Enforcement

Regulatory actions, fines, warnings, and enforcement decisions


Verisure Italy s.r.l.: Non-compliance with general data processing principles

A fine of EUR 400,000 - from the Italian Data Protection Authority (Garante)

The Italian data protection authority has imposed a fine of EUR 400,000 on Verisure Italy s.r.l. The controller was engaged in direct marketing activities. The controller failed to ensure that the consent given by the data subjects was valid. In addition, the controller failed to set adequate retention periods for the processed data. Finally, the controller did not respond adequately to data subjects' requests to exercise their rights, and did not sufficiently inform them about the processing of their data.

Verisure Italy s.r.l.: Non-compliance with general data processing principles

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 400,000 on Verisure Italy s.r.l. The controller had been active in direct marketing activities. The controller failed to ensure that the consent provided by data subjects was valid. Additionally, the controller failed to implement adequate retention periods for the processed data. Lastly, the controller failed to adequately respond to data subjects' requests to exercise their rights, and failed to adequately inform them regarding the processing of their

ILVA A/S: Non-compliance with general data processing principles

€200,900 fine - Danish Data Protection Authority (Datatilsynet)

The Danish DPA has imposed a fine of EUR 200,900 on ILVA A/S. The controller failed to implement data deletion deadlines. This led to an infringement of the principle of storage limitation.

ILVA A/S: Violation of general data processing principles

A fine of EUR 200,900 - the Danish Data Protection Authority (Datatilsynet)

The Danish data protection authority has imposed a fine of EUR 200,900 on ILVA A/S. The controller failed to comply with the deadlines for deleting data. This led to an infringement of the principle of storage limitation.

Magna PT S.p.A.: Insufficient legal basis for data processing

A fine of EUR 50,000 - from the Italian Data Protection Authority (Garante)

The Italian data protection authority has imposed a fine on Magna PT S.p.A. Employees of the controller were subjected to "return interviews" after returning from a period of illness or hospitalisation. These interviews lacked a sufficient legal basis, in particular with regard to the processing of health data. In addition, the controller did not sufficiently inform the data subjects about the processing. Furthermore, the controller failed to minimise the amount of data processed and to limit the retention period.

Magna PT S.p.A.: Insufficient legal basis for data processing

€50,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine on Magna PT S.p.A. Employees of the controller were subjected to 'return to work interviews' after returning from an absence due to illness or hospitalisation. These interviews lacked a sufficient legal basis, particularly with regard to the processing of health data. Additionally, the controller failed to adequately inform the data subjects regarding the processing. Furthermore, the controller failed to minimise the amount of data processed and the retention

Menarini Silicon Biosystems SpA: Non-compliance with general data processing principles

€21,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 21,000 on Menarini Silicon Biosystems SpA. The controller conducts oncological research and has developed software that is able to classify human cells. The controller used pseudonymised health data from an American company which is part of the same group. The controller failed to ensure that data subjects received adequate information and to ensure adequate data storage limitation. The controller also failed to demonstrate compliance with the ge

Patronage and Assistance for Citizens and Agriculture Board: Insufficient legal basis for data processing

A fine of EUR 5,000 - from the Italian Data Protection Authority (Garante)

The Italian data protection authority (DPA) has imposed a fine of EUR 5,000 on the organisation "Patronage and Assistance for Citizens and Agriculture Board". The controller stored personal data of a data subject for a period exceeding the statutory retention period laid down in national law.

SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L.: Insufficient legal basis for data processing

€21,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. The controller offers fitness courses which are recorded and published. The consent obtained for the processing does not meet the legal standards. Additionally, the controller does not limit the retention period of the data. The original fine of EUR 36,000 was reduced to EUR 21,600 due to immediate payment and admission of responsibility by the controller.

SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L.: Insufficient legal basis for the processing of personal data

A fine of EUR 21,600 - imposed by the Spanish Data Protection Authority (AEPD)

The Spanish data protection authority has imposed a fine on SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. The controller offers fitness courses which are recorded and published. The consent obtained for the processing does not meet the legal requirements. In addition, the controller does not limit the retention period of the data. The original fine of EUR 36,000 was reduced to EUR 21,600 due to immediate payment and acknowledgement of responsibility by the controller.

