The database contains a total of 311 GDPR fines across the EU and beyond that have been submitted so far by rapporteurs.
Each entry below gives the country and fine details (organization, sector, amount, date, reporting INPLP partner), the infringed articles, a reason overview, the reason details and, where the source names it, the deciding authority.

Country: (not stated in the source)
Organization: Owners associations Militari R
Sector: Private Sector
Amount: 2.000 €
Date: 01.10.2020
INPLP Partner: Wolf Theiss Rechtsanwälte GmbH & Co KG
Infringement Articles: Art. 83 (5) GDPR
Reason Overview: Failure to implement a corrective measure
Reason Details: A data subject complained that the association had not responded to his or her request. The authority fined the association for not implementing the corrective measures it had imposed, specifically for not responding to the authority's request.
Authority: (not stated in the source)

Country: Austria
Organization: A medical outpatient clinic whose corporate purpose includes in particular the diagnosis and treatment of allergic diseases
Sector: Private Sector
Amount: 50.000 €
Date: 30.08.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Infringement Articles: Art. 7 GDPR, Art. 13, 14 GDPR, Art. 35 GDPR, Art. 37 GDPR
Reason Overview: Monetary fine because of several infringements
Reason Details: The clinic had violated the obligation to appoint a data protection officer (Art. 37 GDPR). It required the persons concerned to give consent that was not validly obtained (Art. 7 GDPR), and it did not correctly comply with the duty to provide information on several points (Art. 13, 14 GDPR). Finally, the allergy outpatient clinic did not examine to the necessary extent whether data protection impact assessments had to be carried out (Art. 35 GDPR).
Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Country: Austria
Organization: Austrian Post AG (Österreichische Post AG), mail service provider
Sector: Private Sector
Amount: 18.000.000 €
Date: 29.10.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Infringement Articles: Art. 5 GDPR, Art. 6 GDPR
Reason Overview: Monetary fine because of the inadequate legal basis for data processing
Reason Details: Austrian Post AG had generated profiles of a large number of Austrians. These profiles contained various personal data, in particular the data subjects' probable party affinities, personal preferences and habits, which were later sold to political parties and companies. The provider had argued that the profiles were merely statistical predictions with no personal reference. The DPA rejected this argument and found the processing to be in breach of the GDPR. Further violations of data protection law were found in connection with data on parcel deliveries and data on the frequency of movement of persons used for direct marketing. In connection with this case, a civil court has already awarded damages of 800 € to a data subject whose party affinity had been processed without his consent and without his being informed of the processing by the controller (LG Feldkirch, judgment of 07.08.2019, Az. 57 Cg 30/19b). That judgment is not yet final; the provider has appealed.
Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Country: Austria
Organization: Kebab restaurant
Sector: Private Sector
Amount: 1.800 €, reduced to 1.500 € by the Federal Administrative Court
Date: 25.11.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Infringement Articles: Art. 5 (1) a) and c) GDPR; Art. 6 (1) GDPR; § 50b (2) and § 50d (1) DSG 2000 / § 13 (3) and (5) DSG
Reason Overview: Monetary fine because of insufficient legal basis for data processing, missing video surveillance notice and excessive storage period
Reason Details: The video surveillance covered public areas (in particular a public street) and a neighbouring petrol station. It was therefore not appropriate to the purpose of the processing and not limited to the necessary extent. Apart from that, the video surveillance was not appropriately indicated. Furthermore, the personal data recorded by the video surveillance was not deleted within 72 hours and no separate log was kept in this respect; the storage period was unreasonably long. The Federal Administrative Court upheld the DPA's decision on the merits but reduced the fine by 300 € because the defendant had, while the proceedings were still pending, reduced the storage period to the permissible level and adequately indicated the video surveillance (BVwG, decision of 25.11.2019, W211 2210458-1).
Authority: Federal Administrative Court (Bundesverwaltungsgericht "BVwG")
Additional Information: UPDATE: The Federal Administrative Court has confirmed the decision of the data protection authority in principle.

