Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

93 Posts
12 Topics
Jan 10 Latest

VOX ESPAÑA: Insufficient legal basis for data processing

€500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 500 on VOX ESPAÑA. The controller, a political party, posted a picture of a receipt on its Facebook page. The picture of the receipt included the full name, signature and personal ID number of a natural person. The controller had no legal basis to publish this personal data.

Legal Entity: Insufficient legal basis for data processing

€75,474 fine - Slovenian Supervisory Authority (Informacijski pooblaščenec)

The Slovenian DPA has imposed a fine of EUR 75,474 on a legal entity. Without a sufficient legal basis, the controller installed software on an employee's work computer which allowed them to monitor all of the employee's activity on that computer, including private activity. The software also allowed the controller to monitor private communications via Facebook or email, as well as audio conversations. The entity was fined EUR 71,474, and the person responsible was fined EUR 4,000.

Compania de Apa Oltenia S.A.: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian data protection authority (DPA) has imposed a fine of EUR 1,000 on Compania de Apa Oltenia S.A. The controller failed to implement adequate technical and organisational measures to ensure data security, which resulted in personal data being leaked on social media.

Compania de Apa Oltenia S.A.: Insufficient technical and organisational measures to ensure information security

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 1,000 on Compania de Apa Oltenia S.A. The controller failed to implement adequate technical and organisational measures to ensure data security, resulting in personal data being leaked on social media.

Journalist: Insufficient legal basis for data processing

€80 fine - Austrian Data Protection Authority (dsb)

The Austrian data protection authority has imposed a fine of EUR 80 on a journalist. The controller published unnecessary personal data of a data subject on social media, including their address.

Journalist: Insufficient legal basis for data processing

€80 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA has imposed a fine of EUR 80 on a journalist. The controller published unnecessary private data about a data subject on social media, including their address.

Municipality of Buccino: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian data protection authority (DPA) has imposed a fine of EUR 6,000 on the municipality of Buccino. The controller published photos of minors and people with mental health problems in multiple Facebook posts without a sufficient legal basis. In addition, the controller did not make the contact details of the data protection officer sufficiently clear.

Municipality of Buccino: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on the Municipality of Buccino. The controller published pictures of minors and people with mental health conditions in multiple Facebook posts without a sufficient legal basis. The controller also failed to adequately communicate the contact details of the DPO.

MP Dumitru Viorel Focșa: Insufficient legal basis for data processing

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 1,000 on the MP Dumitru Viorel Focșa. The controller published a post on social media containing personal data of a third person. The controller did not have a sufficient legal basis.

MP Dumitru Viorel Focșa: Insufficient legal basis for data processing

€1,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian data protection authority (DPA) has imposed a fine of EUR 1,000 on the member of parliament Dumitru Viorel Focșa. The controller published a post on social media that contained personal data of a third person. The controller did not have a sufficient legal basis for this publication.

Autostrade per l’Italia S.p.A.: Insufficient legal basis for data processing

€420,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 420,000 on Autostrade per l’Italia S.p.A. The controller used data from a worker's social media profiles obtained by other workers and a third party in a disciplinary proceeding. The controller did not have a legal basis to use this data.

Autostrade per l'Italia S.p.A.: Insufficient legal basis for data processing

€420,000 fine - Italian Data Protection Authority (Garante)

The Italian data protection authority (DPA) has imposed a fine of EUR 420,000 on Autostrade per l’Italia S.p.A. The controller used data from an employee's social media profiles, data that had been collected by other employees and a third party, in a disciplinary proceeding. The controller had no legal basis to use this data.

INDEPENDENTS DE VALLROMANES: Non-compliance with general data processing principles

€2,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 2,000 on INDEPENDENTS DE VALLROMANES. The controller, a political party, posted a court decision on its social media, which included personal data which was not necessary for the purpose of this social media post, infringing on the principle of data minimization.

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€251,000,000 fine - Data Protection Authority of Ireland

The Irish Data Protection Commission (DPC) has fined Meta Platforms Ireland Limited EUR 251 million. The fine was imposed for data protection violations related to a data breach that occurred in 2018 and affected 29 million Facebook accounts worldwide, including 3 million in the EU/EEA. Compromised data included names, email addresses, phone numbers, and children's data. The breach resulted from the exploitation of user tokens on the platform by unauthorized third parties. The DPC found that Met

E.ON Energia spa: Insufficient legal basis for data processing

€892,783 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 892,738 on E.ON Energia spa for unlawfully processing personal data for telemarketing. The investigation was triggered by complaints from two individuals who received unsolicited calls and did not receive responses to their requests to exercise their rights under the GDPR. It was found that when the electricity and gas supplies were activated, consents of data subjects were recorded incorrectly. E.ON failed to take appropriate measures to verify the accur

