
The database contains a total of 189 GDPR fines across the EU and beyond that have been submitted so far by rapporteurs.



Columns per entry: Country & Fine Details | Infringement Articles | Reason Overview | Reason Details | Link
Country: Czech Republic
Organization: UniCredit Bank Czech Republic and Slovakia, a.s.
Amount: CZK 80 000
Date: 2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Articles: Art. 5 (1) a) GDPR, Art. 5 (1) b) GDPR, Art. 5 (1) f) GDPR, Art. 6 (1) GDPR
Reason: Insufficient legal basis for data processing

The bank opened a personal bank account for the data subject without their consent or knowledge. The bank allegedly had the person's personal data at its disposal because the data subject had access to their employer's company account. The bank was not in a position to provide the Czech Data Protection Authority with the documents necessary to prove that a contract with the data subject had been concluded.

Authority: Czech Data Protection Authority (UOOU)

Country: Czech Republic
Organization: Natural person (entrepreneur)
Sector: Private Sector
Amount: 980 €
Date: 2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 28 (3) GDPR, Art. 32 GDPR
Reason: Insufficient technical and organisational measures to ensure information security

The operator of an online game was exposed to multiple DDoS attacks, which caused its servers to malfunction. The attacker blackmailed the operator, stating that the attacks would not stop unless the operator paid. As part of the blackmail, the attacker offered to build an upgraded, better firewall protection for the operator's servers. The operator agreed and paid the attacker. The operator deployed the new code from the attacker, which performed better than the old one but contained a "backdoor". The attacker used the backdoor to steal all the data about the players from the server and uploaded these details to his website. The Czech Data Protection Authority concluded that the operator had not taken proper security measures.

Authority: Czech Data Protection Authority (UOOU)

Country: Denmark
Organization: IDdesign A / S
Sector: Furniture
Amount: 200.850 €
Date: 03.06.2019
INPLP Partner: NJORD Advokatpartnerselskab
Articles: Art. 5 (1) e) GDPR, Art. 5 (2) GDPR
Reason: Failure to comply with the principle of storage limitation - Proposed fine

October 2018: The Danish Data Protection Authority completed a planned inspection visit to a furniture company. The inspection focused on storage limitation under Article 5(1)(e) GDPR. The company had implemented a new computer system in several of its furniture stores in Denmark. In three of the stores, however, the old system was still in use, which meant that information on approximately 385,000 customers (names, addresses, telephone numbers, e-mail addresses and purchasing history) was still being processed. The furniture company had not assessed the need for data storage and had not set any retention periods. Consequently, the personal data was never deleted from the old system. The company had set a deadline for the anonymisation of customer information of 912 days (corresponding to the guarantee period). However, the anonymisation deadline had not yet been implemented because the data controller had not sufficiently documented its procedures for deleting the personal data. The Danish Data Protection Authority reported the company to the police and proposed a fine of DKK 1.5 million (approx. EUR 201,000) for non-compliance with the principle of storage limitation, cf. Art. 5(1)(e), as the company had stored the personal data of approx. 385,000 customers for longer than the Danish Data Protection Authority considered necessary. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), fines are imposed by the courts.

Authority: Danish Data Protection Authority (Datatilsynet)

Country: Denmark
Organization: Taxa 4x35
Sector: Taxi business
Amount: DKK 1,2 million
Date: 18.03.2019
INPLP Partner: NJORD Advokatpartnerselskab
Articles: Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR
Reason: Non-compliance with general data processing principles and principles of data minimisation - Proposed fine

In October 2018, the Danish Data Protection Authority notified the police about a taxi company and proposed a fine (of DKK 1.2 million) for non-compliance with the principle of data minimisation. According to the taxi company, the stored personal data of customers should be anonymised after two years. However, the company deleted the names of its passengers from all its records after two years, while the passengers' telephone numbers were deleted only after five years. Information on the consumer behaviour of the customers, including pick-up and drop-off points, could therefore be attributed to a private person up to five years after a taxi trip. The taxi company had registered information on 8,873,333 personally identifiable taxi trips that were older than two years. The taxi company argued that storing its customers' telephone numbers was important as the key for accessing the company's database and for business development. The Danish Data Protection Authority reported the taxi company to the police and proposed a fine of DKK 1.2 million (approx. EUR 160,000). The Danish Data Protection Authority stated that business development was not a legitimate reason to keep personal data for such a long period of time. The Danish Data Protection Authority concluded that a data controller may not set a deletion deadline that is three years longer than necessary simply because the company's system makes compliance difficult. Please note: As Danish law does not provide for administrative penalties as in the GDPR (unless the case is straightforward and the accused person has given consent), penalties are imposed by the courts.

Authority: Danish Data Protection Agency (Datatilsynet)

Country: Greece
Organization: PriceWaterhouseCoopers Business Solutions SA (PWC BS)
Sector: Private / Business Consultancy
Amount: 150.000 €
Date: 26.07.2019
INPLP Partner: Zepos & Yannopoulos
Articles: Article 5 par. 1(a), Article 5 par. 2, Article 6 par. 1(a)
Reason: Unlawful and non-transparent processing of employees' personal data and failure to demonstrate compliance

The fined company had requested the consent of its employees for the processing of their personal data, for the transfer of their personal data to third parties (including customers) and for the use of video surveillance in the workplace. The Greek Data Protection Authority found that PWC BS was in breach of the following provisions:
- Article 5(1)(a) (lawfulness), for unlawfully processing workers' data on the basis of consent, which is not an appropriate legal basis for such processing activities and which, in any event, was not valid because it was not given freely;
- Article 5(1)(a) (fairness and transparency) and Article 6(1)(a), for giving data subjects in dependent employment the false impression that the basis of the processing was consent, although this could not be the case;
- Article 5(2), since compliance could not be demonstrated and the burden of proof was shifted onto the data subjects.

Authority: HELLENIC DATA PROTECTION AUTHORITY

Country: Greece
Organization: Hellenic Telecommunications Organization S.A. (OTE)
Sector: Private / Telecommunications
Amount: 200.000 €
Date: 13.09.2019
INPLP Partner: Zepos & Yannopoulos
Articles: Article 25 par. 3, Article 5 par. 1(d); also non-GDPR: Article 11 of Greek Law 3471/2006 (implementing the ePrivacy Directive)
Reason: Violation of data protection by design and the principle of data accuracy

Article 11 of Law 3471/2006 mandates that every telecoms provider maintains a "subscriber directory" with the numbers of all data subjects who do not wish to receive unsolicited marketing calls. Consequently, companies that wish to make direct marketing calls must exclude these numbers from their lists. Due to a system error, OTE had failed to successfully communicate the entire directory to the marketing companies, with the result that many data subjects who had opted out of marketing received unsolicited promotional calls. Following a series of complaints by individuals, the Hellenic DPA decided to impose an administrative fine due to the high number of data subjects affected (approximately 16,000) and the long duration of the violation (approximately 3 years).

Authority: HELLENIC DATA PROTECTION AUTHORITY

Country: Greece
Organization: Hellenic Telecommunications Organization S.A. (OTE)
Sector: Private / Telecommunications
Amount: 200.000 €
Date: 30.09.2019
INPLP Partner: Zepos & Yannopoulos
Articles: Article 25 par. 3, Article 21 par. 3
Reason: Breach of data protection by design and failure to effectively comply with data subjects' right to object to processing for direct marketing purposes

Following complaints from data subjects, the Greek data protection authority investigated whether OTE had sufficient technical and organisational measures to comply with data subjects' requests not to receive promotional material from OTE. The organisation had an 'unsubscribe' link in the e-mails sent to customers and on its website. However, due to a technical error, even when data subjects clicked the 'Unsubscribe' button their contact details were not removed from the register, and they continued to receive promotional material. As OTE did not have the organisational and security measures necessary to identify and resolve the technical problem, the problem persisted for a long period of time (since 2013) and affected a large number of people (approximately 8,000), and the data protection authority therefore imposed an administrative penalty.

Authority: HELLENIC DATA PROTECTION AUTHORITY

Country: Italy
Organization: Associazione Rousseau - Movimento 5 stelle (Italian political party)
Sector: Public sector - political association
Amount: 50.000 €
Date: 04.04.2019
INPLP Partner: R&P legal
Articles: Art. 32 GDPR
Reason: Insufficient technical and organisational measures

The Rousseau platform, created by the Italian political party "Movimento 5 Stelle" ("5 Stelle"), on which registered users could, among other things, designate candidates for the EU parliamentary election, suffered a data breach in the summer of 2017. This led the Italian data protection authority ("Italian DPA") to require 5 Stelle to implement a number of security measures and to update its privacy information notice, in order to guarantee the transparency of the data processing activities performed. While the privacy information notice was updated in time, the Italian DPA found that the security measures required by the GDPR had not been implemented. In particular, the Italian DPA ascertained that logging was not active for all sections of the Rousseau platform. Moreover, the website was managed through a single system administrator account shared among 5 people, which made it impossible for the data controller to monitor the activities of each person involved in the processing; this was qualified as very serious and unacceptable, considering that these persons could access special categories of personal data, such as data on political opinions. Finally, the security measures aimed at anonymising the activities performed through the e-voting system were also considered inadequate.

Authority: Italian Data Protection Authority

Country: Malta
Organization: Lands Authority
Sector: Public Sector
Amount: 5.000 €
Date: 18.02.2019
INPLP Partner: Malta IT Law Association
Articles: Art. 5 GDPR, Art. 32 GDPR
Reason: Insufficient technical and organisational measures to ensure information security

Due to the lack of necessary security measures on the Lands Authority's website, a local newspaper reported that over 10 gigabytes of personal data had been rendered accessible via a Google search. The data reportedly contained sensitive correspondence between individuals and the Authority itself. In Malta, if a public authority or public body is found to be in breach of data protection laws, the Data Protection Commissioner can impose an administrative fine of up to EUR 25 000 for every violation, in addition to a daily fine of EUR 25 for as long as the violation subsists. In this case the Lands Authority did not appeal the IDPC's decision.

Authority: Office of the Information and Data Protection Commissioner (IDPC)

Country: Malta
Organization: No information available
Sector: Private Sector
Amount: € 19.500
Date: 2018
INPLP Partner: MITLA
Articles: No information available
Reason: No information available

No information available

Country: Malta
Organization: No information available
Sector: No information available
Amount: 10.000 €
Date: 2019
INPLP Partner: MITLA
Articles: No information available
Reason: No information available

No information available

Country: Portugal
Organization: Centro Hospitalar Barreiro Montijo, EPE
Sector: Public Sector
Amount: 400.000 €
Date: 09.10.2018
INPLP Partner: Abreu Advogados
Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Reason: Insufficient technical and organisational measures to ensure information security and violation of the data minimization principle

The public hospital violated the principle of data minimization by granting access to an excessive amount of data and violated the obligation to take appropriate organizational and technical measures.

Authority: Portuguese Data Protection Authority (CNPD)

Country: Portugal
Organization: Car brand
Sector: Private Sector
Amount: 20.000 €
Date: 05.02.2019
INPLP Partner: Abreu Advogados
Articles: Article 15
Reason: Insufficient fulfilment of data subjects' rights

Violation of the data subject's right of access to their personal data. In particular, the data subject was denied access to recorded telephone conversations.

Authority: Portuguese Data Protection Authority (CNPD)

Country: Portugal
Organization: Private Entity
Sector: Private Sector
Amount: 2.000 €
Date: 19.03.2019
INPLP Partner: Abreu Advogados
Articles: Art. 13 GDPR
Reason: Inadequate fulfilment of information obligations

Inadequate fulfilment of information obligations, due to the absence of signage indicating the use of CCTV systems.

Authority: Portuguese Data Protection Authority (CNPD)

Country: Portugal
Organization: Private Entity
Sector: Private Sector
Amount: 2.000 €
Date: 25.03.2019
INPLP Partner: Abreu Advogados
Articles: Art. 13 GDPR
Reason: Insufficient fulfilment of information obligations

Insufficient fulfilment of information obligations, due to the lack of signage indicating the use of CCTV systems.

Authority: Portuguese Data Protection Authority (CNPD)

Country: Portugal
Organization: Deco Proteste Editores, Lda
Sector: Public Sector
Amount: 107.000 €
Date: 06.05.2019
INPLP Partner: Abreu Advogados 
Articles: Art. 6 GDPR
Reason: Inadequate fulfilment of the requirements for sending unsolicited direct marketing communications

Sending unsolicited e-mails for direct marketing and/or advertising purposes without prior consent.

