During COVID-19 pandemic lockdown we have tracked off GDPR. Meanwhile authorities were not sitting with arms folded but managed to impose numerous fines.
- The Belgian data protection authority imposed a fine of EUR 1, 000 on a non-profit organization for sending out direct marketing messages, despite the fact that data subjects had exercised their right to erasure and objection.
- Social Media Provider. The Belgian data protection authority imposed a fine of EUR 50, 000 on the company for sending out invitations to contacts uploaded by its users without their consent or any other legal basis.
- Posti Group Oyj . The Deputy Data Protection Ombudsman (‘the Deputy Ombudsman’) fined Posti EUR 100, 000 for transparency violations, that affected 161,000 customers in 2019. In particular, the decision relates to complaints alleging that data subjects received direct marketing from the company although they had requested that their postal data be deleted. Investigations also revealed that the data protection information provided by the company was not transparent enough.
- Kymen Vesi Oy. The Deputy Data Protection Ombudsman fined Kymen Vesi Oy EUR 16,000 for GDPR violations, particularly for Kymen Vesi’s processing of the location data of its employees by tracking vehicles with a vehicle information system without completing a DPIA before such processing had taken place.
- Taksi Helsinki. The Office of the Data Protection Ombudsman’s sanctions board imposed an administrative fine of EUR 72, 000 on Taksi Helsinki Oy for non-compliance with general data processing principles before adopting a camera surveillance system that recorded audio and video in its taxis.
- Unknown Company. The Deputy Data Protection Ombudsman imposed a fine of EUR 12, 500 for processing its employee data without sufficient legal basis.
- The child and family agency become the first organization in the State fined EUR 75, 000 for a breach of the GDPR, in particular the investigation revealed three cases where information about children had been wrongly disclosed to unauthorized parties.
- JobTeam A/S DKK. Danish Data Protection Authority (Datatilsynet) imposed a fine of EUR 6, 700 for its failure to comply with GDPR. In particular, company deleted personal data covered by a subject access request (‘SAR’) during the period after the SAR was made, and before responding to the SAR.
- Health and Medical Board of the Region of Örebro County. The Swedish data protection authority (‘Datainspektionen’) imposed a fine of EUR 11,200 for violations of the GDPR by illegally publishing the sensitive personal data of a patient without a sufficient legal basis.
- Banca Comercială Română SA. The National Supervisory Authority for Personal Data Processing (‘ANSPDCP’) imposed a fine of EUR 5,000 for Insufficient technical and organizational measures to ensure information security. Additionally it was revealed the company was collecting and transmitting the copies of customers’ identification documents via WhatsApp.
- Iberdrola Clientes. AEPD fined EUR 50,000 for GDPR violations. The company was asked to provide the AEPD with specific information in relation to a complaint. However, the company had not replied to the data protection authorities request within a certain time frame.
- Unknown Organization. Dutch Supervisory Authority for Data Protection (AP) fined EUR 725, 000 The вata protection authority (‘Datainspektionen’) imposed a fine of EUR 11,200 for Insufficient legal basis for data processing. In particular the organization had required its staff to have their fingerprints scanned to record attendance.
- National Government Service Centre (NGSC.) The Swedish Data Protection Authority imposed an administrative fine of EUR 18,700 euro for failing to notify affected parties as well as the Data Protection Authority about a personal data breach in due time.
- Proximus SA. The Belgian Data Protection Authority issued EUR 50,000 fine for DPO appointment violation. The company’s data protection officer was not sufficiently involved in the processing of personal data breaches and the company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company’s DPO was not able to work independently.
- Estee Lauder Romania. Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) issued a fine of EUR 3,000 for GDPR violations, namely for illegally disclosing and collecting personal data, including the names, surnames, telephone numbers, dates of birth, and health information of data subjects, without obtaining their consent or relying upon another legal basis for processing.
