GDPR Fines Database - List of fines

The Bank has opened a personal bank account for a person concerned without their consent or knowledge. The bank allegedly had his or her personal data at its disposal because the data subject had access to his or her employer's company account. The bank was not in a position to provide the Czech Data Protection Authority with the documents necessary to prove that the contract with the data subject had been concluded.

Authority: Czech Data Protection Auhtority (UOOU)

October 2018: The Danish Data Protection Authority completed a planned inspection visit to a furniture company. The inspection focused on the limitation of storage according to Article 5(1)(e) GDPR. The company implemented a new computer system in several of its furniture stores in Denmark. In three of the stores however, the old system was still being used, which meant that information on approximately 385,000 customer names, addresses, telephone numbers, e-mail addresses and purchasing history was processed. The furniture company had not assessed the need for data storage and had not set any retention periods. Consequently, the personal data was never deleted from the old system. The company had set a deadline for the anonymisation of customer information, which was set to 912 days (corresponding to the guarantee period). However, the deadline for anonymisation had not yet been implemented because the data controller had not sufficiently documented his procedures for deleting the personal data. The Danish Data Protection Authority reported the company to the police and proposed a fine of DKK 1.5 million (approx. EUR 201,000) for non-compliance with the principle of storage limitation, cf. Art. 5(1)(e), as the company had stored the personal data of approx. 385,000 customers for longer than the Danish Data Protection Authority considered necessary. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), fines are imposed by the courts.

Authority: Danish Data Protection Authority (Datatilsynet)

In October 2018, the Danish Data Protection Authority notified the police about a taxi company and proposed a fine (of DKK 1.2 million) for non-compliance with the principle of data minimisation. According to the taxi company, the stored personal data of customers should be anonymised after two years. However, the company deleted the names of its passengers from all its records after two years, while the passengers' telephone numbers were deleted only after five years. Information on the consumer behaviour of the customers, the pick-up and return points, could therefore be attributed to a private person up to five years after a taxi tariff. The taxi company had registered information on 8,873,333 personally identifiable taxi tariffs that were older than two years. The taxi company argued that the storage of its customers' telephone numbers was important in regards to the access to the company's database and for business development. The Danish Data Protection Authority reported the taxi company to the police and proposed a fine of DKK 1.2 million (approx. EUR 160,000). The Danish Data Protection Authority stated that business development was not a legitimate reason to keep personal data for such a long period of time. The Danish Data Protection Authority concluded that a data controller may not set a deadline for deletion that is three years longer than necessary, simply because the company's system makes it difficult to comply. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), penalties are imposed by the courts.

Authority: Danish Data Protection Agency (Datatilsynet)

The fined company has requested the consent of its employees for the processing of their personal data, for the transfer of their personal data to third parties (including customers) and for the use of video surveillance in the workplace. The Greek Data Protection Authority found that PWC BS was in breach of the following provisions: - Article 5(1)(a) (lawfulness) for unlawfully processing workers' data on the basis of consent which does not constitute an inappropriate legal basis for such processing activities and, in any event, the consent was not valid because it was not given voluntarily, -Article 5(1)(a) (fairness and transparency) and Article 6(1)(a), in order to give the false impression to data subjects in dependent employment that the basis of the processing was consent, although this should not be the case -Article 5(2) in the event that compliance cannot be proved and the burden of proof is transferred to the data subject

Authority: HELLENIC DATA PROTECTION AUTHORITY

Link 2

Article 11 of Law 3471/2006 mandates that every telecoms provider maintains a “subscriber directory” with the numbers of all the data subjects who wish to not receive unsolicited marketing calls. Consequently, companies that wish to make direct marketing calls should exclude these numbers from their lists. Due to a system error, OTE had failed to successfuly communicate the entire directory to the marketing companies resulting in many data subjects who had opted out of the marketing to receive unsolicited promotional calls. Following a series of complaints by individuals, the Hellenic DPA decided to impose an administrative fine due to the high number of data subjects affected (approximately 16.000) and the long duration of the violation (approximately 3 years).

Authority: HELLENIC DATA PROTECTION AUTHORITY

Following complaints from the data subjects, the Greek data protection authority investigated whether OTE had sufficient technical and organisational measures to comply with the requests of the data subjects not to receive promotional material from OTE. The organisation had an 'unsubscribe' link in the e-mail sent to customers and on its website. However, due to a technical error, even when the data subjects clicked on the 'Unsubscribe' button, their contact details were not removed from the register and they received the promotional material. As OTE did not have the organisational and security measures necessary to identify and solve the technical problem, so that it could exist for a long period of time (since 2013) and affected a large number of people (approximately 8,000), the data protection authority imposed an administrative penalty.

Authority: HELLENIC DATA PROTECTION AUTHORITY

The Rousseau platform, created by the Italian political party "Movimento 5 Stelle" (“5 Stelle”), where registered users were able to designate, among others, candidates for the EU parliamentary election, had suffered a data breach during the summer 2017, that led the Italian data protection authority ("Italian DPA") to require to 5 Stelle the implementation of a number of security measures, in addition to the obligation to update the privacy information notice, in order to guarantee transparency to the data processing activities performed. While the update of the privacy information notice was timely completed, the Italian DPA found the lack of implementation of the security measures provided by GDPR. In particular, the Italian DPA ascertained that the tracking of log files was not active for all the sections of the Rousseau Platform; the managing of said website, moreover, was allowed through a system administrator account shared among 5 people, a circumstance that implied the impossibility for the data controller to monitor the activities done by each person involved in said processing and that was qualified as very serious and unacceptable, considering the possibility for such persons to access to special categories of personal data, such as those on political opinion. Finally, also the security measures aimed at anonymizing the activities performed through the e-voting system were considered not to be adequate.

Authority: Italian Data Protection Authority

Due to the lack of necessary security measures on the Lands Authority's website, it was reported by a local newspaper that over 10 gigabytes of personal data were rendered accessible via a Google search. It was reported that the data contained sensitive correspondence between individuals and the Authority itself. In Malta, if a public authority or public body is found to be in breach of data protection laws, the Data Protection Commissioner can impose an administrative fine of up to EUR 25 000 for every violation, in addition to a daily fine of EUR 25 for as long as the violation subsists. In this case the Lands Authority did not Appeal the IDPC's decision.

Authority: Office of the Information and Data Protection Commissioner (IDPC)

No information available

No information available

The public hospital violated the principle of data minimization by granting access to an excessive amount of data and violated the obligation to take appropriate organizational and technical measures.

Authority: Portuguese Data Protection Authority (CNPD)

Violation of the right of access to the personal data of the data subject. Especially, the denial by the data subject of the right of access to recorded telephone conversations

Authority: Portuguese Data Protection Authority (CNPD)

Inadequate fulfilment of information obligations, due to the inexistence of signalization regarding the use of CCTV systems.

Authority: Portuguese Data Protection Authority (CNPD)

Insufficient fulfilment of information obligations due to the lack of signalling regarding the use of CCTV systems.

Authority: Portuguese Data Protection Authority (CNPD)

Sending unsolicited e-mails for direct marketing and/or advertising purposes without prior consent

Authority: Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados "CNPD")

The Austrian Post AG had generated profiles of a large number of Austrians. These generated profiles contained information about various personal data including in particular their possible party affinities, personal prefences and habits, which were later sold to political parties and companies. The provider had claimed that the profiles were merely statistical predictions and had no personal reference. The DPA rejected this allegation and determined that this was in breach of the GDPR. Further violations of the data protection law were also found in connection to data on parcel deliveries and data on the frequency of movement of persons used for direct marketing. In connection with this case, a civil court judgement has already been handed down on claims for damages in the amount of 800 €. The data subject whos party affinitiy was processed, had not given a consent to the processing and was not informed about the data processing by the controller (LG Feldkirch, Urteil v. 07.08.2019 - Az.: 57 Cg 30/19b). The decision is not yet final and the provider has appealed the decision.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

The medical ambulatory had violated the obligation to appoint a data protection officer. It obliged the personas concerned to give their unlawful consent and did not correctly comply with the duty to provide information on several points. Finally, the allergy outpatient clinic did not fulfil its duty to examine the need to carry out data protection impact assessments to the necessary extent.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

The patient complained to the Commissioner about the lack of protection of personal data. The complainant did not have access to her medical file from the Archbishop Makarios III Hospital because the file could not be found by the data controller. Following the investigation of the case, the Data Protection Authority imposed an administrative fine of €5,000 on the Archbishop Makarios III Hospital for the loss of a medical file.

Authority: Hospital/Heath Industry

A newspaper was fined 10,000 euros for publishing the names and pictures of three police investigators in both electronic and physical form. The Cypriot data protection commissioner believed that it would have been sufficient to publish only the initials of the police officers or photos where the three officers could not be identified, for example by using blurred faces.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Following the publication of the photographs of three (3) of five (5) complainants in three (3) of the four (4) publications in news articles, the Commissioner ruled that there was a violation of the principle of data minimisation and that it was excessive in relation to the objective pursued, since the news could be published even without the photographs of the complainants. The publication of photographs does not serve the public interest in information and is not considered necessary under the principle of data minimisation. Furthermore, it does not convey any additional valuable public information. As the subject is of journalistic interest, the complainants' family business is still entitled to carry out public works, even after the criminal conviction of one of them on a relevant matter.

Authority: News outlet/Publishing

During the media coverage of an abduction incident of two minor children from their school a complaint was filed with the DPA against Sigma Live Ltd, for showing the complainant in a video originally screened on SIGMA TV channel, and which was subsequently posted on www.sigmalive.com as well as on the official Sigma Live YouTube account. The complainant was the person who helped identify the perpetrator and the abducted students, and despite expressing a desire to maintain their anonymity, the video in question did not blur the complainant’s face which was clearly visible and was shown and characterized as the "informant" who helped solve the case.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

The DPA received 8 complaints from people claiming to have received SMS messages from Altius Insurance Ltd. without their consent and without prior business relationship with the insurance company. The company reported that the phone numbers used for the broadcast were randomly generated by a software tool. The Commissioner for Personal Data Protection has pointed out that the telephone numbers, even if randomly selected, constitute personal data as soon as their telephone number holder is easily identifiable.

Authoriy: Office of the Commissioner for Personal Data Protection Cyprus

Six people complained to the DPA because they received promotional e-mails without their consent and/or despite explicit requests not to receive promotional e-mails from the Skroutz.com.cy website. Five of the complainants had asked to stop receiving messages about the use of "unsubscribe" and/or e-mail to the website moderator, without success. The webmaster provided evidence that one of the complainants had purchased products from the website. However, there was no clear information on how the addresses of the other complainants were obtained. He (webmaster) claimed that the reason why the complainants continued to receive messages despite the request to unsubscribe was because of the change in the email messaging platform.

Authority: Website

Four complainants alleged that the Democratic Party had sent them SMS messages as well as telephone harassment. When the complaints were investigated, it emerged that they were only telephone harassment. The two complainants had a legitimate interest in the use of their personal data since they were members of the political party in question (Article 6(1)(f)). In the case of the other two complainants, the political party had failed to demonstrate the consent of the data subjects under Article 6(1)(a).

Authority: Political Party

Two complainants alleged that a certain person had sent them greetings. As regards the first complainant, the accused had previously been warned and had promised that, although he was on his personal contact list, he would not receive any further greetings. Nevertheless, the first complainant had again received a message. In the second case, it was established that the complainant had no personal contact/relationship with the accused person and had nevertheless received a greeting message. The complainant's telephone numbers came into the possession of the accused person for another purpose and were also used to send greetings.

Authority: Unknown

The complainant claimed that a certain auctioneer had called them and offered them the possibility to find a buyer for a property for which they had already initiated an auction under the legislation. This auctioneer was not the designated auctioneer.

Authority: Auctions

Employees in the municipality, noticed that a list of their personal data (such as names, jobs and pay slips) had been leaked and distributed both in public places (e.g. café) and in places used by municipal officials (e.g. warehouses, canteens, etc.). The leak had a negative impact on the complainants, as the disclosure of their data and especially their pay slips was gossiped and despised/mocked by the villagers and others The City Council's act of handing over the list to an administrator of the Water Department for its own use amounts to further processing, which does not correspond to the original purpose of the list, which was that the City Council discussed in one of its meetings the workers who were to be transferred to the Nicosia Water Department.

Authority: Municipality

The complainant alleged that her doctor had published and/or shared her personal data on Instagram without her consent. After investigating the complaint, the DPA found that the publication was not in line with the purpose of the consent given by the complainant, since her identity had been fully disclosed.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

From 2007 to November 2018, 19 nursing homes operated by the Municipality of Oslo stored patient data outside the patient journal system in the form of work lists describing the medical needs of the residents (i.e. patient data). The violation of the Data Protection Act was reported to the Municipality of Oslo by the data controller. The fine was calculated according to the practice of the former Norwegian Personal Data Act.

Authority: Norwegian Data Protection Authority (Datatilsynet)

The municipality had taken minor security precautions to protect its computer systems. As a result, personal data of more than 35,000 people became publicly available. At a few schools, everyone could access information about the staff, students and employees of the school. Furthermore, the municipality had received warnings about the weakness of its security measures before, but did nothing about it.

Authority: Norwegian Data Protection Authority (Datatilsynet)

The Dutch Haga Hospital failed to meet the requirement of two factor authentication and regularly revies their patient files. As a result, it has not taken adequate appropriate measures as referred to in Article 32, first paragraph, of the General Data Protection Regulation (GDPR). About 200 employees had unauthorized access to the medical records of a Dutch celebrity and, moreover, personal information concerning this celebrity was leaked to the press.

The AP has also decided to impose a penalty order on the Haga Hospital, which relates to the rectify this continuing violation. If Haga Hospital has not improved security before 2 October 2019, the hospital will have to pay 100,000 euros every two weeks, with a maximum of 300,000 euros.

autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/haga_rapport_def.pdf

After examining the complete file, in particular the proposer's proposal and the parties' observations, the Office found that DP, as the controller processing the personal data of the persons concerned by monitoring them by audio or video recording in public transport vehicles, infringed Article 15 section 1 and section 3 by failing to comply with the proposer's request as a data subject applied by e-mail on 18.06.2018 and repeatedly on 14.07.201 regarding the application of the right of access to his personal data, thereby violating the proposer's right of access to personal data.

The Office states that the amount of the fine is affected by the fact that the infringement was found in only one data subject, the Office did not find a repeated violation of GDPR provisions by another data subject in relation to the processing of passenger's personal data by audio or video recording. DP cooperated with the office, which is in the position of the supervisory body. Taking into account these circumstances, which the Office assessed individually and in their mutual relationship, the Office imposed a fine of EUR 1000 on the DP operator. In the light of all the circumstances of the case, the Office considers the fine to be appropriate, both in terms of punitive and preventive.

Having examined the documents submitted by the data controller and on the basis of the facts established during the procedure, the Authority concluded that the procedure did not reveal any infringement of the protection of personal data allegedly based on the fact that the company FERPLAST SLOVAKIA, l.l.c. provided its employees with a medical certificate of medical fitness for work with a professional title which does not entitle them to know personal data to the extent that it was disputed, and the Office therefore closed the procedure.

The company FERPLAST SLOVAKIA s.r.o. suspected that as an employer of an xy employee, it had violated the protection of the employee's personal health data by providing the data contained in the medical evaluation of health fitness to the employees of FERPLAST SLOVAKIA s.r.o. with a job title that does not entitle them to know this information. After examination of the documents submitted by the data controller (instruction protocol of the entitled person, employment contract, medical opinion), the Office found that the employees had legitimate reasons to acquaint themselves with the personal data within the scope of the medical opinion in question.

Company FERPLAST SLOVAKIA s.r.o. was suspected that, as an employer of an xy employee, has violated the protection of personal health data of emplpyee by making the data contained in the medical assessment of health fitness available to employees of FERPLAST SLOVAKIA s.r.o. with a job title that does not entitle them to know this information. After examining the documents submitted by the controller (record of the instruction of the authorized entity, employment contract, medical opinion), the Office found that the employees had legitimate reasons for familiarizing themselves with the personal data within the scope of the medical opinion in question.