Authority: Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados "CNPD")

Country: Austria
Organization: Austrian Post AG (Österreichische Post AG) Mail service provider
Sector: Private Sector
Amount: 18.000.000 €
Date: 29.10.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Articles: Art. 5 GDPR, Art. 6 GDPR
Reason: Monetary fine because of the inadequate legal basis for data processing

Austrian Post AG had generated profiles of a large number of Austrians. These profiles contained various personal data, in particular their likely party affinities, personal preferences and habits, which were later sold to political parties and companies. The provider claimed that the profiles were merely statistical predictions with no personal reference. The DPA rejected this argument and determined that the processing was in breach of the GDPR. Further violations of data protection law were also found in connection with data on parcel deliveries and data on the frequency of movement of persons used for direct marketing. In connection with this case, a civil court judgement has already been handed down awarding damages of 800 €: the data subject whose party affinity was processed had not given consent to the processing and had not been informed about the data processing by the controller (LG Feldkirch, Urteil v. 07.08.2019 - Az.: 57 Cg 30/19b). The decision is not yet final and the provider has appealed it.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Country: Austria
Organization: A medical ambulatory, whose corporate purpose includes in particular the diagnosis and therapy of allergic diseases
Sector: Private Sector
Amount: 50.000 €
Date: 30.08.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Articles: Art. 7 GDPR, Art. 13, 14 GDPR, Art. 35 GDPR, Art. 37 GDPR
Reason: Monetary fine because of several infringements

The medical ambulatory had violated the obligation to appoint a data protection officer. It obliged the persons concerned to give consent, rendering that consent unlawful, and did not correctly comply with the duty to provide information on several points. Finally, the allergy outpatient clinic did not fulfil, to the necessary extent, its duty to examine whether data protection impact assessments needed to be carried out.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Country: Cyprus
Organization: Archbishop Makarios III Hospital
Sector: Hospital/Health Industry
Amount: 15.000 €
Date: 07.11.2018
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 15, 24 and 32 of the GDPR
Reason: Loss of patient file by the hospital

The patient complained to the Commissioner about the lack of protection of personal data. The complainant did not have access to her medical file from the Archbishop Makarios III Hospital because the file could not be found by the data controller. Following the investigation of the case, the Data Protection Authority imposed an administrative fine of €5,000 on the Archbishop Makarios III Hospital for the loss of a medical file.

Authority: Hospital/Health Industry

Country: Cyprus
Organization: Politis Newspaper
Sector: Newspaper/News publishing
Amount: 10.000 €
Date: 09.01.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Article 5(1)(c) and 6 of the GDPR
Reason: Publication of names and photographs of police investigators at Larnaca Airport by Politis newspaper

A newspaper was fined 10,000 euros for publishing the names and pictures of three police investigators in both electronic and printed form. The Cypriot data protection commissioner considered that it would have been sufficient to publish only the initials of the police officers, or photos in which the three officers could not be identified, for example by blurring their faces.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Country: Cyprus
Organization: Breikot Management Ltd
Sector: News outlet/Publishing
Amount: 13.000 €
Date: 12.04.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Article 5(1)(c) and 6 of the GDPR and Article 29(1) of the local Data Protection Law 125(I)/2018
Reason: Publication of photographs of individuals in the printed edition of the "24h" newspaper

Following the publication of photographs of three (3) of the five (5) complainants in three (3) of the four (4) news articles concerned, the Commissioner ruled that there had been a violation of the principle of data minimisation and that the publication was excessive in relation to the objective pursued, since the news could have been published without the photographs of the complainants. The publication of the photographs did not serve the public interest in information and was not considered necessary under the principle of data minimisation. Furthermore, it did not convey any additional valuable public information. Although the subject is of journalistic interest, the complainants' family business is still entitled to carry out public works, even after the criminal conviction of one of them on a related matter.

Authority: News outlet/Publishing

Country: Cyprus
Organization: Sigma Live Ltd
Sector: Publications/News outlet/Media House
Amount: 5.000 €
Date: 12.04.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Article 6(1)(a) of the GDPR
Reason: Sigma Live Ltd had published and processed the complainant's personal data without their prior consent.

During the media coverage of the abduction of two minor children from their school, a complaint was filed with the DPA against Sigma Live Ltd for showing the complainant in a video originally screened on the SIGMA TV channel and subsequently posted on www.sigmalive.com as well as on the official Sigma Live YouTube account. The complainant was the person who helped identify the perpetrator and the abducted students; despite their expressed wish to remain anonymous, the video did not blur the complainant's face, which was clearly visible, and the complainant was shown and characterised as the "informant" who helped solve the case.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Country: Cyprus
Organization: Altius Insurance Ltd
Sector: Insurance Company
Amount: 4.000 €
Date: 13.03.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Article 6(1)(a) of the GDPR
Reason: Unauthorised SMS advertising material sent to non-customers.

The DPA received 8 complaints from people claiming to have received SMS messages from Altius Insurance Ltd. without their consent and without any prior business relationship with the insurance company. The company stated that the phone numbers used for the broadcast had been randomly generated by a software tool. The Commissioner for Personal Data Protection pointed out that telephone numbers, even if randomly selected, constitute personal data as long as the holder of the telephone number is easily identifiable.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Country: Cyprus
Organization: Skroutz.com.cy
Sector: Marketing Sector
Amount: 3.400 €
Date: 28.03.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Unknown (the full text of the decision is not available, therefore the exact infringed articles are unknown)
Reason: Unauthorised promotional material e-mailed to individuals.

Six people complained to the DPA because they had received promotional e-mails without their consent and/or despite explicit requests not to receive promotional e-mails from the Skroutz.com.cy website. Five of the complainants had asked to stop receiving messages, via the "unsubscribe" link and/or by e-mail to the website moderator, without success. The webmaster provided evidence that one of the complainants had purchased products from the website. However, there was no clear information on how the addresses of the other complainants had been obtained. The webmaster claimed that the complainants had continued to receive messages despite their unsubscribe requests because of a change in the e-mail messaging platform.

Authority: Website

Country: Cyprus
Organization: Democratic Party
Sector: Political Party
Amount: 3.000 €
Date: July - September 2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 6(1)(a) and 21 of the GDPR
Reason: Unauthorised use of direct phone calls to individuals.

Four complainants alleged that the Democratic Party had sent them SMS messages and harassed them by telephone. When the complaints were investigated, it emerged that only telephone harassment had taken place. For two of the complainants, the party had a legitimate interest in using their personal data, since they were members of the political party in question (Article 6(1)(f)). In the case of the other two complainants, the political party had failed to demonstrate the consent of the data subjects under Article 6(1)(a).

Authority: Political Party

Country: Cyprus
Organization: Anonymous individuals
Sector: Unknown
Amount: 2.000 €
Date: July - September 2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 6(1)(a) and 5 of the GDPR
Reason: Unauthorised processing of personal data for purposes other than those originally intended. Unauthorised sending of messages to individuals.

Two complainants alleged that a certain person had sent them greeting messages. As regards the first complainant, the accused had previously been warned and had promised that, although the complainant was on his personal contact list, the complainant would not receive any further greetings. Nevertheless, the first complainant again received a message. In the second case, it was established that the complainant had no personal contact or relationship with the accused and had nevertheless received a greeting message. The complainants' telephone numbers had come into the possession of the accused for another purpose and were then also used to send greetings.

Authority: Unknown

Country: Cyprus
Organization: Auctioneer
Sector: Auctions
Amount: 2.000 €
Date: 12.09.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 6(1)(a) and 6(4) of the GDPR
Reason: Breach of personal data by auctioneer

The complainant claimed that a certain auctioneer had called them and offered to find a buyer for a property for which an auction had already been initiated under the legislation. This auctioneer was not the designated auctioneer.

Authority: Auctions

Country: Cyprus
Organization: City Councilor of Aglantzia Municipality
Sector: Municipality
Amount: 1.000 €
Date: 25.09.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 5(1)(b) and 6(1)(a) of the GDPR
Reason: Unauthorised processing of personal data by City Councilor

Employees of the municipality noticed that a list of their personal data (such as names, jobs and pay slips) had been leaked and distributed both in public places (e.g. a café) and in places used by municipal officials (e.g. warehouses, canteens, etc.). The leak had a negative impact on the complainants, as the disclosure of their data, and especially their pay slips, led to gossip and mockery by villagers and others. The City Council's act of handing the list over to an administrator of the Water Department for his own use amounted to further processing that did not correspond to the original purpose of the list, which was for the City Council to discuss, in one of its meetings, the workers who were to be transferred to the Nicosia Water Department.

Authority: Municipality

Country: Cyprus
Organization: Individual Doctor
Sector: Health Professional/Medical services
Amount: 14.000 €
Date: 06.09.2019
INPLP Partner: tassos papadopoulos & associates LLC
Articles: Articles 9(1) and 9(2)(a) of the GDPR
Reason: The posting of sensitive personal data of a patient by a doctor on Instagram

The complainant alleged that her doctor had published and/or shared her personal data on Instagram without her consent. After investigating the complaint, the DPA found that the publication was not in line with the purpose of the consent given by the complainant, since her identity had been fully disclosed.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Country: Norway
Organization: Oslo Municipality
Sector: Public services
Amount: 51.000 €
Date: 11.10.2019
INPLP Partner: Gjessing Reimers
Articles: Art. 32 GDPR
Reason: Monetary fine

From 2007 to November 2018, 19 nursing homes operated by the Municipality of Oslo stored patient data outside the patient record system, in the form of work lists describing the medical needs of the residents (i.e. patient data). The violation of the Data Protection Act was reported to the authority by the Municipality of Oslo as data controller. The fine was calculated according to the practice under the former Norwegian Personal Data Act.

Authority: Norwegian Data Protection Authority (Datatilsynet)

Country: Norway
Organization: Bergen Municipality
Sector: Public services
Amount: 170.000 €
Date: 18.03.2019
INPLP Partner: Gjessing Reimers
Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Reason: Failure to implement sufficient measures to ensure information security

The municipality had taken only minor security precautions to protect its computer systems. As a result, personal data of more than 35,000 people became publicly available. At a few schools, anyone could access information about the staff, students and employees of the school. Furthermore, the municipality had previously received warnings about the weakness of its security measures but did nothing about them.

Authority: Norwegian Data Protection Authority (Datatilsynet)

Country: The Netherlands
Organization: Haga Hospital
Sector: Hospital
Amount: 460.000 €
Date: 18.06.2019
INPLP Partner: Cordemeyer & Slager
Articles: Art. 32 GDPR
Reason: Lack of technical and organizational measures to ensure information security

An investigation by the Dutch data protection authority found that Haga Hospital lacked adequate internal security for patient files. The investigation was opened after it was found that dozens of hospital staff had unnecessarily accessed the medical records of a well-known Dutch person. To compel the hospital to improve the security of patient files, the AP is at the same time issuing a penalty order: if Haga Hospital has not improved security before 2 October 2019, the hospital will have to pay 100,000 euros every two weeks, up to a maximum of 300,000 euros. Haga Hospital has meanwhile taken measures.

Authority: Dutch Supervisory Authority for Data Protection (AP)

Country: Slovakia
Organization: Dopravný podnik Bratislava, joint stock company
Sector: The only public transport provider in the city of Bratislava; in addition to public transport, it also operates suburban lines and regular international bus lines. DPB operates trolleybus, bus and tram services.
Amount: 1.000
Date: 06.02.2019
Articles: Article 15 sections 1 and 3 of the GDPR, in conjunction with Article 12 of the GDPR
Reason: Failure to comply with the proposer's request to exercise their right of access to their personal data processed through audiovisual recording media and to provide a copy thereof

After examining the complete file, in particular the proposer's submission and the parties' observations, the Office found that DP, as the controller processing the personal data of the persons concerned by monitoring them through audio or video recording in public transport vehicles, infringed Article 15 sections 1 and 3 by failing to comply with the request that the proposer, as a data subject, submitted by e-mail on 18.06.2018 and again on 14.07.201 to exercise the right of access to his personal data, thereby violating the proposer's right of access to personal data.

Additional Information:

The Office states that the amount of the fine reflects the fact that the infringement concerned only one data subject; the Office did not find any repeated violation of GDPR provisions towards another data subject in relation to the processing of passengers' personal data by audio or video recording. DP cooperated with the Office, which acts as the supervisory body. Taking into account these circumstances, which the Office assessed individually and in their mutual relationship, the Office imposed a fine of EUR 1000 on the DP operator. In the light of all the circumstances of the case, the Office considers the fine to be appropriate in both its punitive and its preventive function.

Country: Slovakia
Organization: FERPLAST SLOVAKIA, Limited Liability Company
Sector: The company specializes in the production of pet supplies for dogs, cats, fish, birds and more
Amount: the personal data proceedings have been suspended
Date: 29.04.2019
Articles: Article 5 section 1 letter f) GDPR
Reason: The company was suspected of having, as the employer of an xy employee, violated the protection of the employee's personal health data.

Having examined the documents submitted by the data controller and on the basis of the facts established during the procedure, the Authority concluded that the procedure did not reveal the alleged infringement of the protection of personal data, which was said to consist in the company FERPLAST SLOVAKIA, l.l.c. making a medical certificate of fitness for work available to employees whose job title did not entitle them to know the personal data to the disputed extent; the Office therefore closed the procedure.

The company FERPLAST SLOVAKIA s.r.o. suspected that as an employer of an xy employee, it had violated the protection of the employee's personal health data by providing the data contained in the medical evaluation of health fitness to the employees of FERPLAST SLOVAKIA s.r.o. with a job title that does not entitle them to know this information. After examination of the documents submitted by the data controller (instruction protocol of the entitled person, employment contract, medical opinion), the Office found that the employees had legitimate reasons to acquaint themselves with the personal data within the scope of the medical opinion in question.

Additional Information:

The company FERPLAST SLOVAKIA s.r.o. was suspected of having violated, as the employer of an xy employee, the protection of the employee's personal health data by making the data contained in the medical assessment of health fitness available to employees of FERPLAST SLOVAKIA s.r.o. with a job title that does not entitle them to know this information. After examining the documents submitted by the controller (record of the instruction of the authorized entity, employment contract, medical opinion), the Office found that the employees had legitimate reasons for familiarizing themselves with the personal data within the scope of the medical opinion in question.

Country: Slovakia
Organization: Ministry of Interior of the Slovak Republic
Sector: Central body of state administration for protecting the constitutional system, public order, security of persons and property and more
Amount: The Authority did not impose a measure to remedy the identified deficiencies
Date: 17.04.2019
Article 5 section 1 letter a) GDPR The Office for the Protection of Personal Data dealt with a complaint against the Ministry of the Interior of the Slovak Republic for an alleged violation of the legislation on the protection of personal data.

