What is it
The GDPR FINES DATABASE is a service provided by INPLP. It is a comprehensive database of fines imposed by data protection authorities for GDPR violations around the European Union and beyond.
Who reports
The content and reports of GDPR fines can be provided by anyone, but will be quality checked before publication. The main contributors (called rapporteurs) are IT law firms from all over the world.
How to use
The GDPR Fines Database can be used without any cost. Search by country, company, infringement article or reason and use the links to get to additional information about the fine.
Rapporteurs
99 AVOCATS ASSOCIES
Monaco
Bukovinsky & Chlipala
Slovakia
Traple Konarski Podrecki & Partners
Poland
BELEN ARRIBAS SANCHEZ
Spain
e|s|b Adwokaci i Radcowie Prawni
Poland
Spirit Legal
Germany
SimpLEGAL
Hungary
Dentons Paz Horowitz
Ecuador
Fontes Tarso Ribeiro
BTG Legal
India
Seyfarth Shaw
Arthur Cox LLP
Ireland
Legal IT Abogad@s
Panama
BGBG
Mexico
William Fry
Aguilar Castillo Love
Costa Rica
HEKA LAW FIRM
Ecuador
Ozdagistanli Ekici Attorney Partnership
Turkey
Peck Advogados
Brazil
Gerrish Legal SARL
France
Stephenson Harwood LLP
United Kingdom
Marval O’Farrell Mairal
Argentina
Živković Samardžić
Republic of Serbia
advores Advokater & Rechtsanwälte
Denmark
Time.Lex
Belgium
RP Legal & Tax
Italy
OYAT
France
ECIJA GPA
Ecuador
Sourcing International
Njord Law
Denmark
PwC Legal
Estonia
Time.lex
Belgium
Lexing
France
Malta IT Law
Malta
Wolf Theiss
Romania
Gjessing Reimers
Norway
R&P Legal
Italy
JK Group
Slovenia
Nielsen Legal
Czech Republic
EuroLawyer
Austria
C-Lex
Italy
Giaccardi & Brezzo Advocats
Monaco
BCH Chlipala
Slovakia
Zeya
Greece
Derra, Meyer & Partner
Germany
Abreu Advogados
Portugal
Cordemeyer & Slager
Tassos Papadopoulos & Associates
Andersen Tax & Legal
Gun+Partners
Stankovic & Partners
Boris Guljas
Fox Rothschild
AHW Law
OBLP
de la cruz beranek
TKP
Molitor
Matsuda & Partners
Japan
Dimitrov, Petrov & Co.
Bulgaria
Alliance Law Firm
Nigeria
Setterwalls
Sweden
Bona Fide
North Macedonia
ECIX
Spain
Pinsent Masons
United Kingdom and Hong Kong
ALV
Brazil
Gowling WLG
Canada
Naschitz, Brandes, Amir & Co., Advocates
Israel
Bermúdez & Esguerra Abogados (BEA)
Colombia
Hart Muirhead Fatta
Jamaica
Niubox
Peru
Arochi & Lindner, S.C.
Mexico
and many more...
Preview of fines
The database contains a total of 311 GDPR fines across the EU and beyond that have been submitted so far by rapporteurs.
