Infringements in numbers

On this page you will find an overview of all publicly announced fines for violations of the GDPR. We make every effort to ensure that this overview is complete, but we cannot guarantee its absolute completeness.

| Country | Data Protection Authority | Controller/Processor | Date | Amount of the fine | Infringement of | Reason | Source |
|---|---|---|---|---|---|---|---|
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Vodafone România SA | 25.03.2020 | 4.198 € | Art. 3 Para. 1 to 3 Law Nr. 506/2004; Art. 3 Para. 6 Law Nr. 506/2004 | With a request via the website one customer could receive the contract of another customer | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Asociația SOS Infertilitatea | 25.03.2020 | 2.000 € | Art. 58 Para. 1 lit. a GDPR | No reaction to a complaint by the supervisory authority | Link |
| Spain | Agencia española protección datos (AEPD) | XFERA MÓVILES, S.A. | 25.03.2020 | 5.000 € | Art. 58 Para. 1 lit. a GDPR | Failure to comply with a grace period of 5 days to respond to a complaint by the supervisory authority | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Enel Energie Muntenia SA | 25.03.2020 | 3.000 € | Art. 32 GDPR | Sending the first and last name, address, e-mail address and customer number of a customer by e-mail to another customer due to insufficient protective measures against misdirected mailings | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Dante Internațional S.A. | 25.03.2020 | 3.000 € | Art. 6, Art. 21 Para. 3 GDPR | E-mail advertising despite objection to advertising | Link |
| Germany | Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg | Company | 24.03.2020 | 50.000 € | Art. 12 Para. 1, Art. 28 Para. 9 GDPR | Violation of the requirement of transparency in the provision of information, absence of a data processing agreement | Link |
| Germany | Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg | Swimming pool operator | 24.03.2020 | 12.000 € | Art. 28 Para. 9, Art. 6 Para. 1 GDPR | Unlawful video surveillance of employees and visitors, absence of data processing agreement in the relationship with the service provider for the maintenance of the cameras, absence of a data protection officer | Link |
| Greece | Hellenic Data Protection Authority (HDPA) | Míchou Dímitra Language and pedagogical centre | 23.03.2020 | 3.000 € | Art. 15 Para. 1, 3 GDPR | Unjustified refusal of information | Link |
| Spain | Agencia española protección datos (AEPD) | Oliveros Ustrell, S.L. | 19.03.2020 | 10.000 € | Art. 6 Para. 1 GDPR | Unlawful processing of personal data of a porting request | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Vodafone Romania SA | 18.03.2020 | 14.309 RON (3.000 €) | Art. 5 Para. 1 lit. d, f, Para. 2 | Incorrect sending of a reply to a notification to an incorrect e-mail address; insufficient technical and organisational measures | Link |
| Greece | Hellenic Data Protection Authority (HDPA) | PPC SA | 18.03.2020 | 5.000 € | Art. 15 Para. 3 GDPR | Failure to respond to a data subject's request for a copy of the data within the time limit | Link |
| Spain | Agencia española protección datos (AEPD) | Telefónica Móviles España, S.A.U. | 18.03.2020 | 30.000 € | Art. 58 Para. 2 lit. c GDPR | Lapse of a time limit to reply to a data subject concerning his request for access and erasure | Link |
| Spain | Agencia española protección datos (AEPD) | AMALFI SERVICIOS DE RESTAURACIÓN S.L. | 17.03.2020 | 6.000 € | Art. 5 Para. 1 lit. c GDPR | Improper operation of a video surveillance system with a view of public space | Link |
| Spain | Agencia española protección datos (AEPD) | CENTRO DE ESTUDIOS DIRIGIDOS DELTA, S.L. | 16.03.2020 | 5.000 € | Art. 5 Para. 1 lit. f GDPR | Unlawful sending of personal data to a third party via WhatsApp | Link |
| Spain | Agencia española protección datos (AEPD) | Private person | 16.03.2020 | 4.000 € | Art. 6 Para. 1 lit. a GDPR | Unlawful taking of photographs without the consent of the data subjects | Link |