The Office for the Protection of Personal Data dealt with a complaint against the Ministry of the Interior of the Slovak Republic for an alleged violation of the legislation on the protection of personal data, said to have been committed through the publication of a decision of the Regional Court of Senica, which was made public by public notice. This decision remained published beyond the 15-day period, so the personal data of the person concerned were processed without authorisation (without legal basis). The Ministry of the Interior of the Slovak Republic cooperated with the Office and remedied the deficiencies voluntarily; the Office did not consider it necessary to impose remedial measures on the controller.

Service by public notice shall be effected by posting the document on the official notice board of the administrative body for a period of 15 days, as provided by law. At the same time, the administrative body is obliged to publish the document simultaneously in another customary manner, and the controller chose to publish it on its website as well. The Office is of the opinion that the publication of a decision containing the personal data of the data subject on the website of the controller for a period longer than that specified (15 days) constitutes a breach of Section 9(1) of Law No 122/2013.

Additional Information:

Service by public notice is made by posting the document on the official board of the administrative body for a period of 15 days stipulated by law. At the same time, the administrative body is obliged to publish the document in another usual way, and the controller has chosen to publish it also on the website. The Office considers that the publication of a decision containing the personal data of the data subject on the controller's website for a period longer than the specified period (15 days) constitutes a breach of § 9 par. 1 of Act no. 122/2013.

Country: Slovakia
Organization: Municipality Veľká Lomnica
Sector: The basic role of the municipality in the exercise of self-government is to care for the versatile development of its territory and the needs of its inhabitants
Amount: The Authority did not impose a measure to remedy the identified deficiencies
Date: 11.02.2019
Article 10 section 2 of the Act 122/2013 on personal data protection The municipality of Veľká Lomnica violated the proposer's right to protection against unauthorized disclosure of information about the proposer by publishing a statement containing the proposer's personal information.

The applicant signed a petition addressed to the municipal council of the municipality Veľká Lomnica. The applicant's personal data from the petition and the personal data of other residents were published on the official notice board and on the Municipality's website. The Office considered that the Municipality Veľká Lomnica had violated the law by unlawfully disclosing this information from its information system of the petitioner and other persons, although Act No. 85/1990 does not provide for the purpose of disclosing the personal data of the petition's supporters, nor does it provide for a list of the personal data of the petition's supporters that may be disclosed. The Office has not imposed any measures on the operator to remedy the deficiencies found, since the personal data in question are no longer published.

In the present proceedings, the Office did not agree with the Controller's view that he was obliged under Law No 85/1990 to publish the result of the application as he did. The Office stated that the obligation to publish the result of the application does not affect the obligation arising from a special regulation and thus the obligation under Law No 122/2013 on the protection of personal data. For this reason, the provisions of Law No 85/1990 do not constitute a legal basis that would allow the operator to disclose the personal data of the supporters of the petition contrary to the requirements of Law No 122/2013. Similarly, the Office considered that the right to invite other persons to support the petition by signature and to provide signatures for that purpose in publicly accessible places does not imply the power of an authority to which the petition is addressed to disclose information about the persons supporting it.

Additional Information:

In the present proceedings the Office did not agree with the controller's opinion that it was obliged under Act no. 85/1990 to publish the result of the petition as it did. The Office stated that the obligation to disclose the outcome of the petition is without prejudice to the obligation under a special regulation, and therefore to the obligation under Act no. 122/2013 on personal data protection. For this reason the provisions of Act no. 85/1990 do not constitute a legal basis which would allow the operator to disclose personal data of supporters of the petition contrary to the requirements of Act 122/2013. Similarly, the Office was of the opinion that the right to invite others to support the petition by signing it and, to that end, to collect signatures in places accessible to the public does not imply the authority of a public body to which the petition was delivered to disclose information about the persons supporting it.

Country: Slovakia
Organization: Municipality Bratislava - Ruzinov district
Sector: The basic role of the municipality in the exercise of self-government is to care for the versatile development of its territory and the needs of its inhabitants
Amount: The Authority did not impose a measure to remedy the identified deficiencies
Date: 02.05.2019
Article 5 section 1 letter f) GDPR Bratislava Ruzinov City District delivered the decision to the applicant, while the applicant was not an authorized entity to deliver the decision.

Proceedings on a presumed violation of the GDPR provisions, which occurred because the data controller, the Municipality of Bratislava - Ružinov, delivered to the electronic mailbox of Owl & Crow Association Limited, l.l.c., a decision containing personal data in the scope of surname, first name, address, and information about the fact that and with what content he had made a request for information, although the applicant was not entitled to deliver the decision in question.

The decision of the Controller, Bratislava - Municipality of Ružinov, in the proceedings on free access to information was delivered by the Operator to the electronic mailbox of Owl & Crow Association Limited, l.l.c., to which the applicant in the position of managing partner had access. As there were two managing directors in this company, and therefore two natural persons as statutory bodies, this procedure infringed Article 5(1)(f) of the GDPR, as the personal data were not processed in a manner that ensured adequate security and were subject to unauthorised processing. In the course of the proceedings, the Office also examined whether it was appropriate to impose a fine for the established breach of the GDPR. The Office concluded that it would not impose a fine, in particular in view of the seriousness and number of persons concerned.

Additional Information:

The decision of the controller, Bratislava - city district of Ružinov, in proceedings on free access to information was delivered by the operator to the electronic mailbox of Owl & Crow Association Limited, l.l.c., to which the applicant for disclosure of information had access in the position of managing partner. Since there were two directors, and thus two natural persons as the statutory body, in that company, this procedure infringed Article 5 section 1 letter f of the GDPR, since the personal data were not processed in a manner guaranteeing adequate security and were exposed to unauthorized processing. In the proceedings, the Office also assessed whether it was appropriate to impose a fine for the violation of the GDPR found. The Office concluded that, having regard in particular to the gravity and the number of persons concerned, it would not impose a fine.

Country: Czech Republic
Organization: Alza.cz a.s.
Amount: 588 €
Date: Unknown
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 6 (1) GDPR, Art. 7 (3) GDPR, Art. 12 (3) GDPR, Art. 29 GDPR Insufficient legal basis for data processing

The company got a copy of photographic ID of the personal data subject with his/her consent, however did not react to his/her consent withdrawal and continued in processing of his/her personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Unknown
Amount: 3.105 €
Date: 13.05.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 5 (1) a) GDPR, Art. 5 (1) b) GDPR, Art. 32 (1) GDPR Inadequate legal basis for data processing and inadequate technical and organisational measures to guarantee information security

The Czech Data Protection Authority found that the controller used personal data of his client without his knowledge to open a bank account and that he had therefore not complied with the purpose of the processing. Furthermore, the controller did not ensure sufficient control of compliance with the relevant internal rules on personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Public service company - employer
Amount: 194 €
Date: 06.05.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 15 (1) GDPR Insufficient fulfilment of data subjects rights

Despite his e-mail request, the data controller did not provide his employee with information on the processing of his personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Anonymous
Amount: 9.704 €
Date: 21.03.2019
Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR Non-compliance with general data processing principles

The data were not adequate, relevant and limited to what is necessary for the purposes for which they are processed ('data minimisation'). Furthermore the data were not kept in a form which enables identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation').

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Anonymous
Amount: 582 €
Date: 28.02.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 5 (1) f) GDPR, Art. 28 (3) GDPR Insufficient technical and organisational measures to ensure information security

The data have not been processed in a way that ensures an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical or organisational measures ('integrity and confidentiality'). Furthermore, the controller has not concluded relevant agreements with processors concerning the processing of personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Anonymous
Amount: 776 €
Date: 26.02.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 15 (1) GDPR Insufficient fulfilment of data subjects rights

Despite their requests, the data controller has not provided the data subjects with information on the processing of their personal data.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Car renting company
Amount: 1.165 €
Date: 04.02.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 5(1) a GDPR Insufficient fulfilment of information obligations

A person rented a car and found out that the car was being tracked by the renting company using GPS, although no information about the tracking had been provided. The Czech Data Protection Authority found that no information in the sense of Art. 13 GDPR had been given and that Art. 6 (1) f) GDPR could not be the legal basis in the specific circumstances. The UOOU therefore found a violation of Art. 6 (1) f) GDPR and Art. 5 (1) a) GDPR, for which it imposed the fine.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Credit brokerage
Amount: 1.165 €
Date: 04.02.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 5(1) f GDPR Insufficient technical and organisational measures to ensure information security

Data have not been processed with an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage through appropriate technical or organisational measures ('integrity and confidentiality')

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Company (employer)
Amount: 388 €
Date: 10.01.2019
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 6 (1) GDPR Insufficient legal basis for data processing

A former employee of a company requested the deletion of his or her personal information, which was published on the employer's Facebook website and which was still available long after the termination of employment. The fine was imposed because the employer did not delete the information about the former employee.

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: Anonymous
Amount: 388 €
Date: 25.10.2018
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
Art. 15 GDPR Insufficient fulfilment of data subjects rights

The person concerned has not been provided with information on the processing of his/her personal data by the controller, despite his/her request

Authority: Czech Data Protection Authority (UOOU)

Link
Country: Czech Republic
Organization: One of the largest e-shops in Czech Republic
Amount: CZK 1.500.000
Date: 03.10.2018
INPLP Partner: Nielsen Legal, advokátní kancelář, s. r. o.
pre-GDPR Insufficient technical and organisational measures to ensure information security

One company employee failed to ensure adequate security of processing, resulting in over 735,000 customers losing their personal data.

Authority: The Office for Personal Data Protection

Link
Country: Denmark
Organization: Various companies
Amount: 361.000 €
Date: Period: 2018 -2019
INPLP Partner: NJORD Advokatpartnerselskab
Art. 5 (1) b) GDPR, Art. 5 (1) c) GDPR, Art. 5 (1) e) GDPR, Art. 5 (2) GDPR Inspections and proposed monetary fines for non-compliance with general data processing principles

The Danish Data Protection Agency has the authority and right to carry out data protection audits and inspections without a court order, including the right to demand access to all necessary premises where personal data are processed. The Danish Data Protection Authority carries out a number of planned inspections every year. During the past 1.5 years, the main subjects of the audits and inspections have been as follows:

2018:
- Legal bases for processing of personal data, including the consent of the data subject
- Deletion of personal data
- Use of data processing equipment by the municipalities
- Appointment of data protection officers
- Establishment of records of processing activities
- The rights of the data subjects

2019:
- Security measures of public authorities and private companies
- Encryption of e-mails by private companies
- The data subject's right of access to personal data processed by public authorities and private undertakings
- Aggregation and compilation of personal data for resale by private companies
- Data processors and data processing agreements
- Daily monitoring
- Data protection in relation to employees
- Automated decision making and profiling

The Danish Data Protection Authority has reported two companies to the Danish police and proposed two fines. The first proposed fine was a fine of DKK 1.2 million (approx. EUR 160,000) for a company's failure to take action to make personal data anonymous (e.g. timely deletion of personal data). The second was a fine of DKK 1.5 million (approx. EUR 201,000) for the company's failure to comply with the principle of storage limitation.

Authority: Danish Data Protection Authority (Datatilsynet)

Additional Information:

2018: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2018/jun/planlagte-tilsyn-indtil-udgangen-af-2018/

First half of 2019: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/jan/planlagte-tilsyn-i-foerste-halvaar-af-2019/

Second Half of 2019: www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2019/jul/planlagte-tilsyn-for-andet-halvaar-af-2019/

Country: Greece
Organization: ALLSEAS MARINE S.A.
Amount: 15.000 €
Date: 13.01.2020
INPLP Partner: Zepos & Yannopoulos
Articles 12, 13 & 15; Article 5 par. 1(a) & par. 2; Article 5 par. 1 (b-f) Violation of an employee's right to access their personal data and unlawful operation of a CCTV system.

The senior manager of a shipping company filed a complaint with the Hellenic DPA alleging that the company (i) had not properly informed him of his data protection rights and refused to provide access to his personal data stored in his business computer, including corporate emails and files, and (ii) had unlawfully installed cameras at the company's premises. The case related to an investigation initiated by the company into the corporate emails and documents stored on the senior manager's business computer and into extracts recorded by the company's CCTV, following reasonable suspicion that the senior manager had embezzled the company's funds. When the senior manager asked for access to his personal data stored on his business computer, the company refused to satisfy his right without providing adequate justification and did not inform him of the right to lodge a complaint with the Hellenic DPA. It was also found that the company had placed cameras, some of which were hidden, without any warning signs and notices, as required. The Hellenic DPA held that the investigation of the manager's business computer was conducted in accordance with the GDPR, since it was limited to specific data relating only to one employee and was based on the overriding legitimate interest of the company to protect its assets. The Hellenic DPA concluded that, although the investigation was lawful, the company had unlawfully refused to satisfy the senior manager's right of access and had operated the CCTV in violation of the GDPR and the regulatory framework.

Authority: HELLENIC DATA PROTECTION AUTHORITY

Link
Country: Greece
Organization: AEGEAN MARINE PETROLEUM NETWORK INC.
Amount: 150.000 €
Date: 19.12.2020
INPLP Partner: Zepos & Yannopoulos
Article 5 Violation of essential data protection principles mainly integrity and accountability

A marine bunkering company created a back-up of a database server which contained personal data. The personal data in question related to a branch's employees (e.g. documents, company profiles, email communications) as well as to third parties whose offices were located in the same building and who were informally using the same server. The fined company had also not implemented any policies/procedures for compliance with data protection legislation. The Hellenic DPA held that the company was responsible for implementing measures for the logical and technical separation of the files it needed to back up and for adequately informing all employees of the further processing and the reasons for it. By indiscriminately cloning the server it violated the principles of transparency, data minimization, data integrity and accountability. It was given 3 months to implement the appropriate policies and procedures and render itself fully compliant.