The Office for the Protection of Personal Data dealt with a complaint against the Ministry of the Interior of the Slovak Republic for an alleged violation of the legislation on the protection of personal data, which was to be committed by the publication of the decision of the Regional Court of Senica, which was made public by public notice. This decision was also published 15 days after its publication, and the personal data of the person concerned were processed without authorisation (without legal basis). The Ministry of the Interior of the Slovak Republic cooperated with the Office and remedied the deficiencies voluntarily; the Office did not consider it necessary to impose remedial measures on the controller.

Service by public notice shall be effected by posting the document on the official notice board of the administrative body for a period of 15 days, as provided by law. At the same time, the administrative body is obliged to publish the document simultaneously in another customary manner, while the controller has chosen to publish it on the website as well. The Office is of the opinion that the publication of a decision containing the personal data of the data subject on the website of the controller after a period longer than that specified (15 days) constitutes a breach of Section 9(1). 1 of Law No 122/2013.

Service by public notice is made by posting the document on the official board of the administrative body for a period of 15 days stipulated by law. At the same time, the administrative body is obliged to publish the document at the same time in another usual way, while the controller hase chosen to publish it also on the website The Office considers that the publication of a decision containing the personal data of the data subject on the controller's website after a period longer than the specified period (15 days) constitutes a breach of § 9 par. 1 of Act no. 122/2013.

The applicant signed a petition addressed to the municipal council of the municipality Veľká Lomnica. The applicant's personal data from the petition and the personal data of other residents were published on the official notice board and on the Municipality's website. The Office considered that the Municipality Veľká Lomnica had violated the law by unlawfully disclosing this information from its information system of the petitioner and other persons, although Act No. 85/1990 does not provide for the purpose of disclosing the personal data of the petition's supporters, nor does it provide for a list of the personal data of the petition's supporters that may be disclosed. The Office has not imposed any measures on the operator to remedy the deficiencies found, since the personal data in question are no longer published.

In the present proceedings, the Office did not agree with the Controller's view that he was obliged under Law No 85/1990 to publish the result of the application as he did. The Office stated that the obligation to publish the result of the application does not affect the obligation arising from a special regulation and thus the obligation under Law No 122/2013 on the protection of personal data. For this reason, the provisions of Law No 85/1990 do not constitute a legal basis that would allow the operator to disclose the personal data of the supporters of the petition contrary to the requirements of Law No 122/2013. Similarly, the Office considered that the right to invite other persons to support the petition by signature and to provide signatures for that purpose in publicly accessible places does not imply the power of an authority to which the petition is addressed to disclose information about the persons supporting it.

In the present proceedings the Office did not agree with the controller's opinion that he was within the meaning of Act no. 85/1990 obliged to publish the result of the petition as he did. The Office stated that the obligation to disclose the outcome of the petition is without prejudice to the obligation under a special regulation, and therefore the obligation under Act no. 122/2013 on personal data protection. For this reason provisions of Act no. 85/1990 does not constitute a legal basis which would allow the operator to disclose personal data of supporters of the petition contrary to the requirements of Act 122/2013. Similarly, the Office was of the opinion, that from the right to invite others to support the petition by signing it and to that end issue signatures in places accessible to the public, it is not possible to infer the authority of a public authority, to whom the petition was delivered, to disclose information about the persons supporting it.

Proceedings on presumed violation of the GDPR provisions, which happened because the data controller, the Municipality of Bratislava - Ružinov, delivered to an electronic mailbox of Owl & Crow Association Limited, l.l.c., a decision containing personal data in the scope of surname, first name, address, information about the fact that and with what content he made a request for information, although the applicant was not entitled to deliver the decision in question.

The decision of the Controller, Bratislava - Municipality of Ružinov, in the proceedings on free access to information was delivered by the Operator to the electronic mailbox of Owl & Crow Association Limited, l.l.c., to which the applicant in the position of managing partner had access. As there were two managing directors in this company, and therefore two natural persons as statutory bodies, this procedure infringed Article 5(1)(f) of the GDPR, as the personal data were not processed in a manner that ensured adequate security and were subject to unauthorised processing. In the course of the proceedings, the Office also examined whether it was appropriate to impose a fine for the established breach of the GDPR. The Office concluded that it would not impose a fine, in particular in view of the seriousness and number of persons concerned.

The decision of the controller, Bratislava - city district of Ružinov, in proceedings on free access to information was delivered by the operator to the electronic mailbox of Owl & Crow Association Limited, l.l.c., to which had access the applicant for disclosure of information in the position of managing partner. Since there were two directors and thus two natural persons as the statutory body in that company, those proceedings infringed Article 5 section 1 letter f of the GDPR, since the personal data were not processed in a manner guaranteeing adequate security and were exposed to unauthorized processing. In the proceedings, the Office also assessed whether it is appropriate to impose a fine for the violation of GDPR found. Office concluded that, having regard in particular to the gravity and the number of persons concerned, Office won't impose a fine.

The data were not adequate, relevant and limited to what is necessary for the purposes for which they are processed ('data minimisation'). Furthermore the data were not kept in a form which enables identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation').

Authority: Czech Data Protection Auhtority (UOOU)

One company employee failed to ensure adequate security of processing, resulting in over 735,000 customers losing their personal data.

Authority: The Office for Personal Data Protection

The Danish Data Protection Agency has the authority and right to carry out data protection audits and inspections without a court order, including the right to demand access to all necessary premises where personal data are processed. The Danish Data Protection Authority carries out a number of planned inspections every year. During the past 1.5 years, the main subjects of the audits and inspections have been as follows: 2018: - Legal bases for processing of personal data, including the consent of the data subject - Deletion of personal data - Use of data processing equipment by the municipalities - Appointment of data protection officers - establishment of records of processing activities - The rights of the data subjects 2019: - Security measures of public authorities and private companies - Encryption of e-mails by private companies - The data subject's right of access to personal data processed by public authorities and private undertakings - Aggregation and compilation of personal data for resale by private companies - Data processors and data processing agreements - Daily monitoring - Data protection in relation to employees - Automated decision making and profiling The Danish Data Protection Authority has reported two companies to the Danish police and proposed two fines. The first proposed fine was a fine of DKK 1.2 million (approx. EUR 160,000) for a company's failure to take action to make personal data anonymous (e.g. timely deletion of personal data). The second was a fine of DKK 1.5 million (approx. EUR 201,000) for the company's failure to comply with the principle of storage limitation.

Authority: Danish Data Protection Authority (Datatilsynet)

2018: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2018/jun/planlagte-tilsyn-indtil-udgangen-af-2018/

First half of 2019: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/jan/planlagte-tilsyn-i-foerste-halvaar-af-2019/

Second Half of 2019: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/jul/planlagte-tilsyn-for-andet-halvaar-af-2019/

The senior manager of a shipping company filed a complaint with the Hellenic DPA alleging that such company (i) had not properly informed him of his data protection rights and refused to provide access to his personal data stored in his business computer, including corporate emails and files, and (ii) has unlawfully installed cameras at the company's premises. The case related to an investigation initiated by the company to the corporate emails and documents stored in the business computer of the senior manager and to extracts recorded by the company's CCTV following reasonable suspicion that the senior manager embezzled company's funds. When the senior manager asked to have access to his personal data stored in his business computer, the company refused to satisfy his right without providing adequate justification and did not inform him of the right to lodge a complaint with the Hellenic DPA. Also, it was found that the company had placed cameras, some of which were hidden, without any warning signs and notices, as required. The Hellenic DPA held that the conducting of an investigation on the business computer of the manager was conducted in accordance with the GDPR, since the investigation was limited to specific data relating only to one employee, and was based on the overriding legitimate interest of the company to protect its assets. The Hellenic DPA concluded that, although the investigation was lawful, the company had unlawfully refused to satisfy the right of access of the senior manager and operated the CCTV in violation of the GDPR and the regulatory framework.

Authority: HELLENIC DATA PROTECTION AUTHORITY

A marine bunkering company created a back-up of a database server which contained personal data. The personal data in question related to a branch's employees (e.g. documents, company profiles, email communications) as well as third parties whose offices were located in the same building and were informally using the same server. The fined company had also not implemented any policies/procedures for compliance with data protection legislation. The Hellenic DPA held that the company was responsible to implement measures of logical and technical distinction of the files it needed to back-up and to adequately inform all employees of the further processing and the reasons thereof. By indiscriminately cloning the server it violated the principles of transparency, data minimization, data integrity and accountability. It was given 3 months to implement the appropriate policies and procedures and render itself fully compliant.

Authority: HELLENIC DATA PROTECTION AUTHORITY

The investigation of the Italian DPA showed that, although the unlawful processing operations were carried out by data processors (agents and sellers) who acted in partial violation of the instructions given by ENI, the technical and organizational measures adopted by ENI were not adequate to the nature, context, purposes and risks of the processing, thus violating the principle of "accountability" imposed by GDPR. Several gaps emerged in the privacy policies implemented by ENI, that appeared to be deficient and ineffective, especially in terms of guaranteeing the accuracy of the data processed, the security of the processing and the control of the actions carried out by ENI’s data processors.

Authority: Italian Data Protection Authority

The key point of this decision is based on the absence of the data subjects’ consent. Infact, in doing its telemarketing and teleselling activities, Eni didn’t match in a proper way its database with the “Opt-out Register”; it considered as prevalent the general consent given by data subjects to third parties for marketing purposes (lists providers), rather than the refusal to give consent, for the same kind of data processing, expressed by the same data subjects to ENI itself. According to the Italian DPA, these unlawful data processing operations were carried out as ENI did not take and implement technical and organizational measures, suitable for recording and update the users’ willness not to receive marketing communications.

Authority: Italian Data Protection Authority

The video surveillance covered public areas (especially a public street) and a neigbouring gas station. It was therefore not appropriate to the purpose of the processing and was not limited to the necessary extent. Apart form that the video surveillace was not appropriately indicated. Furhtermore, there was no deletion of the personal data recorded by the video surveillance within 72 hours and no separate protocol in this respect. The storage period was unreasonably long. The Federal Administrative Court confirmed the content of the DPA's decision, but reduced the amount of the fine by EUR 300 because the defendant reduced the storage period to the permissible level and sufficiently indicated the video surveillance, both while the proceedings were still in progress (BVwG Erkenntnis v. 25.11.2019, W211 2210458-1).

Authority: Federal Administrative Court (Bundesverwaltungsgericht "BvwG")

UPDATE: The Federal Administrative Court has confirmed the decision of the data protection authority in principle.

The fine was imposed on a private individual who used a video surveillance, which covered areas intended for general use by the residents of the residential complex (parking spaces, sidewalks, courtyard, garden and acess to building) and garden areas of an adjacent property. The video surveillance was not limited to areas which are under the exclusive control of the controller. The surveillance recorded the hallway and the entering and leaving of the apartments by the residents, thereby intervening in the very personal areas of life of the data subjects without their consent. It was therefore not proportionate to the purpose and not limited to a necessary extend. In addition the video surveillance were also not displayed properly.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

The private car owner had used two dash cams which covered public areas in front of and behind the vehicle in particular the public road traffic. The dash cams was insufficient for the purposes and not limited to the necessary extent. Furthermore, there was no deletion of the record data within the required time limits, no logging of the processing operations related to video surveillance and it was not marked as video surveillance. The dash cams were used illegaly.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

The video surveillance system covered public areas in front of the entrance of the sports betting company. The video surveillance system was not limited to the necessary extent. In addition, the storage period was unreasonably long and there was no logging of the processing operations related to video surveillance. Furthermore, the monitored area was not marked as video surveillance. Surveillance of the public area in this way, i.e. to a large extent by private persons, is not permitted. The controller has lodged an appeal against this decision with the Federal Administrative Court.

Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")

UPDATE: The Federal Administrative Court has closed the proceedings.

A soccer coach monitored his female players secretly for years while they were taking a shower. The defandant appealed against the decision of the DPA

Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")

UPDATE: The penal decision is now legally binding.

The data controller could not grant a patient access to his or her own personal information because the file could not be identified. The patient complained to the Commissioner about this and the hospital was fined 5,000 euros.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

As UWV (the Dutch service provider for employee insurance - "Uitvoeringsinstituut Werknemersverzekeringen") did not use multi-factor authentication when accessing the online employer portal, security was insufficient. Employers and occupational health and safety services were able to access personal health data of employees in an absence system. A fine of EUR 900,000 was imposed if UWV did not provide proper multi-factor authentication by 31 October 2019. This date was postponed by the Dutch DPA to 1 March 2020 at the request of UWV.

Authority: Dutch Supervisory Authority for Data Protection (AP)

It has been determined that health data is processed unlawfully on the newspaper.

Authority: Turkish Data Protection Authority (KVKK)

There was illegal used of bank customers' data through the illegal access and use of its employees, and the DPA held that the bank has not taken adequate measures to protect personal data and also was in breach of its notification obligation.

Authority: Turkish Data Protection Authority (KVKK)

It has been determined that use of public data for commercial purposes (to sell insurance services) not paralell with its professional data which is made public, was found unlawful.

Authority: Turkish Data Protection Authority (KVKK)

It has been determined that the use of personal data of teh data subject is not based on a legal reasoningç

Authority: Turkish Data Protection Authority (KVKK)

It has been determined by the KVKK that an airline company had processed sensitive personal data by taking a copy of national ID (which includes the blood type and religion information) and therefore decided to issue a penalty based on the lack of legal basis of such processing activity. The KVKK also ordered to stop the processing and destroy or anonymyse the data.

Authority: Turkish Data Protection Authority (KVKK)

A complaint was submitted to the DPA stating that a data subject request has been declined after data subject has refused providing ID confirmation documents. The KVKK has stated in its decision that such demand can only be conducted by a public notary or with a e-signed document and ordered the company to act in compliance with the Regulation on Application to Data Controllers.

Authority: Turkish Data Protection Authority (KVKK)

The decision is based on the data breach caused by an error in the "View As" system of Facebook. The data breach has lasted for 14 days and included sensitive personal data. It affected 280.959 people in Turkey. A penalty was issued based on the lack of sufficient technical and organisational measures and failure to notify the DPA in the compulsory deadline.

Authority: Turkish Data Protection Authority (KVKK)

A complaint was issued to the KVKK regarding unlawful utilisation of personal data. It is stated in the decision that the bank employee has accessed to the personal data of customers and used it out of the scope of the processing. The KVKK has issued a penalty based the lack of technical and organisational measures.

Authority: Turkish Data Protection Authority (KVKK)

It has been determined after a complaint that an education company has sent multiple SMS to people without any legal basis for such data processing. The KVKK states that such action requires explicit consent and therefore decides to issue a penalty based on failure to comply with the DPL regulations underlining that the institution did also not pay attention to the Communique sent by KVKK.

Authority: Turkish Data Protection Authority (KVKK)

A database was leaked to Internet by mistake from a betting company website. The data breach has not been detected by the company and therefore the number of people affected by it remain unknown. A penalty was issued based on the lack of sufficient technical and organisational measures and failure to notify the affected data subjects in the shortest time possible.

Authority: Turkish Data Protection Authority (KVKK)

A database of the company has been leaked after a cyberattack. The details of the breach could not have been totally determined since the company failed to detect and analyse the breach. A penalty was issued based on the lack of sufficient technical and organisational measures and failure to notify the DPA and the affected data subjects in the compulsory deadline.

Authority: Turkish Data Protection Authority (KVKK)

The decision analyses whether the branch and liason offices of company based abroad shall register to the Data Controller Registry (VERBIS). KVKK has stated that if the branch offices and liason offices meet the criteria of the registry duty, they shall also, aside from the main company, register to the Data Controller Registry.