| Germany | Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen | Truck driver | 14.03.2020 | 229 € | Art. 6 Para. 1 lit. f, 12 GDPR | Illegal operation of a dashcam in a truck and uploading the recordings to YouTube | Link |
| Spain | Agencia española protección datos (AEPD) | ownership community | 12.03.2020 | 2.000 € | Art. 5 Para. 1 lit. c GDPR | Illegal surveillance of public space and lack of data protection notices | Link |
| Bulgaria | Commission for Personal Data Protection (CPDP) | utility company | 12.03.2020 | 10.000 BGN (5.113 €) | Art. 10 Para. 1 GDPR | Unlawful transmission of debt collection data of an alleged debtor | Link |
| Bulgaria | Commission for Personal Data Protection (CPDP) | TK EOOD | 12.03.2020 | 5.000 BGN (2.557 €) | Art. 25 Para. 1 GDPR | Insufficient measures to protect the principle and measures of privacy by design | Link |
| Bulgaria | Commission for Personal Data Protection (CPDP) | L.E. EOOD | 12.03.2020 | 5.000 BGN (2.557 €) | Art. 25 Para. 1 GDPR | Insufficient measures to protect the principle and measures of privacy by design | Link |
| Sweden | Datainspektionen | Google LLC | 11.03.2020 | 75.000.000 SEK (6.992.842 €) | Art. 5 Para. 1 lit. a, b, 6, 9, 10, 17 GDPR | Follow-up audit with two cases from 2017: unlawful processing of special categories of personal data and data concerning criminal convictions and offences; no erasure of search results; delayed erasure of search result entries and unlawful processing of personal data by disclosing the identity of the applicant through tools of the webmaster and the web address on pages of Google | Link |
| Denmark | Datatilsynet | Municipality of Gladsaxe | 10.03.2020 | 100.000 DKK (13.384 €) | Art. 5 Para. 1 lit. f GDPR | Violation of confidentiality by the theft of a computer containing personal data; inadequate hard disk security measures | Link |
| Denmark | Datatilsynet | Municipality of Hørsholm | 10.03.2020 | 50.000 DKK (6.692 €) | Art. 5 Para. 1 lit. f GDPR | Violation of confidentiality by the theft of a computer containing personal data; inadequate hard disk security measures | Link |
| Iceland | Persónuvernd | S.A.A. medicine institute | 10.03.2020 | 3.000.000 ISK (20.647 €) | Art. 5 Para. 1 lit. f, 32 GDPR | Violation of confidentiality by sending patient files to a former employee | Link |
| Iceland | Persónuvernd | Breiðholti school | 10.03.2020 | 9.142 € | Art. 5 Para. 1 lit. f, 32 GDPR | Violation of confidentiality by sending personal data to students of the following semester | Link |
| Spain | Agencia española protección datos (AEPD) | GESTHOTEL ACTIVOS BALAGARES S.L. | 09.03.2020 | 15.000 € | Art. 5 Para. 1 lit. f GDPR | Violation of confidentiality by reading a private letter before the general meeting | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | school Torre del Greco | 06.03.2020 | 4.000 € | Art. 5 Para. 1 lit. a, c, 9 GDPR | Improper disclosure of staff member information, including health data, on the website | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | State school of art Naples | 06.03.2020 | 4.000 € | Art. 5 Para. 1 lit. a, c, 9 GDPR | Improper disclosure of staff member information, including health data, on the website | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | RTI - Reti Televisive Italiane s.p.a. | 06.03.2020 | 20.000 € | Art. 5 Para. 1 lit. a, 6, 85 GDPR; Art. 137 codice della privacy | Insufficient anonymisation of a person in a TV interview | Link |
| Spain | Agencia española protección datos (AEPD) | Private person | 06.03.2020 | 4.000 € | Art. 5 Para. 1 lit. c GDPR | Unauthorized illumination of public spaces with hidden video cameras and missing data protection notices. | Link |
| Spain | Agencia española protección datos (AEPD) | VODAFONE ESPAÑA, S.A.U. | 06.03.2020 | 60.000 € | Art. 6 Para. 1 GDPR | Identity forgery of a Vodafone employee for porting order of a new customer. | Link |
| Spain | Agencia española protección datos (AEPD) | merchant of the Bazar Susana | 06.03.2020 | 3.200 € | Art. 5 Para. 1 lit. f GDPR | Inadequate labelling of video surveillance and unauthorised disclosure of video recordings | Link |