Authority: HELLENIC DATA PROTECTION AUTHORITY

Link
Country: Italy
Organization: Eni Gas e Luce S.p.A. (electricity and gas)
Amount: 3.000.000 €
Date: 11.12.2019 (published on 17.01.2020)
INPLP Partner: R&P legal
Art. 5 and art. 32 of GDPR Breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘deregulated market’ conditions, due to the inadequacy of privacy policies adopted by Eni Gas e Luce S.p.A.

The investigation of the Italian DPA showed that, although the unlawful processing operations were carried out by data processors (agents and sellers) who acted in partial violation of the instructions given by ENI, the technical and organizational measures adopted by ENI were not adequate to the nature, context, purposes and risks of the processing, thus violating the principle of "accountability" imposed by GDPR. Several gaps emerged in the privacy policies implemented by ENI, that appeared to be deficient and ineffective, especially in terms of guaranteeing the accuracy of the data processed, the security of the processing and the control of the actions carried out by ENI’s data processors.

Authority: Italian Data Protection Authority

Link
Country: Italy
Organization: Eni Gas e Luce S.p.A. (electricity and gas)
Amount: 8.500.000 €
Date: 11.12.2019 (published on 17.01.2020)
INPLP Partner: R&P legal
Art. 5; art. 6; art. 7 and art. 25 of GDPR The violations include (i) the use of advertising calls without the consent of the contacted person; (ii) the absence of adequate technical and organisational measures; (iii) the unlawful data retention and (iv) the unlawful processing of personal data ac

The key point of this decision is the absence of the data subjects' consent. In fact, in carrying out its telemarketing and teleselling activities, Eni did not properly match its database against the "Opt-out Register"; it treated the general consent given by data subjects to third parties (list providers) for marketing purposes as prevailing over the refusal of consent, for the same kind of data processing, expressed by the same data subjects to ENI itself. According to the Italian DPA, these unlawful data processing operations were carried out because ENI did not adopt and implement technical and organizational measures suitable for recording and updating users' wish not to receive marketing communications.

Authority: Italian Data Protection Authority

Link
Country: Austria
Organization: Kebab restaurant
Sector: Private Sector
Amount: 1.800 € - reduced to 1.500 € by the Federal Administrative Court
Date: 25.11.2019
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Art. 5 (1) a) and c); Art. 6 (1) GDPR; § 50b (2) and § 50d (1) DSG 2000 / § 13 (3) and (5) DSG Monetary fine because of insufficient legal basis for data processing, lack of video surveillance indication and excessive storage duration

The video surveillance covered public areas (especially a public street) and a neighbouring gas station. It was therefore not appropriate to the purpose of the processing and was not limited to the necessary extent. Apart from that, the video surveillance was not appropriately indicated. Furthermore, the personal data recorded by the video surveillance were not deleted within 72 hours and no separate protocol was kept in this respect. The storage period was unreasonably long. The Federal Administrative Court confirmed the content of the DPA's decision, but reduced the amount of the fine by EUR 300 because the defendant reduced the storage period to the permissible level and sufficiently indicated the video surveillance, both while the proceedings were still in progress (BVwG Erkenntnis v. 25.11.2019, W211 2210458-1).

Authority: Federal Administrative Court (Bundesverwaltungsgericht "BvwG")

Link
Country: Austria
Organization: Private person. - Owner of a residential unit in an apartment building.
Sector: Private Sector
Amount: 2.200 €
Date: 20.12.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Art. 5 (1) a) GDPR, Art. 5 (1) c) GDPR, Art. 6 (1) GDPR, Art. 13 GDPR Monetary fine because of insufficient legal basis for data processing

The fine was imposed on a private individual who used video surveillance covering areas intended for general use by the residents of the residential complex (parking spaces, sidewalks, courtyard, garden and access to the building) and garden areas of an adjacent property. The video surveillance was not limited to areas under the exclusive control of the controller. The surveillance recorded the hallway and the residents entering and leaving their apartments, thereby intruding into the very personal areas of life of the data subjects without their consent. It was therefore not proportionate to the purpose and not limited to the necessary extent. In addition, the video surveillance was not properly indicated.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Link
Country: Austria
Organization: Private car owner
Sector: Private Sector
Amount: 300 €
Date: 27.09.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Art. 5 (1) a) GDPR, Art. 6 GDPR; § 50d (1) DSG 2000 / § 13 (5) DSG Monetary fine because of insufficient legal basis for data processing, lack of video surveillance indication

The private car owner had used two dash cams which covered public areas in front of and behind the vehicle, in particular public road traffic. The dash cams were not appropriate to the purpose and not limited to the necessary extent. Furthermore, the recorded data were not deleted within the required time limits, there was no logging of the processing operations related to the video surveillance, and the area was not marked as being under video surveillance. The dash cams were used illegally.

Authority: Austrian Data Protection Authority (Österreichische Datenschutzbehörde "DSB")

Link
Country: Austria
Organization: Sports betting company
Sector: Public Sector
Amount: 4.800 €
Date: 12.09.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
Art. 5 (1) a) and c); Art. 6 (1) GDPR; § 50b (1) and (2) and § 50d (1) DSG 2000 / § 13 (2), (3) and (5) DSG Monetary fine because of insufficient legal basis for data processing, lack of video surveillance indication and excessive storage duration

The video surveillance system covered public areas in front of the entrance of the sports betting company. The video surveillance system was not limited to the necessary extent. In addition, the storage period was unreasonably long and there was no logging of the processing operations related to video surveillance. Furthermore, the monitored area was not marked as video surveillance. Surveillance of the public area in this way, i.e. to a large extent by private persons, is not permitted. The controller has lodged an appeal against this decision with the Federal Administrative Court.

Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")

Link
Country: Austria
Organization: Private Person - Soccer Coach
Sector: Private Sector
Amount: 11.000 €
Date: 01.07.2018
INPLP Partner: Götzl Thiele EUROLAWYER® Rechtsanwälte
not available - The defendant appealed against the decision of the DSB; the case is not yet legally binding and therefore not published. Monetary fine because of non-compliance with lawful basis for data processing

A soccer coach secretly monitored his female players for years while they were taking a shower. The defendant appealed against the decision of the DPA.

Authority: Austrian DPA (Österreichische Datenschutzbehörde "DSB")

Link
Country: Cyprus
Organization: State Hospital
Amount: 5.000 €
Date: 01.03.2019
INPLP Partner: tassos papadopoulos & associates LLC
Art. 15 GDPR Non-compliance with subjects' rights protection safeguards

The data controller could not grant a patient access to his or her own personal information because the file could not be identified. The patient complained to the Commissioner about this and the hospital was fined 5,000 euros.

Authority: Office of the Commissioner for Personal Data Protection Cyprus

Link
Country: The Netherlands
Organization: UWV (Dutch employee insurance service provider)
Sector: Private Sector
Amount: 900.000 €
Date: 31.10.2019
INPLP Partner: Cordemeyer & Slager
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

As UWV (the Dutch service provider for employee insurance - "Uitvoeringsinstituut Werknemersverzekeringen") did not use multi-factor authentication when accessing the online employer portal, security was insufficient. Employers and occupational health and safety services were able to access personal health data of employees in an absence system. A fine of EUR 900,000 was imposed if UWV did not provide proper multi-factor authentication by 31 October 2019. This date was postponed by the Dutch DPA to 1 March 2020 at the request of UWV.

Authority: Dutch Supervisory Authority for Data Protection (AP)

Link
Country: Turkey
Organization: Newspaper
Sector: Public Sector
Amount: 125.000 TL
Date: 09.12.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Unlawful processing of sensitive data

It has been determined that health data is processed unlawfully on the newspaper.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Bank
Sector: Private Sector
Amount: 100.000 TL
Date: 26.11.2019
INPLP Partner: Gün + Partners
Article 12 and 18(1) (b) Illegal use of customer data

Bank customers' data were used illegally through unauthorised access and use by the bank's employees, and the DPA held that the bank had not taken adequate measures to protect personal data and was also in breach of its notification obligation.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Insurance Company
Sector: Public Sector
Amount: 100.000 TL
Date: 07.11.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Unlawful use of public data

It has been determined that the use of publicly available data for commercial purposes (to sell insurance services), which was not in line with the professional purpose for which the data had been made public, was unlawful.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Doctor
Sector: Private Sector
Amount: 50.000 TL
Date: 07.11.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Sending commercial messages to mobile phone

It has been determined that the use of the data subject's personal data was not based on a legal ground.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: An airline company
Sector: Private Sector
Amount: 100.000 TL
Date: 01.10.2019
INPLP Partner: Gün + Partners
Article 4,6,12 and 18 of the DPL Failure to comply with duties related to ensuring information security + Insufficient legal basis for sensitive data processing

It has been determined by the KVKK that an airline company had processed sensitive personal data by taking a copy of the national ID (which includes blood type and religion information) and therefore decided to issue a penalty based on the lack of a legal basis for such processing activity. The KVKK also ordered the company to stop the processing and to destroy or anonymise the data.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A mobile network operator company
Sector: Public Sector
Amount: NON
Date: 01.10.2019
INPLP Partner: Gün + Partners
Article 11 and 13 of the DPL NON

A complaint was submitted to the DPA stating that a data subject request had been declined after the data subject refused to provide ID confirmation documents. The KVKK stated in its decision that such a demand can only be made via a public notary or with an e-signed document, and ordered the company to act in compliance with the Regulation on Application to Data Controllers.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Facebook Inc
Sector: Public Sector
Amount: 1.600.000 TL
Date: 18.09.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary timelimit

The decision is based on the data breach caused by an error in the "View As" feature of Facebook. The data breach lasted for 14 days and included sensitive personal data. It affected 280.959 people in Turkey. A penalty was issued based on the lack of sufficient technical and organisational measures and failure to notify the DPA within the compulsory deadline.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A bank
Sector: Private Sector
Amount: 100.000 TL
Date: 18.09.2019
INPLP Partner: Gün + Partners
Article 4 and 12 of the DPL Insufficient technical and organisational measures to ensure information security + Non-compliance with general data processing principles

A complaint was issued to the KVKK regarding unlawful utilisation of personal data. It is stated in the decision that a bank employee accessed the personal data of customers and used it outside the scope of the processing. The KVKK issued a penalty based on the lack of technical and organisational measures.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Sevinç Eğitim Kurumları (Education Insitution)
Sector: Private Sector
Amount: 50.000 TL
Date: 18.09.2019
INPLP Partner: Gün + Partners
Article 3, 5, 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to comply with duty of data controller to prevent unlawful data processing

It has been determined after a complaint that an education company sent multiple SMS messages to people without any legal basis for such data processing. The KVKK states that such action requires explicit consent and therefore decided to issue a penalty based on failure to comply with the DPL regulations, underlining that the institution also did not heed the Communiqué issued by the KVKK.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: S Şans Oyunları A.Ş
Sector: Public Sector
Amount: 180.000 TL
Date: 27.08.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the data subjects in the shortest time possible

A database was leaked to the Internet by mistake from a betting company website. The data breach was not detected by the company and therefore the number of people affected remains unknown. A penalty was issued based on the lack of sufficient technical and organisational measures and failure to notify the affected data subjects in the shortest time possible.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A tourism company
Sector: Technical Sector
Amount: 500.000 TL
Date: 27.08.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA and the data subjects in the compulsory deadline

A database of the company was leaked after a cyberattack. The details of the breach could not be fully determined since the company failed to detect and analyse the breach. A penalty was issued based on the lack of sufficient technical and organisational measures and failure to notify the DPA and the affected data subjects within the compulsory deadline.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: NON
Sector: Technical Sector
Amount: NON
Date: 23.07.2019
INPLP Partner: Gün + Partners
Article 4 of the GDPR and relevant DPL regulations NON

The decision analyses whether the branch and liaison offices of companies based abroad must register with the Data Controller Registry (VERBIS). The KVKK stated that if the branch offices and liaison offices meet the criteria of the registration duty, they must also register with the Data Controller Registry, separately from the main company.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Dubmash Inc
Sector: Public Sector
Amount: 730.000 TL
Date: 17.07.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary timelimit

It has been determined by the KVKK that Dubmash Inc was subject to a data breach affecting 679.269 people in Turkey. Data servers of Dubmash Inc were accessed by unidentified people over the Internet, and it was detected that the personal data of up to 162 million people had been illegally sold. A penalty was issued based on the lack of sufficient technical and organisational measures and failure to notify the DPA and the people affected by the data breach.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: An investment company
Sector: Private Sector
Amount: 75.000 TL
Date: 08.07.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Non-compliance with general data processing principles

A complaint was submitted to the DPA regarding unlawful processing of a data subject's personal data. The KVKK determined that the company processed data without a legal basis and therefore issued a penalty based on non-compliance with general data processing principles and insufficient legal basis.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Mimar Sinan Üniversitesi
Sector: Public Sector
Amount: NON
Date: 01.07.2019
INPLP Partner: Gün + Partners
Article 15 and 18 of the DPL Failure to comply with duties related to ensuring information security + Insufficient legal basis for sensitive data processing

The data controller published application and exam results on a public page. A data subject requested the data controller to remove the relevant personal data. The university did not respond to the application. The KVKK ordered the university to conduct disciplinary proceedings and to update the methods used in the publication of such data so that they comply with the DPL regulations.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: NON
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 9 of the DPL Crossborder Data Transfer Requirements

