
The database contains a total of 227 GDPR fines across the EU and beyond that have been submitted so far by rapporteurs.



Country & Fine Details | Infringement Articles | Reason Overview | Reason Details | Link
Country: Czech Republic
Organization: UniCredit Bank Czech Republic and Slovakia, a.s.
Amount: CZK 80 000
Date: 2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Articles: Art. 5 (1) a) GDPR, Art. 5 (1) b) GDPR, Art. 5 (1) f) GDPR, Art. 6 (1) GDPR
Reason: Insufficient legal basis for data processing

The bank opened a personal bank account for a data subject without their consent or knowledge. The bank allegedly had the data subject's personal data at its disposal because the data subject had access to their employer's company account. The bank was not in a position to provide the Czech Data Protection Authority with the documents necessary to prove that a contract with the data subject had been concluded.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Natural person (entrepreneur)
Sector: Private Sector
Amount: 980 €
Date: 2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Articles: Art. 5(1) f) GDPR, Art. 5 (2) GDPR, Art. 28 (3) GDPR, Art. 32 GDPR
Reason: Insufficient technical and organisational measures to ensure information security

The operator of an online game was exposed to multiple DDoS attacks, which caused its servers to malfunction. The attacker blackmailed the operator, stating that the attacks would not stop unless the operator paid. As part of the blackmail, the attacker offered to build an upgraded and better firewall for the operator's servers. The operator agreed and paid the attacker. The operator deployed the attacker's new code, which performed better than the old one but contained a "backdoor". The attacker used the backdoor to steal all the data about the players from the server and uploaded these details to his website. The Czech Data Protection Authority concluded that the operator had not taken proper security measures.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Denmark
Organization: IDdesign A/S
Sector: Furniture
Amount: 200.850 €
Date: 03.06.2019
INPLP Partner: NJORD Advokatpartnerselskab
Articles: Art. 5 (1) e) GDPR, Art. 5 (2) GDPR
Reason: Failure to comply with the principle of storage limitation - Proposed fine

October 2018: The Danish Data Protection Authority completed a planned inspection visit to a furniture company. The inspection focused on the limitation of storage according to Article 5(1)(e) GDPR. The company implemented a new computer system in several of its furniture stores in Denmark. In three of the stores however, the old system was still being used, which meant that information on approximately 385,000 customer names, addresses, telephone numbers, e-mail addresses and purchasing history was processed. The furniture company had not assessed the need for data storage and had not set any retention periods. Consequently, the personal data was never deleted from the old system. The company had set a deadline for the anonymisation of customer information, which was set to 912 days (corresponding to the guarantee period). However, the deadline for anonymisation had not yet been implemented because the data controller had not sufficiently documented his procedures for deleting the personal data. The Danish Data Protection Authority reported the company to the police and proposed a fine of DKK 1.5 million (approx. EUR 201,000) for non-compliance with the principle of storage limitation, cf. Art. 5(1)(e), as the company had stored the personal data of approx. 385,000 customers for longer than the Danish Data Protection Authority considered necessary. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), fines are imposed by the courts.

Authority: Danish Data Protection Authority (Datatilsynet)

Link
Country: Denmark
Organization: Taxa 4x35
Sector: Taxi business
Amount: DKK 1,2 million
Date: 18.03.2019
INPLP Partner: NJORD Advokatpartnerselskab
Articles: Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR
Reason: Non-compliance with general data processing principles and principles of data minimisation - Proposed fine

In October 2018, the Danish Data Protection Authority notified the police about a taxi company and proposed a fine (of DKK 1.2 million) for non-compliance with the principle of data minimisation. According to the taxi company, the stored personal data of customers should be anonymised after two years. However, the company deleted the names of its passengers from all its records after two years, while the passengers' telephone numbers were deleted only after five years. Information on the consumer behaviour of the customers, such as the pick-up and return points, could therefore be attributed to a private person up to five years after a taxi tariff. The taxi company had registered information on 8,873,333 personally identifiable taxi tariffs that were older than two years. The taxi company argued that the storage of its customers' telephone numbers was important with regard to access to the company's database and for business development. The Danish Data Protection Authority reported the taxi company to the police and proposed a fine of DKK 1.2 million (approx. EUR 160,000). The Danish Data Protection Authority stated that business development was not a legitimate reason to keep personal data for such a long period of time. The Danish Data Protection Authority concluded that a data controller may not set a deadline for deletion that is three years longer than necessary simply because the company's system makes it difficult to comply. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), penalties are imposed by the courts.

Authority: Danish Data Protection Agency (Datatilsynet)

Link
Country: Greece
Organization: PriceWaterhouseCoopers Business Solutions SA (PWC BS)
Sector: Private / Business Consultancy
Amount: 150.000 €
Date: 26.07.2019
INPLP Partner: Zepos & Yannopoulos
Articles: Article 5 par. 1(a), Article 5 par. 2, Article 6 par. 1(a)
Reason: Unlawful and non-transparent processing of employees' personal data and failure to demonstrate compliance

The fined company had requested the consent of its employees for the processing of their personal data, for the transfer of their personal data to third parties (including customers) and for the use of video surveillance in the workplace. The Greek Data Protection Authority found that PWC BS was in breach of the following provisions:
- Article 5(1)(a) (lawfulness), for unlawfully processing workers' data on the basis of consent, which does not constitute an appropriate legal basis for such processing activities and which, in any event, was not valid because it was not given voluntarily;
- Article 5(1)(a) (fairness and transparency) and Article 6(1)(a), for giving data subjects in dependent employment the false impression that the basis of the processing was consent, although this should not have been the case;
- Article 5(2), because compliance could not be demonstrated and the burden of proof was transferred to the data subject.

Authority: HELLENIC DATA PROTECTION AUTHORITY

Additional Information:

Link 2

Link
Country: Greece
Organization: Hellenic Telecommunications Organization S.A. (OTE)
Sector: Private / Telecommunications
Amount: 200.000 €
Date: 13.09.2019
INPLP Partner: Zepos & Yannopoulos
Articles: Article 25 par. 3, Article 5 par. 1(d); (also non-GDPR) Article 11 of Greek Law 3471/2006 (implementing the ePrivacy Directive)
Reason: Violation of data protection by design and the principle of data accuracy

Article 11 of Law 3471/2006 mandates that every telecoms provider maintain a "subscriber directory" with the numbers of all data subjects who do not wish to receive unsolicited marketing calls. Consequently, companies that wish to make direct marketing calls must exclude these numbers from their lists. Due to a system error, OTE had failed to communicate the entire directory to the marketing companies, so that many data subjects who had opted out of marketing received unsolicited promotional calls. Following a series of complaints by individuals, the Hellenic DPA decided to impose an administrative fine due to the high number of data subjects affected (approximately 16,000) and the long duration of the violation (approximately 3 years).

Authority: HELLENIC DATA PROTECTION AUTHORITY

Link
Country: Greece
Organization: Hellenic Telecommunications Organization S.A. (OTE)
Sector: Private / Telecommunications
Amount: 200.000 €
Date: 30.09.2019
INPLP Partner: Zepos & Yannopoulos
Articles: Article 25 par. 3, Article 21 par. 3
Reason: Breach of data protection by design and failure to effectively comply with the data subject's right to object to processing for direct marketing purposes

Following complaints from data subjects, the Greek data protection authority investigated whether OTE had sufficient technical and organisational measures to comply with data subjects' requests not to receive promotional material from OTE. The organisation had an 'unsubscribe' link in the e-mails sent to customers and on its website. However, due to a technical error, even when data subjects clicked the 'Unsubscribe' button, their contact details were not removed from the register and they continued to receive the promotional material. Because OTE did not have the organisational and security measures necessary to identify and resolve the technical problem, it persisted for a long period of time (since 2013) and affected a large number of people (approximately 8,000), so the data protection authority imposed an administrative penalty.

Authority: HELLENIC DATA PROTECTION AUTHORITY

Link
Country: Italy
Organization: Associazione Rousseau - Movimento 5 stelle (Italian political party)
Sector: Public sector - political association
Amount: 50.000 €
Date: 04.04.2019
INPLP Partner: R&P legal
Articles: Art. 32 GDPR
Reason: This fine concerns insufficient technical and organisational measures

The Rousseau platform, created by the Italian political party "Movimento 5 Stelle" ("5 Stelle"), on which registered users could, among other things, designate candidates for the EU parliamentary election, suffered a data breach in summer 2017. This led the Italian data protection authority ("Italian DPA") to require 5 Stelle to implement a number of security measures, in addition to updating its privacy information notice in order to guarantee the transparency of the data processing activities performed. While the privacy information notice was updated in time, the Italian DPA found that the security measures required by the GDPR had not been implemented. In particular, the Italian DPA ascertained that log file tracking was not active for all sections of the Rousseau platform; moreover, the website was managed through a system administrator account shared among 5 people, which made it impossible for the data controller to monitor the activities of each person involved in the processing. This was qualified as very serious and unacceptable, given that those persons could access special categories of personal data, such as data on political opinions. Finally, the security measures aimed at anonymising the activities performed through the e-voting system were also considered inadequate.

Authority: Italian Data Protection Authority

Link
Country: Malta
Organization: Lands Authority
Sector: Public Sector
Amount: 5.000 €
Date: 18.02.2019
INPLP Partner: Malta IT Law Association
Articles: Art. 5 GDPR, Art. 32 GDPR
Reason: Insufficient technical and organisational measures to ensure information security

Due to the lack of necessary security measures on the Lands Authority's website, a local newspaper reported that over 10 gigabytes of personal data had been rendered accessible via a Google search. It was reported that the data contained sensitive correspondence between individuals and the Authority itself. In Malta, if a public authority or public body is found to be in breach of data protection laws, the Data Protection Commissioner can impose an administrative fine of up to EUR 25 000 for every violation, in addition to a daily fine of EUR 25 for as long as the violation subsists. In this case the Lands Authority did not appeal the IDPC's decision.

Authority: Office of the Information and Data Protection Commissioner (IDPC)

Link
Country: Malta
Organization: No information available
Sector: Private Sector
Amount: € 19.500
Date: 2018
INPLP Partner: MITLA
Articles: No information available
Reason: No information available

No information available

Country: Malta
Organization: No information available
Sector: No information available
Amount: 10.000 €
Date: 2019
INPLP Partner: MITLA
Articles: No information available
Reason: No information available

No information available

Country: Portugal
Organization: Centro Hospitalar Barreiro Montijo, EPE
Sector: Public Sector
Amount: 400.000 €
Date: 09.10.2018
INPLP Partner: Abreu Advogados
Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Reason: Insufficient technical and organisational measures to ensure information security and violation of the data minimisation principle

The public hospital violated the principle of data minimization by granting access to an excessive amount of data and violated the obligation to take appropriate organizational and technical measures.

Authority: Portuguese Data Protection Authority (CNPD)

Link
Country: Portugal
Organization: Car brand
Sector: Private Sector
Amount: 20.000 €
Date: 05.02.2019
INPLP Partner: Abreu Advogados
Articles: Article 15
Reason: Insufficient fulfilment of data subjects' rights

Violation of the data subject's right of access to their personal data. In particular, the data subject was denied the right of access to recorded telephone conversations.

Authority: Portuguese Data Protection Authority (CNPD)

Link
Country: Portugal
Organization: Private Entity
Sector: Private Sector
Amount: 2.000 €
Date: 19.03.2019
INPLP Partner: Abreu Advogados
Articles: Art. 13 GDPR
Reason: Inadequate fulfilment of information obligations

Inadequate fulfilment of information obligations, due to the absence of signage indicating the use of CCTV systems.

Authority: Portuguese Data Protection Authority (CNPD)

Link
Country: Portugal
Organization: Private Entity
Sector: Private Sector
Amount: 2.000 €
Date: 25.03.2019
INPLP Partner: Abreu Advogados
Articles: Art. 13 GDPR
Reason: Insufficient fulfilment of information obligations

Insufficient fulfilment of information obligations due to the lack of signage indicating the use of CCTV systems.

Authority: Portuguese Data Protection Authority (CNPD)

Link
Country: Portugal
Organization: Deco Proteste Editores, Lda
Sector: Public Sector
Amount: 107.000 €
Date: 06.05.2019
INPLP Partner: Abreu Advogados
Articles: Art. 6 GDPR
Reason: Inadequate fulfilment of the requirements for sending unsolicited direct marketing communications

Sending unsolicited e-mails for direct marketing and/or advertising purposes without prior consent

Authority: Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados "CNPD")

Link
Country: Austria
Organization: Austrian Post AG (Österreichische Post AG), mail service provider
Sector: Private Sector
Amount: 18.000.000 €
Date: 29.10.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Articles: Art. 5 GDPR, Art. 6 GDPR
Reason: Monetary fine because of the inadequate legal basis for data processing

The Austrian Post AG had generated profiles of a large number of Austrians. These profiles contained various personal data, including in particular their possible party affinities, personal preferences and habits, which were later sold to political parties and companies. The provider had claimed that the profiles were merely statistical predictions and had no personal reference. The DPA rejected this argument and determined that the processing was in breach of the GDPR. Further violations of data protection law were also found in connection with data on parcel deliveries and data on the frequency of movement of persons used for direct marketing. In connection with this case, a civil court judgement has already been handed down on a claim for damages in the amount of 800 €. The data subject, whose party affinity was processed, had not given consent to the processing and was not informed about the data processing by the controller (LG Feldkirch, Urteil v. 07.08.2019 - Az.: 57 Cg 30/19b). The decision is not yet final and the provider has appealed it.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Link
Country: Austria
Organization: A medical ambulatory, whose corporate purpose includes in particular the diagnosis and therapy of allergic diseases
Sector: Private Sector
Amount: 50.000 €
Date: 30.08.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Articles: Art. 7 GDPR, Art. 13, 14 GDPR, Art. 35 GDPR, Art. 37 GDPR
Reason: Monetary fine because of several infringements

The medical ambulatory had violated the obligation to appoint a data protection officer. It unlawfully obliged the persons concerned to give their consent and did not correctly comply with the duty to provide information on several points. Finally, the allergy outpatient clinic did not fulfil, to the necessary extent, its duty to examine whether data protection impact assessments needed to be carried out.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Link
Country: Cyprus
Organization: Archbishop Makarios III Hospital
Sector: Hospital/Health Industry
Amount: 15.000 €
Date: 07.11.2018
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 15, 24 and 32 of the GDPR
Reason: Loss of patient file by the hospital

The patient complained to the Commissioner about the lack of protection of personal data. The complainant did not have access to her medical file from the Archbishop Makarios III Hospital because the file could not be found by the data controller. Following the investigation of the case, the Data Protection Authority imposed an administrative fine of €5,000 on the Archbishop Makarios III Hospital for the loss of a medical file.

Authority: Hospital/Health Industry

Link
Country: Cyprus
Organization: Politis Newspaper
Sector: Newspaper/News publishing
Amount: 10.000 €
Date: 09.01.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Article 5(1)(c) and 6 of the GDPR
Reason: Publication of names and photographs of police investigators at Larnaca Airport by Politis newspaper

A newspaper was fined 10,000 euros for publishing the names and pictures of three police investigators in both electronic and physical form. The Cypriot data protection commissioner believed that it would have been sufficient to publish only the initials of the police officers or photos where the three officers could not be identified, for example by using blurred faces.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Link
Country: Cyprus
Organization: Breikot Management Ltd
Sector: News outlet/Publishing
Amount: 13.000 €
Date: 12.04.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Article 5(1)(c) and 6 of the GDPR and Article 29(1) of the local Data Protection Law 125(I)2018
Reason: Publication of photographs of individuals in the printed form of "24h" newspaper

Following the publication of the photographs of three (3) of the five (5) complainants in three (3) of the four (4) news articles published, the Commissioner ruled that there was a violation of the principle of data minimisation and that the publication was excessive in relation to the objective pursued, since the news could have been published without the photographs of the complainants. The publication of the photographs did not serve the public interest in information and was not considered necessary under the principle of data minimisation; furthermore, it did not convey any additional valuable public information. As the subject is of journalistic interest, the complainants' family business is still entitled to carry out public works, even after the criminal conviction of one of them on a relevant matter.

Authority: News outlet/Publishing

Link
Country: Cyprus
Organization: Sigma Live Ltd
Sector: Publications/News outlet/Media House
Amount: 5.000 €
Date: 12.04.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Article 6(1)(a) of the GDPR
Reason: Sigma Live Ltd had published and processed the complainant's personal data without their prior consent.

During the media coverage of the abduction of two minor children from their school, a complaint was filed with the DPA against Sigma Live Ltd for showing the complainant in a video originally screened on the SIGMA TV channel and subsequently posted on www.sigmalive.com as well as on the official Sigma Live YouTube account. The complainant was the person who helped identify the perpetrator and the abducted students; despite the complainant's expressed wish to remain anonymous, the video in question did not blur the complainant's face, which was clearly visible, and the complainant was shown and characterised as the "informant" who helped solve the case.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Link
Country: Cyprus
Organization: Altius Insurance Ltd
Sector: Insurance Company
Amount: 4.000 €
Date: 13.03.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Article 6(1)(a) of the GDPR
Reason: Unauthorised SMS advertising material sent to non-customers.

The DPA received 8 complaints from people claiming to have received SMS messages from Altius Insurance Ltd. without their consent and without any prior business relationship with the insurance company. The company stated that the phone numbers used for the broadcast were randomly generated by a software tool. The Commissioner for Personal Data Protection pointed out that telephone numbers, even if randomly selected, constitute personal data as long as the holder of the telephone number is easily identifiable.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Link
Country: Cyprus
Organization: Skroutz.com.cy
Sector: Marketing Sector
Amount: 3.400 €
Date: 28.03.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: The full text of the decision is not available, therefore the exact infringed articles are unknown.
Reason: Unauthorised promotional material e-mailed to individuals.

Six people complained to the DPA because they received promotional e-mails without their consent and/or despite explicit requests not to receive promotional e-mails from the Skroutz.com.cy website. Five of the complainants had asked to stop receiving messages, via the "unsubscribe" link and/or by e-mail to the website moderator, without success. The webmaster provided evidence that one of the complainants had purchased products from the website. However, there was no clear information on how the addresses of the other complainants were obtained. The webmaster claimed that the complainants continued to receive messages despite their requests to unsubscribe because of a change in the e-mail messaging platform.

Authority: Website

Link
Country: Cyprus
Organization: Democratic Party
Sector: Political Party
Amount: 3.000 €
Date: July - September 2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 6(1)(a) and 21 of the GDPR
Reason: Unauthorised use of direct phone calls to individuals.

Four complainants alleged that the Democratic Party had sent them SMS messages and had also harassed them by telephone. When the complaints were investigated, it emerged that only the telephone harassment was at issue. In the case of two of the complainants, there was a legitimate interest in the use of their personal data, since they were members of the political party in question (Article 6(1)(f)). In the case of the other two complainants, the political party had failed to demonstrate the consent of the data subjects under Article 6(1)(a).

Authority: Political Party

Link
Country: Cyprus
Organization: Anonymous individuals
Sector: Unknown
Amount: 2.000 €
Date: July - September 2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 6(1)(a) and 5 of the GDPR
Reason: Unauthorised processing of personal data for purposes other than those originally intended. Unauthorised sending of messages to individuals.

Two complainants alleged that a certain person had sent them greeting messages. As regards the first complainant, the accused had previously been warned and had promised that, although the complainant was on his personal contact list, the complainant would not receive any further greetings. Nevertheless, the first complainant had again received a message. In the second case, it was established that the complainant had no personal contact or relationship with the accused person and had nevertheless received a greeting message. The complainants' telephone numbers had come into the possession of the accused person for another purpose and were then also used to send greetings.

Authority: Unknown

Link
Country: Cyprus
Organization: Auctioneer
Sector: Auctions
Amount: 2.000 €
Date: 12.09.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 6(1)(a) and 6(4) of the GDPR
Reason: Breach of personal data by auctioneer

The complainant claimed that a certain auctioneer had called them and offered to find a buyer for a property for which they had already initiated an auction under the legislation. This auctioneer was not the designated auctioneer.

Authority: Auctions

Link
Country: Cyprus
Organization: City Councilor of Aglantzia Municipality
Sector: Municipality
Amount: 1.000 €
Date: 25.09.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 5(1)(b) and 6(1)(a) of the GDPR
Reason: Unauthorised processing of personal data by City Councilor

Employees of the municipality noticed that a list of their personal data (such as names, jobs and pay slips) had been leaked and distributed both in public places (e.g. a café) and in places used by municipal officials (e.g. warehouses, canteens, etc.). The leak had a negative impact on the complainants, as the disclosure of their data, and especially their pay slips, led to gossip, contempt and mockery from villagers and others. The City Council's act of handing over the list to an administrator of the Water Department for its own use amounted to further processing that did not correspond to the original purpose of the list, which was for the City Council to discuss, in one of its meetings, the workers who were to be transferred to the Nicosia Water Department.

Authority: Municipality

Link
Country: Cyprus
Organization: Individual Doctor
Sector: Health Professional/Medical services
Amount: 14.000 €
Date: 06.09.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 9(1) and 9(2)(a) of the GDPR
Reason: The posting of a patient's sensitive personal data on Instagram by a doctor

The complainant alleged that her doctor had published and/or shared her personal data on Instagram without her consent. After investigating the complaint, the DPA found that the publication was not in line with the purpose of the consent given by the complainant, since her identity had been fully disclosed.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Link
Country: Norway
Organization: Oslo Municipality
Sector: Public services
Amount: 51.000 €
Date: 11.10.2019
INPLP Partner: Gjessing Reimers
Articles: Art. 32 GDPR
Reason: Monetary fine

From 2007 to November 2018, 19 nursing homes operated by the Municipality of Oslo stored patient data outside the patient journal system in the form of work lists describing the medical needs of the residents (i.e. patient data). The violation of the Data Protection Act was reported to the Municipality of Oslo by the data controller. The fine was calculated according to the practice of the former Norwegian Personal Data Act.

Authority: Norwegian Data Protection Authority (Datatilsynet)

Link
Country: Norway
Organization: Bergen Municipality
Sector: Public services
Amount: 170.000 €
Date: 18.03.2019
INPLP Partner: Gjessing Reimers
Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Reason: Failure to implement sufficient measures to ensure information security

The municipality had taken only minor security precautions to protect its computer systems. As a result, the personal data of more than 35,000 people became publicly available. At a few schools, everyone could access information about the staff, students and employees of the school. Furthermore, the municipality had previously received warnings about the weakness of its security measures but did nothing about it.

Authority: Norwegian Data Protection Authority (Datatilsynet)

Link
Country: The Netherlands
Organization: Haga Hospital
Sector: Hospital
Amount: 460.000 €
Date: 18.06.2019
INPLP Partner: Cordemeyer & Slager
Articles: Art. 32 GDPR
Reason: Lack of technical and organisational measures to ensure information security

An investigation by the Dutch data protection authority (AP) found that Haga Hospital lacked adequate internal security for patient files. The investigation followed the discovery that dozens of hospital staff had unnecessarily consulted the medical records of a well-known Dutch person. To force the hospital to improve the security of patient files, the AP also issued a penalty order: if Haga Hospital had not improved security by 2 October 2019, it would have to pay 100,000 euros every two weeks, up to a maximum of 300,000 euros. Haga Hospital has since taken measures.

Authority: Dutch Supervisory Authority for Data Protection (AP)

Link
Country: Slovakia
Organization: Dopravný podnik Bratislava, joint stock company
Sector: The only public transport provider in the city of Bratislava, in addition to public transport, it also operates suburban lines and regular international bus lines. DPB operates trolleybus, bus and tram services.
Amount: 1.000 €
Date: 06.02.2019
Articles: Article 15 section 1 and 3 of the GDPR in conjunction with Article 12 of the GDPR
Reason: Failure to comply with the proposer's request to exercise his right of access to his personal data processed through audiovisual recording media and to provide a copy thereof

After examining the complete file, in particular the proposer's proposal and the parties' observations, the Office found that DP, as the controller processing the personal data of the persons concerned by monitoring them by audio or video recording in public transport vehicles, infringed Article 15 section 1 and section 3 by failing to comply with the request made by the proposer as a data subject by e-mail on 18.06.2018 and again on 14.07.201 regarding the exercise of his right of access to his personal data, thereby violating the proposer's right of access to personal data.

Additional Information:

The Office states that the amount of the fine is affected by the fact that the infringement was found in respect of only one data subject; the Office did not find a repeated violation of GDPR provisions in relation to another data subject regarding the processing of passengers' personal data by audio or video recording. DP cooperated with the Office, which acts as the supervisory body. Taking into account these circumstances, which the Office assessed individually and in their mutual relationship, the Office imposed a fine of EUR 1000 on the DP operator. In the light of all the circumstances of the case, the Office considers the fine appropriate in both punitive and preventive terms.

Country: Slovakia
Organization: FERPLAST SLOVAKIA, Limited Liability Company
Sector: The company specializes in the production of pet supplies for dogs, cats, fish, birds and more
Amount: the personal data proceedings have been suspended
Date: 29.04.2019
Articles: Article 5 section 1 letter f) GDPR
Reason: The company was suspected of having, as the employer of employee xy, violated the protection of the employee's personal health data.

Having examined the documents submitted by the data controller and on the basis of the facts established during the proceedings, the Authority concluded that the proceedings did not reveal any infringement of personal data protection allegedly consisting in the fact that the company FERPLAST SLOVAKIA, l.l.c. provided a medical certificate of fitness for work to its employees with a job title which does not entitle them to know personal data to the extent that was disputed, and the Office therefore closed the proceedings.

The company FERPLAST SLOVAKIA s.r.o. was suspected of having violated, as the employer of employee xy, the protection of the employee's personal health data by providing the data contained in the medical evaluation of fitness for work to employees of FERPLAST SLOVAKIA s.r.o. with a job title that does not entitle them to know this information. After examination of the documents submitted by the data controller (instruction protocol of the entitled person, employment contract, medical opinion), the Office found that the employees had legitimate reasons to acquaint themselves with the personal data within the scope of the medical opinion in question.

Country: Slovakia
Organization: Ministry of Interior of the Slovak Republic
Sector: Central body of state administration for protecting the constitutional system, public order, security of persons and property and more
Amount: The Authority did not impose a measure to remedy the identified deficiencies
Date: 17.04.2019
Article 5 section 1 letter a) GDPR The Office for the Protection of Personal Data dealt with a complaint against the Ministry of the Interior of the Slovak Republic for an alleged violation of the legislation on the protection of personal data.

The Office for the Protection of Personal Data dealt with a complaint against the Ministry of the Interior of the Slovak Republic for an alleged violation of the legislation on the protection of personal data, which was said to have been committed by the publication of a decision of the Regional Court of Senica that was served by public notice. This decision also remained published beyond 15 days after its posting, and the personal data of the person concerned were thus processed without authorisation (without a legal basis). The Ministry of the Interior of the Slovak Republic cooperated with the Office and remedied the deficiencies voluntarily; the Office therefore did not consider it necessary to impose remedial measures on the controller.

Service by public notice is effected by posting the document on the official notice board of the administrative body for a period of 15 days, as provided by law. At the same time, the administrative body is obliged to publish the document simultaneously in another customary manner, and the controller had chosen to publish it on its website as well. The Office is of the opinion that the publication of a decision containing the personal data of the data subject on the website of the controller for a period longer than that specified (15 days) constitutes a breach of Section 9(1) of Law No 122/2013.

Country: Slovakia
Organization: Municipality Veľká Lomnica
Sector: The basic role of the municipality in the exercise of self-government is to care for the versatile development of its territory and the needs of its inhabitants
Amount: The Authority did not impose a measure to remedy the identified deficiencies
Date: 11.02.2019
Article 10 section 2 of the Act 122/2013 on personal data protection The municipality of Veľká Lomnica violated the proposer's right to protection against unauthorized disclosure of information about the proposer by publishing a statement containing the proposer's personal information.

The applicant signed a petition addressed to the municipal council of the municipality Veľká Lomnica. The applicant's personal data from the petition and the personal data of other residents were published on the official notice board and on the Municipality's website. The Office considered that the Municipality Veľká Lomnica had violated the law by unlawfully disclosing this information about the petitioner and other persons from its information system, since Act No. 85/1990 neither provides for a purpose of disclosing the personal data of the petition's supporters nor specifies a list of the personal data of the petition's supporters that may be disclosed. The Office did not impose any measures on the operator to remedy the deficiencies found, since the personal data in question are no longer published.

In the present proceedings, the Office did not agree with the Controller's view that it was obliged under Law No 85/1990 to publish the result of the petition in the way it did. The Office stated that the obligation to publish the result of the petition is without prejudice to obligations arising from a special regulation, and thus to the obligations under Law No 122/2013 on the protection of personal data. For this reason, the provisions of Law No 85/1990 do not constitute a legal basis that would allow the operator to disclose the personal data of the supporters of the petition contrary to the requirements of Law No 122/2013. Similarly, the Office considered that the right to invite other persons to support the petition by signature, and to collect signatures for that purpose in publicly accessible places, does not imply a power of the authority to which the petition is addressed to disclose information about the persons supporting it.

Country: Slovakia
Organization: Municipality Bratislava - Ruzinov district
Sector: The basic role of the municipality in the exercise of self-government is to care for the versatile development of its territory and the needs of its inhabitants
Amount: The Authority did not impose a measure to remedy the identified deficiencies
Date: 02.05.2019
Article 5 section 1 letter f) GDPR Bratislava Ruzinov City District delivered the decision to the applicant via an electronic mailbox that was not an entity authorised to receive the decision.

Proceedings were conducted on a presumed violation of the GDPR, which occurred because the data controller, the Municipality of Bratislava - Ružinov, delivered to the electronic mailbox of Owl & Crow Association Limited, l.l.c., a decision containing personal data (surname, first name, address, and the fact and content of the applicant's request for information), although that company was not entitled to receive the decision in question.

The decision of the Controller, Bratislava - Municipality of Ružinov, in proceedings on free access to information was delivered by the controller to the electronic mailbox of Owl & Crow Association Limited, l.l.c., to which the applicant, in the position of managing partner, had access. As there were two managing directors in this company, and therefore two natural persons acting as its statutory body, this procedure infringed Article 5(1)(f) of the GDPR, since the personal data were not processed in a manner that ensured adequate security and were exposed to unauthorised processing. In the course of the proceedings, the Office also examined whether it was appropriate to impose a fine for the established breach of the GDPR. The Office concluded that it would not impose a fine, in particular in view of the seriousness of the breach and the number of persons concerned.

Country: Czech Republic
Organization: Alza.cz a.s.
Amount: 588 €
Date: Unknown
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 6 (1) GDPR, Art. 7 (3) GDPR, Art. 12 (3) GDPR, Art. 29 GDPR Insufficient legal basis for data processing

The company obtained a copy of the data subject's photographic ID with his/her consent; however, it did not react to the withdrawal of that consent and continued to process his/her personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Unknown
Amount: 3.105 €
Date: 13.05.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 5 (1) a) GDPR, Art. 5 (1) b) GDPR, Art. 32 (1) GDPR Inadequate legal basis for data processing and inadequate technical and organisational measures to guarantee information security

The Czech Data Protection Authority found that the controller used personal data of his client without his knowledge to open a bank account and that he had therefore not complied with the purpose of the processing. Furthermore, the controller did not ensure sufficient control of compliance with the relevant internal rules on personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Public service company - employer
Amount: 194 €
Date: 06.05.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 15 (1) GDPR Insufficient fulfilment of data subjects rights

Despite the employee's e-mail request, the data controller did not provide him with information on the processing of his personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Anonymous
Amount: 9.704 €
Date: 21.03.2019
Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR Non-compliance with general data processing principles

The data were not adequate, relevant and limited to what is necessary for the purposes for which they are processed ('data minimisation'). Furthermore the data were not kept in a form which enables identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation').

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Anonymous
Amount: 582 €
Date: 28.02.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 5 (1) f) GDPR, Art. 28 (3) GDPR Insufficient technical and organisational measures to ensure information security

The data have not been processed in a way that ensures an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical or organisational measures ('integrity and confidentiality'). Furthermore, the controller has not concluded relevant agreements with processors concerning the processing of personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Anonymous
Amount: 776 €
Date: 26.02.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 15 (1) GDPR Insufficient fulfilment of data subjects rights

Despite their requests, the data controller has not provided the data subjects with information on the processing of their personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Car renting company
Amount: 1.165 €
Date: 04.02.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 5(1) a GDPR Insufficient fulfilment of information obligations

A person rented a car and found out that the car was being tracked by the rental company using GPS, although no information about the tracking had been provided. The Czech Data Protection Authority found that no information in the sense of Art. 13 GDPR had been given and that Art. 6 (1) f) GDPR could not serve as the legal basis in the specific circumstances. The UOOU therefore found a violation of Art. 6 (1) f) GDPR and Art. 5 (1) a) GDPR, for which it imposed the fine.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Credit brokerage
Amount: 1.165 €
Date: 04.02.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 5(1) f GDPR Insufficient technical and organisational measures to ensure information security

Data have not been processed with an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical or organisational measures ('integrity and confidentiality').

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Company (employer)
Amount: 388 €
Date: 10.01.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 6 (1) GDPR Insufficient legal basis for data processing

A former employee of a company requested the deletion of his or her personal information, which was published on the employer's Facebook website and which was still available long after the termination of employment. The fine was imposed because the employer did not delete the information about the former employee.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Anonymous
Amount: 388 €
Date: 25.10.2018
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 15 GDPR Insufficient fulfilment of data subjects rights

The person concerned was not provided with information on the processing of his/her personal data by the controller, despite his/her request.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: One of the largest e-shops in Czech Republic
Amount: CZK 1.500.000
Date: 03.10.2018
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
pre-GDPR Insufficient technical and organisational measures to ensure information security

One company employee failed to ensure adequate security of processing, resulting in over 735,000 customers losing their personal data.

Authority: The Office for Personal Data Protection

Link
Country: Denmark
Organization: Various companies
Amount: 361.000 €
Date: Period: 2018 -2019
INPLP Partner: NJORD Advokatpartnerselskab
Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR Inspections and proposed monetary fines for non-compliance with general data processing principles

The Danish Data Protection Agency has the authority and right to carry out data protection audits and inspections without a court order, including the right to demand access to all necessary premises where personal data are processed. The Danish Data Protection Authority carries out a number of planned inspections every year. During the past 1.5 years, the main subjects of the audits and inspections have been as follows:

2018:
- Legal bases for processing of personal data, including the consent of the data subject
- Deletion of personal data
- Use of data processing equipment by the municipalities
- Appointment of data protection officers
- Establishment of records of processing activities
- The rights of the data subjects

2019:
- Security measures of public authorities and private companies
- Encryption of e-mails by private companies
- The data subject's right of access to personal data processed by public authorities and private undertakings
- Aggregation and compilation of personal data for resale by private companies
- Data processors and data processing agreements
- Daily monitoring
- Data protection in relation to employees
- Automated decision making and profiling

The Danish Data Protection Authority has reported two companies to the Danish police and proposed two fines. The first proposed fine was a fine of DKK 1.2 million (approx. EUR 160,000) for a company's failure to take action to make personal data anonymous (e.g. timely deletion of personal data). The second was a fine of DKK 1.5 million (approx. EUR 201,000) for the company's failure to comply with the principle of storage limitation.

Authority: Danish Data Protection Authority (Datatilsynet)

Additional Information:

2018: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2018/jun/planlagte-tilsyn-indtil-udgangen-af-2018/

First half of 2019: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/jan/planlagte-tilsyn-i-foerste-halvaar-af-2019/

Second Half of 2019: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/jul/planlagte-tilsyn-for-andet-halvaar-af-2019/

Country: Greece
Organization: ALLSEAS MARINE S.A.
Amount: 15.000 €
Date: 13.01.2020
INPLP Partner: Zepos & Yannopoulos
Articles 12, 13 & 15; Article 5 par. 1(a) & par. 2; Article 5 par. 1 (b-f) Violation of an employee's right to access their personal data and unlawful operation of a CCTV system.

The senior manager of a shipping company filed a complaint with the Hellenic DPA alleging that the company (i) had not properly informed him of his data protection rights and had refused to provide access to his personal data stored on his business computer, including corporate emails and files, and (ii) had unlawfully installed cameras at the company's premises. The case related to an investigation initiated by the company into the corporate emails and documents stored on the senior manager's business computer and into extracts recorded by the company's CCTV, following reasonable suspicion that the senior manager had embezzled the company's funds. When the senior manager asked for access to his personal data stored on his business computer, the company refused to satisfy his right without providing adequate justification and did not inform him of the right to lodge a complaint with the Hellenic DPA. It was also found that the company had placed cameras, some of them hidden, without the warning signs and notices required. The Hellenic DPA held that the investigation of the manager's business computer had been conducted in accordance with the GDPR, since it was limited to specific data relating to only one employee and was based on the overriding legitimate interest of the company in protecting its assets. The Hellenic DPA concluded that, although the investigation was lawful, the company had unlawfully refused to satisfy the senior manager's right of access and had operated the CCTV in violation of the GDPR and the regulatory framework.

Authority: HELLENIC DATA PROTECTION AUTHORITY

Link
Country: Greece
Organization: AEGEAN MARINE PETROLEUM NETWORK INC.
Amount: 150.000 €
Date: 19.12.2020
INPLP Partner: Zepos & Yannopoulos
Article 5 Violation of essential data protection principles mainly integrity and accountability

A marine bunkering company created a back-up of a database server which contained personal data. The personal data in question related to a branch's employees (e.g. documents, company profiles, email communications) as well as to third parties whose offices were located in the same building and who were informally using the same server. The fined company had also not implemented any policies or procedures for compliance with data protection legislation. The Hellenic DPA held that the company was responsible for implementing measures for the logical and technical separation of the files it needed to back up and for adequately informing all employees of the further processing and the reasons for it. By indiscriminately cloning the server it violated the principles of transparency, data minimisation, data integrity and accountability. It was given 3 months to implement the appropriate policies and procedures and render itself fully compliant.

Authority: HELLENIC DATA PROTECTION AUTHORITY

Link
Country: Italy
Organization: Eni Gas e Luce S.p.A. (electricity and gas)
Amount: 3.000.000 €
Date: 11.12.2019 (published on 17.01.2020)
INPLP Partner: R&P legal
Art. 5 and art. 32 of GDPR Breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘deregulated market’ conditions, due to the inadequacy of privacy policies adopted by Eni Gas e Luce S.p.A.

The investigation of the Italian DPA showed that, although the unlawful processing operations were carried out by data processors (agents and sellers) who acted in partial violation of the instructions given by ENI, the technical and organizational measures adopted by ENI were not adequate to the nature, context, purposes and risks of the processing, thus violating the principle of "accountability" imposed by GDPR. Several gaps emerged in the privacy policies implemented by ENI, that appeared to be deficient and ineffective, especially in terms of guaranteeing the accuracy of the data processed, the security of the processing and the control of the actions carried out by ENI’s data processors.

Authority: Italian Data Protection Authority

Link
Country: Italy
Organization: Eni Gas e Luce S.p.A. (electricity and gas)
Amount: 8.500.000 €
Date: 11.12.2019 (published on 17.01.2020)
INPLP Partner: R&P legal
Art. 5; art. 6; art. 7 and art. 25 of GDPR The violations include (i) the use of advertising calls without the consent of the contacted person; (ii) the absence of adequate technical and organisational measures; (iii) the unlawful data retention and (iv) the unlawful processing of personal data ac

The key point of this decision is the absence of the data subjects' consent. In fact, in its telemarketing and teleselling activities, Eni did not properly match its database against the "Opt-out Register"; it treated the general consent given by data subjects to third parties (list providers) for marketing purposes as prevailing over the refusal of consent, for the same kind of processing, that the same data subjects had expressed to ENI itself. According to the Italian DPA, these unlawful processing operations were carried out because ENI had not adopted and implemented technical and organisational measures suitable for recording and updating users' wishes not to receive marketing communications.

Authority: Italian Data Protection Authority

Link
Country: Austria
Organization: Kebab restaurant
Sector: Private Sector
Amount: 1.800 € - reduced to 1.500 € by the Federal Administrative Court
Date: 25.11.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Art. 5 (1) a) and c); Art. 6 (1) GDPR; § 50b (2) and § 50d (1) DSG 2000 / § 13 (3) and (5) DSG Monetary fine because of lack of a sufficient legal basis for data processing, lack of video surveillance indication and excessive storage duration

The video surveillance covered public areas (especially a public street) and a neighbouring gas station. It was therefore not appropriate to the purpose of the processing and was not limited to the necessary extent. Apart from that, the video surveillance was not appropriately indicated. Furthermore, the personal data recorded by the video surveillance were not deleted within 72 hours and no separate log was kept in this respect. The storage period was unreasonably long. The Federal Administrative Court confirmed the content of the DPA's decision, but reduced the fine by EUR 300 because the defendant had reduced the storage period to the permissible level and had sufficiently indicated the video surveillance, both while the proceedings were still in progress (BVwG Erkenntnis v. 25.11.2019, W211 2210458-1).

Authority: Federal Administrative Court (Bundesverwaltungsgericht "BvwG")

Additional Information:

UPDATE: The Federal Administrative Court has confirmed the decision of the data protection authority in principle.

Link
Country: Austria
Organization: Private person. - Owner of a residential unit in an apartment building.
Sector: Private Sector
Amount: 2.200 €
Date: 20.12.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR Monetary fine because of lack of a sufficient legal basis for data processing

The fine was imposed on a private individual who used video surveillance covering areas intended for general use by the residents of the residential complex (parking spaces, sidewalks, courtyard, garden and access to the building) and garden areas of an adjacent property. The video surveillance was not limited to areas under the exclusive control of the controller. It recorded the hallway and the residents entering and leaving their apartments, thereby intruding into the most personal areas of the data subjects' lives without their consent. It was therefore not proportionate to the purpose and not limited to the necessary extent. In addition, the video surveillance was also not properly indicated.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Link
Country: Austria
Organization: Private car owner
Sector: Private Sector
Amount: 300 €
Date: 27.09.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Art. 5 (1) a) GDPR, Art. 6 GDPR; § 50d (1) DSG 2000 / § 13 (5) DSG Monetary fine because of lack of a sufficient legal basis for data processing, lack of video surveillance indication

The private car owner had used two dash cams which covered public areas in front of and behind the vehicle, in particular public road traffic. The dash cams were not appropriate to the purpose and not limited to the necessary extent. Furthermore, the recorded data were not deleted within the required time limits, the processing operations related to the video surveillance were not logged, and the surveillance was not indicated as such. The dash cams were used illegally.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Link
Country: Austria
Organization: Sports betting company
Sector: Public Sector
Amount: 4.800 €
Date: 12.09.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Art. 5 (1) a) and c); Art. 6 (1) GDPR; § 50b (1) and (2) and § 50d (1) DSG 2000 / § 13 (2), (3) and (5) DSG Monetary fine because of lack of a sufficient legal basis for data processing, lack of video surveillance indication and excessive storage duration

The video surveillance system covered public areas in front of the entrance of the sports betting company. The video surveillance system was not limited to the necessary extent. In addition, the storage period was unreasonably long and there was no logging of the processing operations related to video surveillance. Furthermore, the monitored area was not marked as video surveillance. Surveillance of the public area in this way, i.e. to a large extent by private persons, is not permitted. The controller has lodged an appeal against this decision with the Federal Administrative Court.

Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")

Additional Information:

UPDATE: The Federal Administrative Court has closed the proceedings.

Link
Country: Austria
Organization: Private Person - Soccer Coach
Sector: Private Sector
Amount: 11.000 €
Date: 01.07.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
not available - The defendant appealed against the decision of the DSB; the case is not yet legally binding and therefore not published. Monetary fine because of non-compliance with lawful basis for data processing

A soccer coach secretly monitored his female players for years while they were taking a shower. The defendant appealed against the decision of the DPA.

Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")

Additional Information:

UPDATE: The penal decision is now legally binding.

Link
Country: Cyprus
Organization: State Hospital
Amount: 5.000 €
Date: 01.03.2019
INPLP Partner: tassos papadopoulos & associates LLC
Art. 15 GDPR Non-compliance with subjects' rights protection safeguards

The data controller could not grant a patient access to his or her own personal information because the file could not be identified. The patient complained to the Commissioner about this and the hospital was fined 5,000 euros.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Link
Country: The Netherlands
Organization: UWV (Dutch employee insurance service provider)
Sector: Private Sector
Amount: 900.000 €
Date: 31.10.2019
INPLP Partner: Cordemeyer & Slager
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

As UWV (the Dutch service provider for employee insurance, "Uitvoeringsinstituut Werknemersverzekeringen") did not use multi-factor authentication for access to its online employer portal, security was insufficient. Employers and occupational health and safety services were able to access employees' personal health data in an absence registration system. A fine of EUR 900,000 was to be imposed if UWV had not put proper multi-factor authentication in place by 31 October 2019. At the request of UWV, the Dutch DPA postponed this date to 1 March 2020.

Authority: Dutch Supervisory Authority for Data Protection (AP)

Link
Country: Turkey
Organization: Newspaper
Sector: Public Sector
Amount: 125.000 TL
Date: 09.12.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Unlawful processing of sensitive data

It was determined that health data had been processed unlawfully by the newspaper.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Bank
Sector: Private Sector
Amount: 100.000 TL
Date: 26.11.2019
INPLP Partner: Gün + Partners
Article 12 and 18(1) (b) Illegal use of customer data

Bank customers' data were used illegally through unlawful access and use by the bank's own employees. The DPA held that the bank had not taken adequate measures to protect personal data and had also breached its notification obligation.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Insurance Company
Sector: Public Sector
Amount: 100.000 TL
Date: 07.11.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Unlawful use of public data

It was determined that the use of publicly available data for commercial purposes (to sell insurance services), in a manner not consistent with the purpose for which that professional data had been made public, was unlawful.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Doctor
Sector: Private Sector
Amount: 50.000 TL
Date: 07.11.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Sending commercial messages to mobile phone

It was determined that the use of the data subject's personal data was not based on any legal ground.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: An airline company
Sector: Private Sector
Amount: 100.000 TL
Date: 01.10.2019
INPLP Partner: Gün + Partners
Article 4,6,12 and 18 of the DPL Failure to comply with duties related to ensuring information security + Insufficient legal basis for sensitive data processing

The KVKK determined that an airline company had processed sensitive personal data by taking copies of national ID cards (which include blood type and religion information) and therefore issued a penalty based on the lack of a legal basis for that processing activity. The KVKK also ordered the company to stop the processing and to destroy or anonymise the data.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A mobile network operator company
Sector: Public Sector
Amount: NON
Date: 01.10.2019
INPLP Partner: Gün + Partners
Article 11 and 13 of the DPL NON

A complaint was submitted to the DPA stating that a data subject request had been declined after the data subject refused to provide identity confirmation documents. The KVKK stated in its decision that such a demand can only be made through a public notary or with an e-signed document, and ordered the company to act in compliance with the Regulation on Application to Data Controllers.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Facebook Inc
Sector: Public Sector
Amount: 1.600.000 TL
Date: 18.09.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary time limit

The decision is based on the data breach caused by an error in Facebook's "View As" feature. The breach lasted for 14 days and involved sensitive personal data. It affected 280.959 people in Turkey. A penalty was issued based on the lack of sufficient technical and organisational measures and the failure to notify the DPA within the compulsory deadline.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A bank
Sector: Private Sector
Amount: 100.000 TL
Date: 18.09.2019
INPLP Partner: Gün + Partners
Article 4 and 12 of the DPL Insufficient technical and organisational measures to ensure information security + Non-compliance with general data processing principles

A complaint was filed with the KVKK regarding the unlawful use of personal data. The decision states that a bank employee accessed customers' personal data and used it outside the scope of the processing. The KVKK issued a penalty based on the lack of technical and organisational measures.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Sevinç Eğitim Kurumları (Education Institution)
Sector: Private Sector
Amount: 50.000 TL
Date: 18.09.2019
INPLP Partner: Gün + Partners
Article 3, 5, 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to comply with duty of data controller to prevent unlawful data processing

Following a complaint, it was determined that an education company had sent multiple SMS messages to people without any legal basis for such data processing. The KVKK stated that such action requires explicit consent and therefore issued a penalty for failure to comply with the DPL, underlining that the institution had also disregarded the Communiqué issued by the KVKK.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: S Şans Oyunları A.Ş
Sector: Public Sector
Amount: 180.000 TL
Date: 27.08.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the data subjects in the shortest time possible

A database from a betting company website was leaked to the Internet by mistake. The company did not detect the breach itself, so the number of people affected remains unknown. A penalty was issued based on the lack of sufficient technical and organisational measures and the failure to notify the affected data subjects in the shortest time possible.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A tourism company
Sector: Technical Sector
Amount: 500.000 TL
Date: 27.08.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA and the data subjects in the compulsory deadline

A database of the company was leaked after a cyberattack. The details of the breach could not be fully determined because the company failed to detect and analyse the breach. A penalty was issued based on the lack of sufficient technical and organisational measures and the failure to notify the DPA and the affected data subjects within the compulsory deadline.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: NON
Sector: Technical Sector
Amount: NON
Date: 23.07.2019
INPLP Partner: Gün + Partners
Article 4 of the GDPR and relevant DPL regulations NON

The decision analyses whether the branch and liaison offices of a company based abroad must register with the Data Controller Registry (VERBIS). The KVKK stated that if the branch and liaison offices meet the criteria of the registration duty, they must also register with the Data Controller Registry, separately from the main company.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Dubsmash Inc
Sector: Public Sector
Amount: 730.000 TL
Date: 17.07.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary time limit

The KVKK determined that Dubsmash Inc was subject to a data breach affecting 679.269 people in Turkey. Data servers of Dubsmash Inc were accessed by unidentified people over the Internet, and it was detected that the personal data of up to 162 million people had been illegally sold. A penalty was issued based on the lack of sufficient technical and organisational measures and the failure to notify the DPA and the people affected by the data breach.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: An investment company
Sector: Private Sector
Amount: 75.000 TL
Date: 08.07.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Non-compliance with general data processing principles

A complaint was submitted to the DPA regarding the unlawful processing of a data subject's personal data. The KVKK determined that the company processed data without a legal basis and therefore issued a penalty based on non-compliance with the general data processing principles and an insufficient legal basis.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Mimar Sinan Üniversitesi
Sector: Public Sector
Amount: NON
Date: 01.07.2019
INPLP Partner: Gün + Partners
Article 15 and 18 of the DPL Failure to comply with duties related to ensuring information security + Insufficient legal basis for sensitive data processing

The data controller published application and exam results on a public web page. A data subject requested the data controller to remove the relevant personal data, but the university did not respond to the request. The KVKK ordered the university to conduct disciplinary proceedings and to update its methods for publishing such data so that they comply with the DPL.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: NON
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 9 of the DPL Crossborder Data Transfer Requirements

The KVKK stated that personal data arising from mail traffic conducted via Gmail is stored abroad in different parts of the world, and that users of such services must meet the cross-border data transfer criteria of the DPL.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: An asset management company
Sector: Technical Sector
Amount: 20.000 TL
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 5,12 and 18 of the T Insufficient technical and organisational measures to ensure information security + Non-compliance with general data processing principles

The KVKK determined in its decision that the company had repeatedly sent the same SMS to the data subject under the explicit consent given. This was considered non-compliant with the general data processing principles as an abuse of rights, and the KVKK therefore issued a penalty based on the lack of technical and organisational measures.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A joint-stock company
Sector: Technical and Organisational Sector
Amount: 50.000 TL
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 5,6 and 12 of the DPL Insufficient technical and organisational measures to ensure information security + Non-compliance with general data processing principles

The KVKK stated in its decision that a data controller may not send commercial e-mails to data subjects without their explicit consent. The KVKK therefore issued a penalty based on the lack of technical and organisational measures that had allowed employees to send such e-mails.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A gym owner company
Sector: Technical Sector
Amount: Unknown
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 6 of GDPR, Article 4, 12 and 18 of the Turkish DPL Insufficient technical and organisational measures to ensure information security + Insufficient legal basis for data processing

In its decision the KVKK analyses the conditions under which gyms may process biometric data. The relevant GDPR provisions and Turkish DPL provisions are evaluated in the decision. The KVKK forbids the processing of such data, underlining the principle of proportionality, even where data subjects have given explicit consent. A fine was issued based on the lack of technical and organisational measures. Finally, the KVKK orders all data controllers to either destroy or anonymise the biometric data used to control users' entry and exit.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: 50.000 TL
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security

A complaint was submitted to the DPA regarding a misdirected SMS. The KVKK issued a penalty based on the data controller's duty to prevent unlawful data processing.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Clickbus Seyahat Hizmetleri A.Ş.
Sector: Technical Sector
Amount: 1.000.000 TL
Date: 16.05.2019
INPLP Partner: Gün + Partners
Article 12 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary time limit

A fine of 1.000.000,00 TL was issued against Clickbus as a result of a data breach affecting 67.519 people in Turkey. Malware was detected on a Clickbus server, leaking personal data over a period of 2 months. The KVKK issued the penalty based on the lack of technical and organisational measures and the delay of nearly 45 days in notifying the DPA.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Marriott International Inc.
Sector: Private Sector
Amount: 1.450.000 TL
Date: 16.05.2019
INPLP Partner: Gün + Partners
Article 12 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary time limit

A fine of 1.450.000,00 TL was issued against Marriott International Inc. as a result of a data breach possibly affecting 1.24 million people in Turkey. The breach was caused by unlawful access to the Starwood Hotels database over nearly 4 years, leaking personal data including financial information of data subjects. The KVKK issued the penalty based on the lack of technical and organisational measures and the delay of nearly 3 months in notifying the DPA.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Cathay Pacific Airways Limited
Sector: Technical Sector
Amount: 550.000 TL
Date: 16.05.2019
INPLP Partner: Gün + Partners
Article 12 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary time limit

A fine of 550.000,00 TL was issued against Cathay Pacific as a result of a data breach possibly affecting 1286 people in Turkey. The breach was caused by a cyber attack and lasted for 2 months, leaking important personal data such as the passport numbers of Turkish citizens. The KVKK issued the penalty based on the lack of technical and organisational measures and the delay of nearly 5 months in notifying the DPA.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: T.C. Ziraat Bankası A.Ş
Sector: Bank Sector
Amount: NON
Date: 02.05.2019
INPLP Partner: Gün + Partners
Article 5,6 and 18 of the DPL Non-compliance with the notification obligation + Insufficient legal basis for data processing

The state bank T.C. Ziraat Bankası A.Ş did not respond to a data subject request. The data subject filed a complaint, and the KVKK ordered the Bank to comply with the Turkish DPL.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Facebook
Sector: Public Sector
Amount: 550.000 TL
Date: 11.04.2019
INPLP Partner: Gün + Partners
Art. 12 of the DPL Failure to implement sufficient measures to ensure information security, and to fulfill information obligations

The data breach, reported in the press under the name "Photograph API", was announced on 14.12.2018. Facebook discovered a photograph API error that enabled third parties to access the photos of Facebook users; third parties may have had such access for 12 days. The Authority found that Facebook failed to implement sufficient measures to ensure information security and to fulfil its information obligations, since the Authority was not notified and notification of the individuals only began on 17.12.2018, although the breach was discovered on 19.09.2019.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: An energy company
Sector: Energy Sector
Amount: NON
Date: 25.03.2019
INPLP Partner: Gün + Partners
Article 4 and 5 of the DPL Explanation of legitimate interest as a legal basis for data processing

The KVKK decided that car licence plate numbers and other relevant data may be processed by fuel stations on the basis of legitimate interest. The KVKK also instructed the company to inform the data subjects in accordance with the legislation.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A supermarket (Full name disclosed)
Sector: Food Sector
Amount: NON
Date: 25.03.2019
INPLP Partner: Gün + Partners
Article 13 of the DPL Insufficient legal basis for data processing

A complaint was filed with the KVKK regarding the unlawful collection of explicit consent by SMS (not clear enough and missing the required conditions) and the ambiguity of the Information Notice. The KVKK ordered the company to update the Information Notice and requested the company to anonymise the personal data collected before the DPL entered into force.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: NON
Date: NON
INPLP Partner: Gün + Partners
NON NON

A complaint was filed with the KVKK regarding the unlawful collection of personal data by a natural person. The KVKK decided that the act falls under the Turkish Criminal Code, and therefore no penalty was issued.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Crime Sector
Amount: NON
Date: 24.12.2018
INPLP Partner: Gün + Partners
Article 17 and 15 of the DPL Criminal Proceeding Conditions

The KVKK states in its decision that data leaks and breaches subject to the Turkish Criminal Code are to be evaluated only by the judicial authorities, and therefore decides not to rule on the issue.

Link
Country: Turkey
Organization: Pharmacy
Sector: Health Sector
Amount: Unknown
Date: 05.12.2018
INPLP Partner: Gün + Partners
Art. 6, 12 of the DPL Non-compliance with general data processing principles

Health data belonging to a patient who takes drugs under medical supervision were disclosed to third parties by the pharmacy supplying the drugs, without any legal ground for processing. The Authority decided that the pharmacy's action violated the conditions specified in the law and imposed an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A bank
Sector: Financial Sector
Amount: NON
Date: 05.12.2018
INPLP Partner: Gün + Partners
Article 4(2) of the DPL Maximum data storage time limits

A request was submitted to a bank to destroy the relevant personal data. The KVKK ruled that banks must keep such data for 10 years under the sector-specific regulations and therefore decided that the bank did not have to destroy the data.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A legal entity
Sector: Law Sector
Amount: NON
Date: 19.11.2018
INPLP Partner: Gün + Partners
Article 2,3 and 11 of the DPL Scope of the Law

The KVKK states in its decision that Law No. 6698 does not apply to the data of legal entities and therefore decides that data leaks and breaches concerning such data fall outside the scope of the law.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Public Institution
Sector: Public Sector
Amount: Instructed the Data Controller
Date: 16.10.2018
INPLP Partner: Gün + Partners
Art. 11, 15, 18 of the DPL Insufficient fulfilment of data subjects rights

The data subject applied to the Data Controller requesting deletion of their personal data but received no sufficient response. The Data Controller was granted a term of 30 days to notify the data subject of the actions that would be taken; however, it was found that the Data Controller failed to comply with this obligation. The Authority therefore took administrative action against the Data Controller pursuant to Article 18 of the Law.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: N/A
Date: 13.09.2018
INPLP Partner: Gün + Partners
Art. 3, 17 of the DPL Definition of Data Controller

A document signed by the data subject for occupational purposes was shared by unidentified third parties on the internet. It was decided that, although the data subject had suffered a data breach, unknown parties cannot be identified as the data controller, and the Authority therefore decided that there was no action for it to take.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: NON
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 28/1(c) of the Data Protection Law No. 6698 ("The DPL") Unknown

A natural person asked the Authority to remove a newspaper column mentioning their name, on grounds of a data breach. The Authority deemed the column an exercise of freedom of expression and dismissed the request, finding that the matter falls under freedom of the press. No details are given about the content of the column.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Public Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 12/1(c) of the DPL Failure to implement sufficient measures to ensure information security

Doctors at a hospital disclosed a patient's health report to a wide audience by sharing it on the internet and on social media platforms. The Authority imposed an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Public Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 12/1(c) of the DPL Non-compliance with the right of consent

A Data Controller shared the personal data of one of its data subjects, gathered during a job application, with the other applicants without any legal basis. The Authority decided that the same rule must apply when an enterprise composed of multiple companies shares data on the same platform, and imposed an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 12/5 of the DPL Insufficient fulfilment of information obligations

A Data Controller notified the Authority of a data breach after 17 months, and the affected individuals after 10 months. The Authority found that these periods exceeded "the shortest course of time possible" specified in the Law, and imposed an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Technical Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 4, 5(2) and 12 of the DPL Insufficient technical and organisational measures to ensure information security

A Data Controller made explicit consent a condition of the membership and service agreement. The Authority found the Data Controller in breach of the principle of being bound by law and good faith when processing data, and deemed this an abuse of rights.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 4/1(ç), 5/2(ç), 8/2 and 12(1) of the DPL Non-compliance with the principle of data minimization

A court requested data pertaining to an individual from a Data Controller, and the Data Controller transferred more personal data than required. The Authority decided that the Data Controller had failed to ensure the security of the personal data, and imposed an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Instructed the Data Controller
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 11 and 15(5) of the DPL Non-compliance with information obligations

The data subject applied to the Data Controller to exercise their rights under Article 11 of the Data Protection Law No. 6698. However, the Data Controller did not respond within the required period. The Authority granted 30 days for a response and stated that the Data Controller would otherwise be subject to an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Instructed the Data Controller
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 4 of the DPL Insufficient fulfilment of data subjects rights

A Data Controller refused to fulfil requests from inactive customers to delete their personal data. The Authority instructed the Data Controller that, since it is obliged to store the data for 10 years, it must not process the data of inactive customers for any purpose other than storage, as doing so would breach the general principles.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 12 of the DPL Insufficient technical and organisational measures to ensure information security

A Data Controller sent a document containing the personal data of one of its customers to another individual bearing the same name as the customer. In addition, one of the Data Controller's employees queried the data for personal purposes without the data subject's consent. The Authority pointed out a vulnerability in the system and imposed an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 4(b), 4(c), 12(1) of the DPL Non-compliance with general data processing principles

A Data Controller requested a customer to provide a document containing personal data that was not necessary for the transaction the customer had asked for. The Authority deemed the Data Controller's request contrary to good faith and not in keeping with the purpose of processing, and imposed an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 5, 12 of the DPL Failure to implement sufficient measures to ensure information security

A Data Controller sent sample contracts to the employees of a company by e-mail, in which it gave the names and home addresses of the individuals managing the processes on behalf of the company as the correspondence address, instead of the company's address. The Authority decided that the Data Controller had failed to ensure information security, and imposed an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Ready-wear Company
Sector: Business Sector
Amount: Unknown, also Instructed the Data Controller
Date: 26.07.2018
INPLP Partner: Gün + Partners
Insufficient technical and organisational measures to ensure information security

A data subject requested the Data Controller to delete and destroy their data, since the data had become accessible to third parties. The company's response was found insufficient. The Authority imposed an administrative fine on the company for failing to take sufficient measures to secure the data, and granted it a term of 30 days to notify the customer of the actions taken on the matter.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Instructed the Data Controller
Date: 26.07.2018
INPLP Partner: Gün + Partners
Art. 7 of the DPL Non-compliance with the right of consent, and information obligations

It was found that the Data Controller made membership mandatory for applicants in the course of a job application, and that during the membership application the applicants were given a single checkbox both to acknowledge that they had read the information text and to give consent to data processing. The Authority instructed the Data Controller to separate the two options.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Public Institution
Sector: Public Sector
Amount: N/A
Date: 28.06.2018
INPLP Partner: Gün + Partners
Art. 7 of the DPL Insufficient technical and organisational measures to ensure information security

A public officer requested the Data Controller, a public institution, to destroy the data pertaining to an investigation conducted on the data subject. The institution rejected the request. The Authority decided that the statutory retention period for the personal files of public officers had not yet expired, and therefore imposed no fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: France
Organization: Futura Internationale
Sector: Business Sector
Amount: 500.000 €
Date: 21.11.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR Unsatisfactory execution of the rights of the data subjects

Futura Internationale was fined for cold calling after several complainants continued to receive cold calls although they had told the caller directly and by mail that they did not want them. The CNIL's on-site investigation at Futura Internationale revealed that the company had received several letters objecting to cold calling, that it had stored excessive information about clients and their health, and that it had not informed individuals about the processing of their personal data or the recording of telephone conversations.

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: ACTIVE ASSURANCES (car insurer)
Sector: Business Sector
Amount: 180.000 €
Date: 25.07.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

A large number of customer accounts, customer documents (including copies of driving licences, vehicle registrations, bank statements and documents used to determine whether a person's driving licence had been withdrawn) and other personal data were easily accessible online. The CNIL criticised the password management, as unauthorised access was possible without any authentication.

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: Insurance Company Description
Sector: Business Sector
Amount: 180.000 €
Date: 18.07.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
missing Monetary fine

An investigation by the CNIL revealed that documents uploaded by the company's clients to their personal accounts were accessible to other people by changing the numbers at the end of the URL displayed in the browser. The CNIL imposed a fine of 180,000 euros on the company for having taken inadequate security measures. In determining the amount of the fine, the CNIL took particular account of the sensitivity of the data and documents concerned (identity cards, information relating to offences, bank details, etc.) and the number of persons concerned.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Employer - UNIONTRAD COMPANY
Sector: Business Sector
Amount: 20.000 €
Date: 13.06.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR Poor legal basis for data processing

Between 2013 and 2017, the CNIL received complaints from several employees of a company filmed at their workplace. The CNIL drew the company's attention to the rules to be observed when installing cameras in the workplace, in particular that employees must not be constantly filmed and that information on the data processing must be provided. No satisfactory measures were taken within the period stipulated. As a result, the CNIL conducted a second audit in October 2018, which confirmed that the employer continued to breach data protection law when recording employees by video surveillance. In setting the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company, which had a negative net result in 2017 (turnover of EUR 885,739 and a net loss of EUR 110,844), in order to impose a dissuasive but proportionate administrative penalty.

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: SERGIC (Real Estate)
Sector: Business Sector
Amount: 400.000 €
Date: 28.05.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

The CNIL based the penalty on two grounds: lack of security measures and excessive data retention. Details of the two reasons: The user documents uploaded by the tenant candidates (including identity cards, health cards, tax assessment notices, certificates from the Family Allowance Fund, divorce decrees, bank statements) were accessible online without any authentication procedure. Although the vulnerability had been known to the company since March 2018, it was not resolved until September 2018. Furthermore, the company kept the documents submitted by the candidates longer than necessary. The CNIL took into account, among other things, the seriousness of the breach (lack of diligence in remedying the vulnerability and the fact that the documents contained intimate aspects of users' lives), the size of the company and its financial situation.

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: Google Inc.
Sector: Public Sector
Amount: 50.000.000 €
Date: 21.01.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR Lack of legal basis for data processing

Following complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net", a fine of 50 million euros was imposed. The complaints were filed on 25 and 28 May 2018, immediately after the entry into force of the GDPR. The complaints concerned the creation of a Google account when configuring a mobile phone with the Android operating system. Reasons for the high fine: lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were not "specific" and not "unequivocal" (Art. 4 No. 11 GDPR).

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: Telecom Company
Sector: Business Sector
Amount: 250.000 €
Date: 26.12.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

The company experienced a data breach involving the personal information of more than 2 million customers over a two-year period because the company failed to reactivate an authentication feature on its website that had been disabled for a trial period. The company was fined for failing to ensure the security of its customers' personal information. The CNIL determined the amount of the fine taking into account the company's rapid reactivity in remedying the security breach and the many measures taken to limit the consequences of the breach.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Multinational Transportation Network Company
Sector: Business Sector
Amount: 400.000 €
Date: 19.12.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

In November 2017, the company revealed to the press that in 2016, two individuals succeeded in stealing the personal data of 57 million users of its services by accessing a server on which the personal data is stored using credentials accessible on a software development platform. Following the investigation, the CNIL decided that the company had failed to fulfil its obligations to ensure the security of its users' personal data.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Online Advertising Company
Sector: Business Sector
Amount: missing
Date: 30.10.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
missing Formal Notice

A CNIL investigation revealed that the company was collecting geolocation data from mobile devices without consent in order to run advertising campaigns in mobile applications. Note: In February 2019, the CNIL closed the formal notice procedure after the company had complied with its requirements.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Video Hosting Platform
Sector: Public Sector
Amount: 50.000 €
Date: 24.07.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

In 2016, hackers were able to access the credentials of a video hosting platform company's administrator account stored on a software development platform, giving them access to information about the users of the video hosting platform. The hacked data included 82.5 million email addresses and 18.3 million encrypted passwords. The company was fined for failing to adequately secure the personal data of customers on its platform.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
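The two decisions above (the transportation network company and the video hosting platform) share the same entry point: credentials committed to a software development platform, where anyone with repository access could read them. The following is an added example of the detection a repository owner would run in a pre-commit hook or CI job; it is not code from either company or from the CNIL. The sample repository snapshot, the rule names and the entropy threshold are constructed for illustration. The one real-world format it relies on is the AWS access key ID (the prefix AKIA followed by 16 upper-case alphanumeric characters); the generic rule works from a credential-like variable name plus a Shannon entropy check, so placeholder values such as changeme are not reported.

```python
"""Secret-in-repository scanning (added illustration, not vendor code).

Two rules: a known-prefix rule for AWS access key IDs and a generic
'credential-looking assignment' rule backed by a Shannon entropy check."""
import math
import re
from collections import Counter

# Constructed sample repository snapshot: path -> file contents.
REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/db.env": "DB_USER=app\nDB_PASSWORD=changeme\n",
    "README.md": "Set DB_PASSWORD in your environment before running.\n",
}

# AWS access key IDs: 'AKIA' + 16 upper-case alphanumerics, 20 chars total.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# KEY = 'value' / KEY=value where the variable name suggests a credential
# and the value is at least 8 non-space, non-quote characters.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|password|passwd|token|api_?key|access_?key)\w*)"
    r"\s*[:=]\s*['\"]?([^'\"\s]{8,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; illustrative tuning


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[tuple[str, int, str, str]]:
    """Return (path, line_no, rule, matched_value) for each likely secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((path, line_no, "aws-access-key-id", m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if AWS_KEY_ID.fullmatch(value):
                continue  # already reported by the specific rule above
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high-entropy-assignment", value))
    return findings


def scan_repo(repo: dict[str, str]) -> list[tuple[str, int, str, str]]:
    """Scan every file of the snapshot; a non-empty result should fail the build."""
    findings = []
    for path, text in sorted(repo.items()):
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, line_no, rule, value in scan_repo(REPO):
        print(f"{path}:{line_no} [{rule}] {value}")
```

On the constructed snapshot the scanner reports the access key ID and the high-entropy secret key in config/settings.py and stays silent on the changeme placeholder and the README mention, which is the trade-off any such rule set makes between noise and coverage. Scanning only the working tree is not enough: a credential that was committed and later deleted is still in the history, so the same scan should be run over every commit, and a hit must be treated as a compromised credential to rotate, not merely a line to remove.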
Country: France
Organization: Social Housing Public Organisation
Sector: Business Sector
Amount: 30.000 €
Date: 24.07.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

The organisation was fined for unlawfully processing the personal data of the tenants. The CNIL considers that the processing of tenants' personal data in order to send a letter criticising a government announcement is unrelated to the original purpose of collecting this data, i.e. managing a property portfolio and applications for social housing.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Social Housing Non-Profit Organisation
Sector: Business Sector
Amount: 75.000 €
Date: 21.06.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

June 2017: The investigation by the CNIL showed that changing the path of the URL of the company's website allowed access to documents (tax assessment notices, passports, identity cards, residence permits and pay slips) uploaded by other users. The company was fined under Article 34 of the French Data Protection Act for failing to take adequate measures to ensure the security of users' personal data.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
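Both this decision and the insurance-company decision above describe the same flaw: a document is served purely on the basis of the identifier in the URL, so anyone who edits the number reads another user's file (an insecure direct object reference, or IDOR). The example below is added here to show the vulnerable lookup next to a hardened one together with the enumeration test an inspector would run; it is not code from either company or from the CNIL, and the document store, user identifiers and filenames are constructed sample data.

```python
"""Insecure direct object reference: vulnerable lookup vs. hardened lookup.

Added illustration with constructed in-memory data; not vendor code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    filename: str


# Constructed sample store: sequential identifiers, two different owners.
DOCUMENTS = {
    1041: Document(1041, owner_id=7, filename="alice_tax_notice.pdf"),
    1042: Document(1042, owner_id=9, filename="bob_identity_card.pdf"),
    1043: Document(1043, owner_id=7, filename="alice_payslip.pdf"),
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested document."""


def fetch_document_vulnerable(session_user_id: int, doc_id: int) -> Document:
    """The pattern the CNIL sanctioned: the caller is logged in, but the
    lookup trusts the identifier from the URL and never checks ownership.
    session_user_id is deliberately unused."""
    return DOCUMENTS[doc_id]


def fetch_document_hardened(session_user_id: int, doc_id: int) -> Document:
    """Object-level authorisation: the lookup is scoped to the caller.

    'Not found' and 'not yours' raise the same error, so someone walking
    identifiers cannot even learn which ones exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        raise Forbidden(f"document {doc_id} is not available to user {session_user_id}")
    return doc


def enumerate_leak(fetch, session_user_id: int, id_range) -> list[str]:
    """The inspector's test: as one logged-in user, walk neighbouring
    identifiers and record every filename belonging to someone else."""
    leaked = []
    for doc_id in id_range:
        try:
            doc = fetch(session_user_id, doc_id)
        except (KeyError, Forbidden):
            continue
        if doc.owner_id != session_user_id:
            leaked.append(doc.filename)
    return leaked


if __name__ == "__main__":
    ids = range(1040, 1045)
    print("vulnerable:", enumerate_leak(fetch_document_vulnerable, 7, ids))
    print("hardened:  ", enumerate_leak(fetch_document_hardened, 7, ids))
```

The fix is the ownership check, not the identifier format: replacing the sequential number with a random one only slows enumeration down, and the check must live in the server-side lookup rather than in whichever page happens to render the link.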
Country: France
Organization: Optical Retail Company
Sector: Business Sector
Amount: 250.000 €
Date: 07.05.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

The CNIL found that the company had not implemented an appropriate method of authenticating customers on its website to allow them to access their invoices. As a result, customers were able to access the documents (which included names, addresses, health records and, in some cases, social security numbers) of another customer. In determining the amount of the fine, the CNIL took into account the sensitivity of the information, the number of clients involved and the fact that more than 334,000 records were compromised in the course of the infringement. Note: A decision of the Conseil d'État (Supreme Administrative Court) of 17 April 2019 reduced the administrative fine to 200,000 euros, as the company reacted quickly to remedy the lack of security of its website.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Toy Manufacturer
Sector: Business Sector
Amount: missing
Date: 20.11.2017
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Formal Notice

Investigations by the CNIL in 2017 revealed that the company was collecting personal information from users (including children) via the microphone of connected toys and the applications associated with the toys. The CNIL issued a formal notice against the company for failing to adequately secure the device that links the toys to computers, for failing to inform users properly and for failing to take adequate measures to ensure the security and confidentiality of the data collected.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: Belgium
Organization: Website operator
Sector: Public Sector
Amount: 15.000 €
Date: 17.12.2019
INPLP Partner: Time.lex
Art. 6 and 7 GDPR, and Art. 12 and 13 GDPR Insufficient legal basis for data processing (no lawful consent); and violation of transparency obligations

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for failure to comply with cookie legislation. The website initially provided false information in its privacy policy, which was furthermore unavailable in the website's own languages. The site also used third party analytics cookies ("Google Analytics", "Google Tag Manager" and "Google Adsense") without valid consent via a cookie banner - consent boxes were already ticked.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Belgium
Organization: Mayor
Sector: Business Sector
Amount: 5.000 €
Date: 25.11.2019
INPLP Partner: Time.lex
Art. 5 (1) b) GDPR, Art. 6 GDPR Violation of purpose limitation principle, and insufficient legal basis for data processing

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the improper use of personal data (e-mail addresses obtained during previous administrative contacts) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Belgium
Organization: Candidate in local elections
Sector: Business Sector
Amount: 5.000 €
Date: 25.11.2019
INPLP Partner: Time.lex
Art. 5 (1) b) GDPR, Art. 6 GDPR Violation of purpose limitation principle, and insufficient legal basis for data processing

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the unauthorized use of personal data (e-mail addresses obtained during previous contacts between a veterinarian and his clients) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Belgium
Organization: Merchant
Sector: Business Sector
Amount: 10.000 €
Date: 17.09.2019
INPLP Partner: Time.lex
Art. 5 (1) c) GDPR; Art. 6 GDPR; Art. 12 and 13 GDPR Violation of the proportionality principle, no legal basis, and violation of transparency obligations

The Litigation Chamber of the Belgian Data Protection Authority imposed a fine of 10,000 euros on a merchant who used the national Belgian electronic identity card (eID) to create customer loyalty cards. The Chamber ruled that the data on the card had been used unlawfully. Moreover, it noted that the eID card was the only way for customers to obtain a loyalty card, so no free and valid consent had been given. Customers were also not informed in detail about the conditions of the data processing.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Belgium
Organization: Mayor
Sector: Business Sector
Amount: 2.000 €
Date: 28.05.2019
INPLP Partner: Time.lex
Art. 5 (1) b) GDPR, Art. 6 GDPR Violation of purpose limitation principle, and insufficient legal basis for data processing

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the improper use of personal data (e-mail addresses obtained during previous administrative contacts) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Romania
Organization: Entirely Shipping&Trading S.R.L.
Sector: Private Sector
Amount: 5.000 €
Date: 16.01.2020
INPLP Partner: Wolf Theiss
Articles 12 and 13, Article 5 (1) a) - c), e), Articles 6, 7 and 9 Breach of the controller's obligation to inform data subjects; breach of the principles governing the processing of personal data; lack of legal basis for the processing of data; failure to comply with the conditions for consent

The controller processed employees' personal data excessively by using video surveillance cameras installed in the offices and changing rooms. Furthermore, the controller processed biometric data (fingerprints) of the employees, even though other, less intrusive means could have been used for the same purpose. The controller was also fined for failing to provide evidence that it had informed data subjects about the processing of their personal data. Moreover, the supervisory authority established that the controller had processed the personal data of a former employee without a legal basis by continuing to use these data in electronic correspondence for the company's activities after the termination of the employment contract.

Link
Country: Romania
Organization: Enel Energie S.A.
Sector: Private Sector
Amount: 3.000 €
Date: 14.01.2020
INPLP Partner: Wolf Theiss
Article 5 (1) d) and (2), Articles 6 and 7, Article 21 (1) Infringement of the data accuracy principle; lack of legal basis for data processing; non-observance of the data subject's right to object

The sanctions were imposed following a complaint that the controller had processed the petitioner's data unlawfully, since the controller could not prove that it had obtained the data subject's consent to receive communications at his e-mail address. In addition, the controller did not take appropriate measures to stop sending the notifications, even though the data subject had repeatedly exercised his right to object.

Link
Country: Romania
Organization: Hora Credit IFN S.A.
Sector: Private Sector
Amount: 10.000 €
Date: 13.01.2020
INPLP Partner: Wolf Theiss
Article 5, Articles 25 and 32, Article 33 Breach of the data accuracy and confidentiality principles; insufficient organisational and technical measures; failure to comply with the deadline for notifying the personal data breach to the supervisory authority

Lack of evidence of compliance with the principles of accuracy and confidentiality. Failure to take proper technical and organisational measures to avoid unauthorised disclosure of customers' personal data. Failure to notify the Romanian Data Protection Authority within 72 hours of becoming aware of the breach of personal data security.

Link
Country: Romania
Organization: Homeowners Association
Sector: Private Sector
Amount: 500 €
Date: 23.12.2019
INPLP Partner: Wolf Theiss
Article 32 Lack of adequate organisational and technical measures

Failure to implement appropriate technical and organisational measures for personal data processed through a video surveillance system. Failure to properly inform the data subjects.

Link
Country: Romania
Organization: Globus Score S.R.L.
Sector: Private Sector
Amount: 2.000 €
Date: 16.12.2019
INPLP Partner: Wolf Theiss
Article 83 (5) e) in conjunction with Article 58 (1) a), e) Lack of cooperation with the Romanian Data Protection Authority

The measures imposed by the data protection authority have not been fulfilled.

Link
Country: Romania
Organization: Modern Barber S.R.L.
Sector: Private Sector
Amount: 3.000 €
Date: 13.12.2019
INPLP Partner: Wolf Theiss
Article 83 (5) in conjunction with Article 58 (1) a), e) Lack of cooperation with the Romanian Data Protection Authority

Failure to comply with the measures imposed by the Romanian Data Protection Authority.

Link
Country: Romania
Organization: Nicola Medical Team 17 S.R.L.
Sector: Private Sector
Amount: 2.000 €
Date: 13.12.2019
INPLP Partner: Wolf Theiss
Article 83 (5), (6) in conjunction with Article 58 (1) a), e) Lack of cooperation with the Romanian Data Protection Authority

The measures imposed by the data protection authority have not been fulfilled.

Link
Country: Romania
Organization: SC CNTAR TAROM S.A.
Sector: Private Sector
Amount: 20.000 €
Date: 29.11.2019
INPLP Partner: Wolf Theiss
Art. 32 GDPR Lack of suitable organisational and technical measures

Failure to take appropriate organisational and technical measures to ensure that all persons acting under its authority and having access to personal data process them only in accordance with internal procedures and on its instructions. As a result, an employee had unauthorised access to the booking application and was able to photograph a list of the personal data of 22 passengers and publish it on the Internet.

Country: Romania
Organization: Royal President S.R.L.
Sector: Private Sector
Amount: 2.500 €
Date: 29.11.2019
INPLP Partner: Wolf Theiss
Article 12, Article 15, Article 5 (1) f), Article 32 Lack of adequate organisational and technical measures

Link
Country: Romania
Organization: ING Bank N.V. Amsterdam - Bucharest Subsidiary
Sector: Private Sector
Amount: 80.000 €
Date: 25.11.2019
INPLP Partner: Wolf Theiss
Article 25, Article 5 (1),f), Article 32 Lack of required organisational and technical measures

Failure to implement appropriate technical and organisational measures and to integrate adequate safeguards into the automated card payment settlement system, affecting 225,525 customers whose payment operations were duplicated during the period 8-10.10.2018.

Link
Country: Romania
Organization: FAN COURIER EXPRESS S.R.L.
Sector: Private Sector
Amount: 11.000 €
Date: 25.10.2019
INPLP Partner: Wolf Theiss
Article 32, Article 5 (1),f) Lack of required organisational and technical measures

Failure to implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, which led to the loss of personal data (name, surname, card number, card security code, cardholder address, personal identification number, identity card series and number, IBAN, approved credit limit, correspondence address) and unauthorised access to the data of over 1,100 individuals.

Link
Country: Romania
Organization: BNP Paribas Personal Finance SA Paris Bucharest Subsidiary (CETELEM IFN S.A.)
Sector: Private Sector
Amount: 2.000 €
Date: 22.10.2019
INPLP Partner: Wolf Theiss
Article 12 Failure to comply with the deadline for responding to the request of data subject

Failure to reply to a data subject's request for deletion of personal data within one month of receipt of the request

Link
Country: Romania
Organization: INTELIGO MEDIA SA
Sector: Private Sector
Amount: 9.000 €
Date: 15.10.2019
INPLP Partner: Wolf Theiss
Article 5(1), a), b), Article 6(1), a), and Article 7 Inadequate legal basis for data processing

Failure to obtain users' explicit consent under the conditions laid down in the GDPR. During registration on the avocatnet.ro website, the company presented an unticked box through which users could opt out of receiving the newsletter by e-mail. Users who did not tick the box automatically became subscribers to the controller's newsletter without having given express consent.

Link
Country: Romania
Organization: Raiffeisen Bank SA
Sector: Private Sector
Amount: 150.000 €
Date: 09.10.2019
INPLP Partner: Wolf Theiss
Article 32 Lack of required organisational and technical measures

Failure to take appropriate organisational and technical measures to ensure that all persons acting under its authority and having access to personal data process these data in accordance with internal procedures. Credit scoring information was exchanged via the WhatsApp platform.

Link
Country: Romania
Organization: Vreau Credit SRL
Sector: Private Sector
Amount: 20.000 €
Date: 09.10.2019
INPLP Partner: Wolf Theiss
Articles 32 and 33 Lack of appropriate organisational and technical measures

Breach of data security and unjustified failure to notify the Romanian Data Protection Authority of the security breach in a timely manner. Unauthorised and unlawful processing of customers' personal data via the WhatsApp platform.

Link
Country: Romania
Organization: UTTIS INDUSTRIES S.R.L.
Sector: Private Sector
Amount: 2.500 €
Date: 06.08.2019
INPLP Partner: Wolf Theiss
Article 12, Article 5, paragraph 1, letter c) in conjunction with Article 6 failure to comply with the obligation to provide transparent information and the principle of data minimisation

The data subjects were not informed of the use of their images by the video surveillance system. In addition, the controller disclosed the personal identification numbers of its employees by posting a report on their participation in training courses on the company notice board.

Link
Country: Romania
Organization: LEGAL COMPANY & TAX HUB S.R.L.
Sector: Private Sector
Amount: 3.000 €
Date: 12.07.2019
INPLP Partner: Wolf Theiss
Article 32 Lack of suitable organisational and technical measures

Failure to take appropriate technical and organisational measures to ensure a level of security adequate to the risks represented by the processing. This has resulted in the unauthorised disclosure and access to personal data of certain individuals carrying out transactions through the website of the controller.

Link
Country: Romania
Organization: WORLD TRADE CENTER BUCHAREST S.A.
Sector: Private Sector
Amount: 15.000 €
Date: 08.07.2019
INPLP Partner: Wolf Theiss
Article 32 Lack of required organisational and technical measures

Failure to take measures to guarantee that the data is not disclosed to unauthorised persons. A printed paper list used to control breakfast participation, which includes the personal data of 46 customers who stayed at the data controller's hotel, was photographed by unauthorised persons and disclosed through online publication.

Link
Country: Romania
Organization: UNICREDIT BANK S.A.
Sector: Private Sector
Amount: 130.000 €
Date: 04.07.2019
INPLP Partner: Wolf Theiss
Article 25 (1), Article 5 (1) c) Lack of appropriate organisational and technical measures

Failure to take adequate security and organisational measures leading to the online disclosure of the identity cards and addresses of 337,042 affected persons.

Link
Country: Spain
Organization: Viaqua Xestión Integral Augas de Galicia
Amount: 60.000 €
Date: 21.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Inadequate legal basis for data processing

Processing (modification) of a customer's personal data contained in a contract by a third party without the customer's consent.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Corporación Radiotelevisión Española
Sector: Private Sector
Amount: 60.000 €
Date: 19.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union have reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The breach affected approximately 11,000 people, including identification data, employment data, data on criminal convictions and health data.

Link
Country: Spain
Organization: Xfera Moviles S.A.
Sector: Business Sector
Amount: 60.000 €
Date: 19.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

An individual complainant had received an SMS from Xfera Móviles that was intended for a third party; the telephone number and password it contained enabled him to access that third party's account and personal data on the Xfera Móviles website.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Telefónica SA
Sector: Financial Sector
Amount: 30.000 €
Date: 14.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR Failure to comply with the general data processing principles

Telefónica had charged the complainant different fees in relation to the operation of a telephone line that the complainant had never heard of. The reason was that the complainant's bank account was linked to another Telefónica customer, which meant that the charges were debited from the complainant's account. In the AEPD's opinion, this was in violation of the principle of accuracy as required by Article 5(1)(d) GDPR.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: General Confederation of Labour ('CGT')
Sector: Private Sector
Amount: 3.000 €
Date: 13.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Inadequate legal basis for data processing

With a view to convening a meeting, the CGT sent personal details of the complainant, including her residential address, family situation, pregnancy status and the date of an active case of abuse and harassment, by e-mail to 400 union members without her permission.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: TODOTECNICOS24H S.L.
Sector: Private Sector
Amount: 900.000 €
Date: 07.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 13 GDPR Insufficient fulfilment of information obligations

TODOTECNICOS24H had collected personal data without providing precise details of the data collected in its data protection declaration pursuant to Article 13 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Cerrajero Online
Sector: Private Sector
Amount: 1.500 €
Date: 06.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 13 GDPR Insufficient fulfilment of information obligations

The company had been collecting personal data without providing detailed information about the data collection in its privacy statement under Article 13 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Jocker Premium Invex
Sector: Public Sector
Amount: 6.000 €
Date: 31.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Inadequate legal basis for data processing

Jocker Premium Invex had sent postal advertisements and commercial offers to the complainant after he registered with the local census. Data such as first name, surname and postal address had only been provided to the public administration.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: VODAFONE ESPANA, S.A.U.
Sector: Business Sector
Amount: 36.000 €
Date: 25.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing

The plaintiff, whose data had been provided to the company by his authorised subsidiary, was contacted by the company that was offering its services, which he refused. Since Vodafone España continued to offer him services and demanded payment from him, Vodafone España had processed the plaintiff's personal data without his consent.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Xfera Moviles S.A.
Sector: Private Sector
Amount: 60.000 €
Date: 16.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR, Art. 6 GDPR Inadequate legal basis for data processing

Xfera Móviles used personal data without a legal basis to set up a telephone contract and continued processing the personal data even after the data subject had requested that the processing stop.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Iberdrola Clientes
Sector: Business Sector
Amount: 8.000 €
Date: 16.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 31 GDPR Lack of cooperation with the supervisory authority

The electricity company Iberdrola Clientes had refused a person's request to change electricity supplier, claiming that their data would be added to the solvency (debtor) list. The AEPD then requested information from Iberdrola Clientes about the possible inclusion of the person's data in the solvency list, to which the company did not reply. This failure to cooperate with the AEPD constituted a breach of Article 31 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Vueling Airlines
Sector: Business Sector
Amount: 30.000 €
Date: 01.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR, Art. 6 GDPR Inadequate legal basis for data processing

The Spanish data protection authority (AEPD) fined Vueling Airlines 30,000 euros for not giving users the ability to refuse its cookies: it was not possible to browse the Vueling website without accepting them. The AEPD imposed a sanction of 30,000 euros, which could be reduced to 18,000 euros for immediate payment.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: AVON COSMETICS
Sector: Private Sector
Amount: 60.000 €
Date: 16.08.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Insufficient legal basis for data processing

A consumer complained that AVON COSMETICS had processed his data unlawfully without properly verifying his identity, as a result of which his data were wrongly entered in a debtors' list, which caused problems in his dealings with his bank. A third party had used the consumer's personal data fraudulently.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: TODOTECNICOS24H S.L.
Sector: Private Sector
Amount: 900 €
Date: 11.07.2019
INPLP Partner: Andersen Tax & Legal
Art. 13 GDPR Information obligation non-compliance

The company TODOTECNICOS24H collected personal data without specifying how this data was collected.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: VODAFONE ONO, S.A.U.
Sector: Private Sector
Amount: 36.000 €
Date: 28.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) f) GDPR Non-compliance with general data processing principles

The Spanish data protection authority imposed a fine on a mobile phone company for disclosing to the complainant, via the mobile phone application "My Vodafone", personal data of third parties, consisting of billing data.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

Link
Country: Spain
Organization: Cerrajero Online
Sector: Private Sector
Amount: 1.500 €
Date: 11.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 13 GDPR Information obligation non-compliance

The company collected personal data without providing specific information about how the data were collected.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: Professional Football League (LaLiga)
Sector: Business Sector
Amount: 250.000 €
Date: 11.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) a), Art. 7 (3) GDPR Insufficient fulfilment of information obligations

The national football league (LaLiga) was fined for providing an app that accessed the microphone of the user's mobile phone once a minute in order to identify pubs showing football matches without paying the required fee. The AEPD considered that LaLiga did not provide sufficient information to users of the app about this practice. In addition, the app did not meet the requirements for revoking consent.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Xfera Moviles S.A.
Sector: Private Sector
Amount: 60.000 €
Date: 04.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing

The Spanish data protection authority imposed a fine on a mobile phone operator for reporting the plaintiff's personal data to the credit and equity solvency file in connection with an alleged debt that had already been paid at the time of the report.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

Link
Country: Spain
Organization: VODAFONE ESPAÑA, S.A.U.,
Sector: Private Sector
Amount: 40 €
Date: 03.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Insufficient legal basis for data processing

The Spanish DPA imposed a fine on a mobile telephone company for the processing of personal data in order to charge the applicant for a Netflix service which it had not used. However, according to the Spanish data protection authority, the company did not exercise the minimum level of care to verify the identity of the data subject.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

Link
Country: Spain
Organization: AMADOR RECREATIVOS, S.L
Sector: Business Sector
Amount: 8.000 €
Date: 25.05.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) c) GDPR Failure to comply with the general data processing principles

The Spanish DPA imposed a fine on an amusement machine distributor for dismissing an employee on the basis of data collected without permission via a GPS locator installed in his device. The data from this application indicated that the employee had stayed at home during working hours without working. The employee had not been informed about this data collection beforehand.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

Link
Country: Spain
Organization: Madrileña Red de Gas
Sector: Technical Sector
Amount: 12.000 €
Date: 21.01.2019
INPLP Partner: Andersen Tax & Legal
Art. 32 GDPR Failure to implement sufficient measures to ensure information security

The gas company did not have the technical measures necessary to verify the identity of the persons involved. A complainant claimed that the company had sent his information, in connection with a request, by e-mail to a third party.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: ENDESA (energy supplier)
Sector: Energy Sector
Amount: 60.000 €
Date: 02.01.1900
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) f) GDPR Insufficient legal basis for data processing

The complainant's bank account was debited by ENDESA, whose beneficiary was a third party who had been convicted of criminal offences and had been granted a two-year injunction in respect of the applicant, her residence and her work. Instead, at the request of the plaintiff, ENDESA erroneously deleted her data and inserted the data of the third party. The AEPD found that the disclosure of the applicant's data to the third party constituted a serious breach of the principle of confidentiality.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: VODAFONE ESPANA, S.A.U.
Sector: Business Sector
Amount: 5.000 €
Date: 02.01.1900
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) d) GDPR Failure to comply with the general data processing principles

The Spanish Telecommunications and Information Agency (SETSI) concluded that Vodafone had to refund a customer for costs that had been wrongly charged to them. Despite this, Vodafone reported the customer's personal data to a credit rating agency (BADEXCUG). The AEPD found that this conduct violated the principle of accuracy.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Debt collecting agency (GESTIÓN DE COBROS, YO COBRO SL)
Sector: Business Sector
Amount: 60.000 €
Date: Unknown
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) f) GDPR Insufficient legal basis for data processing

After the applicant allegedly failed to repay a microcredit to an online credit agency, the claim was assigned to the collection agency. The latter then began to send e-mails not only to the e-mail address provided by the applicant, but also to an institutional e-mail address of his workplace, which could be read by any employee and which the applicant had never provided.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: VODAFONE ESPANA, S.A.U.
Sector: Private Sector
Amount: 27.000 €
Date: Unknown
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) d) GDPR Insufficient fulfilment of data subjects' rights

Although the complainant (a former Vodafone customer) had requested Vodafone to erase his data in 2015 and this request was approved by the company, he continued to receive more than 200 SMS from the company from 2018 onwards. Vodafone stated that this happened because the complainant's mobile phone number was mistakenly used for testing purposes and inadvertently appeared in various customer files of customers other than the complainant. As the company agreed to both the payment and the admission of responsibility, the fine was reduced to EUR 27 thousand in accordance with Spanish administrative law.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Restaurant
Sector: Business Sector
Amount: 12.000 €
Date: Unknown
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) a) GDPR, Art. 6 GDPR Insufficient legal basis for data processing

A restaurant attempted to impose disciplinary action on an employee by utilizing images from a cell phone video recorded by another employee in the restaurant for evidential purposes.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Germany
Organization: Large Social Media Company
Sector: Business Sector
Amount: 51.000 €
Date: 13.02.2020
INPLP Partner: Derra, Meyer & Partner
Art. 37 GDPR Lack of appointment of data protection officer

Although Facebook Ireland had appointed a data protection officer for all Facebook companies located in the EU, Facebook Germany GmbH did not notify this appointment to the Hamburg Data Protection Authority. The fine was calculated only on the basis of the turnover of the German branch (EUR 35 million) and not on the basis of Facebook's worldwide turnover. Relevant factors named for the calculation included, inter alia, that the omitted notification was made up for immediately, that Facebook acted negligently, and that it did not violate the duty to appoint a data protection officer but only the notification obligation.

Authority: Data Protection Authority of Hamburg

Link
Country: Germany
Organization: Unknown
Sector: Business Sector
Amount: 9.550.000 €
Date: 09.12.2019
INPLP Partner: Derra, Meyer & Partner
Art. 32 GDPR Inadequate technical and organisational measures to ensure information security

The Controller provides telecommunication services. The company's customer service team identified the caller simply by name and date of birth. The Federal Data Protection Officer did not consider this identification procedure to be sufficient in accordance with Art. 32 GDPR. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale.

Authority: The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Link
Country: Germany
Organization: Unknown
Sector: Business Sector
Amount: 10.000 €
Date: 09.12.2019
INPLP Partner: Derra, Meyer & Partner
Art. 37 GDPR Lack of appointment of data protection officer

The Internet provider had not fulfilled its legal obligation under Article 37 GDPR to appoint a data protection officer, although the Federal Data Protection Commissioner had requested it to do so. Therefore, the controller was fined.

Authority: The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Link
Country: Germany
Organization: Unknown
Sector: Business Sector
Amount: 105.000.000 €
Date: 03.12.2019
INPLP Partner: Derra, Meyer & Partner
Art. 5 GDPR Non-compliance with general data processing principles

Several GDPR violations in relation to patient mix-ups at patient admission resulted in this fine. The mix-ups led to erroneous billing. This revealed structural technical and organizational deficits in patient management.

Authority: Data Protection Authority of Rheinland-Pfalz

Link
Country: Germany
Organization: Huge rental company
Sector: Business Sector
Amount: 14.500.000 €
Date: 30.10.2019
INPLP Partner: Derra, Meyer & Partner
Art. 5 GDPR, Art. 25 GDPR Non-compliance with general data processing principles

In 2017, in the course of an inspection, the Berlin Data Protection Authority urgently recommended an adjustment of the archive system. However, in March 2019, the company was still unable either to demonstrate a clean-up of its database or to present legal reasons for the continued storage. To remedy the deficiencies, the company had only made preliminary preparations. Those measures did not suffice to align the storage of personal data with the legal requirements. Therefore, the imposition of a fine by the Berlin Data Protection Authority for an infringement of Article 25 (1) GDPR and Article 5 GDPR during the period between May 2018 and March 2019 was mandatory. (Press Release 711.412.2, November 5th 2019, Berlin Commissioner for Data Protection, www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PR-Translation-Fine_DW.pdf)

Authority: Data Protection Authority of Berlin

Link
Country: Germany
Organization: Unknown
Sector: Health Sector
Amount: 80.000 €
Date: 17.10.2019
INPLP Partner: Derra, Meyer & Partner
Art. 32 GDPR No sufficient measures to ensure information security

A digital publication inadvertently disclosed personal health data relating to several persons due to insufficient data security mechanisms.

Authority: Data Protection Authority of Baden-Wuerttemberg

Link
Country: Germany
Organization: Unknown
Sector: Private Sector
Amount: 80.000
Date: 17.10.2019
INPLP Partner: Derra, Meyer & Partner
Art. 32 GDPR No sufficient measures to ensure information security

A company in the finance sector disposed of personal data inadequately.

Authority: Data Protection Authority of Baden-Wuerttemberg

Link
Country: Germany
Organization: Huge rental company
Sector: Private Sector
Amount: 15 fines of between 6.000 € and 17.000 €
Date: 01.10.2019
INPLP Partner: Derra, Meyer & Partner
Art. 5 GDPR, Art. 25 GDPR Non-compliance with the principles of data processing

The Berlin Data Protection Authority fined a company between 6,000 and 17,000 euros in 15 specific individual cases for the improper storage of personal data of tenants. (Press release 711.412.2, 5 November 2019, Berlin Commissioner for Data Protection, www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PR-Translation-Fine_DW.pdf)

Authority: Data Protection Authority of Berlin

Link
Country: Germany
Organization: Food Delivery Service Company
Sector: Business Sector
Amount: 195.407 €
Date: 19.09.2019
INPLP Partner: Derra, Meyer & Partner
Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR Failure to comply with the rights of the data subjects

According to the investigations of the Berlin Data Protection Authority, a company had not erased the accounts of former customers in ten cases, although these data subjects had not been active on the company's delivery service platform for years - in one case for about 10 years. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. One data subject, who had expressly objected to the use of his data for advertising purposes, nevertheless received a further 15 advertising e-mails from the company. In five further cases, the company did not provide the data subjects with the necessary information, or did so only after the intervention of the Berlin Data Protection Authority.

Authority: Data Protection Authority of Berlin

Link
Country: Germany
Organization: Police Officer
Sector: Private Sector
Amount: 1.400 €
Date: 09.05.2019
INPLP Partner: Derra, Meyer & Partner
Art. 6 GDPR Insufficient legal basis for data processing

Using his official user ID, but without reference to official duties, a police officer used the Central Traffic Information System of the Federal Motor Transport Authority to query the owner data of the license plate of a person he did not know well. After that, he carried out a query with the Federal Network Agency, in which he queried the personal data and the house and mobile phone numbers stored there. Using this mobile phone number, he contacted the person by telephone. He did all this without official justification or consent from the injured party. Through queries for private purposes and the use of the phone for private contact, the police officer processed personal data on his own responsibility. This violation is not attributable to the police officer's office, as he committed the offence exclusively for private purposes and not in the exercise of his official duties. The prohibition of punishment in Sect. 28 of the respective Local Data Protection Act (Landesdatenschutzgesetz - LDSG), according to which the sanctions of the GDPR cannot be imposed on public authorities, therefore does not apply in this case.

Authority: Data Protection Authority of Baden-Wuerttemberg

Link
Country: Germany
Organization: Private Bank
Sector: Private Sector
Amount: 50.000 €
Date: 01.03.2019
INPLP Partner: Derra, Meyer & Partner
Art. 6 GDPR Inadequate legal basis for data processing

The fine was imposed on a bank which had unlawfully processed "personal data of all former customers". The bank admitted that it kept data on former customers in order to maintain a black list, so that it would not provide these persons with a new bank account. Initially, the bank justified this with reference to the German Banking Act, which requires security measures against customers suspected of money laundering. The Berlin Data Protection Authority held this to be illegal. It argued that only those who are actually suspected of money laundering, or for whom there are other valid reasons for refusing a new account, may be included in such a file. At the moment, it is unclear whether the fine proceedings have been legally concluded.

Authority: Data Protection Authority of Berlin

Country: Germany
Organization: Private person
Sector: Private Sector
Amount: 2.500 €
Date: 05.02.2019
INPLP Partner: Derra, Meyer & Partner
Art. 6 GDPR, Art. 5 GDPR Insufficient legal basis for data processing

The fine was imposed against a private individual who sent numerous e-mails within 3 months in 2018 in which the personal e-mail addresses of all recipients were visible, so that each recipient could read countless other recipients' addresses. The man was accused of ten offences, and between 131 and 153 personal e-mail addresses were identifiable in his mailing list.

Authority: Data Protection Authority of Sachsen-Anhalt

Link
Country: Germany
Organization: Small shipping company
Sector: Business Sector
Amount: 5.000 €
Date: 23.01.2019
INPLP Partner: Derra, Meyer & Partner
Art. 28 of the GDPR Violation of Art. 28 GDPR

The controller lacked an agreement on data processing with the Spanish service provider. Report according to the following website (no official statement): www.heise.de/newsticker/meldung/DSGVO-5000-Euro-Bussgeld-fuer-fehlenden-Auftragsverarbeitungsvertrag-4282737.html

Authority: Data Protection Authority

Additional Information:

No official statement: www.heise.de/newsticker/meldung/DSGVO-5000-Euro-Bussgeld-fuer-fehlenden-Auftragsverarbeitungsvertrag-4282737.html

Country: Germany
Organization: Unknown
Sector: Private Sector
Amount: 20.000 €
Date: 01.12.2018
INPLP Partner: Derra, Meyer & Partner
Art. 83 (4) a) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR Failure to comply with the obligation to provide information

A personal data breach (Art. 4 Subsect. 12 GDPR) was not notified in time (Art. 33 GDPR), and the affected data subjects were also not informed (Art. 34 GDPR).

Authority: Data Protection Authority of Hamburg

Link
Country: Germany
Organization: Social Media Chat Platform
Sector: Private Sector
Amount: 20.000 €
Date: 21.11.2018
INPLP Partner: Derra, Meyer & Partner
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

After a hacker attack in July, the personal data of approximately 330,000 users, such as passwords and e-mail addresses, became known. The controller notified this personal data breach (Art. 4 Subsect. 12 GDPR) to the respective data protection authority in accordance with Art. 33 GDPR and also cooperated with the authority. Due to the cooperation and conduct of the controller, the fine was only 20.000,00 €.

Authority: Data Protection Authority of Baden-Wuerttemberg

Link
Country: Germany
Organization: Unknown
Sector: Private Sector
Amount: 118.000 €
Date: Unknown
INPLP Partner: Derra, Meyer & Partner
Art. 6 GDPR Insufficient legal basis for data processing

Unlawful disclosure of personal data to third parties via social media.

Authority: Data Protection Authority of Saarland

Link
Country: Norway
Organization: Public Roads Administration of Norway
Amount: 367.000 € (NOK 4.000.000)
Authority: Norwegian Data Protection Authority (Datatilsynet)
INPLP Partner: Gjessing Reimers
Art 17 GDPR, Art 25 GDPR The public roads administration had failed to comply with its obligations under the GDPR Article 17 (Right to erasure)

The public roads administration of Norway is the controller for a system processing and storing personal data from the toll road systems of Norway, i.e. data collected when different identifiable vehicles pass the public toll stations. This information is then used for billing the owners of the vehicles. Under the Norwegian accounting rules, personal data pertaining to customer invoicing must be stored for 5 years after the end of the accounting year; however, the public roads administration had not deleted any personal data from its system upon expiry of the 5-year term, as the data system used for the processing did not have functionality for deletion. The public roads administration had therefore failed to comply with its obligations under GDPR Article 17 (Right to erasure), as well as having failed to implement functionality in the data solution that would allow such deletion, in violation of GDPR Article 25 (Data protection by design and by default). The public roads administration has been threatened by the DPA with a fine of NOK 4,000,000. It has been given a deadline until 23 March 2020 to give its account, after which the DPA will make a final decision in the case.

Country: Slovakia
Organization: The town of Rajecké Teplice
Sector: An independent territorial self-governing and administrative unit of the Slovak Republic
Amount: 10.000 €
Date: 24.01.2020
Art. 5 par. 1 letter a) GDPR Art. 5 par. 1 letter e) and art. 5 par. 2 GDPR Art. 12 par. 1 GDPR Art. 13 par. 2 letter b) GDPR The Controller processed personal data in an illegal manner, kept camera recordings for longer than the time he had set, did not provide the data subjects with information pursuant to Art.13 GDPR in connection with the camera information system.

The Controller also does not provide the data subject with information on the right to object to the processing of personal data.

The Controller illegally processed the personal data of the persons concerned by means of a camera information system, while at the time of the inspection it did not prove the fulfillment of at least one of the conditions of lawful processing according to Art. 6 par. 1 GDPR.

The Controller has kept the camera recordings for longer than the period specified in the security documentation, without proving the need to extend the retention period of the camera recordings.

At the time of the inspection, the Controller did not provide the data subjects with information pursuant to Art.13 GDPR in connection with the camera information system in a sufficiently transparent, comprehensible and easily accessible form, formulated clearly and simply.

The controller in relation to the camera information system does not provide the data subject with information on the right to object to the processing of personal data concerning him, which is carried out on the basis of Art. 6 par. 1 letter e) GDPR.

Additional Information:

The controller uses a camera system to capture the premises of the municipal office and public spaces. The purpose of operating a camera information system is to protect public order and security, detect crime, protect company property or the health of people in the monitored areas.

Fine measures:

  • perform an analysis in order to determine the retention period of camera recordings in accordance with Art. 5 par. 1 letter e) GDPR
  • duly justify the individual retention period of camera recordings and update its internal security policy for the processing of personal data
  • to update its information obligation, including the indication of the right to object pursuant to Art. 21 GDPR against the processing of personal data by the controller's camera information system
Country: Slovakia
Organization: Slovak Fishermen's Association, Municipal Organization of Žilina
Sector: Civic association - provides on water surfaces of fishing grounds proper breeding, refinement, protection of fishes and fishing as whole
Amount: The Authority did not impose a measure to remedy the identified deficiencies. The Authority did not impose a fine, but instead reprimanded the controller for the breach of the principle of legality.
Date: 24.01.2020
Art. 5 par. 1 letter a) GDPR The controller published personal data of the proposer without given consent of the proposer

Violation of the principle of legality under Art. 5 par. 1 letter a) GDPR, which the controller committed by publishing on the website www.srzmsozilina.sk, via the Minutes of the controller's committee meeting of 22.11.2018, in the period from 15.12.2018 to 02.01.2019, the personal data of the proposer without a legal basis.

Additional Information:

The Authority did not impose a fine, instead reprimanded the controller for the breach of the principle of legality.

The Controller published on its website the personal data of the proposer in the scope of name, surname and the information that a report had been submitted to the proposer, while the proposer had not given consent to such processing.

Country: Slovakia
Organization: BeMi real estate agency, s.r.o. as the controller, processor of BeMi real estate agency, s.r.o.
Sector: Real estate agency operating on the real estate market throughout Slovakia
Amount: 2580 €
Date: 27.01.2020
Art. 5 par. 1 letter f) GDPR Art. 33 GDPR The processor has violated the principle of data confidentiality and the controller has breached the obligation under Art. 33 GDPR to report the breach of personal data.

The processor violated the principle of data confidentiality according to Art. 5 par. 1 letter f) GDPR because it unlawfully disclosed the personal data of the three persons concerned on 25.03.2019 for approximately 20 minutes on websites such as www.realitybemi.sk, www.nehnutelnosti.sk and www.bazar.sk.

The controller has breached the obligation under Art. 33 GDPR to report the breach of personal data protection to the Authority as a supervisory body without undue delay and, if possible, within 72 hours after becoming aware of the above-mentioned disclosure of personal data on the Internet.

Additional Information:
  • The Authority imposed a fine of 480 € against the processor.
  • The Authority imposed a fine of 2100 € against the processor.

While viewing the advertisement for the sale of a family house in Volkovce on the website www.bazar.sk, the submitter of the complaint discovered at 20:00 on March 25, 2019, in the photo gallery, a published part of the proposal for entry in the real estate cadastre.

That part of the published proposal contained the personal data of the three persons concerned in the scope of name, surname, maiden name, date of birth, birth number, permanent residence address and nationality.

The document in question was automatically published at www.realitybemi.sk and www.nehnutelnosti.sk and others at the time.

Country: Slovakia
Organization: TESCO STORES SR, a.s.
Sector: A chain of hypermarkets and department stores
Amount: 10.000 €
Date: 19.12.2019
INPLP Partner: Bukovinský & Chlipala
Art. 12 par. 3 GDPR The proposer's request concerning the exercise of the right of access to his personal data was not complied with within the time limit set in the GDPR.

The controller violated Art. 12 par. 3 GDPR by failing to comply with the request of the proposer as a data subject submitted by e-mail to otazky@sk.tesco-europe.com on 16.07.2018 regarding the exercise of the right of access to his personal data within the time limit set in the GDPR, without processing the data subject's request within one month of receipt of the request.

Additional Information:
  • The Controller is obliged to ensure that the requests of data subjects concerning the processing of personal data are processed in accordance with the principles set out in Art. 5 GDPR, within the period under Art. 12 par. 3 GDPR.
  • The controller is obliged to ensure that the persons concerned are provided with correct and up-to-date personal data in requests for access to personal data.
  • The Controller did not fulfil the legal obligation to inform the proposer, within one month from the submission of the application, about what information the controller processes about him.
  • The content of the proposer's request was what personal data are being processed about him, what the list of third countries is to which his personal data have been provided, and what the legal basis is for the processing of his personal data.
Country: Slovakia
Organization: The town of Rajec
Sector: An independent territorial self-governing and administrative unit of the Slovak Republic
Amount: 9.000 €
Date: 03.12.2019
INPLP Partner: Bukovinský & Chlipala
Art. 5 par. 1 letter a) GDPR Art. 5 par. 1 letter e) GDPR In the record of processing activities, the controller did not specify the legal basis for the processing of personal data by the camera information system.

Infringement of the principle of minimization, when at the time of the inspection controller kept the personal data of the data subjects longer than it was necessary in relation to the purpose of processing.

The controller violated the principle of transparency under Art. 5 par. 1 letter a) GDPR, committed at the time of the inspection (26.09.2018), in that in the record of processing activities the controller did not specify the legal basis for processing personal data by the camera information system. The controller also did not provide information on the monitoring of data subjects at the point of entry into the area monitored by the camera information system.

The controller violated the principle of minimization according to Art. 5 par. 1 letter e) GDPR, in that at the time of the inspection it kept the personal data of the data subjects for longer than was necessary for the purpose of the processing.

Additional Information:
  • The controller must provide information pursuant to Art. 13 GDPR, within 10 days from the date of entry into force of the decision, to the data subjects no later than the moment of their entry into the monitored premises; otherwise the Authority will ban the processing of personal data pursuant to Art. 58 par. 2 letter f) GDPR.
  • The controller uses a camera system to capture the premises of the municipal office and public spaces. The purpose of operating a camera information system is to protect public order and security, detect crime, protect company property or the health of people in the monitored areas.

Country: Slovakia
Organization: The town of Tesáre
Sector: An independent territorial self-governing and administrative unit of the Slovak Republic
Amount: 2.500 €
Date: 07.01.2020
INPLP Partner: Bukovinský & Chlipala
Art. 5 par. 1 letter a) GDPR The controller published the birth number without the existence of a legal basis in the minutes of the regular meeting of the Municipal Council in Tesáry

In connection with the conclusion of the donation contract between the controller and the data subject, the controller published the birth number without the existence of a legal basis in the minutes of the regular meeting of the Municipal Council in Tesáry held on 03.12.2018, which were on the official board of the controller from 06.12.2018 to 20.12.2018 and on the website of the operator www.tesare.sk from 08.12.2018 at least until 24.07.2019.

Country: Slovakia
Organization: Social Insurance Agency in Slovakia
Sector: The Social Insurance Agency in Slovakia was founded on 1 November 1994 by Act No. 274/1994 Coll. as a statutory institution to administer sickness insurance and pension security, thus replacing its predecessor, the National Insurance Institution.
Amount: 50.000 €
Date: 13.06.2019
INPLP Partner: Bukovinský & Chlipala
Art. 24 par. 1 GDPR Art. 32 par. 1 and 2 GDPR The Social Insurance Agency in Slovakia violated the proposer's right to protection of his personal data by sending personal data of applicants to the address of the social insurance holders of the EU member states via Slovenská pošta.

The Social Insurance Agency in Slovakia violated the proposer's right to protection of his personal data by sending the personal data of applicants, including data related to health, identifiers assigned for individual identification in information systems and data related to economic and social identity, to the address of the social insurance holders of the EU member states via Slovenská pošta, a.s. These were always sent as a Class 2 letter-post item and not as a registered item, which provides a higher level of protection for the personal data processed. The controller therefore had not taken appropriate measures to ensure a level of security commensurate with the risk to the rights of data subjects, having regard to the scope and content of the personal data processed and the nature of their processing.

Additional Information:

The proposer found that the controller violated the protection of his personal data, in particular by sending sensitive documents concerning his person, specifically the consignment "Application for a foreign invalidity pension", by ordinary (not registered) post, i.e. without any confirmation of shipment, without a delivery number and without any guarantee that the shipment would be delivered in order and not lost or misused by a third party.

In the specific case, the consignment was sent to Denmark. The consignment contained a large amount of the insured's personal data, including data on his health, data on the course of employment, income, as well as personal data of family members. This shipment was lost during delivery.

The Controller is to take organizational measures to ensure that the personal data of applicants for disability pensions from the social insurance of EU member states, which the controller sends to the relevant social insurance holders by letter via Slovenská pošta, a.s., will be sent as a registered item.

Link
Country: Slovakia
Organization: The municipality of Horné Plachtince
Sector: The basic role of the municipality in the exercise of self-government is to care for the versatile development of its territory and the needs of its inhabitants
Amount: 4.000 €
Date: 09.08.2019
INPLP Partner: Bukovinský & Chlipala
Art. 5 par. 1 letter a) GDPR Without the existence of a legal basis, the controller published the birth number of the two data subjects on the website www.horne-plachtince.eu

Without the existence of a legal basis, the controller published on the website www.horne-plachtince.eu the birth numbers of two data subjects, in the form of a scan of an exchange contract for land owned by the controller dated 21.11.2017 (birth number published from 21.11.2017 to 18.01.2019) and of a purchase contract dated 25.09.2019 (birth number published from 25.09.2018 to 20.10.2018).

Additional Information:

From the date of validity of the decision, the Controller is obliged to process the personal data of the data subjects by publishing them on the website exclusively where a legal basis within the meaning of Art. 6 par. 1 GDPR exists.

Country: Slovakia
Organization: Aukčný Dom, s.r.o.
Sector: A company specializing in the organization and implementation of voluntary auctions and in providing a comprehensive solution for out-of-court and judicial debt collection.
Amount: 3.000 €
Date: 04.11.2019
INPLP Partner: Bukovinský & Chlipala
Art. 5 par. 1 letter a) GDPR Aukčný Dom, s.r.o., in the processing of personal data of proposers, violated the principle of legality by publishing photographs of pictorial portraits

Aukčný Dom, s.r.o., in the processing of personal data of the proposers, violated the principle of legality under Art. 5 par. 1 letter a) GDPR in that, in the course of its activity as an auctioneer, it processed the personal data of the proposers in the position of the controller pursuant to Art. 4 par. 7 GDPR as follows: when advertising the auction of real estate registered on title deed no. 1328, it published from 02.10.2018 to 10.12.2018 on the website www.aukcnydom.eu photographs of the interior of the auctioned real estate which included pictorial portraits of the proposers placed in that interior, thereby publishing and disseminating the personal data of the proposers via the Internet without meeting any of the conditions for lawful processing under Art. 6 par. 1 GDPR.

Country: Italy
Organization: Italian Data Protection Authority
Sector: Università degli studi di Roma "La Sapienza" (university)
Amount: 30.000 €
Date: 23.1.2020
INPLP Partner: R&P Legal
Art. 32 of GDPR This fine concerns insufficient technical and organisational measures to ensure information security

In December 2018, Università degli studi di Roma "La Sapienza" notified the Italian DPA of a data breach concerning the disclosure of personal data processed through the platform that the data controller was using for the handling of whistleblowing reports. According to the Italian DPA, the data breach occurred because the platform used by the University did not provide sufficient technical measures for access control, which would have made it possible to limit access to authorised parties in possession of authentication credentials and a specific authorisation profile.

Link
Country: Italy
Organization: Italian Data Protection Authority
Sector: Azienda Ospedaliero Universitaria Integrata di Verona (hospital)
Amount: 30.000 €
Date: 23.1.2020
INPLP Partner: R&P Legal
Art. 5 par. 1 lett. f) and 9 of GDPR This fine concerns insufficient technical and organisational measures to ensure information security

In May 2019, the Hospital notified the Italian DPA of a data breach due to the unlawful conduct of some employees who, without the necessary authorization, had accessed the health records of colleagues who were also patients of the Hospital. The investigations carried out by the Italian DPA showed that the technical and organizational measures adopted by the Hospital for patients' dossiers were not suitable to ensure adequate protection of patients' personal data and to protect them from unauthorized access, thus leading to unlawful data processing.
According to the Italian DPA, the violations could have been avoided if the data controller had applied the Guidelines on Health Data published by the Authority in 2015, which established that access to patients' health data should be allowed only to personnel directly involved in the patient care process, through personal authorization profiles.

Link
Country: Italy
Organization: Italian Data Protection Authority
Sector: R.T.I. - Reti Televisive Italiane S.p.A. (television company)
Amount: 20.000 €
Date: 6.2.2020
INPLP Partner: R&P Legal
Art. 5 par. 1 lett. a) of GDPR This fine concerns the violation of principles of lawfulness and fairness of data processing

The Italian DPA fined R.T.I. after having received a complaint regarding the broadcasting of a documentary about prostitution in Switzerland, in which the identity of the claimant was not sufficiently anonymized.
In determining the amount of the fine, the Italian DPA took into account: (i) the seriousness of the infringement, having regard to the particular nature of the data processed, relating to the sexual practices of the data subject, and the general context of the documentary; and (ii) the circumstance that no measures had been taken to ensure the anonymity of the claimant in a proper way, such as the alteration of the voice and the omission of certain specific personal references.

Link
Country: Slovakia
Organization: POP Akadémia - Pokora Odvaha Pokoj
Sector: Academy focusing on the creation of programs for children - sports, cultural and environmental programs for children both in the school environment and outside the school environment.
Amount: 0 €
Date: 17.06.2019
INPLP Partner: Bukovinský & Chlipala
Art. 5 par. 1 letter a) GDPR The controller did not provide the necessary information in the scope of Art. 13 GDPR when obtaining the personal data. The controller continued to publish the photograph after the proposer had withdrawn consent to its publication.

On 24 August 2018, the proposer found out that the controller was violating the protection of the personal data of the proposer's son by publishing his photograph, to which the proposer had not given consent. On August 24, 2018, the proposer, by e-mail sent to popakademia@gmail.com, asserted the right to erasure against the controller (the proposer requested immediate deletion of the photo). This was repeated several times without a response from the controller. Subsequently, on September 27, 2018, the proposer notified the controller by e-mail that it had not complied with her multiple requests to remove the photo of her son. On October 5, 2018, the proposer filed a complaint addressed to the Office for Personal Data Protection of the Slovak Republic.

Additional Information:

On 16 April 2019, the photograph of the proposer's son was removed within the Facebook network, which also deleted the photograph of the data subject from the official website of the controller, and therefore the Authority did not consider it justified to impose measures to eliminate the identified deficiencies.

Measures:
The controller is obliged to ensure, in accordance with the principle of transparency, that all data subjects from whom it obtains personal data are provided with the necessary information within the scope of Art. 13 GDPR.

Country: Slovakia
Organization: Stavebné bytové družstvo Trenčín
Sector: It offers comprehensive management of apartments, non-residential and common areas in residential or multifunctional houses. As the largest administrator in Trenčín, it has been operating on the market of flats and non-residential premises management for
Amount: 0 €
Date: 10.01.2020
INPLP Partner: Bukovinský & Chlipala
Art. 5 par. 1 letter a) GDPR Without a legal basis, the controller enabled the proposer's surname in connection with the information "returned stamps for action and refunded court fee", which was subsequently delivered by the controller to 32 owners of flats and non - residential pre

In the second half of May 2019, without a legal basis, the controller stated the proposer's surname, in connection with the information "returned stamps for action and refunded court fee", in the document entitled "Creation and drawing of the operation, maintenance and repair fund (FPÚO) year 2018", posted on the notice board at the entrance to the apartment building; the document was subsequently delivered by the controller to 32 owners of flats and non-residential premises.

Additional Information:

Taking into account the gravity, duration, number of data subjects (exclusively the proposer), the category of personal data concerned by the breach (ordinary personal data) and the fact that the controller did not obtain any pecuniary benefit, the Authority did not impose a fine.

Measures:
The controller is obliged, in accordance with the principle of legality, to process personal data, in particular to make them available exclusively in the existence of a legal basis within the meaning of Art. 6 par. 1 GDPR.

Country: Slovakia
Organization: O2 Slovakia, s.r.o.
Sector: Company providing mobile services and mobile data transmissions
Amount: 0 €
Date: 05.09.2019
INPLP Partner: Bukovinský & Chlipala
Art. 6 par. 2 letter b) GDPR Art. 6 par. 2 letter i) GDPR Controller was creating the orders via the controller's website by pre-filling the consents to send the marketing offers.

Until April 27, 2018, when obtaining the consent of data subjects for the purpose of sending marketing offers of partners of O2 Slovakia, s.r.o. and of sending marketing offers from O2 Slovakia, s.r.o. using operational and location data, the controller created orders via its website with the consents to send the said marketing offers pre-filled, not allowing the data subjects to actively grant consent, thus limiting the right of the data subjects to decide on the processing of their personal data by a free and explicit expression of will.

Additional Information:

Measure:
The Authority did not impose a corrective measure because the controller had removed the pre-filled consent field for sending marketing offers on 27.04.2018.

Country: Slovakia
Organization: Odborné učilište
Sector: The school is intended for children who have finished the 9th class of compulsory education in a Specialized Primary School or Primary School. It is focused on specialized classes or on individually integrated pupils with special educational needs.
Amount: 0 €
Date: 24.09.2019
INPLP Partner: Bukovinský & Chlipala
Art. 5 par. 1 letter a) GDPR Art. 9 par. 1 GDPR The controller published the proposer's personal data in the scope of name, surname and address. The controller did not designate or disclose the contact details of the data protection officer, nor did he notify them to the Authority.

The controller, in the position of the proposer's employer, asked the doctor for information, namely a prognosis of when she expected the proposer's incapacity for work to end. The controller received a document containing the proposer's personal data relating to health, to the extent of an extract from the medical file, whereby the controller performed an operation to obtain personal data relating to health which did not meet any of the conditions for lawful processing under Article 6 par. 1 GDPR, nor any of the processing conditions under Article 9 par. 2 GDPR.

Additional Information:

The proposer had been unable to work since 27.02.2018. In that regard, her employer contacted the proposer's district doctor with a written request for information on when she expected the proposer's incapacity for work to end.

Measures:
The Authority reprimanded the Controller that the processing operation used for the collection of personal data related to the health of the proposer violated Art. 5 par. 1 letter a) GDPR and Art. 9 par. 1 GDPR.

The Authority did not impose a measure on the controller to reconcile the processing operation with the GDPR, nor did it impose a fine for violation of the provisions of the GDPR, as the controller after receiving the proposer's medical documentation decided to shred it on 22.10.2018.

Country: Slovakia
Organization: FIN, spol s.r.o.
Sector: Company engaged in the manufacture and sale of confectionery, bakery and other products
Amount: 7.000 €
Date: 22.05.19
INPLP Partner: Bukovinský & Chlipala
Art. 5 par. 1 letter f) GDPR Art. 33 GDPR The controller violated the principle of confidentiality by unauthorized processing and access to the personal data of the data subjects.

The controller violated the principle of confidentiality: in January 2019, while disposing of personal data of data subjects in paper form (such as photocopies of loan agreements and of official documents such as ID cards, birth certificates and passports) during the liquidation of its Elektro store and the removal of waste to the collection yard in the village of Strečno, the controller allowed unauthorized processing of and access to the personal data, which violated the security of the processing of the data subjects' personal data. The controller also did not comply with its obligation to report the breach to the Authority without undue delay and, where feasible, within 72 hours, in accordance with Article 33 GDPR.

Additional Information:

On February 5, 2019, the Authority received an e-mail from a person who had found the accounting documents of the company FIN, spol. s.r.o. During a quick review of the discarded documents, he discovered, among other things, the company's contracts with citizens, its clients; these contracts contained the citizens' personal data, including their birth numbers.

Measures:
The Authority imposed on the controller a measure under which the controller is obliged, in accordance with Art. 32 GDPR, to take appropriate organizational measures establishing the procedure for persons acting on its behalf (employees) when reviewing unneeded paper documents and disposing of the personal data on them, and to instruct them in that procedure.

Country: Czech Republic
Organization: One of the largest e-shops in Czech Republic
Amount: CZK 1.500.000
Date: 03.10.18
pre-GDPR Insufficient technical and organisational measures to ensure information security

The company failed to ensure adequate security of processing, resulting in a leak of personal data of over 735.000 customers.

Link
Country: Czech Republic
Organization: Bank - UniCredit Bank Czech Republic and Slovakia, a.s.
Sector: Private Sector
Amount: CZK 80.000
Date: 2019
Art. 5 (1) a) GDPR, Art. 5 (1) b) GDPR, Art. 5 (1) f) GDPR, Art. 6 (1) GDPR Insufficient legal basis for data processing

The Bank has opened a personal bank account for a person concerned without their consent or knowledge. The bank allegedly had his or her personal data at its disposal because the data subject had access to his or her employer's company account. The bank was not in a position to provide the Czech Data Protection Authority with the documents necessary to prove that the contract with the data subject had been concluded.

Link
Country: Czech Republic
Organization: Online shop with electronics - Alza.cz a.s.
Sector: Private Sector
Amount: CZK 15.000
Date: 2019
Art. 6 (1) GDPR, Art. 7 (3) GDPR, Art. 12 (3) GDPR, Art. 29 GDPR Insufficient legal basis for data processing

The company obtained a copy of the data subject's photographic ID with his/her consent, but did not react to the withdrawal of that consent and continued processing his/her personal data.

Link
Country: Czech Republic
Organization: Natural person (enterpreneur)
Sector: Private Sector
Amount: CZK 25.000
Date: 2019
Art. 5(1) f) GDPR, Art. 5 (2) GDPR, Art. 28 (3) GDPR, Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

The operator of an online game was exposed to multiple DDoS attacks which caused its servers to malfunction. The attacker blackmailed the operator, stating that the attacks would not stop unless he paid. As part of the blackmail, the attacker offered to create an upgraded and better firewall protection for the operator's servers. The operator agreed and paid the attacker. The operator implemented the new code from the attacker, which proved better than the old one, but there was a "backdoor" in the code. The attacker used the backdoor to steal all the players' data from the server and uploaded these details to his website. The Czech Data Protection Authority concluded that the operator did not take proper security measures.

Link
Country: Czech Republic
Organization: Anonymous
Sector: -
Amount: CZK 80.000
Date: 13.05.2019
Article 5 (1) a), b), Article 32 (1) Inadequate legal basis for data processing and inadequate technical and organisational measures to guarantee information security

The Czech Data Protection Authority found that the controller used the personal data of his client without his knowledge to open a bank account and that he had therefore not complied with the purpose of the processing.
Furthermore, the controller did not ensure sufficient control of compliance with the relevant internal rules on personal data.

Link
Country: Czech Republic
Organization: Public service company - employer
Sector: -
Amount: CZK 5.000
Date: 06.05.2019
Art. 15 (1) GDPR Insufficient fulfilment of data subjects rights

Despite his e-mail request, the data controller did not provide his employee with information on the processing of his personal data.

Link
Country: Czech Republic
Organization: Anonymous
Sector: -
Amount: CZK 250.000
Date: 21.05.2019
Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR Non-compliance with general data processing principles

The data were not adequate, relevant and limited to what is necessary for the purposes for which they are processed ('data minimisation'). Furthermore the data were not kept in a form which enables identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation').

Link
Country: Czech Republic
Organization: Anonymous
Sector: -
Amount: CZK 15.000
Date: 28.02.2019
Art. 5 (1) f) GDPR, Art. 28 (3) GDPR Insufficient technical and organisational measures to ensure information security

The data have not been processed in a way that ensures an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical or organisational measures ('integrity and confidentiality'). Furthermore, the controller has not concluded relevant agreements with processors concerning the processing of personal data.

Link
Country: Czech Republic
Organization: Anonymous
Sector: -
Amount: CZK 20.000
Date: 26.02.2019
Art. 15 (1) GDPR Insufficient fulfilment of data subjects rights

Despite their requests, the data controller has not provided the data subjects with information on the processing of their personal data.

Link
Country: Czech Republic
Organization: Car renting company
Sector: Private Sector
Amount: CZK 30.000
Date: 04.02.2019
Art. 5(1) a GDPR Insufficient fulfilment of information obligations

A person rented a car and found out that the car was being tracked by the rental company using GPS, although no information about the tracking had been provided.
The Czech Data Protection Authority found that no information in the sense of Art. 13 GDPR had been provided and that Art. 6 (1) f) GDPR could not be the legal basis in the specific circumstances. The UOOU therefore found a violation of Art. 5 (1) a) GDPR (no legal basis under Art. 6 (1) f) GDPR), for which it imposed the fine.

Link
Country: Czech Republic
Organization: Credit brokerage
Sector: Private Sector
Amount: CZK 30.000
Date: 04.02.2019
Art. 5(1) f GDPR Insufficient technical and organisational measures to ensure information security

Data have not been processed with an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical or organisational measures ('integrity and confidentiality').

Link
Country: Czech Republic
Organization: Employer
Sector: -
Amount: CZK 10.000
Date: 10.01.2019
Art. 6 (1) GDPR Insufficient legal basis for data processing

A former employee of a company requested the deletion of his or her personal information, which had been published on the employer's Facebook page and was still available long after the termination of employment.
The fine was imposed because the employer did not delete the information about the former employee.

Link
Country: Czech Republic
Organization: Association
Sector: -
Amount: CZK 10.000
Date: 25.10.2018
Art. 15 GDPR Insufficient fulfilment of data subjects rights

The person concerned has not been provided with information on the processing of his/her personal data by the controller, despite his/her request.

Link
Country: Czech Republic
Organization: Company - energy distributor
Sector: -
Amount: CZK 40.000
Date: 2019
Art. 6 (1), Art. 29 GDPR Insufficient legal basis for data processing and processing

The controller, as an energy distributor, is obliged under Czech law to provide Czech Television and Czech Radio with information on whom it has concluded electricity supply contracts with. This obligation does not cover personal data of customers who are supplied with gas. Following a complaint from one customer, the controller found out that one employee had transferred the personal data of its customers from its database to Czech Television and Czech Radio without a legal basis for the transfer, because the transfer included personal data of customers who are not supplied with electricity.

Link
Country: Czech Republic
Organization: Provider of social services - Retirement home
Sector: -
Amount: CZK 50.000
Date: 2019
Art. 5 (1), (2), Art. 6 (1), Art. 9 (1), Art. 12 (1), Art. 13, Art. 24, Art. 25, Art. 30 GDPR Insufficient legal basis for data processing and insufficient technical and organisational measures to ensure information security

The controller was unlawfully processing special categories of personal data and birth numbers, and did not ensure an adequate level of security of such personal data.

Link
Country: Czech Republic
Organization: Company
Sector: -
Amount: CZK 10.000
Date: 2019
Art. 6, Art. 17 GDPR Insufficient legal basis for data processing and insufficient fulfilment of data subject rights

The controller processed the personal data of data subjects by publishing data from other official registers on the controller's website, and it was found that the controller was processing some of the data without a sufficient legal basis. Furthermore, the controller did not provide the data subjects with information on the processing of their personal data despite their requests.

Link
Country: Ireland
Organization: TUSLA
Sector: Public Sector
Amount: 75.000 €
Date: 01.05.2020
Art. 5 Accidental disclosure of contact and location data of a mother and child to their alleged abuser

Link
Country: Ireland
Organization: TUSLA
Sector: Public Sector
Amount: 40.000 €
Date: 01.06.2020
Art. 5 Accidental disclosure of contact, location and school information of children in foster care to a grandparent, allowing the grandparent to contact the foster parent about the children

Link
Country: Netherlands
Organization: Dutch DPA
Sector: Royal Dutch Tennis Association : "KNLTB"
Amount: 525.000 €
Date: 03.03.2020
art. 5 GDPR, art. 6 GDPR Insufficient legal basis data processing

The Royal Dutch Lawn Tennis Association (KNLTB) provided sponsors with personal data such as names, gender and addresses so that they could approach a selection of KNLTB members with tennis-related and other offers. One sponsor received the personal data of 50,000 members, the other of more than 300,000. These sponsors approached some of those KNLTB members by post or by telephone. In the opinion of the DPA, the KNLTB had no legitimate interest in selling these personal data. The KNLTB argued that it did have a legitimate interest in selling its members' personal data. However, the DPA concluded that the purely financial interest of the KNLTB was no lawful basis for infringing the basic rights of its members. The members had not given their permission either. The KNLTB lodged an objection to the fine imposed; the objection was decided on by the DPA itself.

Link
Country: Netherlands
Organization: Dutch DPA
Sector: Unknown Organisation
Amount: 725.000 €
Date: 30.04.2020
art. 5 GDPR, art. 9 GDPR Insufficient legal basis for data processing

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the "Dutch DPA") recently imposed a €725,000 fine on a company for the unlawful processing of employees' fingerprints for attendance and time registration purposes. Two derogations would have been available to the company to legitimize the processing of biometric data in this case: (1) explicit consent (Article 9(2)(a) GDPR) and (2) the necessity of the processing for authentication or security purposes (a derogation introduced by the Dutch law implementing the GDPR, the Uitvoeringswet Algemene Verordening Gegevensbescherming). According to the Dutch DPA, the company could not rely on either of these two exceptions:
(1) Employees' consent is generally not considered valid, given the relationship of subordination between employer and employee (i.e., consent would not be freely given). Following its investigation, the Dutch DPA found that many employees had felt obliged to agree to the use of their fingerprints; and
(2) The necessity of the processing for authentication or security purposes can only be relied on when buildings and information systems must be secured in such a way that this cannot be done without the use of biometric data (i.e., biometrics may only be used if no less invasive measures are available). In this case, the Dutch DPA considered that, even though the activities of the company must remain confidential, the use of biometrics for security purposes was not justified.

Link
Country: Netherlands
Organization: Dutch DPA
Sector: Bureau Krediet Registration ('BKR')
Amount: 830.000 €
Date: 06.07.2020
art. 12 GDPR, art. 15 GDPR Insufficient fulfilment of data subjects' rights

The BKR foundation maintains the Dutch central credit information system, which holds information about all Dutch credit registrations and payment records. The DPA received numerous complaints about the BKR's excessive and unreasonably complicated procedures for accessing personal data and initiated an investigation. The DPA took into account the seriousness of the violation, the period of 9 months during which the violations took place and the number of data subjects involved, and, following its fining structure for violations of the GDPR, determined two fines.
The violation of Article 12(2), classified as category III, resulted in a €650,000 fine, and the violation of Article 12(5), classified as category II, in a €385,000 fine. The total fine could not exceed the maximum of €20,000,000 or up to 4% of total global annual revenue in the previous fiscal year, leading to a fine of €830,000 in total.

Link