Authority: Turkish Data Protection Authority (KVKK)

It has been determined by the KVKK that Dubmash Inc was subject to a data breach affecting 679.269 people in Turkey. Data servers of Dubmash Inc was accessed by unidentified people on Internet and it is detected that personal data of people up to 162 million have been illegally sold. A penalty was issued based on the lack of sufficient technical and organisational measures and failure to notify the DPA and the people affected by the data breach.

Authority: Turkish Data Protection Authority (KVKK)

A complaint was submitted to DPA regarding unlawful data processing of a data subject. The KVKK has determined that company processes data without a legal basis and therefore issued a penalty based on non-compliance with general data processing principles and insufficient legal basis.

Authority: Turkish Data Protection Authority (KVKK)

The data controller has published application and exam results on a public page. A data subject has requested from data controller to remove the relevant personal data. The university did not respond to the application. KVKK has ordered the university to conduct a disciplinary proceeding and update the methods used in the publication of such data in a way that complies with the DPL regulations.

Authority: Turkish Data Protection Authority (KVKK)

The KVKK has stated that personal data occurded from the mail traffic conducted by Gmail is stored abroad in different parts of the world and users of such services shall meet the criteria of crossborder data transfers of DPL.

Authority: Turkish Data Protection Authority (KVKK)

The KVKK has determined in its decision that the company has repeatedly sent the same SMS within the scope of the explicit consent to the data subject. It's considered to be non-compliant with the general data processing principles in terms of abuse of rights. That's why the KVKK has issued a penalty based on the lack of technical and organisational measures.

Authority: Turkish Data Protection Authority (KVKK)

The KVKK has stated in its decision that data controller shall not send any commercial purposed emails to data subjects without their explicit consent. That's why the KVKK has issued a penalty based on the lack of technical and organisational measures which allowed employees to send such emails.

Authority: Turkish Data Protection Authority (KVKK)

The KVKK analyses the possibility of biometric data processing conditions for gyms in its decision. Relavant GDPR regulations and Turkish DPL regulations are evaluated in the decision. KVKK forbids the processing of such data underlining the principle of proportionality even though data subjects provide their explicit consents. A fine was issued based on the lack of technical and organisational measures. KVKK finally orders all data controllers to either destroy or anonymyse the relevant biometric data in terms of controlling the entrance and exit information of users.

Authority: Turkish Data Protection Authority (KVKK)

A complaint was submitted to the DPA regarding a misdirected SMS. The KVKK has decided to issue a penalty based on the duty of data controller to prevent unlawful data processing.

Authority: Turkish Data Protection Authority (KVKK)

A fine of 1.000.000,00 TL was issued as a result of a data breach affecting 67.519 people in Turkey by Clickbus. A malware has been detected in the server of Clickbus, leaking personal data of people wihch lasted for 2 months. The KVKK has issued a penalty based the lack of technical and organisational measure and the delay of notification to the DPA for nearly 45 days.

Authority: Turkish Data Protection Authority (KVKK)

A fine of 1.450.000,00 TL was issued as a result of a data breach possibly affecting 1.24 million people in Turkey by Marriott International Inc. The breach was caused because of an unlawful access to database of Starwood Hotels for nearly 4 years, leaking personal data including financial information of data subjects. The KVKK has issued a penalty based on lack of technical and organisational measure and the delay of notification to the DPA for nearly 3 months.

Authority: Turkish Data Protection Authority (KVKK)

A fine of 550.000,00 TL was issued as a result of a data breach possibly affecting 1286 people in Turkey by Cathay Pasific. The breach was induced by a cyber attack and lasted for 2 months leaking important personal data such as Passport Numbers of Turkish citizens. The KVKK has issued a penalty based on the lack of technical and organisational measure and the delay of notification to the DPA for nearly 5 months.

Authority: Turkish Data Protection Authority (KVKK)

A state bank so-called T.C. Ziraat Bankası A.Ş did not respond to a data subject request. Data subject has issued a complaint. KVKK has decided to order the Bank to comply with the Turkish DPL.

Authority: Turkish Data Protection Authority (KVKK)

Data breach, which has been on press under the name "Photohraph API" has been announced on 14.12.2018. Facebook has discovered an photograph API error that enabled third parties to access the photos of Facebook users. It has been stated that third parties may have had access to thereof for 12 days. The Authority found Facebook in failure to implement sufficient measures to ensure information security and to fulfil information obligations, since the Authority has not been notified and the individuals were started to be notified on 17.12.2018, although the breach was discovered on 19.09.2019.

Authority: Turkish Data Protection Authority (KVKK)

The KVKK has decided that car plate numbers and other relevant data can be process by oil stations under the scope of the legitimate interest cause. KVKK also instructs the company to inform the data subjects in accordance with the legislation.

Authority: Turkish Data Protection Authority (KVKK)

A complaint was issued to KVKK regarding unlawful gathering of explicit consent by SMS (not clear enough and missing the required conditions) and the ambiguity of Information Notice. The KVKK has decided to order the company to update the Information Notice and requested from the company to anonymization of personal data collected before the DPL.

Authority: Turkish Data Protection Authority (KVKK)

A complaint was issued to KVKK regarding the unlawful gathering of personal data by a real person. The KVKK has decided that the act is subject to Turkish Criminical Code and therefore no penalty was issued.

Authority: Turkish Data Protection Authority (KVKK)

KVKK states in its decision that data leaks&breaches subject to Turkish Criminal Code shall only be evaluated by judiciary authorities and therefore decides not to rule on the issue.

Healt data that belong to a patient who uses drugs under medical supervision have been exposed to third parties by the pharmacy that provides the drugs, based on no grounds for processing. The Authority has decided that the action of the pharmacy violates the conditions specified under the law, and ruled on administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

A request has been submitted to a bank to destroy relevant personal data. KVKK rules here that banks shall keep the data for 10 years based on the relevant regulations on the sector and therefore decides that bank do not have to destroy the data.

Authority: Turkish Data Protection Authority (KVKK)

KVKK States in its decision that the Law No. 6698 shall not apply to personal data of legal entities and therefore decides that data leaks&breaches subject to such activities are not in the scope of the law.

Authority: Turkish Data Protection Authority (KVKK)

The data subject has made an application to the Data Controller, requesting the Data Controller to delete its personal data. However received no sufficient responses. The Data Controller has been granted a term of 30 days to notify the data subject pertaining to the transactions that will be performed, however it has been detected that the Data Control failed to comply with this obligation. Therefore, the Authority has established administrative transaction against the Data Controller, pursuant to Article 18 of the Law.

Authority: Turkish Data Protection Authority (KVKK)

The document signed by the data subject for occupational purposes has been shared by unidentified third parties on internet. It has been decided that although the data subject has been subject to data breach, unknown parties cannot be identified as data controller, and therefore the Authority decided that there were no transactions to be performed by the Authority.

Turkish Data Protection Authority (KVKK)

A real person has asked from the Authority to remove a newspaper column including their name, on grounds of data breach. The Authority has deemed the column a reflection of freedom of expression and dismissed the request, since the subject is found to be falling under the freedom of press. No details are specified pertaining to the content of the column.

Authority: Turkish Data Protection Authority (KVKK)

The doctors at a hospital have disclosed the health report of a patient to a broad mass by means of sharing it on the internet and on social media platforms. The Authority ruled on administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

A Data Controller has shared the personal data, gathered at a work application, of one of its data subjects with the other applicants with no legal basis. The Authority has decided that the same rule must apply when an enterprise composed of multiple companies share the data on the same platform, and it ruled on administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

A Data Controller has notified the Authority in 17 months and the related individuals in 10 months, regarding a data breach. The Authority founded the said term exceeding the limits of "the shortest course of time possible", which is specified under the Law. The Authority ruled on administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

A Data Controller has imposed the explicit consent as a condition of the agreement due to membership and the service. The Authority found the Data Controller in breach with the principle of being bounded and limited by law and good faith when processing the data, and deemed it abuse of right.

Authority: Turkish Data Protection Authority (KVKK)

The Court has requested the data pertaining to an individual from a Data Controller, and the Data Controller has transfered more personal data than required. The Authority decided that the Data Controller failed to ensure the security of the personal data, and ruled on administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

The data subject has made an application to the Data Controller pertaining to its rights in scope of Article 11 of the Data Protection Law No. 6698. However, the Data Controller has not responded within the due course of time. The Authority has granted 30 days for response, and stated that the Data Controller will be subject to administrative fine othersiwse.

Authority: Turkish Data Protection Authority (KVKK)

A Data Controller has abstained from fulfilling the requests made by inactive customers, demanding from the Data Controller to delete their personal data. The Authority has instructed the Data Controller, by suggesting that it must not process the data of the inactive customers, in breach with the general principles, other than the purpose of storage, since it is obliged to store the data for 10 years.

Authority: Turkish Data Protection Authority (KVKK)

A Data Controller has submitted a document including the personal data of one of its customers, to another individual that bears the same name as the customer. Also, one the Data Controller's employees has performed query on the data for personal purposes, without the consent of the data subject. The Authority has pointed out a vulnerability in the system, and ruled on administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

A Data Controller has requested the customer to provide a document including personal data, which are not necessary for the transaction that is demanded by the customer. The Authority has deemed the request of the Data Controller in contradiction with good faith, and decided that it does not comply with the purpose, and eventually ruled on administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

A Data Controller has submitted contract samples to the employees of a company by means of e-mail. where it has written the names and home addresses of the individuals who are in charge of managing the processes on behalf of the company as correspondance address, instead of the company's address. The Authority decided that the Data Controller has failed in ensuring information security, and ruled on administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

A data subject requested the Data Controller to delete and destroy its data, since the data has become available to third party accessing. The response it received from the company has been found insufficient. The Authority ruled administrative fine on the company that failed to provide sufficient measures to ensure the data, and granted it a term of 30 days to notify the customer pertaining to the transactions made regarding the matter.

Authority: Turkish Data Protection Authority (KVKK)

It has been detected that the Data Controller has made membership mandatory for the applicants at the course of a job application, and during the membership application, the applicants have been provided with only one box to click for both acknowledging that they have read the information text, and for accepting that they give consent for data processing. The Authority decided to give instruction to the Data Protection to separate the options. from each other.

Authority: Turkish Data Protection Authority (KVKK)

A public officer has requested the Data Controller, which is a public institution, to destroy the data pertaining to an investigation case that has been conducted on the data subject. The Institution has rejected the request. The Authority decided that the term pertaining to the storage of personal files of public officers has not been expired pursuant to the legislation, and therefore has not ruled any fines.

Authority: Turkish Data Protection Authority (KVKK)

Futura Internationale was fined for cold calling after several complainants had received cold calling although they had told the caller directly and by mail that they did not want it. The CNIL's on-site investigation at Futura Internationale revealed that Futura Internationale had received several letters objecting to cold calling, that it had stored excessive information about clients and their health, and that Futura Internationale had not informed individuals about the processing of their personal data or the recording of telephone conversations.

Authority: French Data Protection Authority (CNIL)

A large number of customer accounts, customer documents (including copies of driving licences, vehicle registrations, bank statements and documents) to determine whether a person's driving licence had been withdrawn and other personal data were easily accessible online. The CNIL criticised password management (unauthorised access was possible without any authentication).

Authority: French Data Protection Authority (CNIL)

An investigation by the CNIL revealed that the documents registered by the company's clients in their personal accounts were accessible to other people by changing the numbers at the end of the URL addresses displayed in the browser. The CNIL imposed a fine of 180,000 euros on the company for having taken inadequate security measures. In determining the amount of the fine, the CNIL took particular account of the sensitivity of the data and documents concerned (identity cards, information relating to the offences, bank details, etc.) and the number of persons concerned.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

Between 2013 and 2017, the CNIL received complaints from several employees of a company filmed at their workplace. The CNIL drew the company's attention to the rules to be observed when installing cameras in the workplace, in particular that employees must not be constantly filmed and that information on data processing must be provided. No satisfactory measures were taken during the period stipulated. As a result, the CNIL conducted a second audit in October 2018, which confirmed that the employer continued to breach data protection laws when recording employees using video surveillance. In setting the amount of the fine, the CNLIN took into account the size (9 employees) and the financial situation of the company, which had a negative net result in 2017 (turnover of EUR 885,739 in 2017 and a negative net result of EUR 110,844), in order to retain a dissuasive but proportionate administrative penalty.

Authority: French Data Protection Authority (CNIL)

The CNIL based the penalty on two grounds: lack of security measures and excessive data retention. Details of the two reasons: The user documents uploaded by the tenant candidates (including identity cards, health cards, tax assessment notices, certificates from the Family Allowance Fund, divorce decrees, bank statements) were accessible online without any authentication procedure. Although the vulnerability had been known to the company since March 2018, it was not resolved until September 2018. Furthermore, the company kept the documents submitted by the candidates longer than necessary. The CNIL took into account, among other things, the seriousness of the breach (lack of diligence in remedying the vulnerability and the fact that the documents contained intimate aspects of users' lives), the size of the company and its financial situation.

Authority: French Data Protection Authority (CNIL)

Following complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net", a fine of 50 million euros was imposed. The complaints were filed on 25 and 28 May 2018, immediately after the entry into force of the GDPR. The complaints concerned the creation of a Google account when configuring a mobile phone with the Android operating system. Reasons for the high fine: lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were not "specific" and not "unequivocal" (Art. 4 No. 11 GDPR).

Authority: French Data Protection Authority (CNIL)

The company experienced a data breach involving the personal information of more than 2 million customers over a two-year period because the company failed to reactivate an authentication feature on its website that had been disabled for a trial period. The company was fined for failing to ensure the security of its customers' personal information. The CNIL determined the amount of the fine taking into account the company's rapid reactivity in remedying the security breach and the many measures taken to limit the consequences of the breach.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

In November 2017, the company revealed to the press that in 2016, two individuals succeeded in stealing the personal data of 57 million users of its services by accessing a server on which the personal data is stored using credentials accessible on a software development platform. Following the investigation, the CNIL decided that the company had failed to fulfil its obligations to ensure the security of its users' personal data.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

A CNIL investigation revealed that the company was collecting geolocation data on mobile devices without consent in order to run advertising campaigns on mobile applications. Note: In February 2019, the CNIL closed the solicitation procedure after the Company met the requirements of the solicitation.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

In 2016, hackers were able to access the credentials of a video hosting platform company's administrator account stored on a software development platform, giving them access to information about the users of the video hosting platform. The hacked data included 82.5 million email addresses and 18.3 million encrypted passwords. The company was fined for failing to adequately secure the personal data of customers on its platform.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

The organisation was fined for unlawfully processing the personal data of the tenants. The CNIL considers that the processing of tenants' personal data in order to send a letter criticising a government announcement is unrelated to the original purpose of collecting this data, i.e. managing a property portfolio and applications for social housing.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

June 2017: The investigation by the CNIL showed that changing the path of the URL of the company's website allowed access to documents (tax assessment notices, passports, identity cards, residence permits and pay slips) uploaded by other users. The company was fined under Article 34 of the French Data Protection Act for failing to take adequate measures to ensure the security of users' personal data.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

The CNIL found that the company had not implemented an appropriate method of authenticating customers on its website to allow them to access their invoices. As a result, customers were able to access the documents (which included names, addresses, health records and, in some cases, social security numbers) of another customer. In determining the amount of the fine, the CNIL took into account the sensitivity of the information, the number of clients involved and the fact that more than 334,000 records were compromised in the course of the infringement. Note: A decision of the Conseil d'État (Supreme Administrative Court) of 17 April 2019 reduced the administrative fine to 200,000 euros, as the company reacted quickly to remedy the lack of security of its website.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

Investigations by the CNIL in 2017 revealed that the company was collecting personal information from users (including children) via the microphone of connected toys and the applications associated with the toys. The CNIL issued a formal notice against the company for failing to adequately ensure the safety of the device that enables toys to be linked to computers, for failing to inform users properly and for failing to take adequate measures to ensure the safety and confidentiality of the data collected.