The KVKK stated that personal data arising from mail traffic conducted via Gmail is stored abroad in different parts of the world, and that users of such services must meet the cross-border data transfer criteria of the DPL.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: An asset management company
Sector: Technical Sector
Amount: 20.000 TL
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 5,12 and 18 of the T Insufficient technical and organisational measures to ensure information security + Non-compliance with general data processing principles

The KVKK determined in its decision that the company had repeatedly sent the same SMS to the data subject within the scope of the explicit consent. This was considered non-compliant with the general data processing principles as an abuse of rights. The KVKK therefore issued a penalty based on the lack of technical and organisational measures.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A joint-stock company
Sector: Technical and Organisational Sector
Amount: 50.000 TL
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 5,6 and 12 of the DPL Insufficient technical and organisational measures to ensure information security + Non-compliance with general data processing principles

The KVKK stated in its decision that a data controller must not send emails for commercial purposes to data subjects without their explicit consent. The KVKK therefore issued a penalty based on the lack of technical and organisational measures which allowed employees to send such emails.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A gym owner company
Sector: Technical Sector
Amount: Unknown
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 6 of GDPR, Article 4, 12 and 18 of the Turkish DPL Insufficient technical and organisational measures to ensure information security + Insufficient legal basis for data processing

The KVKK analyses the conditions for biometric data processing by gyms in its decision. Relevant GDPR provisions and Turkish DPL provisions are evaluated in the decision. The KVKK forbids the processing of such data, underlining the principle of proportionality, even where data subjects provide their explicit consent. A fine was issued based on the lack of technical and organisational measures. The KVKK finally orders all data controllers to either destroy or anonymise the relevant biometric data used for controlling the entry and exit of users.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: 50.000 TL
Date: 31.05.2019
INPLP Partner: Gün + Partners
Article 12 and 18 of the DPL Insufficient technical and organisational measures to ensure information security

A complaint was submitted to the DPA regarding a misdirected SMS. The KVKK decided to issue a penalty based on the duty of the data controller to prevent unlawful data processing.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Clickbus Seyahat Hizmetleri A.Ş.
Sector: Technical Sector
Amount: 1.000.000 TL
Date: 16.05.2019
INPLP Partner: Gün + Partners
Article 12 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary timelimit

A fine of 1.000.000,00 TL was issued as a result of a data breach at Clickbus affecting 67.519 people in Turkey. Malware was detected on the server of Clickbus, leaking personal data for a period of 2 months. The KVKK issued a penalty based on the lack of technical and organisational measures and the delay of nearly 45 days in notifying the DPA.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Marriott International Inc.
Sector: Private Sector
Amount: 1.450.000 TL
Date: 16.05.2019
INPLP Partner: Gün + Partners
Article 12 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary timelimit

A fine of 1.450.000,00 TL was issued as a result of a data breach at Marriott International Inc. possibly affecting 1.24 million people in Turkey. The breach was caused by unlawful access to the database of Starwood Hotels for nearly 4 years, leaking personal data including financial information of data subjects. The KVKK issued a penalty based on the lack of technical and organisational measures and the delay of nearly 3 months in notifying the DPA.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Cathay Pacific Airways Limited
Sector: Technical Sector
Amount: 550.000 TL
Date: 16.05.2019
INPLP Partner: Gün + Partners
Article 12 of the DPL Insufficient technical and organisational measures to ensure information security + Failure to notify the DPA within the necessary timelimit

A fine of 550.000,00 TL was issued as a result of a data breach at Cathay Pacific possibly affecting 1286 people in Turkey. The breach was induced by a cyber attack and lasted for 2 months, leaking important personal data such as passport numbers of Turkish citizens. The KVKK issued a penalty based on the lack of technical and organisational measures and the delay of nearly 5 months in notifying the DPA.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: T.C. Ziraat Bankası A.Ş
Sector: Bank Sector
Amount: NON
Date: 02.05.2019
INPLP Partner: Gün + Partners
Article 5,6 and 18 of the the DPL Non-compliance with the notification obligation + Insufficient legal basis for data processing

The state bank T.C. Ziraat Bankası A.Ş did not respond to a data subject request. The data subject filed a complaint. The KVKK decided to order the Bank to comply with the Turkish DPL.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Facebook
Sector: Public Sector
Amount: 550.000 TL
Date: 11.04.2019
INPLP Partner: Gün + Partners
Art. 12 of the DPL Failure to implement sufficient measures to ensure information security, and to fulfill information obligations

The data breach, reported in the press under the name "Photograph API", was announced on 14.12.2018. Facebook discovered a photo API error that enabled third parties to access the photos of Facebook users. It has been stated that third parties may have had access to them for 12 days. The Authority found Facebook in failure to implement sufficient measures to ensure information security and to fulfil its information obligations, since the Authority was not notified and notification of the individuals only started on 17.12.2018, although the breach had been discovered on 19.09.2019.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: An energy company
Sector: Energy Sector
Amount: NON
Date: 25.03.2019
INPLP Partner: Gün + Partners
Article 4 and 5 of the DPL Explanation of legitimate interest for as a legal basis for Data Processing

The KVKK decided that car plate numbers and other relevant data can be processed by petrol stations under the legitimate interest ground. The KVKK also instructs the company to inform the data subjects in accordance with the legislation.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A supermarket (Full name disclosed)
Sector: Food Sector
Amount: NON
Date: 25.03.2019
INPLP Partner: Gün + Partners
Article 13 of the DPL Insufficient legal basis for data processing

A complaint was issued to the KVKK regarding the unlawful gathering of explicit consent by SMS (not clear enough and missing the required conditions) and the ambiguity of the Information Notice. The KVKK decided to order the company to update the Information Notice and requested the company to anonymise personal data collected before the DPL entered into force.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: NON
Date: NON
INPLP Partner: Gün + Partners
NON NON

A complaint was issued to the KVKK regarding the unlawful gathering of personal data by a real person. The KVKK decided that the act is subject to the Turkish Criminal Code and therefore no penalty was issued.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Crime Sector
Amount: NON
Date: 24.12.2018
INPLP Partner: Gün + Partners
Article 17 and 15 of the DPL Criminal Proceeding Conditions

The KVKK states in its decision that data leaks and breaches subject to the Turkish Criminal Code shall only be evaluated by judicial authorities and therefore decides not to rule on the issue.

Link
Country: Turkey
Organization: Pharmacy
Sector: Health Sector
Amount: Unknown
Date: 05.12.2018
INPLP Partner: Gün + Partners
Art. 6, 12 of the DPL Non-compliance with general data processing principles

Health data belonging to a patient who uses drugs under medical supervision was disclosed to third parties by the pharmacy that provides the drugs, without any ground for processing. The Authority decided that the action of the pharmacy violates the conditions specified under the law, and ruled on an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A bank
Sector: Financial Sector
Amount: NON
Date: 05.12.2018
INPLP Partner: Gün + Partners
Article 4(2) of the DPL Maximum data storage time limits

A request was submitted to a bank to destroy the relevant personal data. The KVKK rules here that banks shall keep the data for 10 years based on the relevant sector regulations and therefore decides that the bank does not have to destroy the data.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: A legal entity
Sector: Law Sector
Amount: NON
Date: 19.11.2018
INPLP Partner: Gün + Partners
Article 2,3 and 11 of the DPL Scope of the Law

The KVKK states in its decision that Law No. 6698 shall not apply to personal data of legal entities and therefore decides that data leaks and breaches relating to such data are not within the scope of the law.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Public Institution
Sector: Public Sector
Amount: Instructed the Data Controller
Date: 16.10.2018
INPLP Partner: Gün + Partners
Art. 11, 15, 18 of the DPL Insufficient fulfilment of data subjects rights

The data subject made an application to the Data Controller, requesting the Data Controller to delete their personal data. However, they received no sufficient response. The Data Controller was granted a term of 30 days to notify the data subject of the transactions that would be performed; however, it was found that the Data Controller failed to comply with this obligation. Therefore, the Authority initiated administrative action against the Data Controller, pursuant to Article 18 of the Law.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: N/A
Date: 13.09.2018
INPLP Partner: Gün + Partners
Art. 3, 17 of the DPL Definition of Data Controller

The document signed by the data subject for occupational purposes was shared by unidentified third parties on the internet. It was decided that although the data subject had been subject to a data breach, unknown parties cannot be identified as the data controller, and therefore the Authority decided that there were no transactions to be performed by the Authority.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: NON
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 28/1(c) of the Data Protection Law No. 6698 ("The DPL") Unknown

A real person asked the Authority to remove a newspaper column including their name, on grounds of a data breach. The Authority deemed the column a reflection of freedom of expression and dismissed the request, since the subject was found to fall under the freedom of the press. No details are specified pertaining to the content of the column.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Public Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 12/1(c) of the DPL Failure to implement sufficient measures to ensure information security

The doctors at a hospital disclosed the health report of a patient to a broad audience by sharing it on the internet and on social media platforms. The Authority ruled on an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Public Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 12/1(c) of the DPL Non-compliance with the right of consent

A Data Controller shared the personal data of one of its data subjects, gathered during a job application, with the other applicants with no legal basis. The Authority decided that the same rule must apply when an enterprise composed of multiple companies shares the data on the same platform, and it ruled on an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 12/5 of the DPL Insufficient fulfilment of information obligations

A Data Controller notified the Authority after 17 months and the related individuals after 10 months regarding a data breach. The Authority found that the said term exceeded the limits of "the shortest course of time possible" specified under the Law. The Authority ruled on an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Technical Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 4, 5(2) and 12 of the DPL Insufficient technical and organisational measures to ensure information security

A Data Controller imposed explicit consent as a condition of the membership and service agreement. The Authority found the Data Controller in breach of the principle of processing in accordance with the law and good faith, and deemed it an abuse of right.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Private Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 4/1(ç), 5/2(ç), 8/2 and 12(1) of the DPL Non-compliance with the principle of data minimization

The Court requested the data pertaining to an individual from a Data Controller, and the Data Controller transferred more personal data than required. The Authority decided that the Data Controller failed to ensure the security of the personal data, and ruled on an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Instructed the Data Controller
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 11 and 15(5) of the DPL Non-compliance with information obligations

The data subject made an application to the Data Controller pertaining to their rights within the scope of Article 11 of the Data Protection Law No. 6698. However, the Data Controller did not respond within the due course of time. The Authority granted 30 days for a response, and stated that the Data Controller would otherwise be subject to an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Instructed the Data Controller
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 4 of the DPL Insufficient fulfilment of data subjects rights

A Data Controller abstained from fulfilling the requests of inactive customers demanding that the Data Controller delete their personal data. The Authority instructed the Data Controller that, since it is obliged to store the data for 10 years, it must not process the data of the inactive customers for any purpose other than storage, as that would breach the general principles.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 12 of the DPL Insufficient technical and organisational measures to ensure information security

A Data Controller sent a document including the personal data of one of its customers to another individual bearing the same name as the customer. Also, one of the Data Controller's employees performed a query on the data for personal purposes, without the consent of the data subject. The Authority pointed out a vulnerability in the system, and ruled on an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 4(b), 4(c), 12(1) of the DPL Non-compliance with general data processing principles

A Data Controller requested a customer to provide a document including personal data that was not necessary for the transaction demanded by the customer. The Authority deemed the request of the Data Controller in contradiction with good faith, decided that it did not comply with the purpose, and ruled on an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Unknown
Date: 02.08.2018
INPLP Partner: Gün + Partners
Art. 5, 12 of the DPL Failure to implement sufficient measures to ensure information security

A Data Controller sent contract samples to the employees of a company by e-mail, in which it had written the names and home addresses of the individuals in charge of managing the processes on behalf of the company as the correspondence address, instead of the company's address. The Authority decided that the Data Controller had failed to ensure information security, and ruled on an administrative fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Ready-wear Company
Sector: Business Sector
Amount: Unknown, also Instructed the Data Controller
Date: 26.07.2018
INPLP Partner: Gün + Partners
Insufficient technical and organisational measures to ensure information security

A data subject requested the Data Controller to delete and destroy their data, since the data had become accessible to third parties. The response received from the company was found insufficient. The Authority ruled an administrative fine on the company for failing to provide sufficient measures to secure the data, and granted it a term of 30 days to notify the customer of the transactions made regarding the matter.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Unknown
Sector: Business Sector
Amount: Instructed the Data Controller
Date: 26.07.2018
INPLP Partner: Gün + Partners
Art. 7 of the DPL Non-compliance with the right of consent, and information obligations

It was found that the Data Controller made membership mandatory for applicants in the course of a job application, and that during the membership application the applicants were provided with only one box to tick both for acknowledging that they had read the information text and for giving consent to data processing. The Authority decided to instruct the Data Controller to separate the two options from each other.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: Turkey
Organization: Public Institution
Sector: Public Sector
Amount: N/A
Date: 28.06.2018
INPLP Partner: Gün + Partners
Art. 7 of the DPL Insufficient technical and organisational measures to ensure information security

A public officer requested the Data Controller, a public institution, to destroy the data pertaining to an investigation conducted on the data subject. The Institution rejected the request. The Authority decided that the storage term for the personal files of public officers had not expired pursuant to the legislation, and therefore did not rule any fine.

Authority: Turkish Data Protection Authority (KVKK)

Link
Country: France
Organization: Futura Internationale
Sector: Business Sector
Amount: 500.000 €
Date: 21.11.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 21 GDPR Unsatisfactory execution of the rights of the data subjects

Futura Internationale was fined for cold calling after several complainants had continued to receive cold calls although they had told the caller directly and by mail that they did not want them. The CNIL's on-site investigation at Futura Internationale revealed that Futura Internationale had received several letters objecting to cold calling, that it had stored excessive information about clients and their health, and that it had not informed individuals about the processing of their personal data or the recording of telephone conversations.

