through the newsletter. Contrar

Company: Insufficient legal basis for data processing

€9,700 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has imposed a fine of EUR 9,700 on a company. The DPA had received a complaint from a former employee of the company. The background of the complaint is that after the employee's termination, both professional and private e-mails from the employee's mailbox were automatically forwarded to an e-mail address administered by the managing director. During its investigation, the DPA found that the controller had automatically forwarded the e-mails without a valid legal basis.

Employer: Insufficient fulfilment of data subjects rights

€2,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 2,000 on an employer. An employee had filed a complaint due to the employer's failure to comply with the employee's right to object. The employee had objected to continuous monitoring of his online courses offered via Zoom. However, the employer had continued the monitoring. In addition, the DPA found that the employer could not provide a sufficient legal basis for processing the data.

Foreign language school: Insufficient fulfilment of data subjects rights

€2,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA imposed a fine of EUR 2,000 on an employer (owner of a private foreign language school). An employee, who works as a language teacher in the school, had filed a complaint with the DPA against their employer. The reason for this was that the controller continued to constantly monitor the employee during their online courses via the platform 'Zoom', despite their objection. Therefore, the DPA found that the controller had violated its duty to comply with the data subject's right t

Budapest Bank Zrt.: Insufficient legal basis for data processing

€634,000 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The Hungarian DPA (NAIH) has fined Budapest Bank Zrt. EUR 634,000. NAIH reports that the bank used an artificial intelligence-driven software solution to automate the evaluation of customers' emotional state. The speech evaluation system determined which customers needed to be recalled based on the customer's mood. The bank operated the application to prevent complaints and to keep customers. The bank did not inform the data subjects that the processing of their data serves, among other things,

Medical care center: Insufficient legal basis for data processing

Data Protection Authority of Bremen

The DPA of Bremen has imposed a fine on a medical care center for having scanned a customer's ID card against their will and stored the copy. Once the customer complained, they were threatened with termination of the customer relationship. In assessing the fine, the DPA took into account the fact that the ID card had been scanned against the explicit objection of the data subject.

Company: Insufficient fulfilment of data subjects rights

€50,000 fine - Data Protection Authority of Niedersachsen

The DPA of Niedersachsen has imposed a fine of EUR 50,000 on a company. The company sent out a newsletter by e-mail that could not be unsubscribed from due to technical malfunctions. Since the company had sent newsletters relatively frequently, this led to a significant number of unsolicited emails for some data subjects. Furthermore, the data subjects were also unable to lodge an objection via the company's website. In addition, the DPA found that the company did not sufficiently process some r

FREE MOBILE: Insufficient fulfilment of data subjects rights

€300,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 300,000 on FREE MOBILE. The CNIL had received numerous complaints regarding the company's failure to comply with data subjects' rights. During its investigation, the CNIL found that the company had failed to respond to data subjects' requests in a timely manner. In addition, the company failed to comply with the data subjects' right to object, as it continued to send advertisements to the data subjects despite them having exercised their right to

B&T S.p.A.: Insufficient legal basis for data processing

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 400,000 on B&T S.p.A. Two data subjects had complained to the DPA about unsolicited SMS advertising. In addition, they stated that it was not possible for them to make use of their right to information and right to object. During the course of the investigation, Garante discovered that B&T had contracted a marketing company to send promotional SMS messages to potential customers. The marketing company had then engaged other providers, which in turn had a

Vodafone España, S.A.U.: Insufficient fulfilment of data subjects rights

€70,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine of EUR 70,000 on VODAFONE ESPAÑA, S.A.U. A data subject had filed a complaint with the DPA for having received promotional emails from Vodafone without having expressly consented to this and without having had a prior contractual relationship. The data subject then objected to receiving future e-mails. Vodafone confirmed the objection. Nonetheless, the data subject received four advertising e-mails a few months later. The fine consists of EUR 50,000 for

Sky Italia S.r.l.: Insufficient legal basis for data processing

€3,296,326 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has fined Sky Italia S.r.l. EUR 3,296,326 for illegal telemarketing. The DPA's decision followed a complex investigation launched after dozens of reports and complaints from people who claimed that they received unsolicited promotional calls and promotional SMS both from Sky Italia directly and through call centers of other companies. In this regard, the DPA found that the promotional calls were made without adequately informing the users (such as about the origin of th

WhatsApp Ireland Ltd.: Insufficient fulfilment of information obligations

€225,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp

Furnishyourspace S.L.: Insufficient fulfilment of information obligations

€6,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) imposed a fine of EUR 6,000 on FurnishYourSpace S.L. The AEPD had received a complaint from the Berlin DPA via the EU Internal Market Information System about the inadequate design of the controller's privacy notice. Namely, the identity and contact details of the controller were provided in the privacy notice, but under a misleading heading that gave the impression that they were provided for a business purpose. In addition, the purposes of the processing were not clearl

Monsanto Company: Insufficient fulfilment of information obligations

€400,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has fined MONSANTO EUR 400,000. In May 2019, several media revealed that MONSANTO was in possession of a file containing the personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe. At the same time, the CNIL received seven complaints from data subjects affected by this file. For

Magazine publisher: Insufficient legal basis for data processing

€8,500 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 8,500 on a magazine publisher. The DPA received four complaints against the magazine publisher for unsolicited telephone advertising. The controller had carried out direct marketing using an automated calling system, without valid consent from the recipients of the calls. Specifically, the controller had obtained the apparent consent for direct marketing when a customer subscribed to a magazine on its website, for example. The subscriber to the magazine w

NORWAY DPA: Insufficient legal basis for data processing

€24,800 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA (Datatilsynet) has imposed a fine of EUR 14,800 on a company. The background to the case is a complaint by a former employee who learned that the company's managing director logged into the complainant's email inbox on a daily basis for a period of six weeks after the former employee's employment was terminated. In total, the managing director had access to the account for a period of five months. The process had been justified by business requirements (e.g., processing custome

Telekom Romania Communications SA: Insufficient fulfilment of data subjects rights

€2,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA (ANSPDCP) has imposed a fine of EUR 2,000 on Telekom Romania Communications SA. The controller had made an advertising call to the data subject although the latter had exercised his right to object to the processing of his personal data for marketing and advertising purposes by requesting the controller to delete his telephone number and e-mail address from the Telekom database.