Hospital: Insufficient technical and organisational measures to ensure information security

€190,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 190,000 on a hospital. The hospital had suffered a data breach in which radiological image files were irrevocably lost. AZOP had received several complaints from data subjects whose personal data, including medical images, could not be provided. The investigation revealed that the hospital failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data were made (violation of Art. 32 (1) b) GDPR).

Selectra S.p.A.: Non-compliance with general data processing principles

€80,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 80,000 on Selectra S.p.A. A former employee had lodged a complaint with the DPA on the grounds that the controller was able to access their e-mail inbox even after the termination of the employment relationship. The DPA found that such a long retention period for e-mails (in some cases three years after the termination of the employment relationship) was excessive. The DPA also found that the controller had not provided the data subjects with sufficient

Medical association: Insufficient fulfilment of data subjects' rights

€4,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 4,000 on the medical association 'Ordine dei Medici Chirurghi e degli Odontoiatri'. A patient had filed a complaint with the DPA. During its investigation, the DPA found that the controller had not responded to the data subject's request for access to their personal data in a timely manner. Additionally, the controller failed to provide sufficient information regarding the retention period of their personal data.

Website operator: Non-compliance with general data processing principles

€180 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on the operator of a website for storing data of a data subject for an excessively long period of time and contrary to the principle of storage limitation under Art. 5 (1) e) GDPR. The original fine of EUR 300 was reduced to EUR 180 due to the voluntary payment and the acknowledgement of responsibility.

Verkkokauppa.com: Non-compliance with general data processing principles

€856,000 fine - Deputy Data Protection Ombudsman

The Finnish DPA has imposed a fine of EUR 856,000 on Verkkokauppa.com Plc for not specifying the retention period of customer account data of e-commerce customers. The DPA also found that in order to make an online purchase, customers were required to create a customer account or register.

Black Tiger Belgium: Insufficient fulfilment of information obligations

€174,640 fine - Belgian Data Protection Authority (APD)

The Belgian DPA has imposed a fine of EUR 174,640 on Black Tiger Belgium. An individual had filed a complaint with the DPA due to the controller's failure to properly comply with their request to exercise their right of access. During its investigation, the DPA further found that the controller had processed personal data in various databases without sufficiently informing the data subjects. The DPA also found that the data retention period of 15 years was excessively long and not necessary. Fin

Garðabær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Garðabær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes other t

City of Kópavogur: Non-compliance with general data processing principles

€20,000 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 20,000 on the city of Kópavogur. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the city

City of Hafnarfjörður: Non-compliance with general data processing principles

€18,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 18,600 on the city of Hafnarfjörður. The city had used the Google Education system without sufficiently complying with data protection regulations. In particular, the city did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the city did not ensure that the student data was not processed for purposes other than those specified by the

Reykjanesbær municipality: Non-compliance with general data processing principles

€16,600 fine - Icelandic data protection authority ('Persónuvernd')

The Icelandic DPA has imposed a fine of EUR 16,600 on the municipality of Reykjanesbær. The municipality had used the Google Education system without sufficiently complying with data protection regulations. In particular, the municipality did not fulfill its obligations when selecting Google as a processor and the processing agreement with Google did not comply with data protection requirements. Furthermore, the municipality did not ensure that the student data was not processed for purposes oth

GROUPE CANAL +: Insufficient fulfilment of data subjects' rights

€600,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 600,000 on GROUPE CANAL+ for multiple violations of the GDPR. The DPA determined that the data controller failed to demonstrate that it had obtained valid prior consent from individuals for sending electronic promotional messages. Additionally, the DPA found that the data controller did not provide adequate information regarding the retention periods of personal data in its privacy statement. Furthermore, the DPA observed that the data controller's proces

Athens Urban Transport Organization: Non-compliance with general data processing principles

€50,000 fine - Hellenic Data Protection Authority (HDPA)

The Hellenic DPA imposed a fine of EUR 50,000 on the Athens Urban Transport Organization. As part of its investigation, the DPA found that the controller had failed to comply with the principle of data protection by design and by default. It also failed to carry out a data protection impact assessment and to set appropriate retention periods for the storage of personal data.