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: ACTIVE ASSURANCES (car insurer)
Sector: Business Sector
Amount: 180.000 €
Date: 25.07.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

A large number of customer accounts, customer documents (including copies of driving licences, vehicle registrations, bank statements and documents used to determine whether a person's driving licence had been withdrawn) and other personal data were easily accessible online. The CNIL criticised password management (unauthorised access was possible without any authentication).

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: Insurance Company Description
Sector: Business Sector
Amount: 180.000 €
Date: 18.07.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
missing Monetary fine

An investigation by the CNIL revealed that the documents registered by the company's clients in their personal accounts were accessible to other people by changing the numbers at the end of the URL addresses displayed in the browser. The CNIL imposed a fine of 180,000 euros on the company for having taken inadequate security measures. In determining the amount of the fine, the CNIL took particular account of the sensitivity of the data and documents concerned (identity cards, information relating to the offences, bank details, etc.) and the number of persons concerned.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Employer - UNIONTRAD COMPANY
Sector: Business Sector
Amount: 20.000 €
Date: 13.06.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 5 (1) c) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 32 GDPR Poor legal basis for data processing

Between 2013 and 2017, the CNIL received complaints from several employees of a company filmed at their workplace. The CNIL drew the company's attention to the rules to be observed when installing cameras in the workplace, in particular that employees must not be constantly filmed and that information on the data processing must be provided. No satisfactory measures were taken during the period stipulated. As a result, the CNIL conducted a second audit in October 2018, which confirmed that the employer continued to breach data protection laws when recording employees using video surveillance. In setting the amount of the fine, the CNIL took into account the size (9 employees) and the financial situation of the company, which had a negative net result in 2017 (turnover of EUR 885,739 in 2017 and a negative net result of EUR 110,844), in order to retain a dissuasive but proportionate administrative penalty.

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: SERGIC (Real Estate)
Sector: Business Sector
Amount: 400.000 €
Date: 28.05.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

The CNIL based the penalty on two grounds: lack of security measures and excessive data retention. Details of the two reasons: The user documents uploaded by the tenant candidates (including identity cards, health cards, tax assessment notices, certificates from the Family Allowance Fund, divorce decrees, bank statements) were accessible online without any authentication procedure. Although the vulnerability had been known to the company since March 2018, it was not resolved until September 2018. Furthermore, the company kept the documents submitted by the candidates longer than necessary. The CNIL took into account, among other things, the seriousness of the breach (lack of diligence in remedying the vulnerability and the fact that the documents contained intimate aspects of users' lives), the size of the company and its financial situation.

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: Google Inc.
Sector: Public Sector
Amount: 50.000.000 €
Date: 21.01.2019
INPLP Partner: Alain Bensoussan Avocats Lexing
Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 5 GDPR Lack of legal basis for data processing

Following complaints from the Austrian organisation "None Of Your Business" and the French NGO "La Quadrature du Net", a fine of 50 million euros was imposed. The complaints were filed on 25 and 28 May 2018, immediately after the entry into force of the GDPR. The complaints concerned the creation of a Google account when configuring a mobile phone with the Android operating system. Reasons for the high fine: lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The consents obtained were not "specific" and not "unequivocal" (Art. 4 No. 11 GDPR).

Authority: French Data Protection Authority (CNIL)

Link
Country: France
Organization: Telecom Company Description
Sector: Business Sector
Amount: 250.000 €
Date: 26.12.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

The company experienced a data breach involving the personal information of more than 2 million customers over a two-year period because the company failed to reactivate an authentication feature on its website that had been disabled for a trial period. The company was fined for failing to ensure the security of its customers' personal information. The CNIL determined the amount of the fine taking into account the company's rapid reactivity in remedying the security breach and the many measures taken to limit the consequences of the breach.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Multinational Transportation Network Company
Sector: Business Sector
Amount: 400.000 €
Date: 19.12.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

In November 2017, the company revealed to the press that in 2016, two individuals succeeded in stealing the personal data of 57 million users of its services by accessing a server on which the personal data is stored using credentials accessible on a software development platform. Following the investigation, the CNIL decided that the company had failed to fulfil its obligations to ensure the security of its users' personal data.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Online Advertising Company Description
Sector: Business Sector
Amount: missing
Date: 30.10.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
missing Formal Notice

A CNIL investigation revealed that the company was collecting geolocation data from mobile devices without consent in order to run advertising campaigns in mobile applications. Note: In February 2019, the CNIL closed the formal notice procedure after the company had met the requirements of the formal notice.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Video Hosting Platform Description
Sector: Public Sector
Amount: 50.000 €
Date: 24.07.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

In 2016, hackers were able to access the credentials of a video hosting platform company's administrator account stored on a software development platform, giving them access to information about the users of the video hosting platform. The hacked data included 82.5 million email addresses and 18.3 million encrypted passwords. The company was fined for failing to adequately secure the personal data of customers on its platform.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Social Housing Public Organisation Description
Sector: Business Sector
Amount: 30.000 €
Date: 24.07.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

The organisation was fined for unlawfully processing the personal data of the tenants. The CNIL considers that the processing of tenants' personal data in order to send a letter criticising a government announcement is unrelated to the original purpose of collecting this data, i.e. managing a property portfolio and applications for social housing.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Social Housing Non-Profit Organisation
Sector: Business Sector
Amount: 75.000 €
Date: 21.06.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

June 2017: The investigation by the CNIL showed that changing the path of the URL of the company's website allowed access to documents (tax assessment notices, passports, identity cards, residence permits and pay slips) uploaded by other users. The company was fined under Article 34 of the French Data Protection Act for failing to take adequate measures to ensure the security of users' personal data.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Optical Retail Company
Sector: Business Sector
Amount: 250.000 €
Date: 07.05.2018
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Fine

The CNIL found that the company had not implemented an appropriate method of authenticating customers on its website to allow them to access their invoices. As a result, customers were able to access the documents (which included names, addresses, health records and, in some cases, social security numbers) of another customer. In determining the amount of the fine, the CNIL took into account the sensitivity of the information, the number of clients involved and the fact that more than 334,000 records were compromised in the course of the infringement. Note: A decision of the Conseil d'État (Supreme Administrative Court) of 17 April 2019 reduced the administrative fine to 200,000 euros, as the company reacted quickly to remedy the lack of security of its website.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: France
Organization: Toy Manufacturer
Sector: Business Sector
Amount: missing
Date: 20.11.2017
INPLP Partner: Alain Bensoussan Avocats Lexing
pre-GDPR Formal Notice

Investigations by the CNIL in 2017 revealed that the company was collecting personal information from users (including children) via the microphone of connected toys and the applications associated with the toys. The CNIL issued a formal notice against the company for failing to adequately ensure the safety of the device that enables toys to be linked to computers, for failing to inform users properly and for failing to take adequate measures to ensure the safety and confidentiality of the data collected.

Authority: CNIL - French Data Protection Authority (National Commission for Informatics and Liberties)

Link
Country: Belgium
Organization: Website operator
Sector: Public Sector
Amount: 15.000 €
Date: 17.12.2019
INPLP Partner: Time.lex
Art. 6 and 7 GDPR, and Art. 12 and 13 GDPR Insufficient legal basis for data processing (no lawful consent); and violation of transparency obligations

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for failure to comply with cookie legislation. The website initially provided false information in its privacy policy, which was furthermore unavailable in the website's own languages. The site also used third party analytics cookies ("Google Analytics", "Google Tag Manager" and "Google Adsense") without valid consent via a cookie banner - consent boxes were already ticked.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Belgium
Organization: Mayor
Sector: Business Sector
Amount: 5.000 €
Date: 25.11.2019
INPLP Partner: Time.lex
Art. 5 (1) b) GDPR, Art. 6 GDPR Violation of purpose limitation principle, and insufficient legal basis for data processing

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the improper use of personal data (e-mail addresses obtained during previous administrative contacts) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Belgium
Organization: Candidate in local elections
Sector: Business Sector
Amount: 5.000 €
Date: 25.11.2019
INPLP Partner: Time.lex
Art. 5 (1) b) GDPR, Art. 6 GDPR Violation of purpose limitation principle, and insufficient legal basis for data processing

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the unauthorized use of personal data (e-mail addresses obtained during previous contacts between a veterinarian and his clients) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Belgium
Organization: Merchant
Sector: Business Sector
Amount: 10.000 €
Date: 17.09.2019
INPLP Partner: Time.lex
Art. 5 (1) c) GDPR; Art. 6 GDPR; Art. 12 and 13 GDPR Violation of proportionality principle, no legal basis, and violation of transparency obligations

The Litigation Chamber of the Belgian Data Protection Authority imposed a fine of 10,000 euros on a merchant who used the national Belgian electronic identity card (eID) to create customer loyalty cards. The chamber ruled that the data on the card was used unlawfully. Moreover, it noted that the eID card was the only way for customers to obtain a loyalty card, so that no free and valid consent was given. Customers were also not informed in detail about the conditions of the data processing.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Belgium
Organization: Mayor
Sector: Business Sector
Amount: 2.000 €
Date: 28.05.2019
INPLP Partner: Time.lex
Art. 5 (1) b) GDPR, Art. 6 GDPR Violation of purpose limitation principle, and insufficient legal basis for data processing

The administrative fine was imposed by the Litigation Chamber of the Belgian Data Protection Authority for the improper use of personal data (e-mail addresses obtained during previous administrative contacts) for election campaign purposes.

Authority: Belgian Data Protection Authority (GBA-APD)

Link
Country: Romania
Organization: Entirely Shipping&Trading S.R.L.
Sector: Private Sector
Amount: 5.000 €
Date: 16.01.2020
INPLP Partner: Wolf Theiss
Articles 12 and 13, Article 5 (1) a)-c), e), Articles 6, 7 and 9 Breach of the controller's obligation to inform data subjects; breach of the principles governing the processing of personal data; lack of legal basis for the processing of data; failure to comply with the conditions for consent

The controller excessively processed the employees' personal data by using video surveillance cameras installed in the offices and changing rooms. Furthermore, the controller processed biometric data (fingerprints) of the employees, even though other, less intrusive means to protect the privacy of the data subjects could have been used for the same purpose. The controller was also fined for not providing evidence that it had informed data subjects about the processing of their personal data. Moreover, the supervisory authority established that the controller had processed the personal data of a former employee without a legal basis by continuing to use these data in electronic correspondence for the purpose of carrying out the company's activities after the termination of the employment contract.

Link
Country: Romania
Organization: Enel Energie S.A.
Sector: Private Sector
Amount: 3.000 €
Date: 14.01.2020
INPLP Partner: Wolf Theiss
Article 5 (1) d) and (2), Articles 6 and 7, Article 21 (1) Infringement of the data accuracy principle; lack of legal basis for data processing; non-observance of the data subject's right to object

The sanctions were imposed on the basis of a complaint claiming that the controller illegally processed the data of the petitioner - the data subject - because the controller could not prove that he had obtained the consent of the data subject to receive communications to his e-mail address. In addition, the data controller did not take the appropriate measures to prevent the transmission of notifications, despite the fact that the data subject had repeatedly exercised his right to object.

Link
Country: Romania
Organization: Hora Credit IFN S.A.
Sector: Private Sector
Amount: 10.000 €
Date: 13.01.2020
INPLP Partner: Wolf Theiss
Article 5, Articles 25 and 32, Article 33 Breach of data accuracy and confidentiality principles; insufficient organisational and technical measures; failure to comply with the deadline to notify the personal data breach to the supervisory authority

Lack of evidence of compliance with the principles of accuracy and confidentiality. Failure to take proper technical and organisational measures to avoid unauthorised disclosure of customers' personal data. Failure to notify the Romanian Data Protection Authority within 72 hours of becoming aware of the breach of personal data security.

Link
Country: Romania
Organization: Homeowners Association
Sector: Private Sector
Amount: 500 €
Date: 23.12.2019
INPLP Partner: Wolf Theiss
Article 32 Lack of adequate organisational and technical measures

Failure to implement relevant technical and organisational measures in relation to personal data processed through a video surveillance system; failure to properly inform the data subjects.

Link
Country: Romania
Organization: Globus Score S.R.L.
Sector: Private Sector
Amount: 2.000 €
Date: 16.12.2019
INPLP Partner: Wolf Theiss
Article 83 (5), e) corroborated with Article 58 (1), a), e) Lack of cooperation with Romanian Data Protection Authority

The measures imposed by the data protection authority have not been fulfilled.

Link
Country: Romania
Organization: Modern Barber S.R.L.
Sector: Private Sector
Amount: 3.000 €
Date: 13.12.2019
INPLP Partner: Wolf Theiss
Article 83 (5) corroborated with Article 58 (1), a), e) Lack of cooperation with Romanian Data Protection Authority

Failure to comply with the measures imposed by the Romanian Data Protection Authority.

Link
Country: Romania
Organization: Nicola Medical Team 17 S.R.L.
Sector: Private Sector
Amount: 2.000 €
Date: 13.12.2019
INPLP Partner: Wolf Theiss
Article 83 (5),(6) corroborated with Article 58 (1), a), e) Lack of cooperation with Romanian Data Protection Authority

The measures imposed by the data protection authority have not been fulfilled.

