What is it
The GDPR FINES DATABASE is a service provided by INPLP: It is a comprehensive database of fines imposed by data protection authorities for GDPR violations around the the European Union and beyond.
The content and reports of GDPR fines can be provided by anyone, but will be quality checked before publication. The main contributors (called rapporteurs) are IT law-firms from all over the world.
How to use
The GDPR Fines Database can be used without any cost. Search by country, company, infringement article or reason and use the links to get to additional information about the fine.
and many more...
Preview of fines
The database contains a total of
251 GDPR fines across the EU and beyond
that have been submitted so far by rapporteurs.
|Country & Fine Details||Infringement Articles||Reason Overview||Reason Details||Link|
Country: Czech Republic
Organization: UniCredit Bank Czech Republic and Slovakia, a.s.
Amount: CZK 80 000
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
|Art. 5 (1) a) GDPR, Art. 5 (1) b) GDPR, Art. 5 (1) f) GDPR, Art. 6 (1) GDPR||Insufficient legal basis for data processing||
The Bank has opened a personal bank account for a person concerned without their consent or knowledge. The bank allegedly had his or her personal data at its disposal because the data subject had access to his or her employer's company account. The bank was not in a position to provide the Czech Data Protection Authority with the documents necessary to prove that the contract with the data subject had been concluded.
Authority: Czech Data Protection Auhtority (UOOU)
Organization: IDdesign A / S
Amount: 200.850 €
INPLP Partner: NJORD Advokatpartnerselskab
|Art. 5 (1) e) GDPR, Art. 5 (2) GDPR||Failure to comply with the principle of storage limitation - Proposed fine||
October 2018: The Danish Data Protection Authority completed a planned inspection visit to a furniture company. The inspection focused on the limitation of storage according to Article 5(1)(e) GDPR. The company implemented a new computer system in several of its furniture stores in Denmark. In three of the stores however, the old system was still being used, which meant that information on approximately 385,000 customer names, addresses, telephone numbers, e-mail addresses and purchasing history was processed. The furniture company had not assessed the need for data storage and had not set any retention periods. Consequently, the personal data was never deleted from the old system. The company had set a deadline for the anonymisation of customer information, which was set to 912 days (corresponding to the guarantee period). However, the deadline for anonymisation had not yet been implemented because the data controller had not sufficiently documented his procedures for deleting the personal data. The Danish Data Protection Authority reported the company to the police and proposed a fine of DKK 1.5 million (approx. EUR 201,000) for non-compliance with the principle of storage limitation, cf. Art. 5(1)(e), as the company had stored the personal data of approx. 385,000 customers for longer than the Danish Data Protection Authority considered necessary. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), fines are imposed by the courts.
Authority: Danish Data Protection Authority (Datatilsynet)
Organization: Taxa 4x35
Sector: Taxi business
Amount: DKK 1,2 million
INPLP Partner: NJORD Advokatpartnerselskab
|Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR||Non-compliance with general data processing principles and principles of data minimisation - Proposed fine||
In October 2018, the Danish Data Protection Authority notified the police about a taxi company and proposed a fine (of DKK 1.2 million) for non-compliance with the principle of data minimisation. According to the taxi company, the stored personal data of customers should be anonymised after two years. However, the company deleted the names of its passengers from all its records after two years, while the passengers' telephone numbers were deleted only after five years. Information on the consumer behaviour of the customers, the pick-up and return points, could therefore be attributed to a private person up to five years after a taxi tariff. The taxi company had registered information on 8,873,333 personally identifiable taxi tariffs that were older than two years. The taxi company argued that the storage of its customers' telephone numbers was important in regards to the access to the company's database and for business development. The Danish Data Protection Authority reported the taxi company to the police and proposed a fine of DKK 1.2 million (approx. EUR 160,000). The Danish Data Protection Authority stated that business development was not a legitimate reason to keep personal data for such a long period of time. The Danish Data Protection Authority concluded that a data controller may not set a deadline for deletion that is three years longer than necessary, simply because the company's system makes it difficult to comply. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), penalties are imposed by the courts.
Authority: Danish Data Protection Agency (Datatilsynet)
Organization: PriceWaterhouseCoopers Business Solutions SA (PWC BS)
Sector: Private / Business Consultancy
Amount: 150.000 €
INPLP Partner: Zepos & Yannopoulos
|Article 5 par. 1(a) Article 5 par. 2 Article 6 par. 1(a)||Unlawful and non-transparent processing of employees' personal data and failure to demonstrate compliance||
The fined company has requested the consent of its employees for the processing of their personal data, for the transfer of their personal data to third parties (including customers) and for the use of video surveillance in the workplace. The Greek Data Protection Authority found that PWC BS was in breach of the following provisions: - Article 5(1)(a) (lawfulness) for unlawfully processing workers' data on the basis of consent which does not constitute an inappropriate legal basis for such processing activities and, in any event, the consent was not valid because it was not given voluntarily, -Article 5(1)(a) (fairness and transparency) and Article 6(1)(a), in order to give the false impression to data subjects in dependent employment that the basis of the processing was consent, although this should not be the case -Article 5(2) in the event that compliance cannot be proved and the burden of proof is transferred to the data subject
Authority: HELLENIC DATA PROTECTION AUTHORITYAdditional Information:
Organization: Hellenic Telecommunications Organization S.A. (OTE)
Sector: Private / Telecommunications
Amount: 200.000 €
INPLP Partner: Zepos & Yannopoulos
|Article 25 par. 3 Article 5 par. 1(d) (also non-GDPR): Article 11 of Greek Law 3471/2006 (implementing ePrivacy Directive)||Violation of data protection by design and the principle of data accuracy||
Article 11 of Law 3471/2006 mandates that every telecoms provider maintains a “subscriber directory” with the numbers of all the data subjects who wish to not receive unsolicited marketing calls. Consequently, companies that wish to make direct marketing calls should exclude these numbers from their lists. Due to a system error, OTE had failed to successfuly communicate the entire directory to the marketing companies resulting in many data subjects who had opted out of the marketing to receive unsolicited promotional calls. Following a series of complaints by individuals, the Hellenic DPA decided to impose an administrative fine due to the high number of data subjects affected (approximately 16.000) and the long duration of the violation (approximately 3 years).
Authority: HELLENIC DATA PROTECTION AUTHORITY