Betting company: Insufficient legal basis for data processing

€20,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 20,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent

Betting company: Insufficient legal basis for data processing

€30,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 30,000 on a company engaged in gambling and betting activities due to three identified violations of the GDPR. As noted by AZOP, the controller collected and processed personal data of data subjects, i.e. website visitors through cookies without a valid legal basis, thereby violating Art. 6 (1) GDPR. Furthermore, the controller also failed to provide data subjects with appropriate information or enable data subjects to provide or withdraw consent

ELECTRAWORKS - CEUTA, S.A.: Insufficient fulfilment of information obligations

€6,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on ELECTRAWORKS - CEUTA, S.A. The controller had failed to provide sufficient information about the retention periods of personal data. The original fine of EUR 10,000 was reduced to EUR 6,000 due to voluntary payment and acknowledgement of responsibility.

Tiscali Italia SpA: Non-compliance with general data processing principles

€100,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 100,000 on Tiscali Italia SpA. The controller had sent advertising messages to more than 160,000 customers within four months, even though they had not given their consent and there was also no other valid legal basis. The DPA also found that the controller had not sufficiently fulfilled its information obligations. For example, there was a lack of information on the retention period for personal data processed for marketing purposes.

Rinascente S.p.A.: Non-compliance with general data processing principles

€300,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Rinascente S.p.A. EUR 300,000. The DPA acted on a complaint from a customer who, following an incident with a store employee, had her long-standing loyalty card cancelled and received a new, unsolicited card that contained offensive information about the complainant in her name. The customer complained that their information had been accessed without their consent. During the investigation, the DPA also found that the information on the loyalty card did not specify the

Sports betting operator: Insufficient legal basis for data processing

€380,000 fine - Croatian Data Protection Authority (azop)

The Croatian DPA (AZOP) has imposed a fine of EUR 380,000 on a sports betting operator. AZOP had received a complaint from a data subject, stating that the controller had obtained a copy of their bank card. During its investigation, AZOP found that the controller had collected personal data (including copies of bank cards) of data subjects without a valid legal basis. In 2022, players had the option to have their winnings paid out not only via their bank account but also via their Visa card. The

Company: Non-compliance with general data processing principles

€20,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined a company EUR 20,000. The company had suffered a data breach in which personal data of 50,000 data subjects were compromised. During its investigation, the DPA found that the company had failed to implement appropriate technical and organizational measures to protect personal data. These included the lack of adequate access controls and authentication of IT system administrators in the controller's information systems. Also, the DPA found that the company failed to s

Company: Insufficient fulfilment of data subjects' rights

€8,000 fine - Lithuanian Data Protection Authority (VDAI)

The Lithuanian DPA has fined a company EUR 8,000. The controller failed to properly fulfil the data subject's right to access their personal data processed by the company. The controller partially provided information about the processing of the data subject's personal data, but the data subject was not given the opportunity to verify the legal basis (or bases) for the processing of their personal data, the specific data being processed, the purposes of processing, the retention period, etc.

Federation of Sports for People with Intellectual Disabilities of Castilla la Mancha-FECAM: Insufficient legal basis for data processing

€3,600 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined the Federation of Sports for People with Intellectual Disabilities of Castilla la Mancha-FECAM. The controller processed medical data from Covid-19 antigen tests of participants in sports competitions without their consent to the processing. In addition, the DPA found that the controller failed to inform the data subjects of the data retention period. The original fine of EUR 6,000 was reduced to EUR 3,600 due to voluntary payment and admission of responsibility.