Authority: CNIL - French Data Protection Autority (National Commission for Informatics and Liberties)

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for failure to comply with cookie legislation. The website initially provided false information in its privacy policy, which was furthermore unavailable in the website's own languages. The site also used third party analytics cookies ("Google Analytics", "Google Tag Manager" and "Google Adsense") without valid consent via a cookie banner - consent boxes were already ticked.

Authority: Belgian Data Protection Authority (GBA-APD)

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the improper use of personal data (e-mail addresses obtained during previous administrative contacts) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the unauthorized use of personal data (e-mail addresses obtained during previous contacts between a veterinarian and his clients) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

The Litigation Chamber of the Belgian Data Protection Authority imposed a fine of 10,000 euros on a merchant who used the national Belgian electronic identity card (eID) to create customer loyalty cards. The chamber ruled that the data on the card was used unlawfully. Moreover, it noted that the eID card was the only way for customers to obtain a loyalty card, so that no free and valid consent was given. Customers were not also informed in detail about the conditions of data processing.

Authority: Belgian Data Protection Authority (GBA-APD)

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the improper use of personal data (e-mail addresses obtained during previous administrative contacts) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

The Controller has excessively processed the employees' personal data by using the video surveillance cameras installed in the offices and changing rooms. Furthermore, the Controller processed biometric data (fingerprints) of the employees, even though other, less intrusive means to protect the privacy of the data subjects could have been used for the same purpose. The controller was also fined for not providing evidence to inform data subjects about the processing of their personal data. Moreover, the supervisory authority established that the controller had processed the personal data of a former employee without a legal basis by continuing to use these data in electronic correspondence for the purpose of carrying out the company's activities after the termination of the employment contract.

The sanctions were imposed on the basis of a complaint claiming that the controller illegally processed the data of the petitioner - the data subject - because the controller could not prove that he had obtained the consent of the data subject to receive communications to his e-mail address. In addition, the data controller did not take the appropriate measures to prevent the transmission of notifications, despite the fact that the data subject had repeatedly exercised his right to object.

Lack of evidence of compliance with the principles of accuracy and confidentiality. Failure to take proper technical and organisational measures to avoid unauthorised disclosure of customers' personal data. Failure to notify the Romanian Data Protection Authority within 72 hours of becoming aware of the breach of personal data security.

Failure to implement relevant technical and organisational measures in relation to personal data processed through a video surveillance system Failure to properly inform the data subjects.

The measures imposed by the data protection authority have not been fulfilled.

Failure to comply with the measures imposed by the Romanian Data Protection Authority.

The measures imposed by the data protection authority have not been fulfilled.

Failure to take appropriate organisational and technical measures to guarantee that all persons acting under his authority and having access to personal data process them only in accordance with internal procedures and at his request This resulted in one employee having unauthorised access to the booking application, whereby the respective employee was able to photograph a list of personal data of 22 passengers and publish it on the Internet.

Failure to implement appropriate technical and organisational measures regarding and to integrate adequate guarantees into the automated data processing system of card payments settlement, affecting a number of 225,525 customers whose payment operations were doubled during the period 8-10.10.2018.

Failure to implement adequate technical and organizational measures to ensure a level of security corresponding to the risk of the processing, which led to the loss of personal data (name, surname, card number, security card, card holder address, personal identification number, serial number and identity card number , IBAN account number, approved credit limit, correspondence address) and the unuathorized access to such data of over 1,100 individuals.

Failure to reply to a data subject's request for deletion of personal data within one month of receipt of the request

Failure to obtain the users' explicit consent under the conditions provided for in the GDPR. During the process of registration on the avocatnet.ro website, the company provided an unfilled box for users to express their request not to receive newsletters by e-mail. If a user has not ticked the box, he/she will automatically become a subscriber to the newsletter of the data controller without express permission.

Failure to take appropriate organisational and technical measures to guarantee that all persons acting under his authority and having access to personal data process these data in accordance with internal procedures. Credit scoring information was exchanged via the WhatsApp platform.

Breach of data security and failure to inform the Romanian data protection authority of the security violation in a timely and unjustified manner. Unauthorized / illegal procession of personal data of customers via the WhatsApp platform.

The data subjects were not notified of the use of their image by the video surveillance system. In addition, the person in charge disclosed the personal identification number of his employees by posting a report on their participation in the training courses on the company notice board.

Failure to take appropriate technical and organisational measures to ensure a level of security adequate to the risks represented by the processing. This has resulted in the unauthorised disclosure and access to personal data of certain individuals carrying out transactions through the website of the controller.

Failure to take measures to guarantee that the data is not disclosed to unauthorised persons. A printed paper list used to control breakfast participation, which includes the personal data of 46 customers who stayed at the data controller's hotel, was photographed by unauthorised persons and disclosed through online publication.

Failure to take adequate security and organisational measures leading to the online disclosure of the identity cards and addresses of 337,042 affected persons.

Processing (modification) of a customer's personal data contained in a contract by a third party without the customer's consent.

Authority: Spanish Data Protection Authority (aepd)

CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union have reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The breach affected approximately 11,000 people, including identification data, employment data, data on criminal convictions and health data.

An individual complainant had recently received an SMS from Xfera Móviles to be addressed to a third party, which enabled him to access the account and personal data of this third party via the telephone number and password obtained by SMS on the Xfera Móviles website.

Authority: Spanish Data Protection Authority (aepd)

Telefónica had charged the complainant different fees in relation to the operation of a telephone line that the complainant had never heard of. The reason was that the complainant's bank account was linked to another Telefónica customer, which meant that the charges were debited from the complainant's account. In the AEPD's opinion, this was in violation of the principle of accuracy as required by Article 5(1)(d) GDPR.

Authority: Spanish Data Protection Authority (aepd)

With a view to convening a meeting, the CGT sent personal details of the complainant, including her residential address, family situation, pregnancy status and the date of an active case of abuse and harassment, by e-mail to 400 union members without her permission.

Authority: Spanish Data Protection Authority (aepd)

TODOTECNICOS24H had collected personal data without providing precise details of the data collected in its data protection declaration pursuant to Article 13 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

The company had been collecting personal data without providing detailed information about the data collection in its privacy statement under Article 13 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

Jocker Premium Invex had sent postal advertisements and commercial offers to the applicant after registration for a local census. Data such as first name, surname and postal address were only sent to the public administration.

Authority: Spanish Data Protection Authority (aepd)

The plaintiff, whose data had been provided to the company by his authorised subsidiary, was contacted by the company that was offering its services, which he refused. Since Vodafone España continued to offer him services and demanded payment from him, Vodafone España had processed the plaintiff's personal data without his consent.

Authority: Spanish Data Protection Authority (aepd)

Xfera Movile has made use of personal data with no legal basis for the establishment of a telephone contract and has continued the processing of personal data even if the data subject has requested to stop the processing.

Authority: Spanish Data Protection Authority (aepd)

The electricity company Iberdrola Clientes had declined to apply to a person to change electricity supplier, because it claimed that its data would be added to the solvency list. The AEPD then demanded information from Iberdrola Clientes about the option of including the person's data in the solvency list, to which the company did not reply. This failure to cooperate with the AEPD constituted a breach of Article 31 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

The Spanish data protection authority (AEPD) has fined Vueling Airlines 30,000 euros for not providing users with the ability to refuse their cookies and force them to use them when they want to surf its website. In other terms, it was not possible to surf the Vueling site without accepting their cookies. The AEDP imposed a sanction of 30,000 euros, which could be reduced to 18,000 euros for immediate payment.

Authority: Spanish Data Protection Authority (aepd)

One consumer complained that AVON COSMETICS had processed his data illegally without properly verifying his identity, resulting in his data being incorrectly registered in a list of claims, which prevented him from cooperating with his bank. As a result, a third party had used the consumer's personal data fraudulently.

Authority: Spanish Data Protection Authority (aepd)

The company TODOTECNICOS24H collected personal data without specifying how this data was collected.

Authority: Spanish Data Protection Authority (AEPD)

The Spanish data protection authority imposed a fine on a mobile phone company for disclosing to the complainant, via the mobile phone application "My Vodafone", personal data of third parties, consisting of billing data.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

The Company gathered personal information without specific information about the collection of this information.

Authority: Spanish Data Protection Authority (AEPD)

The national football league (LaLiga) was imposed a fine for providing an app that accessed the microphone of the user's mobile phone once a minute to identify pubs that show football matches without having to pay a fee. The AEPD considers that the LaLiga did not provide sufficient information to users of the app about this practice. In addition, the app did not meet the requirements for revoking consent.

Authority: Spanish Data Protection Authority (aepd)

The Spanish data protection authority imposed a fine on a mobile phone operator for reporting the plaintiff's personal data to the credit and equity solvency file in connection with an alleged debt that had already been paid at the time of the report.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

The Spanish DPA imposed a fine on a mobile telephone company for the processing of personal data in order to charge the applicant for a Netflix service which it had not used. However, according to the Spanish data protection authority, the company did not exercise the minimum level of care to verify the identity of the data subject.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

The Spanish DPA imposed a fine on an amusement machine distributor for dismissing an employee on the basis of data collected without permission via a GPS locator installed in his device. This application resulted in the employee staying at home during working hours without working. The employee was not informed about such data collection beforehand.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

The gas company did not have the technical measures necessary to check the identity of the data of the persons involved. A third party claimed that the company had sent its information in relation to a request by e-mail to a third party.

Authority: Spanish Data Protection Authority (AEPD)

The complainant's bank account was debited by ENDESA, whose beneficiary was a third party who had been convicted of criminal offences and had been granted a two-year injunction in respect of the applicant, her residence and her work. Instead, at the request of the plaintiff, ENDESA erroneously deleted her data and inserted the data of the third party. The AEPD found that the disclosure of the applicant's data to the third party constituted a serious breach of the principle of confidentiality.

Authority: Spanish Data Protection Authority (aepd)

The Spanish Telecommunications and Information Agency (SETSI) concluded that Vodafone must refund a customer for costs that were wrongly charged to it. Despite this, Vodafone reported the customer's personal data to a credit rating agency (BADEXCUG). The AEPD found that this conduct violated the principle of accuracy.

Authority: Spanish Data Protection Authority (aepd)

After the applicant allegedly failed to repay a microcredit to an online credit agency, the claim was assigned to the collection agency. The latter then began to send e-mails not only to the e-mail address provided by the applicant, but also to an institutional e-mail address of his workplace, which can be reached by any employee who was never provided by the applicant.

Authority: Spanish Data Protection Authority (aepd)

Although the complainant (a former Vodafone customer) had requested Vodafone to erase his data in 2015 and this request was approved by the company, he continued to receive more than 200 SMS from the company from 2018 onwards. Vodafone stated that this happened because the complainant's mobile phone number was mistakenly used for testing purposes and inadvertently appeared in various customer files of customers other than the complainant. As the company agreed to both the payment and the admission of responsibility, the fine was reduced to EUR 27 thousand in accordance with Spanish administrative law.

Authority: Spanish Data Protection Authority (aepd)

A restaurant attempted to impose disciplinary action on an employee by utilizing images from a cell phone video recorded by another employee in the restaurant for evidential purposes.

Authority: Spanish Data Protection Authority (aepd)

Altough Facebook Ireland had appointed a data proteciton officer for all Facebook companies located in the EU, Facebook Germany GmbH did not notify this appointment to the Hamburg Data Protection Authority. The fine was calculated only on the basis of the turnover of the German branch (EUR 35 million) and not on the basis of Facebooks worldwide turnover. As relevant factors for the calculation were named inter alia that the omitted notification was immediately made up for, Facebook acted negligently and did not violate the duty to appoint a data protection officer but only the notification obligation.

Authority: Data Protection Authority of Hamburg

The Controller provides telecommunication services. The company's customer service team identified the caller simply by name and date of birth. The Federal Data Protection Officer did not consider this identification procedure to be sufficient in accordance with Art. 32 GDPR. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale.

Authority: The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

The Internetprovider has not fulfilled its legal obligation under Article 37 GDPR to appoint a data protection although the Federal Data Protection Officer requested to do so. Therefore, the controller was fined.

Authority: The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Several violations of the GDPR in relation to patient mix-ups in the admission of the patient result in this fine. The mix-up led to erroneous billing. This revealed structural technical and organizational deficits in patient management.

Authority: Data Protection Authority of Rheinland-Pfalz

In 2017, in the course of an inspection the Berlin Data Protection Authority urgently recommended an adjustment of the archive system. However, in March 2019, the company was still unable to either demonstrate a clean-up of its database or present legal reasons for the continued storage. To remedy the deficiencies the company solely did make preliminary preparations. However, those measures did not suffice to align the storage of personal data with the legal requirements. Therefore, the Berlin Data Protection Authority imposed a fine for an infringement of Article 25 (1) GDPR and Article 5 GDPR during the period between May 2018 and March 2019 was therefore mandatory. (Press Release 711.412.2, November 5th 2019, Berlin Commissioner for Data Protection, www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PR-Translation-Fine_DW.pdf)

Authority: Data Protection Authority of Berlin

A digital publication inadvertently disclosed personal health data relating to several persons due to insufficient data security mechanisms.

Authority: Data Protection Authority of Baden-Wuerttemberg

A company of the finance sector disposed personal data insufficiently.

Authority: Data Protection Authority of Baden-Wuerttemberg

The Berlin Data Protection Authority fined a company between 6,000 and 17,000 euros in 15 specific individual cases for the improper storage of personal data of tenants. (Press release 711.412.2, 5 November 2019, Berlin Commissioner for Data Protection, www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PR-Translation-Fine_DW.pdf)

Authority: Data Protection Authority of Berlin

According to the investigations of the Berlin Data Protection Authority, a company had not erased accounts of former customers in ten cases, although these data subjects had not been active on the company's delivery service platform for years - in one case for about 10 years. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. One data subject, who had expressly objected to the use of his data for advertising purposes, nevertheless received further 15 advertising e-mails from the company. In further five cases, the company did not provide the data subjects with the necessary information or only after the intervention of the Berlin Data Protection Authority.

Authority: Data Protection Authority of Berlin

Using his official user ID, but without reference to official duties, a police officer used the Central Traffic Information System of the Federal Motor Transport Authority to query the owner data of the license plate of a person he did not know well. After that, he carried out a query with the Federal Network Agency, in which he queried the personal data and the house and mobile phone numbers stored there. Using this mobile phone number, he contacted the person by telephone. He did that all without official justification or consent from the injured party. Through queries for private purposes and the use of the phone for private contact, the police officer processed personal data on his own responsibility. This violation is not attributable to the police officer's office, as he commited the offence exclusively for private purposes and not in the exercise of his official duties. The prohibition of punishment in Sect. 28 of the respectice Local Data Protection Act (Landesdatenschutzgesetz - LDSG), according to which the sanctions of the GDPR cannot be imposed on public authorities, does therefore not apply in this case.

Authority: Data Protection Authority of Baden-Wuerttemberg

The fine was imposed on a bank which had unlawfully processed "personal data of all former customers". The bank admitted that it kept data on former customers in order to keep a black list, so that it would not provide these persons with a new bank account. Initially, the bank justified this with reference to the German Banking Act to take security measures against customers suspected of money laundering. The Berlin Data Protection Authority held this to be illegal. The Berlin Data Protection Authority argues that only those who are actually suspected of money laundering or who have other valid reasons for refusing a new account may be included in a settlement file. At the moment, it is unclear whether the fine proceesding are legally concluded.

Authority: Data Protection Authority of Berlin

8 The fine was impossed against a private individual who sent lots of e-mails within 3 months in 2018, in which he used personal e-mail addresses visible to all recipients, from which each recipient could read countless other recipients. The man was accused of ten offences and between 131 and 153 personal mail addresses were identifiable in his mailing list.