Link
Country: Romania
Organization: SC CNTAR TAROM S.A.
Sector: Private Sector
Amount: 20.000 €
Date: 29.11.2019
INPLP Partner: Wolf Theiss
Art. 32 GDPR Lack of suitable organisational and technical measures

Failure to take appropriate organisational and technical measures to guarantee that all persons acting under the controller's authority and having access to personal data process them only in accordance with internal procedures and on the controller's instructions. This resulted in one employee having unauthorised access to the booking application, whereby the employee was able to photograph a list of the personal data of 22 passengers and publish it on the Internet.

Country: Romania
Organization: Royal President S.R.L.
Sector: Private Sector
Amount: 2.500 €
Date: 29.11.2019
INPLP Partner: Wolf Theiss
Article 12, Article 15, Article 5 (1) f), Article 32 Lack of adequate organisational and technical measures

Link
Country: Romania
Organization: ING Bank N.V. Amsterdam - Bucharest Subsidiary
Sector: Private Sector
Amount: 80.000 €
Date: 25.11.2019
INPLP Partner: Wolf Theiss
Article 25, Article 5 (1),f), Article 32 Lack of required organisational and technical measures

Failure to implement appropriate technical and organisational measures and to integrate adequate safeguards into the automated card payment settlement system, affecting 225,525 customers whose payment operations were duplicated during the period 8-10.10.2018.

Link
Country: Romania
Organization: FAN COURIER EXPRESS S.R.L.
Sector: Private Sector
Amount: 11.000 €
Date: 25.10.2019
INPLP Partner: Wolf Theiss
Article 32, Article 5 (1),f) Lack of required organisational and technical measures

Failure to implement adequate technical and organisational measures to ensure a level of security corresponding to the risk of the processing, which led to the loss of personal data (name, surname, card number, security card, card holder address, personal identification number, serial number and identity card number, IBAN account number, approved credit limit, correspondence address) and to unauthorised access to such data of over 1,100 individuals.

Link
Country: Romania
Organization: BNP Paribas Personal Finance SA Paris Bucharest Subsidiary (CETELEM IFN S.A.)
Sector: Private Sector
Amount: 2.000 €
Date: 22.10.2019
INPLP Partner: Wolf Theiss
Article 12 Failure to comply with the deadline for responding to the request of data subject

Failure to reply to a data subject's request for deletion of personal data within one month of receipt of the request.

Link
Country: Romania
Organization: INTELIGO MEDIA SA
Sector: Private Sector
Amount: 9.000 €
Date: 15.10.2019
INPLP Partner: Wolf Theiss
Article 5(1), a), b), Article 6(1), a), and Article 7 Inadequate legal basis for data processing

Failure to obtain the users' explicit consent under the conditions provided for in the GDPR. During the registration process on the avocatnet.ro website, the company provided an unticked box for users to express their wish not to receive newsletters by e-mail. If a user did not tick the box, he/she automatically became a subscriber to the data controller's newsletter without having given express permission.

Link
Country: Romania
Organization: Raiffeisen Bank SA
Sector: Private Sector
Amount: 150.000 €
Date: 09.10.2019
INPLP Partner: Wolf Theiss
Article 32 Lack of required organisational and technical measures

Failure to take appropriate organisational and technical measures to guarantee that all persons acting under the controller's authority and having access to personal data process these data in accordance with internal procedures. Credit scoring information was exchanged via the WhatsApp platform.

Link
Country: Romania
Organization: Vreau Credit SRL
Sector: Private Sector
Amount: 20.000 €
Date: 09.10.2019
INPLP Partner: Wolf Theiss
Articles 32 and 33 Lack of appropriate organisational and technical measures

Breach of data security, and failure to inform the Romanian data protection authority of the security breach in a timely manner without justification. Unauthorised / illegal processing of customers' personal data via the WhatsApp platform.

Link
Country: Romania
Organization: UTTIS INDUSTRIES S.R.L.
Sector: Private Sector
Amount: 2.500 €
Date: 06.08.2019
INPLP Partner: Wolf Theiss
Article 12, Article 5 (1) c) in conjunction with Article 6 Failure to comply with the obligation to provide transparent information and with the principle of data minimisation

The data subjects were not notified of the use of their image by the video surveillance system. In addition, the controller disclosed the personal identification numbers of its employees by posting a report on their participation in training courses on the company notice board.

Link
Country: Romania
Organization: LEGAL COMPANY & TAX HUB S.R.L.
Sector: Private Sector
Amount: 3.000 €
Date: 12.07.2019
INPLP Partner: Wolf Theiss
Article 32 Lack of suitable organisational and technical measures

Failure to take appropriate technical and organisational measures to ensure a level of security adequate to the risks represented by the processing. This has resulted in the unauthorised disclosure and access to personal data of certain individuals carrying out transactions through the website of the controller.

Link
Country: Romania
Organization: WORLD TRADE CENTER BUCHAREST S.A.
Sector: Private Sector
Amount: 15.000 €
Date: 08.07.2019
INPLP Partner: Wolf Theiss
Article 32 Lack of required organisational and technical measures

Failure to take measures to guarantee that the data is not disclosed to unauthorised persons. A printed paper list used to control breakfast participation, which includes the personal data of 46 customers who stayed at the data controller's hotel, was photographed by unauthorised persons and disclosed through online publication.

Link
Country: Romania
Organization: UNICREDIT BANK S.A.
Sector: Private Sector
Amount: 130.000 €
Date: 04.07.2019
INPLP Partner: Wolf Theiss
Article 25 (1), Article 5 (1) c) Lack of appropriate organisational and technical measures

Failure to take adequate security and organisational measures leading to the online disclosure of the identity cards and addresses of 337,042 affected persons.

Link
Country: Spain
Organization: Viaqua Xestión Integral Augas de Galicia
Amount: 60.000 €
Date: 21.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Inadequate legal basis for data processing

Processing (modification) of a customer's personal data contained in a contract by a third party without the customer's consent.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Corporación radiotelevisión espanola
Sector: Private Sector
Amount: 60.000 €
Date: 19.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

CORPORACIÓN RADIOTELEVISIÓN ESPAÑOLA and the trade union have reported a security breach to the AEPD after six unencrypted USB sticks containing personal data were lost. The breach affected approximately 11,000 people, including identification data, employment data, data on criminal convictions and health data.

Link
Country: Spain
Organization: Xfera Moviles S.A.
Sector: Business Sector
Amount: 60.000 €
Date: 19.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

An individual complainant had received an SMS from Xfera Móviles that was intended for a third party, which enabled him to access the account and personal data of this third party on the Xfera Móviles website using the telephone number and the password obtained by SMS.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Telefónica SA
Sector: Financial Sector
Amount: 30.000 €
Date: 14.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR Failure to comply with the general data processing principles

Telefónica had charged the complainant different fees in relation to the operation of a telephone line that the complainant had never heard of. The reason was that the complainant's bank account was linked to another Telefónica customer, which meant that the charges were debited from the complainant's account. In the AEPD's opinion, this was in violation of the principle of accuracy as required by Article 5(1)(d) GDPR.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: General Confederation of Labour ('CGT')
Sector: Private Sector
Amount: 3.000 €
Date: 13.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Inadequate legal basis for data processing

With a view to convening a meeting, the CGT sent personal details of the complainant, including her residential address, family situation, pregnancy status and the date of an active case of abuse and harassment, by e-mail to 400 union members without her permission.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: TODOTECNICOS24H S.L.
Sector: Private Sector
Amount: 900.000 €
Date: 07.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 13 GDPR Insufficient fulfilment of information obligations

TODOTECNICOS24H had collected personal data without providing precise details of the data collected in its data protection declaration pursuant to Article 13 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Cerrajero Online
Sector: Private Sector
Amount: 1.500 €
Date: 06.11.2019
INPLP Partner: Andersen Tax & Legal
Art. 13 GDPR Insufficient fulfilment of information obligations

The company had been collecting personal data without providing detailed information about the data collection in its privacy statement under Article 13 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Jocker Premium Invex
Sector: Public Sector
Amount: 6.000 €
Date: 31.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Inadequate legal basis for data processing

Jocker Premium Invex had sent postal advertisements and commercial offers to the complainant after the complainant had registered for a local census. The complainant had provided data such as first name, surname and postal address only to the public administration.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: VODAFONE ESPANA, S.A.U.
Sector: Business Sector
Amount: 36.000 €
Date: 25.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing

The plaintiff, whose data had been provided to the company by his authorised subsidiary, was contacted by the company that was offering its services, which he refused. Since Vodafone España continued to offer him services and demanded payment from him, Vodafone España had processed the plaintiff's personal data without his consent.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Xfera Moviles S.A.
Sector: Private Sector
Amount: 60.000 €
Date: 16.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR, Art. 6 GDPR Inadequate legal basis for data processing

Xfera Móviles used personal data without a legal basis to establish a telephone contract and continued processing the personal data even after the data subject had requested that the processing stop.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Iberdrola Clientes
Sector: Business Sector
Amount: 8.000 €
Date: 16.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 31 GDPR Lack of cooperation with the supervisory authority

The electricity company Iberdrola Clientes had refused a person's request to change electricity supplier, claiming that the person's data would be added to the solvency list. The AEPD then requested information from Iberdrola Clientes about the possibility of including the person's data in the solvency list, to which the company did not reply. This failure to cooperate with the AEPD constituted a breach of Article 31 of the GDPR.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: Vueling Airlines
Sector: Business Sector
Amount: 30.000 €
Date: 01.10.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR, Art. 6 GDPR Inadequate legal basis for data processing

The Spanish data protection authority (AEPD) fined Vueling Airlines 30,000 euros for not giving users the ability to refuse its cookies, forcing them to accept the cookies in order to browse its website. In other words, it was not possible to browse the Vueling site without accepting its cookies. The AEPD imposed a sanction of 30,000 euros, which could be reduced to 18,000 euros for immediate payment.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: AVON COSMETICS
Sector: Private Sector
Amount: 60.000 €
Date: 16.08.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Insufficient legal basis for data processing

One consumer complained that AVON COSMETICS had processed his data illegally without properly verifying his identity, resulting in his data being incorrectly registered in a list of claims, which prevented him from dealing with his bank. As a result, a third party had been able to use the consumer's personal data fraudulently.

Authority: Spanish Data Protection Authority (aepd)

Link
Country: Spain
Organization: TODOTECNICOS24H S.L.
Sector: Private Sector
Amount: 900 €
Date: 11.07.2019
INPLP Partner: Andersen Tax & Legal
Art. 13 GDPR Information obligation non-compliance

The company TODOTECNICOS24H collected personal data without specifying how this data was collected.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: VODAFONE ONO, S.A.U.
Sector: Private Sector
Amount: 36.000 €
Date: 28.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) f) GDPR Non-compliance with general data processing principles

The Spanish data protection authority imposed a fine on a mobile phone company for disclosing to the complainant, via the mobile phone application "My Vodafone", personal data of third parties, consisting of billing data.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

Link
Country: Spain
Organization: Cerrajero Online
Sector: Private Sector
Amount: 1.500 €
Date: 11.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 13 GDPR Information obligation non-compliance

The company collected personal data without providing specific information about how this data was collected.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: Professional Football League (LaLiga)
Sector: Business Sector
Amount: 250.000 €
Date: 11.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) a), Art. 7 (3) GDPR Insufficient fulfilment of information obligations

The national football league (LaLiga) was fined for providing an app that accessed the microphone of the user's mobile phone once a minute in order to identify pubs that were showing football matches without paying the required fee. The AEPD considered that LaLiga did not provide sufficient information to users of the app about this practice. In addition, the app did not meet the requirements for revoking consent.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: Xfera Moviles S.A.
Sector: Private Sector
Amount: 60.000 €
Date: 04.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 GDPR, Art. 6 GDPR Insufficient legal basis for data processing

The Spanish data protection authority fined a mobile phone operator for reporting the complainant's personal data to a credit solvency (debtor) file in connection with an alleged debt that had already been paid at the time of the report.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

Link
Country: Spain
Organization: VODAFONE ESPAÑA, S.A.U.,
Sector: Private Sector
Amount: 40 €
Date: 03.06.2019
INPLP Partner: Andersen Tax & Legal
Art. 6 GDPR Insufficient legal basis for data processing

The Spanish DPA fined a mobile telephone company for processing the complainant's personal data in order to charge him for a Netflix service he had not used. According to the AEPD, the company had not exercised the minimum level of care required to verify the identity of the person contracting the service.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

Link
Country: Spain
Organization: AMADOR RECREATIVOS, S.L
Sector: Business Sector
Amount: 8.000 €
Date: 25.05.2019
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) c) GDPR Failure to comply the general data processing principles

The Spanish DPA fined an amusement machine distributor for dismissing an employee on the basis of data collected without permission via a GPS locator installed in his device. The location data showed that the employee had stayed at home during working hours without working. The employee had not been informed beforehand about this data collection.