LinkedIn: Insufficient legal basis for data processing

€310,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined LinkedIn EUR 310 million. This decision is related to an investigation following a complaint in 2018 from the French NGO 'La Quadrature Du Net'. In July 2024, the DPC issued a draft decision under the GDPR cooperation mechanism under Art. 60 GDPR, to which no objections were raised. During its investigation, the DPC found that LinkedIn had no valid legal basis for processing user data for the purposes of behavioral analysis and targeted advertising. The DPC found th

Apohem AB: Insufficient technical and organisational measures to ensure information security

€698,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 698,000 on Apohem AB. The controller had used so-called meta pixels on its website which, due to incorrect settings, caused personal data of customers who had consented to marketing cookies to be transmitted to Meta. The controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organi

Apoteket AB.: Insufficient technical and organisational measures to ensure information security

€3,200,000 fine - Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)

The Swedish DPA has imposed a fine of EUR 3.2 million on Apoteket AB. The controller had used so-called meta pixels on its website which, due to incorrect settings, caused personal data of customers to be transmitted to Meta. The controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect pers

Private individual: Insufficient legal basis for data processing

€1,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined a private individual EUR 1,000. The controller had uploaded images from their video surveillance camera to Instagram showing, amongst others, a minor and members of the national armed forces. During its investigation, the DPA found that the controller had no valid legal basis for uploading these images.

Private individual: Insufficient legal basis for data processing

€600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on a private individual. The individual had shared personal data of a data subject in a Facebook group without their consent. The original fine of EUR 1000 was reduced to EUR 600 due to voluntary payment and admission of responsibility.

Clinic owner: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined the owner of a plastic surgery clinic EUR 10,000. The controller posted before-and-after pictures of an individual who had undergone surgery at the clinic on social media (Facebook and Instagram) without obtaining the individual’s consent.

Clearview AI Inc.: Non-compliance with general data processing principles

€30,500,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has fined Clearview AI Inc. EUR 30,500,000. Clearview, a company offering facial recognition services, holds a database of over 30 billion images, including those of Dutch citizens. These images are scraped from publicly available online platforms, such as social media. Clearview uses these images to create biometric profiles, allowing individuals to be identified. During its investigation the DPA found that the personal data contained in the company's database had been processed u

ASSOCIACIO OASIS CULTURAL: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on ASSOCIACIO OASIS CULTURAL. A discotheque operated by the controller had published videos of dancing minors on a social media account without providing a valid legal basis for the publication.

HIPERBAZAR YONGFA 2018 SL: Insufficient technical and organisational measures to ensure information security

€5,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 5,000 on HIPERBAZAR YONGFA 2018 SL. A person had filed a complaint with the DPA against the controller. The controller had provided recordings from his video surveillance system showing the data subject to a third party who then published them on Facebook.

Municipality: Insufficient legal basis for data processing

€6,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 6,000 on a municipality. The municipality had unlawfully published information on citizens' Covid cases on its Facebook page. The municipality also failed to appoint a data protection officer and provide the authority with their contact details in due time.

Private individual: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on a private individual for unlawfully using the photo of a minor to create a social media profile.

ENDESA ENERGÍA, S.A.U.: Non-compliance with general data processing principles

€6,100,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined ENDESA ENERGÍA, S.A.U. EUR 6.1 million due to a security breach resulting in unauthorized access to its systems. The controller had informed the DPA that certain Facebook ads had been placed offering the sale of login credentials for the Endesa platform, resulting in the compromise of data such as names, first names, ID numbers, telephone numbers, email addresses, postal addresses, bank account numbers of millions of individuals. The DPA found that the controller had f

Private individual: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on a private individual. The person had published on his Facebook profile a video of another person being clearly drunk without their consent.

JOLY DIGITAL, S.L.U.: Insufficient legal basis for data processing

€20,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined JOLY DIGITAL, S.L.U. EUR 20,000. A person had filed a complaint with the DPA because the controller had published an image they had posted on their private Instagram account.

NANDIVALE, S.L: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on NANDIVALE, S.L. The controller had uploaded images on social media of a party at its premises showing minors. The mother of a child had filed a complaint due to the fact that she had not given her consent to the publication of the images. The DPA therefore found that the controller had unlawfully processed the images in the absence of a valid legal basis.

Artima S.A.: Insufficient technical and organisational measures to ensure information security

€8,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has imposed a fine of EUR 8,000 on Artima S.A. The controller had reported a data breach to the DPA. During its investigation, the DPA found that employees of the controller had accessed the video surveillance system and filmed the monitor containing the recorded images with their cell phones. One of the employees then transmitted the images to a third person, who posted the images on Facebook. The DPA found that the controller had failed to implement adequate technical and org

Rinascente S.p.A.: Non-compliance with general data processing principles

€300,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Rinascente S.p.A. EUR 300,000. The DPA acted on a complaint from a customer who, following an incident with a store employee, had her long-standing loyalty card cancelled and received a new, unsolicited card that contained offensive information about the complainant in her name. The customer complained that their information had been accessed without their consent. During the investigation, the DPA also found that the information on the loyalty card did not specify the

ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A.: Non-compliance with general data processing principles

€50,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 50,000 on ATRESMEDIA CORPORACIÓN DE MEDIOS DE COMUNICACIÓN, S.A. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recor

CONECTA5 TELECINCO, S.A.U.: Non-compliance with general data processing principles

€50,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 50,000 on CONECTA5 TELECINCO, S.A.U. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not

DIARIO ABC, S.L.: Non-compliance with general data processing principles

€50,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 50,000 on DIARIO ABC, S.L. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any si

DISPLAY CONNECTORS, S.L.: Non-compliance with general data processing principles

€50,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 50,000 on DISPLAY CONNECTORS, S.L. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not ad

UNIDAD EDITORIAL INFORMACION GENERAL S.L.U.: Non-compliance with general data processing principles

€50,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 50,000 on UNIDAD EDITORIAL INFORMACION GENERAL S.L.U. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of th

EL DIARIO DE PRENSA DIGITAL SL.: Non-compliance with general data processing principles

€50,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 50,000 on EL DIARIO DE PRENSA DIGITAL SL. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did

LA VANGUARDIA EDICIONES, S.L.: Non-compliance with general data processing principles

€50,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 50,000 on LA VANGUARDIA EDICIONES, S.L. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did n

CASAL DE L'ESPLUGA DE FRANCOLÍ: Insufficient legal basis for data processing

€3,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on CASAL DE L'ESPLUGA DE FRANCOLÍ. A club managed by the controller had uploaded pictures of a competition showing minors on social media. The mother of a child had filed a complaint because she had not given her permission for the pictures to be published. The DPA therefore determined that the controller, in the absence of a valid legal basis, had unlawfully processed the images. The original fine of EUR 5000 was reduced to EUR 3000 due to voluntary payment a

Meta Platforms Ireland Limited: Non-compliance with general data processing principles

€390,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of servi

PIONIER (law firm): Insufficient legal basis for data processing

€9,600 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 9,600 on the law firm PIONIER. The law firm mainly represents victims of traffic accidents in proceedings against insurance companies and other entities. In this context, it supports its clients in claims for damages as well as claims for reimbursement of medical treatment costs. During its investigation, the DPA found that the law firm processed personal data, including health data, of potential clients without a valid legal basis. The law firm obtained

Private individual: Non-compliance with general data processing principles

€500 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has imposed a fine of EUR 500 on a private individual. The controller had installed video surveillance cameras which, among other things, also covered the public space and furthermore published the recorded images on Facebook. The DPA considered this to be a violation of the principle of data minimization.

Meta Platforms Ireland Limited: Insufficient technical and organisational measures to ensure information security

€265,000,000 fine - Data Protection Authority of Ireland

The Irish DPA has fined Meta Platforms Ireland Limited EUR 265 million. The DPA had launched an investigation against Meta in 2021 after media reports indicated that a dataset containing personal data from Facebook had been made available on a hacking platform. The data leak affected up to 533 million users with their data such as phone numbers and email addresses. As part of the investigation, the DPA reviewed and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram C

SOPHIE ET VOILA, S.L: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 10,000 on SOPHIE ET VOILA, S.L. The wedding dress company had published a picture of a customer in a wedding dress on its Instagram account without the customer's consent. For this reason, the DPA determined that the processing of the customer's personal data was unlawful.

Meta Platforms, Inc.: Non-compliance with general data processing principles

€405,000,000 fine - Data Protection Authority of Ireland

The Irish DPA (DPC) has imposed a fine of EUR 405,000,000 on Meta Platforms, Inc. (Instagram). Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The initial draft proposed a fine of EUR 30-50 million. The DPC subsequently received objections from six supervisory authorities, which led to a dispute resolution procedure at the European Data Protection Board (EDPB) in Brussels. In its decision, the EDPB requested

Bar owner: Non-compliance with general data processing principles

€5,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) has fined a bar owner EUR 5,000. The owner had unlawfully shared recordings from the CCTV in the bar via WhatsApp and other social media platforms.

RADIO TELEVISION MADRID, S.A.: Non-compliance with general data processing principles

€30,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on RADIO TELEVISION MADRID, S.A. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim did not add any sig

CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A.: Non-compliance with general data processing principles

€30,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on CORPORACIÓN DE RADIO Y TELEVISIÓN ESPAÑOLA S.A. Several media outlets, including the controller, had published an audio recording of a multiple rape victim's testimony in court on their websites as well as on Twitter to report on the case. The case had attracted a lot of media attention. During its investigation, the DPA determined that the rape victim's right to privacy outweighed the controller's freedom of information. The audio recordings of the victim di

Private individual: Insufficient legal basis for data processing

€10,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined a private individual EUR 10,000. The individual had created a humiliating and discriminatory video of three siblings based on their skin color, and shared it on her Instagram profile as well as on WhatsApp.