Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Municipality of Zoetermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Zoetermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Municipality of Tilburg: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Tilburg. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped u

Municipality of Ede: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Ede. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up me

Municipality of Gooise Meren: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Gooise Meren. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism step

Municipality of Hilversum: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Hilversum. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Huizen: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Huizen. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Eindhoven: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Eindhoven. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped

Municipality of Haarlemmermeer: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Haarlemmermeer. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism st

Municipality of Delft: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Delft. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism stepped up

Municipality of Veenendaal: Insufficient legal basis for data processing

€25,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 25,000 on the Municipality of Veenendaal. The controller, one of ten municipalities that were fined, processed data regarding the Islamic community in its municipality using a force field analysis, for which it employed an external processor. This processing took place at a time of heightened societal concern about Islamic extremism and terrorism. During this period, the Dutch government and the National Coordinator for Security and Counterterrorism steppe

Commander of the Municipal Police of Krakow: Non-compliance with general data processing principles

€18,500 fine - Polish National Authority for the Protection of Personal Data (UODO)

The Polish DPA has imposed a fine of EUR 18,500 on the regional police of Krakow. The authority published personal data, including medical data, of a data subject who was involved in a police investigation. This publication was not necessary for the intended purpose.

Telecommunications company: Insufficient legal basis for data processing

The Croatian Data Protection Authority (DPA) has imposed a fine of EUR 20,000 on a telecommunications company. A data subject had filed a complaint with the DPA, claiming that the company was still processing his personal data even though he had not been a customer of the company for more than ten years. During its investigation, the DPA found that the company was still retaining the data because of an alleged debt. Although that debt no longer existed, the company had not deleted the data subject's data.

POLAND, Personal Data Authority: Insufficient cooperation with the supervisory authority

€960 fine - Polish National Office for the Protection of Personal Data (UODO)

Telecommunications company (operator of electronic communications networks and services): Violation of general data processing principles

€4,500,000 fine - Croatian Data Protection Authority (AZOP)

Following an investigation by the authority, AZOP has imposed a fine of EUR 4.5 million on a telecommunications company for multiple violations of the GDPR. The controller transferred customer data to a processor in the Republic of Serbia (a subsidiary that maintains software). These transfers took place on the basis of standard contractual clauses (SCCs) from 16 April 2020 until 27 December 2022 at the latest; after that, the transfers continued without SCCs or equivalent safeguards, even though Serbia is not considered a country providing adequate protection.

Autonomous Province of Bolzano: Non-compliance with general data processing principles

€32,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 32,000 on the Provincia Autonoma di Bolzano. The controller implemented a video surveillance system with automatic number plate recognition for vehicles, with the aim of developing mobility and infrastructure policy and of preventing and investigating crimes. However, the controller did not comply with the basic principles of the GDPR and also did not sufficiently meet the requirements of the DPA.

PAVLOS BIKOS SOLE PROPRIETORSHIP DENTAL PRIVATE CAPITAL COMPANY: Insufficient cooperation with the supervisory authority

€2,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA has imposed a fine of EUR 2,000 on PAVLOS BIKOS SOLE PROPRIETORSHIP DENTAL PRIVATE CAPITAL COMPANY. The company was a data processor in case number ETid: 2880. During the investigation of this case, the processor did not cooperate sufficiently with the supervisory authority.

Data Diggers Market Research SRL: Non-compliance with general data processing principles

€12,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 12,000 on Data Diggers Market Research SRL. The controller processed personal data without sufficient legal basis. The controller also failed to provide data subjects with necessary information regarding the data processing. Lastly, the controller failed to adequately react to a request by data subjects to exercise their rights.

Data Diggers Market Research SRL: Non-compliance with general data processing principles

€12,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 12,000 on Data Diggers Market Research SRL. The controller processed personal data without sufficient legal basis. In addition, the controller did not provide the data subjects with the necessary information about the data processing. Finally, the controller did not respond adequately to requests from data subjects to exercise their rights.

Menarini Silicon Biosystems SpA: Non-compliance with general data processing principles

€21,000 fine - Italian Authority for the Protection of Personal Data (Garante)

The Italian DPA has imposed a fine of EUR 21,000 on Menarini Silicon Biosystems SpA. The controller conducts oncological research and has developed software that is able to classify human cells. The controller used anonymised health data from an American company that is part of the same group. The controller failed to ensure that the data subjects received sufficient information and that sufficient limitations were applied to the storage of data. The controller also failed to demonstrate that it complies with the geographical restrictions.