| United Kingdom | Information Commissioner's Office (ICO) | Cathay Pacific Airways Limited | 04.03.2020 | 590.821 € (500.000 £) | Schedule 1 Part I No 7 DPA; Schedule 1 Part II No 9 DPA; Section 4(4) DPA | Far-reaching deficiencies in technical and organisational measures; significant security gaps made hacker attacks possible | Link |
| Poland | Urząd Ochrony Danych Osobowych (UODO) | City of Danzig | 04.03.2020 | 4.647 € | Art. 5 Para. 1 lit. c GDPR; Art. 9 GDPR | Unauthorised use of a fingerprint scanner in the primary school canteen | Link |
| Netherlands | Autoriteit Persoonsgegevens (AP) | Koninklijke Nederlandse Lawn Tennis Bond (KNLTB) | 03.03.2020 | 525.000 € | Art. 5 Para. 1 lit. a and Art. 6 Para. 1 GDPR | Unlawful sale of members' personal data | Link |
| Spain | Agencia española protección datos (AEPD) | Solo Embrague | 03.03.2020 | 1.800 € | Art. 13 GDPR | Missing data protection notice and cookie banner on the website | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España, S.A.U. | 03.03.2020 | 42.000 € | Art. 5 Para. 1 lit. f, 32 GDPR | Insufficient technical and organisational measures | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España, S.A.U. | 03.03.2020 | 40.000 € | Art. 5 Para. 1 lit. a, 6 GDPR | Unlawful processing of personal data - phone number. | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España, S.A.U. | 03.03.2020 | 24.000 € | Art. 5 Para. 1 lit. b, 6 GDPR | Unlawful processing of personal data - phone number. | Link |
| United Kingdom | Information Commissioner's Office (ICO) | CRDNN Limited | 02.03.2020 | 574.675 € (500.000 £) | Art. 19 PECR and Art. 55A DPA | Unauthorised calls on a large scale | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone ONO, S.A.U. | 28.02.2020 | 48.000 € | Art. 32 GDPR | Insufficient technical and organisational measures | Link |
| Spain | Agencia española protección datos (AEPD) | AEMA Hispánica | 28.02.2020 | 3.600 € | Art. 5 Para. 1 lit. f GDPR | Failure to comply with the principle of integrity and confidentiality | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España, S.A.U. | 27.02.2020 | 120.000 € | Art. 5 Para. 1 lit. a, 6 GDPR | Unlawful processing and disclosure of personal data | Link |
| Spain | Agencia española protección datos (AEPD) | XFERA MÓVILES, S.A. | 26.02.2020 | 36.000 € | Art. 5 Para. 1 lit. a, 6 GDPR | Absence of legal basis in the processing for the provision of a telecommunications service | Link |
| Spain | Agencia española protección datos (AEPD) | Private person | 21.02.2020 | 1.500 € | Art. 5 Para. 1 lit. c GDPR | Illegal surveillance of public roads and private property by video camera | Link |
| Spain | Agencia española protección datos (AEPD) | ELECTRIC RENTING GROUP, S.L. | 21.02.2020 | 2.500 € | Art. 5 Para. 1 lit. f GDPR | Sending advertising e-mails with an open distribution list | Link |
| Spain | Agencia española protección datos (AEPD) | Hotel | 18.02.2020 | 3.600 € | Art. 5 Para. 1 lit. c GDPR | Missing notice of and inadmissible video surveillance in a hotel | Link |
| Spain | Agencia española protección datos (AEPD) | MYMOVILES EUROPA 2000, SL | 14.02.2020 | 1.500 € | Art. 13 GDPR | Missing data protection notice and imprint on the website | Link |
| Spain | Agencia española protección datos (AEPD) | Colegio Arenales Carabanchel (School) | 14.02.2020 | 3.000 € | Art. 6 Para. 1 lit. a, 8 GDPR | Lack of consent of a parent to use photos on the school's website | Link |
| Spain | Agencia española protección datos (AEPD) | Xfera Moviles S.A. | 14.02.2020 | 30.000 € | Art. 5 Para. 1 lit. f, 32 GDPR | Unauthorised third party access to telecommunications data | Link |
| Spain | Agencia española protección datos (AEPD) | VODAFONE ESPAÑA, SAU | 14.02.2020 | 42.000 € | Art. 5 Para. 1 lit. f GDPR | Unauthorized access to a customer profile of another person | Link |
| Germany | Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit | Facebook Germany GmbH | 13.02.2020 | 51.000 € | Art. 37 Para. 7 GDPR | Failure to notify the change of the Data Protection Officer | Link |