Authority: Spanish DPA (Agencia Española de Protección de Datos - AEPD)

Link
Country: Spain
Organization: Madrileña Red de Gas
Sector: Technical Sector
Amount: 12.000 €
Date: 21.01.2019
INPLP Partner: Andersen Tax & Legal
Art. 32 GDPR Failure to implement sufficient measures to ensure information security

The gas company lacked the technical measures necessary to verify the identity of the persons whose data it processed. A complainant stated that, in response to a request, the company had sent his information by e-mail to a third party.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: ENDESA (energy supplier)
Sector: Energy Sector
Amount: 60.000 €
Date: Unknown
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) f) GDPR Insufficient legal basis for data processing

ENDESA debited the complainant's bank account for a supply contract whose holder was a third party who had been convicted of criminal offences and against whom the complainant had been granted a two-year restraining order covering herself, her residence and her workplace. When the complainant asked ENDESA to correct this, the company erroneously deleted her data and replaced it with the third party's data, thereby disclosing her data to him. The AEPD found that the disclosure of the complainant's data to the third party constituted a serious breach of the principle of confidentiality.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: VODAFONE ESPANA, S.A.U.
Sector: Business Sector
Amount: 5.000 €
Date: Unknown
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) d) GDPR Failure to comply the general data processing principles

The Spanish State Secretariat for Telecommunications and the Information Society (SETSI) concluded that Vodafone had to refund a customer for costs that had been wrongly charged to him. Despite this, Vodafone reported the customer's personal data to a credit reference file (BADEXCUG). The AEPD found that this conduct violated the principle of accuracy.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: Debt collection agency (GESTIÓN DE COBROS, YO COBRO SL)
Sector: Business Sector
Amount: 60.000 €
Date: Unknown
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) f) GDPR Insufficient legal basis for data processing

After the complainant allegedly failed to repay a microcredit to an online lender, the claim was assigned to the collection agency. The agency then sent e-mails not only to the e-mail address the complainant had provided, but also to a general institutional e-mail address at his workplace, accessible to any employee, which the complainant had never provided.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: VODAFONE ESPANA, S.A.U.
Sector: Private Sector
Amount: 27.000 €
Date: Unknown
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) d) GDPR Insufficient fulfilment of data subjects rights

Although the complainant (a former Vodafone customer) had asked Vodafone to erase his data in 2015 and the company had granted this request, he received more than 200 SMS from the company from 2018 onwards. Vodafone stated that this happened because the complainant's mobile phone number had mistakenly been used for testing purposes and had inadvertently been entered in the files of various other customers. As the company accepted both voluntary payment and responsibility, the fine was reduced to EUR 27,000 in accordance with Spanish administrative law.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Spain
Organization: Restaurant
Sector: Business Sector
Amount: 12.000 €
Date: Unknown
INPLP Partner: Andersen Tax & Legal
Art. 5 (1) a) GDPR, Art. 6 GDPR Insufficient legal basis for data processing

A restaurant took disciplinary action against an employee using, as evidence, images from a mobile phone video that another employee had recorded in the restaurant.

Authority: Spanish Data Protection Authority (AEPD)

Link
Country: Germany
Organization: Large Social Media Company
Sector: Business Sector
Amount: 51.000 €
Date: 13.02.2020
INPLP Partner: Derra, Meyer & Partner
Art. 37 GDPR Lack of appointment of data protection officer

Although Facebook Ireland had appointed a data protection officer for all Facebook companies located in the EU, Facebook Germany GmbH did not notify the Hamburg Data Protection Authority of this appointment. The fine was calculated solely on the basis of the turnover of the German branch (EUR 35 million) and not on Facebook's worldwide turnover. Factors named as relevant for the calculation were, inter alia, that the omitted notification was made up for immediately, that Facebook acted negligently, and that it had not violated the duty to appoint a data protection officer but only the notification obligation.

Authority: Data Protection Authority of Hamburg

Link
Country: Germany
Organization: Unknown
Sector: Business Sector
Amount: 9.550.000 €
Date: 09.12.2019
INPLP Partner: Derra, Meyer & Partner
Art. 32 GDPR Inadequate technical and organisational measures to ensure information security

The controller provides telecommunication services. Its customer service team identified callers solely by name and date of birth, data that are not secret and can be obtained by third parties. The Federal Commissioner for Data Protection (BfDI) did not consider this identification procedure sufficient under Art. 32 GDPR. Because of the company's cooperation with the authority, the fine imposed was at the lower end of the scale.

Authority: The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Link
Country: Germany
Organization: Unknown
Sector: Business Sector
Amount: 10.000 €
Date: 09.12.2019
INPLP Partner: Derra, Meyer & Partner
Art. 37 GDPR Lack of appointment of data protection officer

The internet provider did not fulfil its legal obligation under Art. 37 GDPR to appoint a data protection officer, even after the Federal Commissioner for Data Protection had requested it to do so. The controller was therefore fined.

Authority: The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Link
Country: Germany
Organization: Unknown
Sector: Business Sector
Amount: 105.000 €
Date: 03.12.2019
INPLP Partner: Derra, Meyer & Partner
Art. 5 GDPR Non-compliance with general data processing principles

The fine resulted from several GDPR violations relating to patient mix-ups during patient admission. The mix-ups led to erroneous invoicing and revealed structural technical and organisational deficits in the hospital's patient management.

Authority: Data Protection Authority of Rheinland-Pfalz

Link
Country: Germany
Organization: Large rental company
Sector: Business Sector
Amount: 14.500.000 €
Date: 30.10.2019
INPLP Partner: Derra, Meyer & Partner
Art. 5 GDPR, Art. 25 GDPR Non-compliance with general data processing principles

In 2017, in the course of an inspection, the Berlin Data Protection Authority urgently recommended that the company adjust its archive system. In March 2019, however, the company was still unable either to demonstrate a clean-up of its database or to present legal grounds for the continued storage. To remedy the deficiencies the company had made only preliminary preparations, which did not suffice to bring the storage of personal data into line with the legal requirements. The Berlin Data Protection Authority therefore considered a fine for infringement of Art. 25 (1) GDPR and Art. 5 GDPR during the period between May 2018 and March 2019 to be mandatory. (Press Release 711.412.2, November 5th 2019, Berlin Commissioner for Data Protection, www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PR-Translation-Fine_DW.pdf)

Authority: Data Protection Authority of Berlin

Link
Country: Germany
Organization: Unknown
Sector: Health Sector
Amount: 80.000 €
Date: 17.10.2019
INPLP Partner: Derra, Meyer & Partner
Art. 32 GDPR No sufficient measures to ensure information security

A digital publication inadvertently disclosed personal health data relating to several persons due to insufficient data security mechanisms.

Authority: Data Protection Authority of Baden-Wuerttemberg

Link
Country: Germany
Organization: Unknown
Sector: Private Sector
Amount: 80.000 €
Date: 17.10.2019
INPLP Partner: Derra, Meyer & Partner
Art. 32 GDPR No sufficient measures to ensure information security

A company in the financial sector disposed of personal data insecurely.

Authority: Data Protection Authority of Baden-Wuerttemberg

Link
Country: Germany
Organization: Large rental company
Sector: Private Sector
Amount: 15 fines of between 6.000 € and 17.000 €
Date: 01.10.2019
INPLP Partner: Derra, Meyer & Partner
Art. 5 GDPR, Art. 25 GDPR Non-compliance with the principles of data processing

The Berlin Data Protection Authority fined a company between 6,000 and 17,000 euros in 15 specific individual cases for the improper storage of personal data of tenants. (Press release 711.412.2, 5 November 2019, Berlin Commissioner for Data Protection, www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2019/20191105-PR-Translation-Fine_DW.pdf)

Authority: Data Protection Authority of Berlin

Link
Country: Germany
Organization: Food Delivery Service Company
Sector: Business Sector
Amount: 195.407 €
Date: 19.09.2019
INPLP Partner: Derra, Meyer & Partner
Art. 15 GDPR, Art. 17 GDPR, Art. 21 GDPR Failure to comply with the rights of the data subjects

According to the investigations of the Berlin Data Protection Authority, the company had not erased the accounts of former customers in ten cases, although these data subjects had not been active on the company's delivery platform for years - in one case for about 10 years. In addition, eight former customers had complained about unsolicited advertising e-mails from the company. One data subject who had expressly objected to the use of his data for advertising purposes nevertheless received a further 15 advertising e-mails from the company. In five further cases, the company either did not provide the data subjects with the required information or did so only after the Berlin Data Protection Authority intervened.

Authority: Data Protection Authority of Berlin

Link
Country: Germany
Organization: Police Officer
Sector: Private Sector
Amount: 1.400 €
Date: 09.05.2019
INPLP Partner: Derra, Meyer & Partner
Art. 6 GDPR Insufficient legal basis for data processing

Using his official user ID, but without any connection to his official duties, a police officer queried the Central Traffic Information System of the Federal Motor Transport Authority for the owner data of the licence plate of a person he did not know well. He then queried the Federal Network Agency for the personal data and the landline and mobile phone numbers stored there. Using this mobile phone number, he contacted the person by telephone. He did all this without official justification or the consent of the person concerned. By carrying out queries for private purposes and using the phone number for private contact, the police officer processed personal data on his own responsibility. The violation is not attributable to the police officer's public authority, as he committed the offence exclusively for private purposes and not in the exercise of his official duties. The exemption in Sect. 28 of the relevant State Data Protection Act (Landesdatenschutzgesetz - LDSG), under which the GDPR's fines cannot be imposed on public authorities, therefore does not apply in this case.

Authority: Data Protection Authority of Baden-Wuerttemberg

Link
Country: Germany
Organization: Private Bank
Sector: Private Sector
Amount: 50.000 €
Date: 01.03.2019
INPLP Partner: Derra, Meyer & Partner
Art. 6 GDPR Inadequate legal basis for data processing

The fine was imposed on a bank that had unlawfully processed the "personal data of all former customers". The bank admitted that it kept data on former customers in order to maintain a blacklist, so that it would not open a new bank account for these persons. Initially, the bank justified this with reference to the German Banking Act and the security measures it requires against customers suspected of money laundering. The Berlin Data Protection Authority held this to be unlawful, arguing that only persons who are actually suspected of money laundering, or for whom there are other valid reasons to refuse a new account, may be included in such a file. At present it is unclear whether the fine proceedings have been legally concluded.

Authority: Data Protection Authority of Berlin

Country: Germany
Organization: Private person
Sector: Private Sector
Amount: 2.500 €
Date: 05.02.2019
INPLP Partner: Derra, Meyer & Partner
Art. 6 GDPR, Art. 5 GDPR Insufficient legal basis for data processing

The fine was imposed on a private individual who, over a period of three months in 2018, sent numerous e-mails with the recipients' personal e-mail addresses visible to all recipients, so that each recipient could read the addresses of countless others. The man was charged with ten offences; between 131 and 153 personal e-mail addresses were identifiable in his mailing lists.

Authority: Data Protection Authority of Sachsen-Anhalt

Link
Country: Germany
Organization: Small shipping company
Sector: Business Sector
Amount: 5.000 €
Date: 23.01.2019
INPLP Partner: Derra, Meyer & Partner
Art. 28 GDPR Lack of a data processing agreement with a processor

The controller had no data processing agreement (Art. 28 GDPR) with its Spanish service provider. Reported by the following website (no official statement): www.heise.de/newsticker/meldung/DSGVO-5000-Euro-Bussgeld-fuer-fehlenden-Auftragsverarbeitungsvertrag-4282737.html

Authority: Data Protection Authority

Additional Information:

No official statement: www.heise.de/newsticker/meldung/DSGVO-5000-Euro-Bussgeld-fuer-fehlenden-Auftragsverarbeitungsvertrag-4282737.html

Country: Germany
Organization: Unknown
Sector: Private Sector
Amount: 20.000 €
Date: 01.12.2018
INPLP Partner: Derra, Meyer & Partner
Art. 83 (4) a) GDPR, Art. 33 (1) GDPR, Art. 34 (1) GDPR Failure to comply with the obligation to provide information

A personal data breach (Art. 4 (12) GDPR) was not notified to the supervisory authority in time (Art. 33 GDPR), and the affected data subjects were not informed (Art. 34 GDPR).

Authority: Data Protection Authority of Hamburg

Link
Country: Germany
Organization: Social Media Chat Platform
Sector: Private Sector
Amount: 20.000 €
Date: 21.11.2018
INPLP Partner: Derra, Meyer & Partner
Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

After a hacker attack in July, the personal data of approximately 330,000 users, including e-mail addresses and passwords that the controller had stored in plain text, became known. The controller notified this personal data breach (Art. 4 (12) GDPR) to the competent data protection authority in accordance with Art. 33 GDPR and cooperated with the authority. Owing to this cooperation and the remedial measures the controller took, the fine was only EUR 20,000.

Authority: Data Protection Authority of Baden-Wuerttemberg

Link
Country: Germany
Organization: Unknown
Sector: Private Sector
Amount: 118.000 €
Date: Unknown
INPLP Partner: Derra, Meyer & Partner
Art. 6 GDPR Insufficient legal basis for data processing

Unlawful disclosure of personal data to third parties via social media.

Authority: Data Protection Authority of Saarland

Link
Country: Norway
Organization: Public Roads Administration of Norway
Amount: 367.000 € (NOK 4.000.000)
Date: Unknown
INPLP Partner: Gjessing Reimers
Art. 17 GDPR, Art. 25 GDPR Failure to comply with the right to erasure and with data protection by design

The Public Roads Administration of Norway is the controller for a system that processes and stores personal data from Norway's toll road systems, i.e. data collected when identifiable vehicles pass public toll stations. This information is used to bill the owners of the vehicles. Under Norwegian accounting rules, personal data relating to customer invoicing must be kept for five years after the end of the accounting year. However, the Public Roads Administration had not deleted any personal data from its system after expiry of the five-year term, because the system used for the processing had no functionality for deletion. It had therefore failed to comply with its obligations under Art. 17 GDPR (right to erasure) and had failed to implement functionality in the data solution that would allow such deletion, in violation of Art. 25 GDPR (data protection by design and by default). The DPA has given advance notice of a fine of NOK 4,000,000. The Public Roads Administration has been given until 23 March 2020 to submit its response, after which the DPA will make a final decision in the case.

Authority: Norwegian Data Protection Authority (Datatilsynet)