Country: Austria
Organization: Private car owner
Sector: Private Sector
Amount: 300 €
Date: 27.09.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Infringement Articles: Art. 5 (1) a) GDPR, Art. 6 GDPR; § 50d (1) DSG 2000 / § 13 (5) DSG
Reason Overview: Monetary fine because of insufficient legal basis for data processing and missing video surveillance notice
Reason Details: The private car owner had used two dash cams covering public areas in front of and behind the vehicle, in particular public road traffic. The dash cams were not appropriate to the purpose and not limited to the necessary extent. Furthermore, the recorded data was not deleted within the required time limits, the processing operations related to the video surveillance were not logged, and the area was not marked as being under video surveillance. The dash cams were used unlawfully.
Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Country: Austria
Organization: Private person
Sector: Private Sector
Amount: 150 €
Date: 19.10.2020
INPLP Partner: aringer herbst winklbauer rechtsanwälte
Infringement Articles: Art. 4 (2) GDPR, Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 83 (5) a) GDPR
Reason Overview: Monetary fine; lack of legal basis for data processing
Reason Details: This fine was imposed on a private person who secretly filmed a woman while she was using the toilet. Such so-called "upskirting" was for a long time punishable in Austria only as a GDPR infringement and has only recently become a criminal offence. The fine was set with regard to the perpetrator's income; the maximum penalty would have been 20.000 €.
Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")

Country: Austria
Organization: Private person (doctor)
Sector: Private Sector
Amount: 600 €
Date: 19.10.2020
INPLP Partner: aringer herbst winklbauer rechtsanwälte
Infringement Articles: Art. 4 (15) GDPR, Art. 5 (1) a) GDPR, Art. 9 (1) and (2) GDPR, Art. 83 (5) a) GDPR
Reason Overview: Monetary fine; lack of legal basis for data processing
Reason Details: For a period of approximately four to five months, a doctor published patient data and medical records on his personal Facebook page. The published data included patient names, diagnostic data, medical diagnoses, medication data, hospital admission and discharge dates, patients' social security numbers and the names of the treating doctors. The decision was issued in a simplified procedure in which the imposed fine of 600 € is the maximum penalty.
Authority: Austrian Data Protection Authority (DSB)

Country: Austria
Organization: Private person (soccer coach)
Sector: Private Sector
Amount: 11.000 €
Date: 01.07.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Infringement Articles: Not available. The defendant appealed against the DSB's decision; at the time of reporting the case was not yet legally binding and therefore not published.
Reason Overview: Monetary fine because of non-compliance with the lawful-basis requirement for data processing
Reason Details: A soccer coach secretly monitored his female players for years while they were showering. The defendant appealed against the DPA's decision.
Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")
Additional Information: UPDATE: The penal decision is now legally binding.

Country: Austria
Organization: Private person, owner of a residential unit in an apartment building
Sector: Private Sector
Amount: 2.200 €
Date: 20.12.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Infringement Articles: Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR
Reason Overview: Monetary fine because of insufficient legal basis for data processing
Reason Details: The fine was imposed on a private individual who operated a video surveillance system covering areas intended for general use by the residents of the residential complex (parking spaces, sidewalks, courtyard, garden and access to the building) as well as garden areas of an adjacent property. The surveillance was not limited to areas under the exclusive control of the controller. It recorded the hallway and residents entering and leaving their apartments, thereby intruding into highly personal areas of the data subjects' lives without their consent. It was therefore not proportionate to the purpose and not limited to the necessary extent. In addition, the video surveillance was not properly indicated.
Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Country: Austria
Organization: Sports betting company
Sector: Public Sector
Amount: 4.800 €
Date: 12.09.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Infringement Articles: Art. 5 (1) a) and c) GDPR; Art. 6 (1) GDPR; § 50b (1) and (2) and § 50d (1) DSG 2000 / § 13 (2), (3) and (5) DSG
Reason Overview: Monetary fine because of insufficient legal basis for data processing, missing video surveillance notice and excessive storage period
Reason Details: The video surveillance system covered public areas in front of the entrance of the sports betting company and was not limited to the necessary extent. In addition, the storage period was unreasonably long and the processing operations related to the video surveillance were not logged. Furthermore, the monitored area was not marked as being under video surveillance. Surveillance of public areas in this way, i.e. to a large extent by private persons, is not permitted. The controller lodged an appeal against this decision with the Federal Administrative Court.
Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")
Additional Information: UPDATE: The Federal Administrative Court has closed the proceedings.