| Germany | Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit | Hamburger Verkehrsverbund GmbH | 13.02.2020 | 20.000 € | Art. 33 Para. 1, 34 Para. 1 GDPR | Late reporting and notification of data subjects after a data breach | Link |
| Spain | Agencia española protección datos (AEPD) | HM HOSPITALES 1989, S.A | 13.02.2020 | 48.000 € | Art. 5 Para. 1 lit. a, 6 Para. 1 lit. a GDPR | Improper opt-out consent in a hospital | Link |
| Spain | Agencia española protección datos (AEPD) | CASA GRACIO OPERATION, SLU | 10.02.2020 | 6.000 € | Art. 5 Para. 1 lit. c GDPR | Unauthorised video surveillance on public roads | Link |
| Spain | Agencia española protección datos (AEPD) | IBERDROLA CLIENTES, S.A.U. | 07.02.2020 | 80.000 € | Art. 5 Para. 1 lit. a, 6 GDPR | Unlawful processing of personal data | Link |
| Spain | Agencia española protección datos (AEPD) | Cafeteria Nagasaki | 04.02.2020 | 1.500 € | Art. 5 Para. 1 lit. c GDPR | Unauthorized video surveillance of public roads | Link |
| Spain | Agencia española protección datos (AEPD) | VODAFONE ESPAÑA, SAU | 03.02.2020 | 75.000 € | Art. 5 Para. 1 lit. a, 6 GDPR | Unlawful processing of personal data of a former customer | Link |
| Spain | Agencia española protección datos (AEPD) | ZHANG BORDETA 2006, SL | 03.02.2020 | 3.600 € | Art. 5 Para. 1 lit. c GDPR | Unauthorized video surveillance of public roads | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España, S.A.U. | 03.02.2020 | 75.000 € | Art. 6 Para. 1 GDPR | Incorrect transfer of personal data to a third party through a phone number porting | Link |
| Spain | Agencia española protección datos (AEPD) | BANCO BILBAO VIZCAYA ARGENTARIA SL. | 03.02.2020 | 6.667 € | Art. 5, 6, 21 GDPR | Inadmissible sending of advertising mail despite objection of the data subject | Link |
| Spain | Agencia española protección datos (AEPD) | VODAFONE ESPAÑA, SAU | 03.02.2020 | 50.000 € | Art. 5 Para. 1 lit. f GDPR | Incorrect sending of invoices to third parties | Link |
| Spain | Agencia española protección datos (AEPD) | QUESERIA ARTESANAL AMECO S.L | 03.02.2020 | 5.000 € | Art. 5 Para. 1 lit. a, 6 GDPR | Unlawful processing of personal data - missing legal basis | Link |
| Spain | Agencia española protección datos (AEPD) | Private person | 03.02.2020 | 800 € | Art. 6 Para. 1 GDPR | Unauthorized creation of an erotic profile of a colleague using personal data | Link |
| Spain | Agencia española protección datos (AEPD) | Iberia Lineas Aereas de Espana, S.A. Operadora Unipersonal | 03.02.2020 | 20.000 € | Art. 5, 6, 21 GDPR | Illegal sending of advertising material after confirmed withdrawal of consent | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España, S.A.U. | 03.02.2020 | 60.000 € | Art. 5, 6 GDPR | Unlawful processing of personal data | Link |
| Germany | Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg | Food craft businesses | 30.01.2020 | 100.000 € | Art. 5 Para. 1 lit. f GDPR | Insufficient protection of personal data in an applicant portal | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | university hospital of Verona | 23.01.2020 | 30.000 € | Art. 5 Para. 1 lit. f, Art. 32 GDPR | Unauthorized access to health data of colleagues through insufficient technical and organizational measures | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | university La Sapienza (Rome) | 23.01.2020 | 30.000 € | Art. 5 Para. 1 lit. f, Art. 32 GDPR | Personal data of two persons, who reported illegal behaviour to the university, were put online due to insufficient technical and organisational measures | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | Eni gas e luce SpA (Italian mineral oil and energy group) | 17.01.2020 | 8.500.000 € | Art. 5 Para. 1 lit. a, Art. 32 GDPR | The company made promotional calls without consent. In addition, there was a lack of technical and organizational measures to deal with users' advertising objections. In addition, retention periods were exceeded and data records no longer required were not erased. | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | Eni gas e luce SpA (Italian mineral oil and energy group) | 17.01.2020 | 3.000.000 € | Art. 5 Para. 1 lit. a GDPR | Contract extension in the customer registration system without consent, in some cases despite prior termination by the data subjects | Link |