Menarini Silicon Biosystems SpA: Non-compliance with general data processing principles

€21,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 21,000 on Menarini Silicon Biosystems SpA. The controller is conducting oncological research and has developed software that is able to classify human cells. The controller used pseudonymised health data from an American company which is part of the same group. The controller failed to ensure that data subjects received adequate information and to ensure adequate data storage limitation. The controller also failed to demonstrate compliance with the ge

Funeral home: Insufficient technical and organisational measures to ensure information security

€7,800 fine - Polish National Office for the Protection of Personal Data (UODO)

The Polish DPA has imposed a fine of EUR 7,800 on a funeral home. The funeral home failed to take sufficient technical and organisational measures to prevent a data breach. The company had stored documents containing personal data in unlocked boxes. In addition, the company transported those boxes in an open truck, as a result of which 10 boxes fell off the truck and ended up on the verge of a road. The boxes were found there by the police. The driver did not notice the loss because...

SERVICIOS ESPECIALES, S.A.: Non-compliance with general data processing principles

€120,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA has imposed a fine on SERVICIOS ESPECIALES, S.A. The case concerned a violation of the GDPR during an internal investigation into a labour dispute: the company shared a report by e-mail with the staff representatives and 15 other employees. This report contained the full names, positions and details of the complaints of the persons involved. The DPA ruled that this disclosure constituted a violation of Article 5(1)(f) of the GDPR, because the company had not ensured the confidentiality of the personal data. The original fine of EUR 200,000 was reduced to...

CEGEDIM SANTÉ: Non-compliance with general data processing principles

€800,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 800,000 on CEGEDIM SANTÉ. The company, which provides software for medical practices, had transferred customer data for research purposes. However, the DPA found that this data was not anonymous but only pseudonymized, making re-identification possible.

Police employees: Insufficient legal basis for data processing

Data Protection Authority of Hamburg

The DPA of Hamburg has imposed two fines on members of the police for accessing police databases for private research purposes.

Company: Insufficient legal basis for data processing

€10,000 fine - Data Protection Authority of Hessen

The DPA of Hessen has imposed a fine of EUR 10,000 on a company. The controller used data for marketing purposes without a legal basis. The company obtained the data through internet research.

Police officer: Insufficient legal basis for data processing

€1,200 fine - Data Protection Authority of Baden-Wuerttemberg

The DPA of Baden-Wuerttemberg has imposed a fine of EUR 1,200 on a police officer. The officer had accessed data in police databases for private research purposes without a valid legal basis.

AMPLIFON Hungary Trade and Service Provider LLC: Non-compliance with general data processing principles

€197,000 fine - Hungarian National Authority for Data Protection and the Freedom of Information (NAIH)

The Hungarian DPA has imposed a fine of EUR 197,000 on AMPLIFON Hungary Trade and Service Provider LLC. The DPA had received complaints from several data subjects for having received unsolicited invitations to a hearing screening. During its investigation, the DPA found that the company had contacted the data subjects without first obtaining their consent. The company had received the data from the Ministry of the Interior for market research purposes. The DPA found that the company had processe

Google LLC: Insufficient legal basis for data processing

€10,000,000 fine - Spanish Data Protection Authority (AEPD)

The Spanish DPA (AEPD) has imposed a fine of EUR 10 million on GOOGLE LLC. Two data subjects had complained to the DPA that Google had disclosed their personal data to third parties without authorization. In the course of the lengthy investigation, the DPA found that Google had passed on personal data of data subjects to the so-called Lumen project. Lumen is a project run by the Berkman Klein Center for Internet & Society at Harvard University. The project began in 2002 for the purpose of collec

Researcher: Non-compliance with general data processing principles

€1,200 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has fined a researcher EUR 1,200. The fine was issued in connection with another fine against the NGO EU DisinfoLab. The researcher was employed at the NGO. In 2018, the NGO published an analysis to identify the possible political origin of tweets circulating on a particularly heated controversy in France, the 'Benalla affair.' For the analysis, the organization had processed the data of 55,000 Twitter accounts, of which more than 3,300 had been classified as political. The raw d

Uppsala regional board: Insufficient technical and organisational measures to ensure information security

€28,500 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 28,500 on the Uppsala regional board. The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden. The regional board had transmitted sensitive personal data and personal identity n

Job center employee: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A job center employee had accessed data in the job center database systems for private research purposes.