Country: Belgium
Organization: Candidate in local elections
Sector: Business Sector
Amount: 5.000 €
Date: 25.11.2019
INPLP Partner: Time.lex
Infringement Articles: Art. 5 (1) b) GDPR, Art. 6 GDPR
Reason Overview: Violation of the purpose limitation principle and insufficient legal basis for data processing
Reason Details: The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the unauthorised use of personal data (e-mail addresses obtained during previous contacts between a veterinarian and his clients) for election campaign purposes.
Authority: Belgian Data Protection Authority (GBA-APD)

Country: Belgium
Organization: Mayor
Sector: Business Sector
Amount: 2.000 €
Date: 28.05.2019
INPLP Partner: Time.lex
Infringement Articles: Art. 5 (1) b) GDPR, Art. 6 GDPR
Reason Overview: Violation of the purpose limitation principle and insufficient legal basis for data processing
Reason Details: The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the improper use of personal data (e-mail addresses obtained during previous administrative contacts) for election campaign purposes.
Authority: Belgian Data Protection Authority (GBA-APD)

Country: Belgium
Organization: Mayor
Sector: Business Sector
Amount: 5.000 €
Date: 25.11.2019
INPLP Partner: Time.lex
Infringement Articles: Art. 5 (1) b) GDPR, Art. 6 GDPR
Reason Overview: Violation of the purpose limitation principle and insufficient legal basis for data processing
Reason Details: The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the improper use of personal data (e-mail addresses obtained during previous administrative contacts) for election campaign purposes.
Authority: Belgian Data Protection Authority (GBA-APD)

Country: Belgium
Organization: Merchant
Sector: Business Sector
Amount: 10.000 €
Date: 17.09.2019
INPLP Partner: Time.lex
Infringement Articles: Art. 5 (1) c) GDPR; Art. 6 GDPR; Art. 12 and 13 GDPR
Reason Overview: Violation of the proportionality principle, no legal basis, and violation of transparency obligations
Reason Details: The Litigation Chamber of the Belgian Data Protection Authority imposed a fine of 10.000 € on a merchant who read the Belgian national electronic identity card (eID) to create customer loyalty cards. The Chamber ruled that the data on the card was used unlawfully. Moreover, it noted that presenting the eID was the only way for customers to obtain a loyalty card, so no free and valid consent was given. Customers were also not informed in detail about the conditions of the data processing.
Authority: Belgian Data Protection Authority (GBA-APD)

Country: Belgium
Organization: Website operator
Sector: Public Sector
Amount: 15.000 €
Date: 17.12.2019
INPLP Partner: Time.lex
Infringement Articles: Art. 6 and 7 GDPR, Art. 12 and 13 GDPR
Reason Overview: Insufficient legal basis for data processing (no lawful consent) and violation of transparency obligations
Reason Details: The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for failure to comply with cookie legislation. The website's privacy policy initially contained false information and, moreover, was not available in the languages the website itself used. The site also set third-party analytics and advertising cookies ("Google Analytics", "Google Tag Manager" and "Google AdSense") without valid consent: the consent boxes in the cookie banner were pre-ticked.
Authority: Belgian Data Protection Authority (GBA-APD)

Country: Bulgaria
Organization: Bulgarian National Revenue Agency ("NRA")
Sector: Public Sector
Amount: 5.100.000 BGN
Date: 28.08.2019
INPLP Partner: Dimitrov, Petrov & Co.
Infringement Articles: Art. 32 (1) (b) GDPR
Reason Overview: Non-compliance with the requirement to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Reason Details: In August 2019 the NRA was fined for a data breach it had notified to the Bulgarian Commission for Personal Data Protection ("CPDP") on 17 July 2019. The inquiry commenced on 22 July 2019. In its decision the CPDP found an infringement of Article 32 (1) (b) GDPR: the NRA's failure to implement the necessary technical and organisational measures had resulted in unauthorised access to, disclosure and distribution of the personal data of more than 6,000,000 natural persons. The compromised data included names, addresses and contact information, data from individuals' annual tax returns, information on their personal income tax position, insurance declarations and health insurance premiums, as well as data on completed tax payments and on VAT refunds claimed and received. In addition to the fine, the CPDP ordered the NRA to undertake a number of actions designed to improve its data security practices.
Authority: Bulgarian Commission for Personal Data Protection ("CPDP")