| Hungary | Nemzeti Adatvédelmi és Információszabadság Hatóság | Healthcare institution (Hungary) | 16.01.2020 | 1.500 € | Art. 6 GDPR | Private e-mails of former employees were not deleted and thus data without legal basis continued to be processed | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Entirely Shipping & Trading SRL (Romanian Shipyard) | 16.01.2020 | 10.000 € | Art. 5 Para. 1 lit. c, Art. 6, Art. 9, Art. 13 GDPR | Missing data protection notices, video surveillance in changing rooms and illegal processing of employee data | Link |
| United Kingdom | Information Commissioner's Office | social worker | 15.01.2020 | 482 € | § 55 DPA (national data protection law) | Unlawful transmission of data on vulnerable young people to third parties | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | TIM SpA (Italian telecommunications company) | 15.01.2020 | 27.802.946 € | Art. 5 Para. 1 lit. a, b and e, Art. 7 Para. 1, 2 GDPR | Cold calls without consent, in some cases despite objections to advertising. Furthermore, incorrect and intransparent information on data processing in TIM apps. In addition, the IT systems used did not meet the requirements of Art. 25 Para. 1 GDPR (Privacy by Design). The recorded telephone orders were also stored for longer than permitted. | Link1; Link2 |
| Italy | Garante per la protezione dei dati personali (GPD) | municipality of Francavilla Fontana | 15.01.2020 | 10.000 € | Art. 5 Para. 1 lit. c, Art. 9 Para. 1, 2 and 4 GDPR | Publication of a document with the settlement of legal costs of a court case on the website of the municipality for a period of two months. The document contained, among other things, health data and bank details of the parties. | Link |
| Spain | Agencia española protección datos (AEPD) | Zhang Bordeta 2006, S.L. (store and restaurant) | 14.01.2020 | 3.600 € | Art. 5 GDPR | The restaurant owner installed a video surveillance system which, among other things, also recorded the sidewalk and thus public space | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | SC Enel Energie SA (Romanian energy company) | 14.01.2020 | 6.000 € | Art. 5 Para. 1, Para. 2, Art. 6, Art. 7 Para. 1, Art. 21 Para. 1 GDPR | Customer data was processed contrary to the data protection principles. In addition, accountability could not be fulfilled, as consents could not be shown. In addition, an objection to consent was not observed | Link |
| Hungary | Nemzeti Adatvédelmi és Információszabadság Hatóság | Collection service provider | 14.01.2020 | 4.487 € | Art. 6 Para. 1 lit. f, Art. 21, Art. 17 GDPR | Violation of the right to deletion, unlawful storage of data and violation of the dual obligation | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Hora Credit IFN SA (Romanian financial company) | 13.01.2020 | 14.000 € | Art. 5, Art. 25, Art. 32, Art. 33 Para. 1 GDPR | Violation of the data protection principles according to Art. 5 GDPR. In addition, data was sent to the wrong recipients, which resulted from a lack of technical and organisational measures. Furthermore, a data-breach report was not sent within 72 hours. | Link |
| Greece | Hellenic Data Protection Authority (HDPA) | Allseas MARINE S.A. (Greek provider of maritime services) | 13.01.2020 | 15.000 € | Art. 5, Art. 32, Art. 24 Para. 1 GDPR | Illegal operation and installation of a video surveillance system | Link |
| Cyprus | Office of the Commissioner for Personal Data Protection | LGS Handling Ltd. | 13.01.2020 | 70.000 € | Art. 6 Para. 1 lit. f, Art. 9 GDPR | Application of a calculation model to classify the sick leave of employees without a legal basis (this does not constitute a legitimate interest) | Link |