- Telekom Romania Communications SA. Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) fined EUR 3, 000 for insufficient technical and organizational measures to ensure information security. Particularly the company had not taken sufficient technical and organizational measures to ensure the accuracy of personal data transmitted by telephone for the conclusion of contracts. This led to contracts being concluded by telephone on behalf of other data subjects
- SOS Infertility Association. Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) imposed a fine of EUR 2, 000 for non-cooperation with Data Protection Authority. The Association failed to provide the necessary data to the data protection authority after it had unlawfully processed personal data of its clients.
- Enel Energie. ANSPDCP fines EUR 3,000 for GDPR violation. The company has sent an email to a client containing personal data of another client, such as name and surname, address, email address, and client code. Furthermore, ANSPDCP outlined that Enel Energie has not implemented adequate technical and organizational measures to ensure a level of security corresponding to the risk generated by the disclosure of personal data.
- Vodafone Romania. Romania’s National Supervisory Authority sanctioned Vodafone with a fine of EUR 3,000 insufficient technical and organizational measures to ensure information security. The company has sent an email to a customer that contained personal data of another customer due to inadequate technical and organizational measures to ensure information security.
- Dante International. ANSPDCP fines EUR 3,000 for GDPR violation, namely the company sent a commercial e-mail to a client though the client had previously unsubscribed from commercial communications.
- Xfera Moviles S.A. telecommunications firm fined EUR 5, 000 for not providing the data protection authority with the requested information in a timely manner. The request was preceded by a request from a data subject for access to its personal data.
- Oliveros Ustrell, S.L. The Spanish data protection authority (AEPD) fined EUR 6,000 for GDPR violation. The company forwarded an unsigned porting contract to the operator Vodafone. However, the data controller was unable to provide evidence of the order.
- Telefónica. AEPD fined Telefónica EUR 30,000 for insufficient cooperation with supervisory authority
- Centro De Estudio Dirigidos Delta, S. AEPD imposed a fine of EUR 5, 000 for sending a message containing personal data such as first and last name and ID numbers to a third party via WhatsApp without the consent of the data subjects.
- Private Person. On a beach, a private person secretly photographed female bathers. The incident was reported to the AEPD by the local police.
- Amalfi Servicios de Restauracion S.L. AEPD imposed a fine of EUR 6, 000 for video surveillance of public space and thus violation of the principle of data minimization.
- Homeowners Association. AEPD sanctioned EUR 2, 000 for video surveillance of public space and thus violation of the principle of data minimization.
- Gesthotel Activos Balagares. AEPD fined EUR 15, 000 for GDPR violations. The individual claimant stated that he had sent a private letter to the hotel management and union delegates containing information about an episode of harassment he had suffered, describing a specific medical condition.
- Private person. AEPD sanctioned EUR 4, 000 for unlawful usage of video surveillance cameras which also monitored parts of the public space (violation of principle of data minimization.)
- AEPD fined EUR 3, 200 for insufficient declaration of video surveillance.
- Vodafone España, S.A.U. AEPD imposed a fine of EUR 60, 000. The claimant stated he received several SMS from a separate operator indicating the activation of a new contract. The reason for this was that an employee of Vodafone España activated a contract with a third operator on behalf of the data subject. Vodafone could not demonstrate consent or sufficient legitimate interests for this processing of personal data.
- Vodafone España, S.A.U. AEPD imposed 3 fines of EUR 106, 000 total. The company was unable to demonstrate adequate measures to ensure information security, leading to unauthorized access to personal data of a client. The company sent an SMS to the client’s mobile number confirming that a telephone contract with that number had been signed even though the client was not a Vodafone client. The company sent two SMS to the client’s mobile number informing about a rate change in its contract and confirming the purchase of a new mobile phone, resulting in the processing of personal data without the data subjects consent or other legitimate interests of the company.