Authority: Data Protection Authority of Sachsen-Anhalt

The controller lacked an agreement on data processing with the Spanish service provider. Report according to the following website (no official statement): www.heise.de/newsticker/meldung/DSGVO-5000-Euro-Bussgeld-fuer-fehlenden-Auftragsverarbeitungsvertrag-4282737.html

Authority: Data Protection Authority

No official statement: www.heise.de/newsticker/meldung/DSGVO-5000-Euro-Bussgeld-fuer-fehlenden-Auftragsverarbeitungsvertrag-4282737.html

A personal data breach (Art. 4 Subsect. 12 GDPR) was not notified in time (Art. 33 GDPR) and also the affected subjects were not made informed (Art. 34 GDPR).

Authority: Data Protection Authority of Hamburg

After a hacker attack in July, the personal data of approximately 330,000 users, such as passwords and e-mail addresses, became known. The controller has notified this personal data breach (Art. 4 Subsect. 12 GDPR) according to Art. 33 GDPR to the respective data protection authority and also cooperated with the data protection authority. Due to the cooperation and the performance of the controller, the fine was only 20.000,00

Authority: Data Protection Authority of Baden-Wuerttemberg

Unlawful disclosure of personal data to third parties via social media.

Authority: Data Protection Authority of Saarland

The public roads administration of Norway is the controller for a system processing and storing personal data from the toll road systems of Norway, i.e. data collected when different identifiable vehicles pass the different public toll stations. This information is then used for billing the owners of the vehicles. Under the Norwegian accounting rules, personal data pertaining to customer invoicing must be stored for 5 years after the end of the accounting year, however the public roads administration had not deleted any personal data from its system upon expiry of the 5 year term, as the data system used for the processing did not have functionality for deletion. The public roads administration had therefore failed to comply with its obligations under the GDPR Article 17 (Right to erasure), as well as having failed to implement functionality in the data solution that would allow such deletion, in violation of the GDPR Article 25 (Data protection by design and by default). The DPA have has been threatened with a fine of NOK 4,000,000. The public roads administration has been given a deadline until 23 March 2020 to give its account, after which the DPA will make a final decision in the case.

The Controller also does not provide the data subject with information on the right to object to the processing of personal data.

The Controller illegally processed the personal data of the persons concerned by means of a camera information system, while at the time of the inspection he did not prove the fulfillment of at least one of the conditions of legal processing according to Art. 6 par. 1 GDPR.

The Controller has kept the camera recordings for longer than the period specified in the security documentation, without proving the need to extend the retention period of the camera recordings.

At the time of the inspection, the Controller did not provide the data subjects with information pursuant to Art.13 GDPR in connection with the camera information system in a sufficiently transparent, comprehensible and easily accessible form, formulated clearly and simply.

The controller in relation to the camera information system does not provide the data subject with information on the right to object to the processing of personal data concerning him, which is carried out on the basis of Art. 6 par. 1 letter e) GDPR.

The controller uses a camera system to capture the premises of the municipal office and public spaces. The purpose of operating a camera information system is to protect public order and security, detect crime, protect company property or the health of people in the monitored areas.

Fine measures:

• perform an analysis in order to determine the retention period of camera recordings in accordance with Art. 5 par. 1 letter e) GDPR
• duly justify the individual retention period of camera recordings and update its internal security policy for the processing of personal data
• to update its information obligation, including the indication of the right to object pursuant to Art. 21 GDPR against the processing of personal data by the controller's camera information system

Violation of the principle of legality under Art. 5 par. 1 letter a) GDPR, which the controller committed by publishing on the website www.srzmsozilina.sk via the Minutes of the controller's committee meeting of 22.11.2018 in the period from 15.12.2018 to 02.01.2019 without the legal basis the personal data of the proposer

The Authority did not impose a fine, instead reprimanded the controller for the breach of the principle of legality.

The Controller published on his website the personal data of the proposer in the scope of name, surname and information that a report was submitted to the proposer, while the proposer did not give consent to such processing

The processor has violated the principle of data confidentiality according to Art. 5 par. 1 letter f) GDPR because he has unlawfully disclosed the personal data of the three persons concerned on 25.03.2019 for approximately 20 minutes on the websites, for example www.realitybemi.sk, www.nehnutelnosti.sk, www.bazar.sk.

The controller has breached the obligation under Art. 33 GDPR to report the breach of personal data protection to the Authority as a supervisory body without undue delay and, if possible, within 72 hours after becoming aware of the above-mentioned disclosure of personal data on the Internet.

• The Authority imposed a fine of 480 € against the processor.
• The Authority imposed a fine of 2100 € against the processor.

The submitter of the complaint within the viewing of the advertisement for the sale of a family house in Volkovce on the website www.bazar.sk discovered at the time of 20:00 on March 25, 2019 in the photo gallery the published part of the proposal for deposit in the real estate cadastre.

That part of thepublished  proposal contained the personal data of the three persons concerned in the scope of name, surname, maiden name, date of birth, birth number, permanent residence address and nationality.

The document in question was automatically published at www.realitybemi.sk and www.nehnutelnosti.sk and others at the time.

The controller violated Art. 12 par. 3 GDPR by failing to comply with the request of the proposer as a data subject submitted by e-mail to otazky@sk.tesco-europe.com on 16.07.2018 regarding the exercise of the right of access to his personal data within the time limit set in the GDPR, without processing the data subject's request within one month of receipt of the request.

• The Controller is obliged to ensure that the requests of data subjects concerning the processing of personal data are processed in accordance with the principles set out in Art. 5 GDPR, within the period under Art. 12 par. 3 GDPR.
• The controller is obliged to ensure that the persons concerned are provided with correct and up-to-date personal data in requests for access to personal data.
• "The Controller has not fulfilled the legal obligation to inform the proposer within one month from the submission of the application about what information controller processes about him.
• The content of the proposer's request was what personal data are being processed about him, what is the list of third countries to which his personal data have been provided and what is the legal basis for the processing of his personal data."

Infringement of the principle of minimization, when at the time of the inspection controller kept the personal data of the data subjects longer than it was necessary in relation to the purpose of processing.

The controller violated the principle of transparency under Art. 5 par. 1 letter a) GDPR, which was committed at the time of control (26.09.2018), so that in the record of processing activities the controller did not specify the legal basis for processing personal data by the camera information system. Controller also did not provide information on monitoring the data subjects at the point of entry into the area monitored by the camera information system.

The controller violated the principle of minimization according to Art. 5 par. 1 letter (e) the GDPR, when at the time of the inspection he kept the personal data of the data subjects for longer than was necessary and necessary for the purpose of the processing.

• That the controller must provide information pursuant to Art. 13 GDPR within 10 days from the date of entry into force of the decision in relation to the data subjects no later than the moment of entry of the data subjects into the monitored premises, otherwise the Authority  the processing of personal data pursuant to Art. 58 par. 2 letter f. GDPR will ban.
• The controller uses a camera system to capture the premises of the municipal office and public spaces. The purpose of operating a camera information system is to protect public order and security, detect crime, protect company property or the health of people in the monitored areas.

In connection with the conclusion of the donation contract between the controller and the data subject, the controller published the birth number without the existence of a legal basis in the minutes of the regular meeting of the Municipal Council in Tesáry held on 03.12.2018, which was on the official board of the controller from 06.12.2018 2018  to 20.12.2018 and on the website of the operator www.tesare.sk from 08.12.2018 at least until 24.07.2019

Social Insurance Agency in Slovakia violated the proposer's right to protection of his personal data by sending personal data of applicants to the extent that includes data related to health, identifiers assigned for individual identification in information systems and data related to economic and social identity, sent to the adress of the holders of social insurance of the EU member states via Slovenská pošta, a.s. always as a Class 2 letter-post item and not as a registered item which provides a higher level of protection of the personal data processed and therefore the controller has not taken appropriate measures to ensure a level of security commensurate with the risk to the rights of data subjects with regard to the scope and content of the personal data processed and the nature of their processing.

The proposer has found that the controller violated the protection of his personal data, in particular by sending sensitive documents concerning his person, in particular the consignment "Application for a foreign invalidity pension", by ordinary (not recommended) consignment, i. without any confirmation of shipment, without a delivery number and without any guarantee that the shipment will be delivered in order and not lost, or misused by a third party.

In the specific case, the consignment was sent to Denmark. The consignment contained a large amount of the insured's personal data, including data on his health, data on the course of employment, income, as well as personal data of family members. This shipment was lost during delivery.

In order for the Controller to take organizational measures to ensure that personal data of applicants for disability pension from social insurance of EU member states, which the operator sends to the relevant social insurance holders by letter via Slovenská pošta, a.s., will be sent as a registered item

Without the existence of a legal basis, the controller published on the website www.horne-plachtince.eu the birth number of the two data subjects, in the form of a scan of the exchange contract for land owned by the controller dated 21.11.2017 (birth number published from 21.11.2017 to 18.01. 2019) and the purchase contract dated 25.09.2019 (birth number published from 25.09.2018 from 20.10.2018)

From the date of validity of the decision, the Controller is obliged to process the personal data of the data subjects by publishing them on the website exclusively in the existence of a legal basis within the meaning of Art. 6 par. 1 GDPR

Aukčný Dom, s.r.o. in the processing of personal data of proposers, violated the principle of legality under Art. 5 par. 1 letter a)  GDPR, that, in the course of his activity as an auctioneer, he processed the personal data of the proposers in position of the controller pursuant to Art. 4 par. 7 GDPR in a way, that as an auctioneer advertising the auction of real estate registered on the title deed no. 1328 published in the time from 02.10.2018 from 10.12.2018 on the website www.aukcnydom.eu photographs of the interior of the auctioned real estate, which include pictorial portraits of the proposers placed in this interior, thus performing the processing of publishing and disseminating personal data of proposers via the Internet, which does not meet any of the conditions of legal processing according to Art. 6 par. 1 GDPR.

On december 2018 Università degli studi di Roma "La Sapienza", notified to the Italian DPA a data breach regarding the disclosure of personal data processed through the platform that the data controller was using for the processing of whistleblowing reports. According to the Italian DPA, the data breach occured as the platform used by the University did not provide sufficient technical measures regarding access control, which would have made it possible to limit access only to authorised parties in possession of authentication credentials and a specific authorisation profile.

In may 2019, the Hospital notified to the Italian DPA a data breach, due to the illegal conduct of some employees who, in absence of the necessary authorization, had had access to the health records of their colleagues who were also patients of the Hospital.The investigations carried out by the Italian DPA showed that the technical and organizational measures adopted by the Hospital to patients’ dossiers were not suitable to ensure adequate protection of patients' personal data and to protect them from unauthorized access, thus leading to an unlawful data processing.
According to the Italian DPA, the violations could have been avoided if the data controller had applied the Guidelines on Health Data published by the Authority in 2015, in which it was established that access to patients’ health data should be allowed only to the personnel directly involved in the patient care process, through personal authorization profile.

The Italian DPA fined R.T.I. after having received a complaint regarding the broadcasting of a documentary about prostitution in Switzerland, in which the identity of the claimant was not sufficiently anonymized.
In determining the amount of the fine, the Italian DPA has taken into account: (i) the seriousness of the infringement, having regard to the particular nature of the data processed, relating to the sexual practices of the data subject and the general context of the documentary; and also (ii) the circumstance that no measures have been taken to ensure the anonymity of the claimant in an proper way, such as the alteration of the voice and the omission of certain specific personal references.

On 24 August 2018, the proposer has found out that the controller was violating the protection of personal data of proposer's son by publishing his photograph, to which the proposer had not given consent. The proposer, on August 24, 2018, by e-mail sent to popakademia@gmail.com, claimed the right of deletion from the controller (proposer has  requested an immediate deletion of the photo). This was repeated several times without the controller's response. Subsequently, on September 27, 2018, the proposer notified the controller by e-mail that the controller had not complied with her multiple requests to remove a photo of her son. On October 5, 2018, the proposer filed a complaint adressed to the Office for Personal Data Protection of the Slovak Republic.

On 16 April 2019, the photograph of the proposer's son was removed within the Facebook network, which also deleted the photograph of the data subject from the official website of the controller, and therefore the Authority did not consider it justified to impose measures to eliminate the identified deficiencies.

Measures:
The controller is obliged to ensure, in accordance with the principle of transparency, that all data subjects from whom it obtains personal data are provided with the necessary information within the scope of Art. 13 GDPR.

In the second half of May 2019, on the notice board at the entrance to the apartment building without a legal basis, the controller stated in the document entitled "Creation and drawing of the operation, maintenance and repair fund (FPÚO) year 2018" stated the proposer's surname in connection with the information "returned stamps for action and refunded court fee", which was subsequently delivered by the controller to 32 owners of flats and non - residential premises.

Taking into account the gravity, duration, number of data subjects (exclusively the proposer), the category of personal data concerned by the breach (ordinary personal data) and the fact that the controller did not obtain any pecuniary benefit, the Authority did not impose a fine.

Measures:
The controller is obliged, in accordance with the principle of legality, to process personal data, in particular to make them available exclusively in the existence of a legal basis within the meaning of Art. 6 par. 1 GDPR.

Until April 27, 2018, in obtaining the consent of the data subjects for the purpose of sending marketing offers of partners of O2 Slovakia, s.r.o. and of sending marketing offers from O2 Slovakia, s.r.o. using operational and location data, controller proceeded with the creation of the order via the controller's website by pre-filling the consents to send the said marketing offers and not allowing the data subjects to actively grant consent, thus limiting the right of the data subjects to decide on processing of their personal data by free and explicit expression of will.

Measure:
The Authority did not impose a corrective measure due to the fact that the controller have removed the pre-filled field with consents to send marketing offers on 27.04.2018.

The controller, in the position of the proposer's employer, asked the doctor for information - a prognosis, when she expects the proposer's incapacity for work to end. The controller received a document containing the proposer's personal data relating to health to the extent of an extract from the medical file, whereby the controller performed an operation to obtain personal data relating to health which did not meet any of the legal processing conditions under Article 6 para. 1 GDPR, neither any processing conditions under Article 9 para. 2 GDPR.

The proposer was unable to work from 27.02.2018. In that regard, her employer contacted the proposer's district doctor with a written request for information on when does she expect the proposer's incapacity for work to end.

Measures:
The Authority has reprimanded the Controller that the processing operation which was used for the collection of personal data  related to health of the proposer, violated Art. 5 par. 1 letter a) GDPR
Art. 9 par. 1 GDPR.

The Authority did not impose a measure on the controller to reconcile the processing operation with the GDPR, nor did it impose a fine for violation of the provisions of the GDPR, as the controller after receiving the proposer's medical documentation decided to shred it on 22.10.2018.

The controller violated the principle of confidentiality because in January 2019, the controller was disposing the personal data of the data subjects in paper form (such as photocopies of loan agreements, official documents such as ID card, birth certificate, passport), during liquidation of his store Elektro and the removal of waste to the collection yard in the village of Strečno,  there was unauthorized processing and access to the personal data, which violated the security of the processing of personal data of the data subjects. The controller has not complied with its obligation to report the breach to the Authority without undue delay and, if possible, within 72 hours, in accordance with Article 33 of the GDPR.

On February 5, 2019, the Authority received an e-mail from a person who was to find the accounts of the company FIN, spol. s.r.o. During a quick review of discarded documents, he discovered, among other things, the company's contracts with citizens, while these contracts contained personal data of citizens, their clients, including their birth numbers.

Measures:
The Authority has imposed on the controller a measure pursuant to which the controller is obliged in accordance with Art. 32 The GDPR, to take appropriate organizational measures to determine the procedure for persons acting on his behalf (employees) in checking unnecessary paper documents and disposing of personal data on them, instructing them of the procedure.

The company got a copy of photographic ID of the personal data subject with his/her consent, however did not react to his/her consent withdrawal and continued in processing of his/her personal data.

The operator of an online game was exposed to multiple DDoS attacks which triggered the malfunctioning of the servers. The attacker blackmailed the operator stating that the attacks will not stop unless he pays money. As component of the blackmail, the attacker offered the operator that he will create an upgraded and better firewall protection to the servers of the operator. The operator agreed and paid the attacker. The operator implemented the new code from the attacker which proved better than the old one but there was a "backdoor" in the code. The attacker used the backdoor to steal all the data from the server about the players and uploaded these details to his website. The  Czech Data Protection Authority concluded that the operator did not take proper security measures.