Police officer: Insufficient legal basis for data processing

€7,380 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes over a period of three years.

Police officer: Insufficient legal basis for data processing

€300 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes in order to obtain information about their ex-partner's new partner.

Job center employee: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A job center employee had accessed data in the civil register for private research purposes.

Police officer: Insufficient legal basis for data processing

€800 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes in order to obtain information about a colleague.

SLIMPAY: Insufficient technical and organisational measures to ensure information security

€180,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 180,000 on the payment institution SLIMPAY. In 2015, SLIMPAY conducted an internal research project in which it processed personal data in its databases. When the research project ended in July 2016, the data remained stored on a server, without any security measures and freely accessible on the Internet. The data breach affected about 12 million people. During its investigation, the CNIL found that the company had failed to implement appropriate t

Region of Syddanmark: Insufficient technical and organisational measures to ensure information security

€67,900 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA (Datatilsynet) has fined the Region of Syddanmark EUR 67,900 for failing to comply with its obligation as a data controller to implement adequate security measures. The matter came to the attention of the DPA when a citizen complained to the authority in 2020 about the lack of security in the processing of personal data of the citizen's child by the region, and shortly thereafter the region reported the matter to the authority as a personal data breach. The Region of Syddanmark ha

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer had accessed data in a police database for private research purposes. The police officer, accused in a criminal case, intended to use the information from the police database to prepare for his testimony in court.

Police department: Insufficient legal basis for data processing

Data Protection Authority of Brandenburg

A police officer had accessed data in a police database for private research purposes. The police officer queried the investigation process of a friend against the background of a judicial hearing. Via WhatsApp, he shared the information he had become aware of through his unauthorized retrievals. For this reason, the DPA of Brandenburg imposed a fine for a violation of § 32 (1) BbgDSG. The Brandenburg Data Protection Act (BbgDSG) sets out the supplementary regulations necessary to adapt the GDP

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer had accessed data in a police database for private research purposes. The police officer had queried the new partner of a friend's ex-wife because he feared that the well-being of the common child might be endangered by the new partner.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer had accessed data in a police database for private research purposes. The police officer queried his stepson's investigative process in order to prepare him for his testimony and to convince the officer in charge of the case of a different crime sequence.

Police officer: Insufficient legal basis for data processing

€500 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes in order to obtain information about a colleague.

Police officer: Insufficient legal basis for data processing

€400 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes. The officer had purchased a notebook for private use on an Internet platform. Since the seller did not agree to negotiations about the method of payment, the officer used a police information system to obtain information about the seller. The police officer then sent several messages to the seller in which he provided him with certain personal data that he had obtained through his research in the police databa

Police officer: Insufficient legal basis for data processing

€1,800 fine - Data Protection Authority of Hessen

A police officer had repeatedly accessed data in a police database for private research purposes.

Job center employee: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A job center employee had accessed data in social database systems and in the civil register for private research purposes. The employee wanted to prove that two of her colleagues had a relationship with each other and checked the registration addresses of both of them.

Police officer: Insufficient legal basis for data processing

€600 fine - Data Protection Authority of Hessen

A police officer had accessed data in police databases for private research purposes in order to obtain information about his ex-wife's new address. He discovered where his ex-wife had moved to in the meantime. The officer then actually went to his ex-girlfriend's new apartment and met her in front of the entrance to the new house. This frightened his ex-wife so much that she reported the incident to the police.

Police officer: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A police officer had repeatedly accessed data in a police database for private research purposes.

Job center employee: Insufficient legal basis for data processing

Data Protection Authority of Berlin

A job center employee had accessed data in social database systems and in the civil register for private research purposes.

Umeå University: Insufficient technical and organisational measures to ensure information security

€54,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA (Integritetsskyddsmyndigheten) fined Umeå University SEK 550,000 (EUR 54,000) as a result of its failure to apply appropriate technical and organizational measures to protect data. As part of a research project on male rape, the university had stored several police reports on such related incidents in the cloud of a U.S. service provider. The reports contained the names, ID numbers and contact details of the data subjects, as well as information about their health and sex lives,

Police Officer: Insufficient legal basis for data processing

€48 fine - Estonian Data Protection Authority (AKI)

Access to personal data in a police database for private research activities.