- Speech and Special Education Centre – Mihou Dimitra. The Hellenic Data Protection Authority (HDPA) imposed a fine of EUR 8,000 for Insufficient fulfilment of data subjects rights. The complainant had requested access to his child’s data and to tax information. This request was rejected by the data controller. In addition, the data controller had violated an order of the data protection authority regarding access to the data. For this, a fine of EUR 8000 was imposed: EUR 3000 for not granting access to the data and EUR 5000 for violating orders of the data protection authority.
- Bank (name not available at the moment.) Croatian Data Protection Authority (AZOP) imposed a fine. for In the period from May 2018 to April 2019, the bank (name not available at the moment) refused to provide its customers with copies of credit documentation (e.g. repayment plan, loan agreement annex, interest rates changes review etc.). The bank insisted with the argument that the documentation is related to repaid loans and represents loan documentation that cannot be subject to the customers’ right of access. During the procedure initiated based on data subject’s complaints, the DPA ordered the bank to enable the right of access and provide copies of the requested loan documentation. When imposing the fine, the DPA took into consideration especially that the bank failed to comply with the ordered measures, that it continued with such practice for almost a year and denied the right of access to more than 2500 of its customers. The amount of the fine is now known at the moment, but as the DPA qualified the breach as “severe”, a high fine is expected.
- Google LLC. Data Protection Authority of Sweden imposed a fine of EUR 7, 000, 000 for GDPR violations.
- Hørsholm Municipality received a privacy fine of EUR 7, 000. A city government employee had his work computer stolen, which contained the personal data of about 1,600 city government employees, including sensitive information and information about social security numbers.
- Gladsaxe Municipality fined EUR 14, 000. A computer, containing personal data that was not protected by encryption, has been stolen, including sensitive information and personal identification numbers of 20,620 city residents.
- National Center of Addiction Medicine (SAA.) Icelandic data protection authority (Persónuvernd) imposed a fine of EUR 20, 600. Former employee of the SAA received boxes of allegedly personal belongings that he had left there, but which also contained patient data, including the health records of 252 former patients and documents with the names of about 3,000 people who had participated in rehabilitation for alcohol and drug abuse.
- Breiðholt Upper Secondary School was sanctioned EUR 9, 000 for personal data breach. A teacher sent an e-mail to his students and their parents with an attachment containing data on their well-being, academic performance and social conditions.
- Vis Consulting Sp. z o.o. telemarketing firm fined EUR 4, 400. The company prevented an inspection by the data protection authority.
- School in Gdansk (Danzig) (fine imposed against town of Gdansk) fined EUR 4, 600 by Polish National Personal Data Protection Office (UODO) for using biometric fingerprint scanners to authenticate students for the payment process in the school canteen. Although the parents had given their written consent to such data processing, the data protection authority considered the processing of the student data to be unlawful, as the consent to data processing was not given voluntarily.
- Liceo Artistico Statale di Napoli fined EUR 4, 000 by Italian Data Protection Authority (Garante) for having unlawfully published health data and other information in the teacher rankings on the Institute’s website. This publication was made in violation of the principles of lawfulness, fairness, transparency, and data minimization
- Liceo Scientifico Nobel di Torre del Greco fined EUR 4, 000 by Italian Data Protection Authority (Garante) for having unlawfully published health data and other information of more than 2000 teachers in the teacher rankings on the Institute’s website. This publication was made in violation of the principles of lawfulness, fairness, transparency, and data minimization.
- Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) imposed a fine of EUR 2, 890, as the personal data of the data subject had been registered and transferred to the Central Credit Information System (CCI) in connection with a loan agreement, without the data subject being a party to the agreement.
- Unknown company was fined EUR 2, 800 by the Hungarian National Authority for Data Protection and the Freedom of Information (NAIH), as the data controller did not complied with its obligation regarding the right of access to video recordings and was also unable to demonstrate that his data processing activities had been in compliance with data protection laws.
- Creditor was fined EUR 870 for sending SMS to a data subject as a reminder for a debt, even when the debt had already been paid.