The  Czech Data Protection Authority found that the controller used personal data of his client without his knowledge to open a bank account and that he had therefore not complied with the purpose of the processing.
Furthermore, the controller did not ensure sufficient control of compliance with the relevant internal rules on personal data.

Despite his e-mail request, the data controller did not provide his employee with information on the processing of his personal data.

The data have not been processed in a way that ensures an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical or organisational measures ('integrity and confidentiality'). Furthermore, the controller has not concluded relevant agreements with processors concerning the processing of personal data.

 Despite their requests, the data controller has not provided the data subjects with information on the processing of their personal data.

A person has rented a car and  found out, that the car was tracked by the renting company, using GPS, although no information about the fact that the car is being tracked was provided.
The Czech Data Protection Authority found that no information in the sense of Art. 13 GDPR and that Art. 6 (1) f) GDPR could not be the legal basis in the specific circumstances. The UOOU therefore found a violation of Art. 6 (1) f) GDPR. 5 (1) a) GDPR for which it imposed the fine.

Data have not been processed with an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical or organisational measures ('integrity and confidentiality').

A former employee of a company requested the deletion of his or her personal information, which was published on the employer's Facebook website and which was still available long after the termination of employment.
The fine was imposed because the employer did not delete the information about the former employee.

The person concerned has not been provided with information on the processing of his/her personal data by the controller, despite his/her request.

The controller as an anergy distributor is obliged to according to Czech law provide Czech Television and Czech Radio with information with whom the controller concluded a contract on providing electricity. This obligation does not concern personal data of customers who are being provided with gas. Upon a complaint of one customer the controller found out that one employee transferred the personal data of its customers from their database to Czech Television and Czech Radio without legal basis for such transferring because the transfer included personal data of customers who are not provided with electricity.

The controller was unlawfully processing  special categories of personal data and birth number as well as did not  ensure an adequate level of security of such personal data.

The controller process personal data of data subject by publishing data from other official registers on the controller's website and it was found out that the controller was processing some of the data without sufficient legal basis for such processing. Furthermore, the controller did not provide the data subjects with information on the processing of their personal data despite their requests.

The Royal Dutch Lawn Tennis Association (KNLTB) provided the sponsors with personal data such as names, gender and addresses, so that they could approach a selection of KNLTB members with tennis related and other offers. One sponsor received personal data from 50,000, the other from more than 300,000 members. These sponsors approached some of those KNLTB members by post or by telephone. In the opinion of the DPA, the KNLTB had no legitimate interest to sell these personal data. The KNLTB argued it did have a legitimate interest to sell personal data of its members. However, the DPA concluded the purely financial interest of the KNLTB was no lawful basis for infringing the basic rights of its members. The members had not given their permission either. The KNLTB lodged an objection to the fine imposed. The objection was decided on by the DPA itself.

autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/samenvatting_onderzoek_knltb.pdf

The processing of biometric personal data deserves specific protection because of this unique identification. By virtue of Article 9 GDPR, the processing of biometric data is therefore prohibited, unless one of the exhaustive listed exceptions to Article 9(2) of the GDPR arise. In this case the controller couldn't demonstrate that its employees have given (explicit) permission for the processing of their fingerprints. Thereby several employees stated that fingerprint scanning was mandatory and that permission is not requested for this, not even in the context of signing the employment contract or by receipt of the employee handbook. Some employees where not informed at all.

Whether identification by means of biometrics is necessary and proportionate for authentication or security purposes does not hold in this case, because there were other less far-reaching ways to make sure that the employees made their workhours.

https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/onderzoek_vingerafdrukken_personeel.pdf

From May 2018, BKR asked a fee for the digital retrieval of personal data. The AP is of the opninion that this is a violation of providing access to your personal data as mentioned in art. 12(5) GDPR. Also, people could only view their data once a year (by post) at no cost. The AP mentioned this is a violation of art. 15 GDPR because of a lack of facilitating the access of your personal data. That is why a fine of 830,000 euros has been imposed.

After the investigation by the AP, BKR has adjusted the method. Since April 2019, people can digitally view their data at BKR for free. From March 2019, BKR has also adjusted the number of times that people can view their personal data by post.

BKR has appealed to the court in this case. As a result, the decision of the AP on the fine to be imposed is not yet final.

An ex-customer of DEI exercised her right to access pursuant to GDPR Article 15 asking for all electronic and physical correspondence she had with DEI since 2015. DEI did not answer and claimed before the authority that there was no correspondence to share. The Hellenic DPA decided that DEI should have replied without undue delay to the query regadless of whether the response was negative and fined DEI.

The complainant's child was undergoing special education sessions at the fined educational organisation. When he requested to know how many sessions and on what dates his chilld had participated to as well as to receive the invoices for said sessions, the educational organisation denied his request to access on grounds that his ex-wife -who has custody of the child- objected to the data being disclosed. The Authority found this limitation unacceptable since each parent that has the parental control has the right to request access to the child's data and this refusal did not fulfil the requirements of Article 15 par. 4 GDPR. The organisaiton was fined EUR 8.000 and it was instructed to disclose the relevant information without undue delay.

The complainant was contacted directly by the college through phone call, in order to be provided offers regarding educational programs for unemployed citizens. When he asked the data controller where they had gotten his data from, he received no conclusive answer. The Hellenic DPA ruled that the college had failed to meet its obligations as regards the right to be informed of the data subject, despite having collected data that should not be publicly available (unemployment status).

The complainants worked at a private construction site next to the residence of the data controller. The latter had installed rotating cameras as part of a CCTV system, which were recording image from the complainant's property. Despite being repeatedly asked to cease the recording, the data controller refused, claiming the CCTV was necessary for the protection of his property and that in any case, due to the distance, the faces of the complainants were not visible in the images. The Hellenic DPA ruled that the data controller was in violation with the principles of transparency and data minimization, as well as the obligations set forth by the DPA's Directive 1/2011 on the use of CCTV. The Hellenic DPA also ruled that the visibility of the complainant's faces was irrelevant because the constant monitoring of an individual constitutes prima facie a violation of their privacy. The data controller was fined EUR 8,000 and was instructed to take the appropriate measures for the lawful operation of his CCTV system.

The controller misprocessed the personal data of a natural person in the context of solving her/his complaint, the response to that complaint being send to an erroneous email address. The supervisory authority concluded that such event was possible due to insufficient security measures implemented by the controller to ensure the accuracy and confidentiality of the processed data.

The controller has not provided the supervisory authority with the information it required for the performance of its tasks. The supervisory authority was informed that the controller disclosed personal data without the consent of the data subject.

The controller has failed to observe the right of data subject to object to processing for direct marketing purposes, and continued to send to the data subject unsolicited commercial communications although he/she has unsubscribed.

Failure to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, as well as to ensure that all individuals acting under controller's  authority and who have access to personal data will processes such data with the observance of the internal procedures. This has led to unauthorized  processing of clients'personal data by the  controller's employees  via WhatsApp platform.

The controller has  collected personal data without the consent of the data subject or another legal ground for such processing.

The controller failed to implement appropriate security measures for checking the accuracy of the personal data collected over the telephone (remotely) for contract purposes. This has led to illegal processing of the personal data of the data subject by signing subscription contracts on his/her behalf, using outdated personal data in the pre-existing contract without checking their accuracy.

Failure to implement adequate technical and organizational data in order to secure the processed data. This facilitated a security data breach consisting of publishing by the controller of a document on its Facebook page with a capture from the source code of the website and the password for access to the forms completed by participants in the contest organized by the controller. This situation has led to unauthorized access to the personal data of 436 clients on the controller's website.

Failure to implement adequate technical and organizational measures to ensure that every individual acting under the controller's authority and who has access to personal data will processes such data only at the controller's request and instruction. This has led to unauthorized access and disclosure of personal data of five data subjects.

The national operator of post services was sanctioned for failure to implement appropriate organisational and technical measures (such as pseudo-anonimisation). Personal data (emails and phone numbers of data subjects) could be accesed without authorization  on the company's web site managing the awb status.

The association was sanctioned for publishing the image of a data subject (exctracted from the video surveillance system of the building), at the entrance of the building, without a legal ground.

In the context of an on-line event, log-in  data were sent to wrong email addresses, which lead to disclosure of personal data of other participants.

A data subject comlpained that the association did not respond to his/her request. The authority fined the company for not implementing the corrective measures imposed by the authority, specifically for not responding to the request of the authority.

Megareduceri TV SRL sent unsolicited commercial communication (marketing text messages) to private phone numbers without having the consent of the data subjects. The authority fined the company for not implementing the corrective measures imposed by the authority, specifically for not responding to the request of the authority.

For a period of approximately 4 to 5 months, a doctor published patient data and medical records on his personal Facebook page.

The published data included patient names, diagnostic data, medical diagnoses, medication data, hospital admission and discharge data, patients' social security numbers, and the names of the treating doctors.

The decision was passed in a simplified procedure in which the imposed fine of 600,- Euros is the maximum penalty.

Authority: Austrian Data Protection Authority (DSB)

This fine was imposed on a private person who  secretly made a video of a woman while she was using the toilet. This so called "upskirting" was long only a violation of the GDPR and is just recently punishable by court  in Austria. The penalty imposed was set in regard to the income situation of the perpetrator, the maximum penalty would have been 20,000,- Euros.

Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")

The Commissioner launched an investigation after a complaint was lodged by the employees’ trade union.

The reasoning behind Bradford's Factor automated system for scoring employees' sick leave was that short, frequent, and unplanned absences lead to a higher disorganising of the company rather than longer absences.

The date and the frequency of a sick leave relating to an individual, insofar as his or her identity is directly or indirectly disclosed, entail the processing of "special categories of personal data", as defined under Article 9(1) of the GDPR. Providing personal data to an automated system, scoring the data using 'Bradford Factor', and profiling individuals based on the results, is considered as processing of personal data; therefore such a processing operation needs to be in line with the principles defined in the GDPR.

The controller carried out an impact assessment of the processing operation, and it was submitted to the Commissioner for consultation during the investigation. The Commissioner was of the opinion that the controller failed to demonstrate through the impact assessment that its legitimate interest prevailed over the interests, rights and freedoms of its employees and consequently the mitigation of the risks was inadequate.
                                                                                                                                                                                                                                                                                                         After assessing all the elements gathered for the purpose of the investigation, the Commissioner decided that such processing operation had no legal basis. Primarily, it had not been established that the legitimate interest of the controller overrides the interests, rights and freedoms of its employees, which would enable the controller to rely on article 6(1)(f) of the GDPR. Likewise, none of the provisions of Article 9(2) of the GDPR would apply in this case, enabling the controller to process health data of employees.

The controller, as the employer, was entitled to supervise the frequency of sick leaves and the validity of sick leaves certificates. However, such a perquisite should not lead to mishandling and should be applied within the limits set by the relevant legislative framework.

In the course of the investigation, the controller claimed, inter alia, that (a) the complainant 's number had been removed but for technical reasons the messaging provider' s system did not update; and that (b) the message provider's system did not provide for the operation of a toll-free number for the automatice termination of messages.After taking into account various mitigating factors, including that no complaint had been lodged with the Commissioner against the same data controller by another data subject, an administrative fine of € 1000 was imposed.

In the course of the investigation, the data controller claimed that the sending of the message was made inadvertently as the previous officer in charge of sending the messages did not inform the administration, therefore the new officer did not have the updated mailing list in front of him.

The Commissioner considered that the controller was obliged to take appropriate technical and organizational measures to ensure that the data subjects' requests were respected, regardless of whether any staff members had changed.

The Commissioner highlighted that the Bank did not comply with its obligations under the GDPR because the loss of the complainant's insurance policy deprived him of his right of access to the insurance contract, making him incapable of checking the correctness and validity of his data and verifying the lawfulness of the processing. Furthermore, the Commissioner noted that the fine was a result of the Bank's failure to notify the Commissioner of the data breach in relation to the loss of the contract within 72 hours from the moment the breach was brought to its knowledge.

The data controller was fined by the Commissioner after a series of complaints from data subjects receiveing unauthorised emails without their consent.

A series of media publications (printed and online press) mentioned the telecommunications company CYTA, the Social Insurance Services of the Ministry of the Ministry of Labour, Welfare and Social Insurance of Cyprus, and the Cyprus Police as data processors (due to their role regarding the mechanised system of the Social Insurance Services) involved in a scandal of leakage and/or violation of personal data of natural persons via this database, leading to the initiation of an investigation by the Office of the Commissioner for Personal Data Protection of Cyprus. The publications suggested that a member of the Police proceeded with searching for, printing and forwarding to a non-authorised recipient/third party of documents from the database.

The Commissioner brought the publications to the Police's knowledge and requested a detailed statement on its behalf regarding the alleged violations. In its statement, the Cyprus Police acknowledged that one of its members, whose professional duties included his ability to have access to the Mechanised Database on vehicle owners, acting beyond the orders of the Police, proceeded with specific searches (within the database), located and printed documents (from the database), and then passed them on to a third party (a retired Police Officer).The Commissioner held that the existing supervising mechanisms of the Police were not operating properly at that time or at least they did not operate as efficiently as they should and, thus, were considered insufficient. The organisational and technical measures that the Police had taken were not effective and they proved themselves insufficient and unable to prevent the non-authorised forwarding of personal data to third-parties. The undertaking of further organisational measures and the frequent undertaking of internal controls of the tracking archives/history was deemed necessary. Thus, the Commissioner concluded that Cyprus Police was responsible for a violation of Article 32 par.1(b) & (d) and par.(4) GDPR, as a result of the acts and/or omissions of the Police, whose member proceeded with a non-authorised forwarding of personal data found within the Police's database of vehicle owners to a third party, thus exceeding their authority and the orders of the Police.                  

Additionally, the Comissioner fined the Cyprus Telecommunications Authority ('CYTA') for failing to prevent an employee from leaking the personal data of 249 customers to a third party. In particular, the Commissioner highlighted that the employee's access to customer data should have been revoked following their transfer from the customer services department and that following internal policies and procedures in this regard could have prevented the leak.

Furthermore, the Commissioner fined the Social Insurance department for allowing the police to have access to personal information data and failing to take adequate measures to secure data, despite warnings of the data protection officer.

The complainant used to be a professor at the American College of Greece who was then transferred to a different position of the institution following reports by students that he uploaded hateful and transphobic posts on his public social media accounts. Two students claimed that they felt the learning environment was unsafe for them and they requested that the College's HR department address the situation.

The College elected not to terminate the employment but rather to transfer the complainant to a different non-teaching function. Afterwards, the complainant made repeated requests of access and deletion towards the HR and other administration departments asking to be provided the contents of his employee folder and of the contents of any reports made against him and for such to be deleted. The College requested the consent of the two students who had made the reports in order to provide them to the complainant. One of the students stated that she was afraid of her safety and did not want her name or the contents of the report to be disclosed to the complainant. The other student provided her consent.

The College replied to the complainant after the lapse of the 30 day response period as provided in Article 12 par.3 of the GDPR providing the information requested but only one of the student reports. They also informed the complainant that not all the data could be deleted as it was necessary for the establishment, exercise and defense of legal claims as provided in Article 15 par.3(e) of the GDPR.
The Hellenic DPA ruled that the College violated the complainant's right to access by asking for the consent of the reporting students, as. in the balancing exercise, there is no indication that the students were in immediate danger to their rights and freedoms and their legitimate interest's could not override the complainant's right to defend himself against a possible insult to his personality. Considering that this was a minor violation of the complainant's rights and the College acted in good faith to protect the students' interests, the DPA decided on a minimal fine.

