What is it
The GDPR FINES DATABASE is a service provided by INPLP: It is a comprehensive database of fines imposed by data protection authorities for GDPR violations around the European Union and beyond.
Who reports
The content and reports of GDPR fines can be provided by anyone, but will be quality checked before publication. The main contributors (called rapporteurs) are IT law-firms from all over the world.
How to use
The GDPR Fines Database can be used without any cost. Search by country, company, infringement article or reason and use the links to get to additional information about the fine.
Rapporteurs

99 AVOCATS ASSOCIES
Monaco

Bukovinsky & Chlipala
Slovakia

Traple Konarski Podrecki & Partners
Poland

BELEN ARRIBAS SANCHEZ
Spain

e|s|b Adwokaci i Radcowie Prawni
Poland

Spirit Legal
Germany

SimpLEGAL
Hungary

Dentons Paz Horowitz
Ecuador

Fontes Tarso Ribeiro

BTG Legal
India

Seyfarth Shaw

Arthur Cox LLP
Ireland

Legal IT Abogad@s
Panama

BGBG
Mexico

William Fry

Aguilar Castillo Love
Costa Rica

HEKA LAW FIRM
Ecuador

Ozdagistanli Ekici Attorney Partnership
Turkey

Peck Advogados
Brazil

Gerrish Legal SARL
France

Stephenson Harwood LLP
United Kingdom

Marval O’Farrell Mairal
Argentina

Živković Samardžić
Republic of Serbia

advores Advokater & Rechtsanwälte
Denmark

Time.Lex
Belgium

RP Legal & Tax
Italy

OYAT
France

ECIJA GPA
Ecuador

Sourcing International

Njord Law
Denmark

PwC Legal
Estonia

Time.lex
Belgium

Lexing
France

Malta IT Law
Malta

Wolf Theiss
Romania

Gjessing Reimers
Norway

R&P Legal
Italy

JK Group
Slovenia

Nielsen Legal
Czech Republic

EuroLawyer
Austria

C-Lex
Italy

Giaccardi & Brezzo Advocats
Monaco

BCH Chlipala
Slovakia

Zeya
Greece

Derra, Meyer & Partner
Germany

Abreu Advogados
Portugal

Cordemeyer & Slager

Tassos Papadopoulos & Associates

Andersen Tax & Legal

Gun+Partners

Stankovic & Partners

Boris Guljas

Fox Rothschild

AHW Law

OBLP

de la cruz beranek

TKP

Molitor

Matsuda & Partners
Japan

Dimitrov, Petrov & Co.
Bulgaria

Alliance Law Firm
Nigeria

Setterwalls
Sweden

Bona Fide
North Macedonia

ECIX
Spain

Pinsent Masons
United Kingdom and Hong Kong

ALV
Brazil

Gowling WLG
Canada

Naschitz, Brandes, Amir & Co., Advocates
Israel

Bermúdez & Esguerra Abogados (BEA)
Colombia

Hart Muirhead Fatta
Jamaica

Niubox
Peru

Arochi & Lindner, S.C.
Mexico

Dottir Attorneys Ltd
Finland

Urbano Vitalino Advogados
Brazil
and many more...
Preview of fines
The database contains a total of 311 GDPR fines across the EU and beyond that have been submitted so far by rapporteurs.
Country & Fine Details | Infringement Articles | Reason Overview | Reason Details | Link |
---|---|---|---|---|
Country: Czech Republic; Organization: UniCredit Bank Czech Republic and Slovakia, a.s.; Amount: CZK 80 000; Date: 2019; INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o. | Art. 5 (1) a) GDPR, Art. 5 (1) b) GDPR, Art. 5 (1) f) GDPR, Art. 6 (1) GDPR | Insufficient legal basis for data processing | The bank opened a personal bank account for a data subject without his or her consent or knowledge. The bank allegedly had his or her personal data at its disposal because the data subject had access to his or her employer's company account. The bank was not in a position to provide the Czech Data Protection Authority with the documents necessary to prove that the contract with the data subject had been concluded. Authority: Czech Data Protection Authority (UOOU) | Link |
Country: Denmark; Organization: IDdesign A / S; Sector: Furniture; Amount: 200.850 €; Date: 03.06.2019; INPLP Partner: NJORD Advokatpartnerselskab | Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Failure to comply with the principle of storage limitation - Proposed fine | October 2018: The Danish Data Protection Authority completed a planned inspection visit to a furniture company. The inspection focused on the limitation of storage according to Article 5(1)(e) GDPR. The company implemented a new computer system in several of its furniture stores in Denmark. In three of the stores however, the old system was still being used, which meant that information on approximately 385,000 customer names, addresses, telephone numbers, e-mail addresses and purchasing history was processed. The furniture company had not assessed the need for data storage and had not set any retention periods. Consequently, the personal data was never deleted from the old system. The company had set a deadline for the anonymisation of customer information, which was set to 912 days (corresponding to the guarantee period). However, the deadline for anonymisation had not yet been implemented because the data controller had not sufficiently documented his procedures for deleting the personal data. The Danish Data Protection Authority reported the company to the police and proposed a fine of DKK 1.5 million (approx. EUR 201,000) for non-compliance with the principle of storage limitation, cf. Art. 5(1)(e), as the company had stored the personal data of approx. 385,000 customers for longer than the Danish Data Protection Authority considered necessary. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), fines are imposed by the courts. Authority: Danish Data Protection Authority (Datatilsynet) | Link |