- Representative of a local government fined EUR 290. A local representative took a photo of the director of a company fully owned by the local government depicting the director allegedly tearing off an election poster of the opposition in the company of his child. The local representative uploaded the photo to his Facebook page. The child’s image was blurred, yet it was hinted in the post that she was the daughter of the director. The director told the local representative at the scene that he does not consent to the taking of the photo. NAIH determined that the act of the director was not public information and the photo does not prove that the director torn off an election poster. NAIH also underpinned that only the name of the director of the company fully owned by the local government was public information.
- Royal Dutch Tennis Association (KNLTB.) The Dutch Data Protection Authority (Dutch DPA) imposed a fine of EUR 525,000 for sharing the personal data of its members with two of its sponsors in June 2018 on the basis of its own commercial interests.
- AEPD fines Vodafone EUR 48,000 for giving two people the same security access key.
- AEMA Hispánica fined EUR 3,600 for sending the payroll of an employee to another employee and therefore disclosed personal data to an unauthorized party.
- Vodafone España, S.A.U sanctioned EUR 120, 000, being unable to prove to the data protection authority that the data subject had given his consent to the processing of his personal data for the provision of a telephone contract. Furthermore, the decision of the data protection authority emphasised that Vodafone España also had unlawfully disclosed the personal data of the data subject to various credit agencies.
- AEPD fined HM Hospitales EUR 48,000. A complainant argued that at the moment of his admission in the hospital he had to fill a form including a checkbox indicating that, in case he did not tick the same, he agreed to the transfer of his data to third parties. In addition, the form provided by HM was not compliant with the GDPR since consent was obtained through the inaction of the data subject.
- Casa Gracio Operation fined EUR 6 000 for unlawful use of CCTV cameras
- AEPD fined Mymoviles Europea EUR 1,500. The company did not publish a privacy statement on its website and its legal notice did not sufficiently identify itself.
- AEPD fined Grupo Valsor Y Losan EUR 2,500, as the controller disclosed personal data to a third party in a property purchase agreement (breach of principles of integrity and confidentiality of personal data.)
- Colegio Arenales Carabanchel (School) fined EUR 3, 000 for transferring pictures (and therefore personal data) to third parties, who published them without legal basis.
- Iberdola Clientes, an electricity company, fined EUR 80, 000. They terminated the data subject’s contract without its consent, concluded three new contracts with the data subject, processed his personal data unlawfully and transferred the plaintiff’s personal data to a third party without legal basis. In addition to this fine the AEPD also imposed another fine in the amount of EUR 50.000 under the old Spanish Data Protection Law.
- Vodafone España, S.A.U. fined EUR 42, 000. The complainant had access to third party data in his personal Vodafone profile.
- Xfera Moviles S.A. fined EUR 30, 000. The AEPD found that a third party had access to the name, telephone number and address of another customer.
- Cafetería Nagasaki fined EUR 1, 500, since it did not comply with its obligations under the GDPR, as it placed its surveillance cameras in such a way as to monitor the public space outside its premises, which disproportionately affected pedestrians.
- Xfera Moviles S.A. fined EUR 60, 000, since it had unlawfully processed data, including bank details, customer address, and names, following a fraudulent misrepresentation of the complainant’s wishes.
- Vodafone España, S.A.U fined EUR 75, 000, as it had signed a contract for the transfer of a telephone subscription with a third party without the data subject’s knowledge or consent and that, as a result, he, the data subject, had received an e-mail from the third party for a purchase made by him.
- Vodafone España, S.A.U fined EUR 60, 000. Data subject argued that he had received an e-mail which contained the billing of a telephone line that the data subject had never requested,
- Vodafone España, S.A.U fined EUR 50, 000. Data subject argued that Vodafone España had sent invoices containing his personal data, such as name, identity card and address, to his neighbor.
- Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal fined EUR 20, 000, as they continued to send e-mails to the data subject, despite the data subject had requested the withdrawal of his consent
- Vodafone España, S.A.U fined EUR 75, 000. A former customer of the company, continued to receive invoice notifications, although at that time there was neither a contractual relationship nor any payment overdue from the expired contractual relationship.
- Banco Bilbao Vizcaya Argentaria S.L. fined EUR 6, 700, as they repeatedly sent advertising messages to a data subject, although the data subject had objected to the processing of his data.
- AEPD fined Quesería Artenal Ameco EUR 5,000, since they processed personal data of customers without required consent.
- AEPD fined Automoción EUR 800, because one of its employees uploaded a colleague’s photo, name, telephone number, as well as a sexual description to an erotic website without her consent.
- Datatilsynet fined Coop Finnmark SA EUR 36, 800 for the distribution of camera surveillance footage.
- Datatilsynet issued EUR 73, 600 fine to municipality of Rælingen after health information about children with physical and mental disabilities had been processed in the Showbie digital learning platform.
- The fine of EUR 2,600 was imposed on T.K. EOOD for unlawful processing of personal data of data subject I.S. by failure to adopt technical and organizational measures to ensure the information security.
- The fine of EUR 2, 600 was imposed on L.E. EOOD for unlawful processing of personal data of data subject I.S. without the knowing and the consent of the data subject and also without a valid contractual relationship between L.E. EOOD and I.S.
- Garante fined Comune di Urago d’Oglio EUR 4,000. An individual complainant argued that the local council published on its institutional website documentation such as the text of a judgment containing the individual’s personal data, including health information.
- RTI – Reti Televisive Italiane s.p.a. fined EUR 20, 000. The television station broadcasted a documentary about prostitution in Switzerland, in which the persons interviewed were not made sufficiently anonymous.
- ANSPDCP fined Vodafone Romania EUR 3,000, as they mistakenly processed the personal data of an individual in order to resolve his complaint, subsequently sent to an incorrect e-mail address, not having taken sufficient security measures against the illegal processing of the data.
- Garante fined Azienda Ospedaliera Universitaria EUR 30,000 for the access to employee health data that had been made with the credentials of a doctor, and that a trainee and a radiologist had accessed the health records of their colleagues
- Garante fines Sapienza Università EUR 30,000, as they made the identification data of two persons, who had reported possible unlawful conduct to the university, accessible online.
- Italian Garante Fined Telecom Company 27.8 Million Euros for Unlawful Marketing Practices.
- Garante fines city of Francavilla Fontana EUR 10,000, as the community published on its website information about a court trial, including personal data such as health data about a data subject.
- AEPD fines Zhang Bordeta EYR 3, 600 for unlawful use of CCTV cameras
- Vodafone España, S.A.U. fined EUR 3, 000 and EUR 44, 000 for insufficient cooperation with supervisory authority. Furthermore the company had sent a contract with personal data, including the applicant’s name, address and telephone number, to the wrong recipient.
- EDP ENERGIA, S.A.U., energy company, fined EUR 75, 000, as the company processed personal data such as first and last name, tax number, address and mobile phone number without the consent of the data subject.
- EDP Comercializadora S.A., energy company, fined EUR 75, 000. The company processed personal data in connection with a gas contract without the consent of the applicant.
- Asociacion de Medicos Democratas fined EUR 10, 000, as it processed personal data of its members, despite having been warned by the AEPD that it carried out the processing without the consent of the data subjects.
- Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance fined EUR 9, 000 for granting the police access to personal data and failing to take adequate measures to secure the data.
- eShop for Sports (M.L. PRO.FIT SOLUTIONS LTD) fined EUR 1, 000 for sending SMS marketing messages without consent.
- Allseas Marine S.A. fined EUR 15, 000. The DPA found that the closed-circuit video-surveillance system had been installed and operated illegally.
- The fine of EUR 5,113 was imposed on a utility company for unlawful processing of the personal data of the data subject