The Controller operates several camera systems, which are located in buses, trolleybuses, but also in bus stops. The controller had a document "personal data protection" published on his  web page, on the basis of which he declared that he collects this data on the basis of Art. 6 par. 1. letter f) GDPR. The legitimate interest should be the protection of property, health and public order, security and the detection of crime. The Slovak Office for Personal Data Protection warned the operator that it is not within its competence to ensure the protection of public order. At the same time, the cameras captured not only the area of ​​stops but also its surroundings (sidewalk, road), while it is possible to recognize the faces of people from the recording. The storage period was 15 days, which was observed at the time of control. The operator integrated the camera announcement into the operating rules and pasted the announcement on each bus door, which the DPA did not consider sufficient. as the responsible person was not mentioned either, the principle of minimizing and the principle of liability was violated.

The controller received a request from the data subject pursuant to Art. 15 GDPR, which he did not complete within the deadline. The controller  argued that the data subject had made his request in extensive communication with the complaints department. The subject of the communication was the application of a complaint, where the data subject exercised his right pursuant to Art. 15 GDPR. The content of each email was information that personal data is processed in accordance with the GDPR Regulation and more detailed information can be found on the website. The controller specified in the internal directive that the data subject is obliged to send the request to the personal data protection department and not to the complaints department. Nevertheless, the  controller responded to the request three days after the deadline for reply. the Office for Personal Data Protection stated that the controller's internal directive cannot restrict the data subject's right to information.

The primary school, as the controller, introduced a project called "happy school" in a non-transparent way in order to promote the school. Primary school  recorded a CD of songs with children from this school, that contained the names and photos of the children. At the same time, the children went on a "tour" with this CD and school made a videos, which they later published on the "youtube" website. The CD was also released and sold in Hungary without consent of the parents. All this was done by the school only with the general written consent of the parents, which is signed by all parents at the beginning of the school year, and only for the purpose of publishing photosand promoting school activities on the school's website. Such consent did not meet the requirements of informed parental consent.

The data subject submitted a request for access to personal data on 11.02.2019, which the company QUALITY s.r.o. as an operator did not provide it within the legal deadline (it provided it on 15.03.2019), which violated the right of the data subject to access personal data. At the same time, the operator has expanded the scope of personal data processing to include marital status and telephone number.

The controller in his catalog with offer for summer holiday had an outdated legal frame which means that all passengers personal data were proceed in violation with current GDPR. At the same time, the consent in the trvale contract to the processing of personal data was crossed in advance, on conclusion passengers did not have opportunity to dissagreed.

The controller breach the regulation  by processing personal data through a camera information system. He violated the privacy of the data subjects without consent. The persons concerned proposed the initiation of personal data protection proceedings, accompanied by a recording of a report television broadcast on "TV Markíza". The controller provide the recording from his camera to this TV and it was  broadcast on 12 September 2019. The controller has a notification about cameras just on his mailbox next to his front door. The controller, stating that the camera system serves just to protect  life, health and property of the controller and his family members. However, the camera system also monitored the public road, also he breach the law  while he kept records beyond the time necessary to fulfill the purpose.

The controller published the birth identificatiobn numbers of 186 applicants for a four-year study on the controller's website in the period from 25.5.2020 to 23.6.2020, without any consent.

In August 2019 the Bulgarian National Revenue Agency ("NRA") was fined for data breaches notified to the Bulgarian Commission for Personal Data Protection ("CPDP") on 17 July 2019. The inquiry commenced on 22 July 2019.

In its decision, the CPDP found that there was an infringement of Article 32 (1) (b) of the GDPR. It established that NRA's failure to implement the necessary technical and organisational measures had resulted in an unauthorised access, disclosure and distribution of personal data of more than 6 000 000 natural persons. The compromised personal data included names, addresses and contact information, as well as data from individuals' annual tax returns, information relating to their personal income tax position, insurance declarations and health insurance premiums, as well as data on tax payments they had completed and on VAT refunds claimed and received. In addition to imposing a fine, the CPDP announced it had ordered the NRA to undertake a number of actions designed to improve its data security practices.

In August 2019 DSK Bank was fined for a data breach. In its decision the Commission for Personal Data Protection ("CPDP") established that DSK Bank had infringed Article 32 (1) (b) of the GDPR by not being able to guarantee ongoing confidentiality and security of the systems and servers for processing personal data of individuals, which resulted in third parties having gained unauthorised access to personal data belonging to more than 33,000 customers of the bank. The data was recorded in more than 23,000 credit record files. Among the compromised personal data was data from national ID documents, income and health insurance information, as well as details concerning assessments of individuals' capacity to work.

In 2019 two Bulgarian electronic media were fined for infringements of data protection legislation based on a complaint of a data subject. In its decision the Commission for Personal Data Protection ("CPDP") established that the two electronic media had infringed Article 5 (1) (d) of the GDPR by publishing on their sites articles, containing the photograph of the complainant. The subject of the articles was apprehension of a person accused on murder charges. According to the complaint there was a coincidence in the names of the accused and the complainant, who was not related to the murder, but his photo was published by the media.  During the investigation it was proven that the accused and the complinant were not the same person. Therefore, the CPDP imposed an administrative fine of 5000 BGN to one of the electronic media and  an administrative fine of 20 000 BGN to the other electronic media as it did not act on removing the personal data.

The Government Office transferred citizen health data without password protection to general practitioners who were not authorised to access such data, which constituted constitutes a personal data breach resulting in a high risk to the rights and freedoms of natural persons. The Hungarian DPA constituted that the emergency situation caused by the Covid-19 outbreak and the related public tasks of authorities do not exempt them from taking appropriate data security measures and from processing personal data lawfully in accordance with the GDPR.

The key points of this provision are several violations carried out by TIM concerning the consent of the data subjects. First of all, TIM processed data for telemarketing or teleselling purposes without having obtained the consent of the data subjects. Moreover, TIM obtained a consent from data subjects which was not in compliance with the GDPR.  With reference to the "TIM Party" program, particularly, it resulted that, in order to subscribe to it, data subjects had to express their consents to receive marketing communications. Additionally, with respect to some TIM apps, it provided only a single flag for the joint acceptance of the "terms of service" and the privacy policy, within which there were references to the processing of data for marketing purposes, geolocation and communication to third parties for their marketing purposes. According to the Italian DPA, the above mentioned processes used to obtain the data subjects’ consent were in contrast with the principles of free expression and specificity provided by art. 4 of GDPR.

Since the end of 2018, the Italian DPA has received a number of complaints and reports concerning the processing of customer data for the activation of sim cards, the processing of data for promotional purposes and the measures adopted for the storage of data in the customers' personal area.
In particular, the Society imposed to the consumers the contextual acceptance of the contractual conditions and the privacy policy, and it requested the consent for promotional purposes, specifically mentioned in the privacy policy, without such processing existing or being envisaged.
Moreover, in the activation of a new sim through physical channels, the Society has set up special machines called 'Simbox', which did not respect the confidentiality of potential customers in the activation's process of such sim.
Finally, the company did not comply with the Italian privacy law that requires the providers of electronic communication services to use, pursuant to Article 32 of the Regulation, specific technical and organisational measures appropriate to the existing risk.

In July 2020, the Italian DPA issued a decision regarding  numerous unlawful data processing operations, mainly related to promotional activities, carried out by Wind. In particular, the providers of the Company did not check whether the call centres, with which they collaborated, had properly collected consent for the processing of customers' personal data; at the same time, the Company did not monitor these activities carried out in its interest by the providers. Moreover, in some cases, customers' data were found to be present in telephone directories despite the request for deletion. These violations led to promotional contacts being received by consumers without their consent. In many cases, the consumers were not even able to exercise their right to withdraw their consent or to object to the processing of their data for marketing purposes.

The Italian DPA found out the violation by Vodafone Italia S.p.A. of the key principles of GDPR such as accountability and data protection by design in addition of the violation of content requirements. More specifically, the Italian DPA discovered the use for marketing purposes of fake telephone numbers or numbers that were not registered with Italian registry under Vodafone’s own spotlight. Additional violations are related to the handling of contact lists purchased from external providers as those lists were obtained by Vodafone partners from other companies without the required users’  free, informed, and specific consent.

The case regards the improper use cof the app for the reservation of appointments and the provision of services carried out by the public administration. The app made it possible, in fact, to acquire and store on the servers of Roma Capitale, for a long period of time, numerous data of the users relating to bookings and of the staff employed in the management of appointments. All the operations were carried out without either the users or the employees having received full information on the processing carried out by the app. The Italian DPA also found inadequate the technical and organisational measures implemented by the Public administration, which had not regulated the relationship with the company providing the app.

RP Legal and Tax

The Hospital breached the GDPR by sending a medical report referring to two data subjects to a third party, due to a material error made by an employee during the enveloping process. The medical report, which was received by email at the third party's residence, contained special categories of personal data of the two data subjects, such as data relating to their health and sex life and information on the health of their family members. For this reason, the hospital did not ensure a sufficient level of integrity and confidentiality and disclosed special categories of data to third parties without an adequate legal basis.

The case concerned the violation of a hospital patient who had explicitly requested the Hospital that no third party, including family members, be informed of her health condition. In particular, a hospital nurse, not being aware of the request, called her on the home number recorded in the hospital register, thus speaking to a family member and revealing him the ward where the patient was admitted. For this reason, the Hospital was held liable for not having implemented sufficient technical and organisational measures to ensure that the patient's wish to be contacted only at a specific telephone number was respected.

The case is related to the the permits for access and parking issued by Roma Capitale through its provider. These permits, to be displayed on the vehicles, were provided with a QR code, which allows anyone, through the use of a generic application for mobile device, to decode the code and to access personal data relating to the holder of the permit or its user, without a proper legas basis. For this reason, Roma Capitale has been found responsible for the failure to adopt technical and organisational measures suitable to guarantee a level of security adequate to the risks, for the illegitimate diffusion of pesonal data and for the failure to stipulate a data processing agreement pursuant to article 28 GDPR with its provider/data processor.

The Italian DPA has revealed important "system" criticalities, due to the complex of processing operations carried out by Fastweb regarding both the entire customer database of the Society and the broader range of potential users of the electronic communications sector. In particular, the providers of the Society did not check whether the call centres, with which they collaborated, had properly collected consent for the processing of customers' personal data; at the same time, the Society did not monitor these activities carried out in its interest by the providers. Moreover, the Society used the data coming from the contact lists, provided to it by external partners, without the latter having acquired the users' free, specific and informed consent to the disclosure of their data. Lastly the security measures of the customer management systems were also found to be inadequate and the data breach wasn’t notified neither to the competent DPA nor to the data subjects.

Consistent with the measures No. 20 of 22 January 2021 and No. 61 of 11 February 2021, the Italian DPA has imposed a provisional limitation on the processing of the personal data of users whose age is incompatible with: 1)   the use of the services (thirteen years); 2) the Italian law for giving consent to the processing of personal data (fourteen years). Morevoeror, the limitation has been imposed also for those users whose age cannot be verified.
In fact, considering the inadequacy of the measures of the Society to exclude, by means of a barrier to the identification, the processing of personal data of these users, the Society has violated the duty of the data controller to implement the principles of accountability and the principle of privacy by design and by default (Articles 24 and 25 of the Regulation).

Following several complaints and reports, the Italian DPA verified that the Socieity had processed personal data for telemarketing activities, which it had not collected directly, but had acquired from other sources. In fact, Iren had obtained lists of personal data from a third company, which in turn had acquired them, in the capacity of independent data controller, from two other companies. The latter companies had obtained the consent of potential customers for telemarketing carried out both by them and by third parties, but this consent did not cover the transfer of customer data from those third parties to other third parties, including Iren.

The Italian DPA's investigations revealed that the Municipality had been using, for about ten years, a system for monitoring and filtering employees' internet browsing, storing this information for netwrok security purposes. Nevertheless, the system, implemented without adequately informing the employees, allowed processing operations that were unnecessary and disproportionate to the purpose of protecting and securing the internal network, carrying out a generalised collection of data relating to connections to websites visited by individual employees, including information related to the private life of the person concerned.

The Italian DPA found several violations commited by the Society, in particular in relation to the algorithms used to manage its riders. For example, the Society had not adequately informed workers about the operation of the system and did not ensure guarantees about the accuracy and fairness of the results of the algorithmic systems used to evaluate the riders. It also failed to ensure procedures to protect the right to obtain human intervention, express one's opinion and challenge decisions taken through the use of the algorithms in question, including the exclusion of some riders from work opportunities. Besides that, the Society did not even communicate the contact details of the DPO to the Italian DPA and did not provide a data protection impact assessment for the data processing activities in relation to its riders.

The Portuguese Data Protection Supervisory has applied a fine of EUR 2.500 to the City Council of Nelas, in light of a series of complaints filled due to the disclosure, on social media, of personal data regarding two people that had been infected with the covid-19 virus on a parish of the municipality. Although the municipality did not mention the specific name or address (indicating only the parish of residence) of the persons concerned, it revealed a circumstance (a trip to a certain country within a specific time interval) that allowed, according to the CNPD, in that small community, to identify to whom the social media post had referred to. 

The Controller who has a legal obligation to certain information relating to its activities within the mandatory publication of contracts published universally applicable identifier - personal identification number of the person concerned.

The Controller violated the principe of fairness and transparency according to art. 5 par. 1 letter a) GDPR by informing data subjects pursuant to art. 14 GDPR on the marketing purpose of processing personal data obtained from a publicly available source - the website of the Office of Geodesy, Cartography and Cadastre of the Slovak Republic, although it has not performed this activity since 25.05.2018. He further the principle of legality by sending marketing offer to the address of the person concerned without a legal basis. Finally, he violated art. 12 par. 1 in conjunction with art. 15 GDPR by non-transparent processing of the data subject's request for access to data because he did not provide relevant information in response to the request.

The controller has failed to inform  the data subject on action taken related to his/her request on the exercise of data subjects's right "to be forgotten", within one month of receipt of the respective request.  Also, the controller has failed to inform the data subject of the extension of the deadline of one month period for providing the data subject with an answer to his/her request, stating the reasons for such delay.

Failure to implement adequate technical and organizational data in order to secure the processed data and to prevent unauthorized access to personal data (e-mail addresses and telephone numbers) on awb.posta-romana.ro (belonging to the controller).  This has led to the breach of confidentiality of personal data of 81 data subjects. 

Illegal data processing through video surveillance system of the  controller, by posting the image of data subjects (processed via video surveillance cameras) on the notice board of the building, in breach of GDPR principles regarding personal data processing.  Failure of the controller to implement adequate technical and organizational data in order to secure the processed data, as well as lack of a complete information of the data subjects regarding their data processed through video surveillance system.

Failure to implement adequate technical and organizational data in order to secure the processed data and to prevent the unauthorized access to personal data has led to the breach of confidentiality of personal data (i.e. e-mail addresses, usernames) of 1300 data subjects (i.e. users of the controller's electronic platform). More specifically, in the context of an online event organised  by the controller, the login data was erroneously transmitted to other e-mail addresses than those used in creating an account on the electronic platform of the controller by the respective users -data subjects.

The controller has failed to respond to the supervisory authority’s requests. The investigation of supervisory authority was triggered by several complaints of data subjects regarding the fact that they received commercial messages sent by the controller promoting the services on the website www.reducerazi.ro, without them having given consent in this regard.

The controller has not provided the supervisory authority with the information it required for the performance of its tasks. The supervisory authority has initiated the investigation based on a complaint of a data subject regarding the failure of the controller to respond to data subject’s request.

Failure to implement adequate technical and organizational data in order to secure the processed data and to prevent the unauthorized access to personal data has led to unauthorized access and disclosure of personal data of customers who have placed orders on the controller’s website.

The controller has not provided the supervisory authority with the information it required for the performance of its tasks.

The controller has failed to respond to requests of data subjects to exercise the right of access and right to erasure. Also, the controller could not prove to the supervisory authority the settlement of the received requests for exercising the rights of access and erasure within the term provided by GDPR.