Country: Denmark; Organization: Taxa 4x35; Sector: Taxi business; Amount: DKK 1,2 million; Date: 18.03.2019; INPLP Partner: NJORD Advokatpartnerselskab | Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR | Non-compliance with general data processing principles and principles of data minimisation - Proposed fine | In October 2018, the Danish Data Protection Authority notified the police about a taxi company and proposed a fine (of DKK 1.2 million) for non-compliance with the principle of data minimisation. According to the taxi company, the stored personal data of customers should be anonymised after two years. However, the company deleted the names of its passengers from all its records after two years, while the passengers' telephone numbers were deleted only after five years. Information on the consumer behaviour of the customers, the pick-up and return points, could therefore be attributed to a private person up to five years after a taxi tariff. The taxi company had registered information on 8,873,333 personally identifiable taxi tariffs that were older than two years. The taxi company argued that the storage of its customers' telephone numbers was important in regards to the access to the company's database and for business development. The Danish Data Protection Authority reported the taxi company to the police and proposed a fine of DKK 1.2 million (approx. EUR 160,000). The Danish Data Protection Authority stated that business development was not a legitimate reason to keep personal data for such a long period of time. The Danish Data Protection Authority concluded that a data controller may not set a deadline for deletion that is three years longer than necessary, simply because the company's system makes it difficult to comply. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), penalties are imposed by the courts. Authority: Danish Data Protection Agency (Datatilsynet) | Link |
Country: Greece; Organization: PriceWaterhouseCoopers Business Solutions SA (PWC BS); Sector: Private / Business Consultancy; Amount: 150.000 €; Date: 26.07.2019; INPLP Partner: Zepos & Yannopoulos | Article 5 par. 1(a), Article 5 par. 2, Article 6 par. 1(a) | Unlawful and non-transparent processing of employees' personal data and failure to demonstrate compliance | The fined company requested the consent of its employees for the processing of their personal data, for the transfer of their personal data to third parties (including customers) and for the use of video surveillance in the workplace. The Greek Data Protection Authority found that PWC BS was in breach of the following provisions: Article 5(1)(a) (lawfulness), for unlawfully processing workers' data on the basis of consent, which does not constitute an appropriate legal basis for such processing activities and, in any event, the consent was not valid because it was not given voluntarily; Article 5(1)(a) (fairness and transparency) and Article 6(1)(a), for giving data subjects in dependent employment the false impression that the basis of the processing was consent, although this should not be the case; Article 5(2), in the event that compliance cannot be proved and the burden of proof is transferred to the data subject. Authority: HELLENIC DATA PROTECTION AUTHORITY | Link |
Country: Greece; Organization: Hellenic Telecommunications Organization S.A. (OTE); Sector: Private / Telecommunications; Amount: 200.000 €; Date: 13.09.2019; INPLP Partner: Zepos & Yannopoulos | Article 25 par. 3, Article 5 par. 1(d); also non-GDPR: Article 11 of Greek Law 3471/2006 (implementing ePrivacy Directive) | Violation of data protection by design and the principle of data accuracy | Article 11 of Law 3471/2006 mandates that every telecoms provider maintains a "subscriber directory" with the numbers of all the data subjects who wish to not receive unsolicited marketing calls. Consequently, companies that wish to make direct marketing calls should exclude these numbers from their lists. Due to a system error, OTE had failed to successfully communicate the entire directory to the marketing companies, with the result that many data subjects who had opted out of marketing received unsolicited promotional calls. Following a series of complaints by individuals, the Hellenic DPA decided to impose an administrative fine due to the high number of data subjects affected (approximately 16.000) and the long duration of the violation (approximately 3 years). Authority: HELLENIC DATA PROTECTION AUTHORITY | Link |