ÉLECTRICITÉ DE FRANCE: Insufficient fulfilment of data subjects' rights

€600,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 600,000 on ÉLECTRICITÉ DE FRANCE (EDF), France's largest electricity supplier. The DPA had received several complaints that individuals were experiencing difficulties in exercising their rights with EDF. During its investigation, the DPA found that EDF's privacy policy did not provide sufficient information on various aspects of data processing, such as the retention period of personal data. In addition, the DPA found that EDF had not responded to a number

DISCORD INC.: Non-compliance with general data processing principles

€800,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 800,000 on DISCORD INC. DISCORD offers an online communication service through which users can chat or make video calls. During its investigation, the DPA found that the company had failed to establish and also comply with a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts within the DISCORD database of French users who had not used their account for more than three years and approximat

Setúbal municipality: Non-compliance with general data processing principles

€180,000 fine - Portuguese Data Protection Authority (CNPD)

The Portuguese DPA has imposed a fine of EUR 170,000 on Setúbal municipality. The DPA found data protection violations regarding the collection of personal data from Ukrainian refugees. The municipality had asked refugees to fill out a form at the time of their arrival and provide various details on personal data, such as name, date of birth, marital status, etc. The DPA noted that the municipality had not sufficiently informed the data subjects about the data processing. In addition, the DPA f

TECHPUMP SOLUTIONS S.L.: Non-compliance with general data processing principles

€525,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has fined Techpump Solutions S.L. EUR 525,000. Techpump operates several websites with adult content. The DPA found several violations of data protection law during its investigation. Firstly, the DPA found that, contrary to the specified information in the privacy policy, Techpump shared users' personal data with companies belonging to the same group. In addition, the DPA found that Techpump had not specified a retention period for users' personal data and kept it indefinitely u

Alpha Exploration: Non-compliance with general data processing principles

€2,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 2 million on Alpha Exploration. Alpha Exploration operates the social network Clubhouse. In the course of its investigation, the DPA found numerous violations of the GDPR. For example, the DPA found that there was a lack of transparency regarding the use of users' data and their chat contacts. In addition, users of the network were able to store and share audio messages from other users without their consent. Moreover, account information was shared with

Policoro municipality: Non-compliance with general data processing principles

€26,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 26,000 on Policoro municipality. The municipality had installed a video surveillance system without, however, providing sufficient information about the surveillance. In addition, the DPA found that the municipality had not established a retention period for the video surveillance recordings and kept them for an excessive period of time. In addition, the DPA found that the municipality had not fulfilled its obligations in appointing a data protection off

Company: Non-compliance with general data processing principles

€1,400 fine - National Commission for Data Protection (CNPD)

The DPA of Luxembourg (CNPD) has imposed a fine of EUR 1,400 on a company. The controller had installed location sensors on a number of cars in its fleet. The purpose of this was to protect the company's assets, manage the fleet optimally and optimize the workflow, among other things. Some of the location data collected by the controller was stored for a year. The DPA states that this was clearly excessive and not necessary for the purposes of the processing. The DPA considered this to be a violat

Asociația de Proprietari Aviației Park: Insufficient legal basis for data processing

€7,000 fine - Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)

The Romanian DPA has fined Asociația de Proprietari Aviației Park, operator of a residential facility, EUR 7,000. The controller had processed personal data (surname, first name, ID number and series, destination, arrival time, departure time, remarks) of delivery persons and/or couriers without a valid legal basis. In addition, the DPA found that the controller did not sufficiently inform the data subjects about the processing of their personal data. Furthermore, the DPA found that the controll

Clearview AI Inc.: Non-compliance with general data processing principles

€9,000,000 fine - Information Commissioner (ICO)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such

Palumbo Superyacht Ancona s.r.l.: Insufficient legal basis for data processing

€50,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Palumbo Superyacht Ancona s.r.l. EUR 50,000. The company had blocked an employee's company email account without permission. The employee had reported the incident to the company and asked for the restoration of the e-mail inbox, which contained both private and business e-mails. However, the company did not comply with this request. In the course of its investigation, the DPA found further violations. For example, the company did not respond to a request for informatio