Country: Bulgaria
Organization: DSK Bank
Sector: Banking
Amount: 1.000.000 BGN
Date: 28.08.2019
INPLP Partner: Dimitrov, Petrov & Co.
Infringement Articles: Art. 32 (1) (b) GDPR
Reason Overview: Non-compliance with the requirement to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Reason Details: In August 2019 DSK Bank was fined for a data breach. In its decision the Commission for Personal Data Protection ("CPDP") established that DSK Bank had infringed Article 32 (1) (b) GDPR by failing to guarantee the ongoing confidentiality and security of the systems and servers used to process individuals' personal data, as a result of which third parties gained unauthorised access to personal data of more than 33,000 customers of the bank, recorded in more than 23,000 credit files. The compromised data included data from national ID documents, income and health insurance information, and details of assessments of individuals' capacity to work.
Authority: Bulgarian Commission for Personal Data Protection ("CPDP")

Country: Bulgaria
Organization: Two Bulgarian electronic media
Sector: Media
Amount: 5.000 BGN; 20.000 BGN
Date: 2019
INPLP Partner: Dimitrov, Petrov & Co.
Infringement Articles: Art. 5 (1) (d) GDPR
Reason Overview: Non-compliance with the requirement to ensure that personal data is accurate (infringement of the "accuracy" principle)
Reason Details: In 2019 two Bulgarian electronic media were fined, following a complaint by a data subject, for infringing data protection legislation. In its decision the Commission for Personal Data Protection ("CPDP") established that both had infringed Article 5 (1) (d) GDPR by publishing on their websites articles containing the complainant's photograph. The articles reported the arrest of a person charged with murder. According to the complaint, the complainant, who had no connection to the murder, merely shared the accused's name, yet the media published his photograph. The investigation confirmed that the accused and the complainant were different persons. The CPDP therefore imposed an administrative fine of 5,000 BGN on one of the media and 20,000 BGN on the other, which had failed to act on removing the personal data.
Authority: Bulgarian Commission for Personal Data Protection ("CPDP")

Country: Cyprus
Organization: A.G. QUICKSPA LIMITED
Sector: Spa services
Amount: 1.200 €
Date: October-December 2019 (exact date not given)
INPLP Partner: Tassos Papadopoulos & Associates LLC
Infringement Articles: Art. 6 (1) GDPR
Reason Overview: Sending SMS marketing messages without consent
Reason Details: During the investigation the controller claimed that the message had been sent inadvertently: the previous officer responsible for sending messages had not informed the administration, so the new officer did not have the updated mailing list. The Commissioner held that the controller was obliged to take appropriate technical and organisational measures to ensure that data subjects' requests were respected, regardless of any change in staff.
Authority: Office of the Commissioner for Personal Data Protection (Cyprus)

Country: Cyprus
Organization: Altius Insurance Ltd
Sector: Insurance
Amount: 4.000 €
Date: 13.03.2019
INPLP Partner: Tassos Papadopoulos & Associates LLC
Infringement Articles: Art. 6 (1) (a) GDPR
Reason Overview: Unsolicited SMS advertising sent to non-customers
Reason Details: The DPA received eight complaints from people who had received SMS messages from Altius Insurance Ltd without their consent and without any prior business relationship with the insurer. The company stated that the telephone numbers used for the broadcast had been randomly generated by a software tool. The Commissioner pointed out that telephone numbers, even if randomly generated, constitute personal data because the holder of a number is readily identifiable.
Authority: Office of the Commissioner for Personal Data Protection (Cyprus)