Failure to implement adequate technical and organizational data in order to secure the processed data and to prevent unauthorized access to personal data (i.e. e-mail addresses, telephone numbers, name, surname, age of minors, delivery address, order number, the total amount of order, ordered products and date of order) on the website of the controller has led to the breach of confidentiality of personal data of 1091 data subjects.  Also, the controller failed to notify the personal data breach to the supervisory authority.

Failure of the controller to observe the principle of integrity and confidentiality of personal data and to implement adequate technical and organizational measures in order to secure the processed data led to disclosure and unauthorized access to personal data (e.g. name and surname, e-mail addresses, behavioural data, personal preferences, transaction value, place of work, position and place of work, work telephone number) of 4 data subjects (one client and three employees of the controller).

The controller has not provided the supervisory authority with the information it required for the performance of its tasks.

The  controller failed to observe the lawfulness, fairness and transparency principle while processing personal data  (i.e. image and voice)  through portable audio - video surveillance means (i.e. "Badge" audio-video surveillance means). The supervisory authority also concluded that the processing of personal data was carried out without a legal obligation on the controller, respectively without having a legal basis to this end.

The  controller failed to observe the lawfulness, fairness and transparency principle while processing personal data  (i.e. image and voice)  through portable audio - video surveillance means (i.e. "Body-Worn" portable audio-video systems). The supervisory authority also concluded that the processing of personal data was carried out without a legal obligation on the controller, respectively without having a legal basis to this end.

Failure of the controller to implement sufficient security measures in order to ensure the confidentiality of personal data has led to the disclosure of personal data (i.e. e-mail address) of 295 data subjects.

The sanction applied by the supervisory authority was triggered by the fact that the controller continued to process the personal data of a data subject – customer (i.e. email address, first and last name, expiration date of the identity card) after the termination of the contractual relationship with the respective customer, non-observing the principles of data processing and without legal basis to justify such data processing. In more detail, the data subject requested the closure of the current account, but due to a system error this request was not considered and the business relationship with the controller was still maintained with the "active" status. The controller sent messages on the e-mail address of the data subject regarding the updating of his/her personal data.

Failure of the controller to implement sufficient security measures in order to ensure the confidentiality of personal data has led to the disclosure of personal data of 270 data subjects.

 Lack of appropriate organisational and technical measures

Failure of the controller to implement appropriate organisational and technical measures to ensure that all individuals acting under the controller’s authority and who have access to personal data will processes such data based only on the controller’s request has led to unauthorised disclosure and access to personal data transmitted to individuals other than the recipients.

Failure of the controller to implement proper technical and organisational measures in order to ensure level of security appropriate to the risk of data processing has led to unauthorized disclosure of personal data (e.g.  customer ID, customer code, name and surname, personal identification number, date of birth, gender, phone number, e-mail address, domicile/residence address, the value of the debts associated with the customer code) of 99,210 data subjects – customers of the controller. Moreover, this failure of the controller has led to unauthorized access to personal data in MyAccount accounts (i.e. the name of the account holder, date of birth, used telephone numbers, home address, email address, subscriber code, contracted services, active extra options on the account, invoice history) of 413 data subjects - customers of the controller.

The controller has excessively processed personal data of its employees through video surveillance cameras installed in the areas designated as locker rooms and spaces for serving the meal. The supervisory authority concluded that such data processing was carried out by the controller with non-observance of data minimisation principle, the purpose of data processing declared by the controller (i.e. protecting the goods of controller, discouraging theft) could be achieved by using less intrusive means for the privacy of employees, and that the consent of employees cannot be deemed to be freely given considering the subordination nature of the employer-employee relationship.

Failure to implement appropriate organisational and technical measures to ensure that all individuals acting under the controller’s authority and who have access to personal data will processes such data based only on the controller’s request, as well as to ensure the protection of processed data against unlawful processing, accidental loss, destruction or damage. This has led to a data security breach that affected personal data of 1058 data subjects.

Failure of the controller to implement sufficient security measures in order to ensure the confidentiality of processed personal data has led to unauthorised disclosure of personal data of an employee of the controller (i.e. name, surname, address, ID number and series, personal identification number, information related to the request regarding the termination of the employment relationship) to third parties, on a social media platform (i.e. Whatsapp).

The sanctions were imposed following a complaint alleging that the controller illegally processed the data of the petitioner - data subject for marketing purposes although the contractual relationship has been terminated and the data subject has withdrawn his consent for the processing of his personal data once the contractual relationship with the controller has ended. Moreover, the controller contacted the data subject by phone, although the data subject has previously exercised the right of opposition.

Illegal data processing and failure to implement adequate technical and organizational data in order to secure the processed data and to prevent unauthorized access to the personal data (i.e. name, surname, parent's name, domicile address, personal identification number, ID number and series, home address, place of travel, purpose of travel, signature) on the website declaratieppr.ro (belonging to the controller). The controller failed to provide the supervisory authority with any evidence showing that it provided information to the data subjects about the processing of their personal data, collected on the website mentioned above.

The sanction imposed by the supervisory authority was triggered by the failure of the controller to observe the transparency and accuracy principles while processing personal data of its client-data subject, such processing being carried out without legal basis under GDPR.  The supervisory authority found during its investigation that the controller unlawfully processed the personal data of the data subject – controller’s client, by erroneously assigning to the respective data subject the quality of guarantor, processing outdated data, and disclosing personal data in notification procedures  carried out through a bailiff, that concerned the arrears of a credit agreement of a legal entity – client of the controller, with which the data subject concerned had no relationship.

The controller has failed to respond to the supervisory authority’s requests. The investigation of supervisory authority was triggered by a complaint of a data subject alleging that the controller publically displayed the payment lists detailing the name and surname of each member of the Association of apartment owners. The petitioner also complained about the posting of a defamatory document in which his personal data (name and surname) were mentioned.

The controller erroneously sent the invoices of some customers to the e-mail addresses of third parties. This led to the unauthorized access to certain personal data of the controller’s customers, such as: name, surname, telephone number, customer code, address. The supervisory authority concluded that the failure of the controller to implement adequate security measures in order to ensure the confidentiality of personal data has led to the unauthorised disclosure of personal data of controller's customers.

The controller has failed to respond to the supervisory authority’s requests. The investigation of supervisory authority was triggered by a complaint of a data subject alleging that the controller illegally processed the personal data (i.e. telephone number), by repeatedly contacting by telephone the respective data subject, without prior consent.

On 11 February 2021 the Dutch Data Protection Authority imposed a fine of EUR 440,000 on Amsterdam hospital OLVG for having no sufficient measures in place to prevent access to medical records by unauthorized personnel and therefore infringing article 32 (1) GDPR.
An investigation was started after the DPA received several complaints of potential violations. The DPA concluded that OLVG systematically failed to adequately safeguard access to medical records and identified violations with regard to (1) authentication and (2) verification of logging.

Two-factor authentication was only implemented to log on from outside of OLVG’s network and personnel could stil have access within the OLVG network by using a username and password, which provided immediate access to all medical records. “Single sign-on” appeared to be enabled making this full access possible. The hospital stated moreover wrongly to be compliant with the applicable NEN standards in its privacy policy.

Hospitals are obliged to check which medical files have been consulted by whom and to check the logging on a regular basis, in order to be able to identify unauthorized access and to take measures accordingly. OLVG did not check and verify the logging often enough to the opinion of the Dutch DPA.
During the investigations of the DPA, OLVG implemented additional security measures, including two-factor authentication within its network and monitoring of logging on a structural basis.

However, the Dutch DPA concluded that OLVG violated Article 32(1) of the GDPR by failing to comply with the requirements for two-factor authentication and regular monitoring of logging for almost a year from May 2018, with a fine of EUR 440,000 as result. OLVG declared not to appeal this decision.

On February 7, 2019, Booking notified the AP of a personal data breach (data breach) done. An unknown third party had gained access to a Booking system by pretending to be an employee of Booking at multiple accommodations. Here are the personal data of several parties involved. Booking.com was informed of the data breach on 13 January 2019, but did not report the breach to the DPA until 7 February, which is 22 days too late: data breaches must be reported within 72 hours where feasible. On 4 February 2019 Booking.com informed the affected customers of the breach. The company also took other measures to limit the damage, such as offering to compensate any losses.

The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of € 600,000 on the Municipal Executive of Enschede.

The Municipal Executive of Enschede has processed personal data of owners/users of mobile devices with Wi-Fi turned on in the city center of Enschede without any legal basis. There are sensors in the city center of Enschede that collect data from those people walking by who have turned on the Wi-Fi on their phone.

The AP concludes that the combination of MAC address and location data and
the combination of pseudonymised MAC address and location data on the sensor from May 25, 2018 to April 30, 2020 and in the short-term and long-term table until January 1, 2019 qualify as personal data within the meaning of the GDPR.

The Dutch Data Protection Authority (AP) imposes a fine of 7,500 euros on the Party for Freedom (PVV) Overijssel. The PVV Overijssel receives this fine because the party has not reported a data breach to the AP. This data breach has leaked people's political views.

The data breach originated via an e-mail about a grassroots meeting. In it, 101 addressees were referred to as 'friends of the PVV'. Due to a mistake by a group employee, the e-mail addresses (and therefore usually the names) of the recipients were visible to everyone who received the invitation. As a result, the political views of the addressees are shared.

In this case according to the principle of proportionality the AP considers the financial capacity of the PVV Overijssel limited and concludes that the PVV Overijssel cannot financially bear the fine of € 525,000. On this basis, the AP sees reason to reduce the fine. The AP considers a fine of € 7,500 appropriate in this case.

The PVV Overijssel does indicate that it has taken measures to prevent such a data breach in the future.

The Dutch Data Protection Authority (AP) has decided to impose Locatefamily.com an administrative fine of € 525,000, because Locatefamily.com does not have fulfilled the obligation to designate a representative in the European Union (EU) in writing in the period from May 25, 2018 to the present. Locatefamily.com therefore has violated Article 27, first paragraph, in conjunction with Article 3, second paragraph, of the GDPR.

The AP also decided to impose a penalty order on Locatefamily.com, in order to undo this continuing violation. Locatefamily.com must comply with the obligation as described in Article 27 of the GDPR and to designate a representative in the EU in writing within twelve weeks after the date of and with due observance of this decision. In the event that Locatefamily.com does not comply with the order within this period, Locatefamily.com forfeits a penalty payment of € 20,000 for every two weeks after the end of the beneficiary period, up to a maximum amount of € 120,000.

The CP&A absenteeism registration contained highly sensitive information about the physical and/or mental health of employees. Such as the names of diseases, specific complaints and indications of pain. Health data are special personal data that require extra protection. With knowledge of a person's physical and emotional state, an employer could make judgments or decisions that have a major impact on an employee. It is not necessary for an employer to process this information for the reintegration of employees. Everyone has the right to keep it to themselves as much as possible. That also applies to employees. However, an employee may feel obliged to provide that information to his employer.

Application of the principle of proportionality may inter alia play in the accumulation of sanctions and the capacity of the responsible data processor. In this case initially the AP sets the fine for violation of Article 9, first paragraph, of the GDPR at € 725,000. And for the violation of Article 32, first paragraph, of the GDPR, the AP sets the fine at € 310,000. CP&A has invoked limited financially capacity. Based on the at that moment known financial knowledge the AP considers the financial capacity of CP&A to be limited, as a result of which the AP is up to the conclusion that CP&A cannot afford the fine of €1,035,000 financially. On this basis, the AP sees reason to reduce the fine. The AP is of the opninion a fine of € 15,000 appropriate in this case.

Application of the principle of proportionality may inter alia play in the accumulation of sanctions and the capacity of the responsible data processor. In this case initially the AP sets the fine for violation of Article 9, first paragraph, of the GDPR at € 725,000. And for the violation of Article 32, first paragraph, of the GDPR, the AP sets the fine at € 310,000. CP&A has invoked limited financially capacity. Based on the at that moment known financial knowledge the AP considers the financial capacity of CP&A to be limited, as a result of which the AP is up to the conclusion that CP&A cannot afford the fine of €1,035,000 financially. On this basis, the AP sees reason to reduce the fine. The AP is of the opninion a fine of € 15,000 appropriate in this case.

AP Vice-President Monique Verdier: 'When you register with an orthodontist, you provide a combination of personal data in confidence. These data are necessary for orthodontic practice, but are also very interesting for criminals. Taking good care of your patients also means taking good care of your patients' personal data. That does not only apply to large healthcare organisations, but also applies to every healthcare provider.'

UWV fined for poor security when sending group messages. The Dutch Data Protection Authority (AP) imposes a fine of € 450,000 on the Employee Insurance Agency (UWV). The UWV had not properly secured the sending of group messages via the so-called 'My Work Folder' environment. This is a personal environment on the UWV website, where job seekers have contact with the UWV. As a result, there were several data breaches of personal data, including health data.

Between August 2016 and the end of 2018, the process for sending group messages via the My Workbook environment was not properly secured. The data leaks happened 9 times in that period, with a total of the data of more than 15,000 people ending up with the wrong recipients. As a result, files containing a multitude of personal data of job seekers ended up with the wrong recipients, namely in the My Work Folder environment of other job seekers.

The information that Dutch users – mostly young children – received from TikTok when installing and using the app was in English and therefore not easy to understand. By not offering the privacy statement in Dutch, TikTok did not adequately explain how the app collects, processes and further uses personal data. This is contrary to privacy legislation, where the basic principle is that it must always be clear what happens to your personal data.

The first notification to the AP took place on November 21, 2017. On the same day, Uber issued a news item about the data breach on its website. More than 57 million Uber users worldwide were affected by this data breach, including approximately 174,000 Dutch people. It concerned personal data such as names, e-mail addresses and telephone numbers of customers and drivers.

In July 2019, the ICO issued a notice of its intention to fine British Airways £183.39 million for a breach of Art. 32 GDPR. The proposed fine related to a cyber incident in 2018, where users searching for the British Airways website were diverted to a fraudulent website. The website harvested  personal data of approximately 500,000 customers. The ICO’s investigation found that different types of personal data were compromised due to poor security arrangements at BA. Some of the personal data compromised included log in, payment card, and travel booking details as well names and addresses. The ICO subsequently reduced the final fine to £20 million (approximately €22,046,000) further to represenations from BA, subsequent review of the case and other factors such as the economic impact of the COVID-19 pandemic on the aviation industry.

The ICO issued a notice of its intention to fine Marriott International Inc for a breach of Art. 32 GDPR relating to a cyber incident in November 2018. Personal data belonging to approximately 339 million guest records globally were exposed by the incident, of which 7 million were UK residents. It is believed the vulnerability began when the systems of the Starwood Hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems. On 30 October 2020, the ICO announced its final decision to impose a fine of £ 18.4 million (approximately €20.4 million) on Marriott International Inc. In its decision, the ICO outlined various factors that influenced its calculation of the fine, which included Marriott's lack of prior violations and the fact that Marriott had fully cooperated with the investigation. In addition, the ICO noted that the fine was in line with other fines imposed by other European data protection authorities.

The company had stored approximately 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building. The company failed to protect these documents from the elements, resulting in water damage to the documents in breach of Art.32 GDPR

Ticketmaster UK Limited was fined  £1.25 million (approximately  €1.405 million) for failing to protect the personal data of its customers with adequate security measure, as required by Art.32 GDPR. Potentially 9.4 million European customers were affected by a cyber attack that occured between February 2018 and June 2018. The attack originated from an unsecured chat bot hosted by a third party on its online payment site. This arrangement allowed an attacker to gain access to customers' financial information, such as names, full payment card details and Ticketmaster log in details.

The DPA found that 60,000 payment cards belonging to Barclays Bank customers were subject to fraud, and several international banks also reported fraudulent activity to Ticketmaster. This was deemed to be a breach of Art 5(1)(f).

The ICO conducted an investigation after it received a report of a data breach from an internal email group. The ICO found that the group was created with sufficiently secure settings, resulting in approximately 780 pages of confidential emails being viewable online for nearly 3 years. The ICO subsequently fined the organisation £25,000 for breaches of Arts. 5(1)(f) and 32 GDPR.