Dutch Tax and Customs Administration: Non-compliance with general data processing principles

€3,700,000 fine - Dutch Supervisory Authority for Data Protection (AP)

The Dutch DPA has imposed a fine of EUR 3.7 million on the Dutch Tax and Customs Administration. This is the highest fine ever imposed by the Dutch DPA. As part of its investigation, the DPA found a number of violations of the GDPR. The Tax and Customs Administration had kept a list for several years on which it recorded indications of fraud. The list contained information on over 270,000 individuals, including minors. The administration had processed personal data such as health, citizenship, an

Clearview AI Inc.: Non-compliance with general data processing principles

€20,000,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined U.S.-based Clearview AI EUR 20 million after it was revealed that the company had been applying biometric surveillance techniques on Italian territory. The company owns a database of over 10 billion facial images from around the world. The company offers a search service that allows profiles to be created based on the biometric data extracted from the images. The profiles can be enriched with information associated with these images, such as image tags and geolocation.

Bocconi University: Non-compliance with general data processing principles

€200,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 200,000 on Bocconi University. A student had filed a complaint with the DPA about possible GDPR violations related to the use of a monitoring system during written exams. In the context of the emergency situation triggered by the Covid-19 pandemic, the university had equipped itself with the remote monitoring software Respondus provided by the American company Respondus Inc. to ensure the normal running of the exams, since it was not possible t

Furnishyourspace S.L.: Insufficient fulfilment of information obligations

€6,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA (AEPD) imposed a fine of EUR 6,000 on FurnishYourSpace S.L. The AEPD had received a complaint from the Berlin DPA via the EU Internal Market Information System about the inadequate design of the controller's privacy notice. Namely, the identity and contact details of the controller were provided in the privacy notice, but under a misleading heading that gave the impression that they were provided for a business purpose. In addition, the purposes of the processing were not clearl

Atac s.p.a.: Non-compliance with general data processing principles

€400,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 400,000 against Atac s.p.a. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city of Rome. In fact, the company Atac s.p.a., which was contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public t

Roma Capitale: Non-compliance with general data processing principles

€800,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA (Garante) has imposed a fine of EUR 800,000 on Roma Capitale. The Garante had launched an investigation following a complaint from an individual who had complained about the new parking meters installed in the city in 2018. In fact, the company Atac s.p.a., which was also contracted by the city to manage the parking lots, had initiated a technical upgrade of the parking meters in order to offer new services (e.g., the payment of fines/fees or the purchase/renewal of public transp

SGAM AG2R LA MONDIALE: Non-compliance with general data processing principles

€1,750,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has fined private insurer SGAM AG2R LA MONDIALE EUR 1,750,000. The CNIL had carried out an inspection at the AG2R LA MONDIALE group in 2019. On this occasion, the CNIL found that the controller kept the data of millions of individuals for an excessive period of time and did not comply with their information obligations in the context of telephone canvassing campaigns. With regard to the data of prospects, the controller did not comply with the maximum retention period of th

BRICO PRIVÉ: Non-compliance with general data processing principles

€500,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 500,000 on BRICO PRIVÉ. CNIL conducted three inspections at BRICO PRIVÉ between 2018 and 2021 and identified several deficiencies in the processing of personal data of prospects and customers. The controller, for example, had not complied with the data retention periods it had established. In this regard the data of more than 16,000 customers who had not placed an order in the last five years had been retained. The same applied to more than 130,000

LUXEMBOURG DPA: Non-compliance with general data processing principles

€7,200 fine - National Commission for Data Protection (CNPD)

The DPA from Luxembourg (CNPD) has imposed a fine of EUR 7,200 on a company. The company had installed a video surveillance system to protect the company's assets, prevent intrusion by unauthorized persons and prevent accidents. However, the cameras also captured parts of an employee's work area and the smoking area that employees frequently used. Furthermore, the controller had installed location sensors on the cars in its fleet. This was intended to optimize the company's operations. The DPA f