Country: Cyprus
Organization: Anonymous individuals
Sector: Unknown
Amount: 2.000 €
Date: July-September 2019 (exact date not given)
INPLP Partner: Tassos Papadopoulos & Associates LLC
Infringement Articles: Art. 6 (1) (a) and Art. 5 GDPR
Reason Overview: Unauthorised processing of personal data for purposes other than those originally intended; unauthorised sending of messages to individuals
Reason Details: Two complainants alleged that a certain person had sent them greeting messages. The first complainant had previously warned the accused, who had promised that, although the complainant was on his personal contact list, the complainant would receive no further greetings; nevertheless, the first complainant received another message. In the second case it was established that the complainant had no personal contact or relationship with the accused and had nevertheless received a greeting message. The complainants' telephone numbers had come into the accused's possession for another purpose and were then used to send the greetings.
Authority: Unknown (not stated in the source)

Country: Cyprus
Organization: Archbishop Makarios III Hospital
Sector: Hospital/Health Industry
Amount: 15.000 € (the reason details below state €5,000; the source is inconsistent)
Date: 07.11.2018
INPLP Partner: Tassos Papadopoulos & Associates LLC
Infringement Articles: Art. 15, 24 and 32 GDPR
Reason Overview: Loss of a patient file by the hospital
Reason Details: The patient complained to the Commissioner about the lack of protection of her personal data: she could not obtain access to her medical file at the Archbishop Makarios III Hospital because the controller could not find it. Following its investigation, the Commissioner imposed an administrative fine of €5,000 on the hospital for the loss of the medical file.
Authority: Office of the Commissioner for Personal Data Protection (Cyprus)

Country: Cyprus
Organization: Auctioneer
Sector: Auctions
Amount: 2.000 €
Date: 12.09.2019
INPLP Partner: Tassos Papadopoulos & Associates LLC
Infringement Articles: Art. 6 (1) (a) and 6 (4) GDPR
Reason Overview: Breach of personal data by an auctioneer
Reason Details: The complainant stated that an auctioneer had called them and offered to find a buyer for a property for which an auction had already been initiated under the relevant legislation. This auctioneer was not the designated auctioneer for that auction.
Authority: (not stated in the source)

Country: Cyprus
Organization: Bank of Cyprus Public Company Ltd
Sector: Banking
Amount: 15.000 €
Date: 27.07.2020
INPLP Partner: Tassos Papadopoulos & Associates LLC
Infringement Articles: Art. 5 (1) (f), 5 (2), 15, 32 and 33 GDPR
Reason Overview: Loss of data and obstruction of the data subject's right of access
Reason Details: The Commissioner found that the Bank had not complied with its GDPR obligations: the loss of the complainant's insurance policy deprived him of his right of access to the insurance contract, leaving him unable to check the accuracy and validity of his data or to verify the lawfulness of the processing. The Commissioner further noted that the fine also reflected the Bank's failure to notify the Commissioner of the data breach (the loss of the contract) within 72 hours of becoming aware of it.
Authority: Office of the Commissioner for Personal Data Protection (Cyprus)

Country: Cyprus
Organization: Breikot Management Ltd
Sector: News outlet/Publishing
Amount: 13.000 €
Date: 12.04.2019
INPLP Partner: Tassos Papadopoulos & Associates LLC
Infringement Articles: Art. 5 (1) (c) and Art. 6 GDPR; Article 29 (1) of the local Data Protection Law 125(I)/2018
Reason Overview: Publication of photographs of individuals in the printed edition of the "24h" newspaper
Reason Details: Following the publication of photographs of three of the five complainants in three of the four news articles at issue, the Commissioner ruled that the principle of data minimisation had been violated: the photographs were excessive in relation to the objective pursued, since the news could have been published without them. Publishing the photographs did not serve the public interest in information, was not necessary under the principle of data minimisation and conveyed no additional valuable public information. The matter itself was of journalistic interest in that the complainants' family business remained entitled to carry out public works even after the criminal conviction of one of them on a related matter.
Authority: Office of the Commissioner for Personal Data Protection (Cyprus)