Country & Fine Details | Infringement Articles | Reason Overview | Reason Details | Link |
---|---|---|---|---|
Country: Czech Republic; Organization: UniCredit Bank Czech Republic and Slovakia, a.s.; Amount: CZK 80 000; Date: 2019; INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o. | Art. 5 (1) a) GDPR, Art. 5 (1) b) GDPR, Art. 5 (1) f) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The Bank has opened a personal bank account for a person concerned without their consent or knowledge. The bank allegedly had his or her personal data at its disposal because the data subject had access to his or her employer's company account. The bank was not in a position to provide the Czech Data Protection Authority with the documents necessary to prove that the contract with the data subject had been concluded. Authority: Czech Data Protection Authority (UOOU) | Link |
Country: Denmark; Organization: IDdesign A / S; Sector: Furniture; Amount: 200.850 €; Date: 03.06.2019; INPLP Partner: NJORD Advokatpartnerselskab | Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Failure to comply with the principle of storage limitation - Proposed fine | October 2018: The Danish Data Protection Authority completed a planned inspection visit to a furniture company. The inspection focused on the limitation of storage according to Article 5(1)(e) GDPR. The company implemented a new computer system in several of its furniture stores in Denmark. In three of the stores however, the old system was still being used, which meant that information on approximately 385,000 customer names, addresses, telephone numbers, e-mail addresses and purchasing history was processed. The furniture company had not assessed the need for data storage and had not set any retention periods. Consequently, the personal data was never deleted from the old system. The company had set a deadline for the anonymisation of customer information, which was set to 912 days (corresponding to the guarantee period). However, the deadline for anonymisation had not yet been implemented because the data controller had not sufficiently documented his procedures for deleting the personal data. The Danish Data Protection Authority reported the company to the police and proposed a fine of DKK 1.5 million (approx. EUR 201,000) for non-compliance with the principle of storage limitation, cf. Art. 5(1)(e), as the company had stored the personal data of approx. 385,000 customers for longer than the Danish Data Protection Authority considered necessary. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), fines are imposed by the courts. Authority: Danish Data Protection Authority (Datatilsynet) | Link |
Country: Denmark; Organization: Taxa 4x35; Sector: Taxi business; Amount: DKK 1,2 million; Date: 18.03.2019; INPLP Partner: NJORD Advokatpartnerselskab | Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles and principles of data minimisation - Proposed fine | In October 2018, the Danish Data Protection Authority notified the police about a taxi company and proposed a fine (of DKK 1.2 million) for non-compliance with the principle of data minimisation. According to the taxi company, the stored personal data of customers should be anonymised after two years. However, the company deleted the names of its passengers from all its records after two years, while the passengers' telephone numbers were deleted only after five years. Information on the consumer behaviour of the customers, the pick-up and return points, could therefore be attributed to a private person up to five years after a taxi tariff. The taxi company had registered information on 8,873,333 personally identifiable taxi tariffs that were older than two years. The taxi company argued that the storage of its customers' telephone numbers was important in regards to the access to the company's database and for business development. The Danish Data Protection Authority reported the taxi company to the police and proposed a fine of DKK 1.2 million (approx. EUR 160,000). The Danish Data Protection Authority stated that business development was not a legitimate reason to keep personal data for such a long period of time. The Danish Data Protection Authority concluded that a data controller may not set a deadline for deletion that is three years longer than necessary, simply because the company's system makes it difficult to comply. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), penalties are imposed by the courts. Authority: Danish Data Protection Agency (Datatilsynet) | Link |
Country: Greece; Organization: PriceWaterhouseCoopers Business Solutions SA (PWC BS); Sector: Private / Business Consultancy; Amount: 150.000 €; Date: 26.07.2019; INPLP Partner: Zepos & Yannopoulos | Article 5 par. 1(a), Article 5 par. 2, Article 6 par. 1(a) | Unlawful and non-transparent processing of employees' personal data and failure to demonstrate compliance | The fined company has requested the consent of its employees for the processing of their personal data, for the transfer of their personal data to third parties (including customers) and for the use of video surveillance in the workplace. The Greek Data Protection Authority found that PWC BS was in breach of the following provisions: - Article 5(1)(a) (lawfulness) for unlawfully processing workers' data on the basis of consent which does not constitute an inappropriate legal basis for such processing activities and, in any event, the consent was not valid because it was not given voluntarily, - Article 5(1)(a) (fairness and transparency) and Article 6(1)(a), in order to give the false impression to data subjects in dependent employment that the basis of the processing was consent, although this should not be the case, - Article 5(2) in the event that compliance cannot be proved and the burden of proof is transferred to the data subject. Authority: HELLENIC DATA PROTECTION AUTHORITY | Link |
Country: Greece; Organization: Hellenic Telecommunications Organization S.A. (OTE); Sector: Private / Telecommunications; Amount: 200.000 €; Date: 13.09.2019; INPLP Partner: Zepos & Yannopoulos | Article 25 par. 3, Article 5 par. 1(d); (also non-GDPR): Article 11 of Greek Law 3471/2006 (implementing ePrivacy Directive) | Violation of data protection by design and the principle of data accuracy | Article 11 of Law 3471/2006 mandates that every telecoms provider maintains a “subscriber directory” with the numbers of all the data subjects who wish to not receive unsolicited marketing calls. Consequently, companies that wish to make direct marketing calls should exclude these numbers from their lists. Due to a system error, OTE had failed to successfully communicate the entire directory to the marketing companies, resulting in many data subjects who had opted out of the marketing receiving unsolicited promotional calls. Following a series of complaints by individuals, the Hellenic DPA decided to impose an administrative fine due to the high number of data subjects affected (approximately 16.000) and the long duration of the violation (approximately 3 years). Authority: HELLENIC DATA PROTECTION AUTHORITY | Link |