| Cyprus | Office of the Commissioner for Personal Data Protection | Louis Travel Ltd. | 13.01.2020 | 10.000 € | Art. 6 Para. 1 lit. f, Art. 9 GDPR | Application of a calculation model to classify the sick leave of employees without a legal basis (this does not constitute a legitimate interest) | Link |
| Cyprus | Office of the Commissioner for Personal Data Protection | Louis Aviation Ltd. | 13.01.2020 | 2.000 € | Art. 6 Para. 1 lit. f, Art. 9 GDPR | Application of a calculation model to classify the sick leave of employees without a legal basis (this does not constitute a legitimate interest) | Link |
| Cyprus | Office of the Commissioner for Personal Data Protection | ML PRO.FIT SOLUTIONS LTD (eShop for sports equipment) | 13.01.2020 | 1.000 € | Art. 6 GDPR | Sending marketing SMS without consent | Link |
| Cyprus | Office of the Commissioner for Personal Data Protection | Cyprus Police | 13.01.2020 | 9.000 € | Art. 32 Para. 1 lit. b and d GDPR | Lack of technical and organizational measures regarding password protection | Link |
| Cyprus | Office of the Commissioner for Personal Data Protection | AG QUICKSPA LIMITED | 13.01.2020 | 1.200 € | Art. 5 Para. 1 lit. f, Art. 32 GDPR | Sending of advertising SMS despite advertising objection by data subjects, resulting from insufficient technical and organizational measures | Link |
| Cyprus | Office of the Commissioner for Personal Data Protection | Social Insurance Services of the Ministry of Labor, Welfare and Social Insurance | 13.01.2020 | 9.000 € | Art. 32 GDPR | No appropriate technical and organisational measures taken to secure data | Link |
| Spain | Agencia española protección datos (AEPD) | VODAFONE ESPAÑA, S.A.U. | 09.01.2020 | 3.000 € | Art. 58 Para. 1 GDPR | Requested information from the supervisory authority was not made available in due time. | Link |
| United Kingdom | Information Commissioner's Office | DSG Retail Ltd | 09.01.2020 | 586.972 € | Schedule 1 Part I No 7 DPA, Schedule 1 Part II No 9 DPA, Section 4(4) DPA | Hackers got hold of 14 million customer data due to insufficiently protected cash register systems | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | Tim SpA | 09.01.2020 | 900.000 € | Art. 166 Law Nr. 689/81, Art. 27 Law Nr. 689/81 | Retention periods were exceeded. In addition, unauthorised data storage took place | Link |
| Spain | Agencia española protección datos (AEPD) | EDP ENERGIA, S.A.U. | 08.01.2020 | 75.000 € | Art. 6 Para. 1 lit. b GDPR | Inadequate authentication process | Link |
| Spain | Agencia española protección datos (AEPD) | VODAFONE ESPAÑA, S.A.U. | 08.01.2020 | 44.000 € | Art. 5 Para. 1 lit. f GDPR | Violation of confidentiality through access to personal data of a third party | Link |
| Spain | Agencia española protección datos (AEPD) | EDP COMERCIALIZADORA S.A. | 07.01.2020 | 75.000 € | Art. 6 Para. 1 lit. b GDPR | Unlawful processing of personal data and missing identity check | Link |
| Spain | Agencia española protección datos (AEPD) | Asociación de Médicos Demócratas | 07.01.2020 | 10.000 € | Art. 6 Para. 1 GDPR | Illegal use of e-mail addresses without necessary consent | Link |
| Spain | Agencia española protección datos (AEPD) | XFERA MÓVILES, SA | 03.01.2020 | 60.000 € | Art. 5 Para. 1, 6 Para. 1 GDPR | Inadequate verification of personal data that led to a link with a third party | Link |
| Greece | Hellenic Data Protection Authority (HDPA) | Aegean Marine Petroleum Network Inc. | 31.12.2019 | 150.000 € | Art. 5, 6, 32 GDPR | Insufficient technical and organisational measures of a server | Link |
| Germany | Bundesnetzagentur (BNetzA) | Sky Deutschland Fernsehen GmbH & Co. KG | 23.12.2019 | 250.000 € | § 7 Para. 2 Nr. 2 UWG | Unlawful telephone calls and no suitable system for documenting and managing advertising consents | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Asociație de Proprietari | 23.12.2019 | 2.389 RON (500 €) | Art. 12 Law Nr. 190/2018 | Improper disclosure of video surveillance photos | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Telekom Romania Mobile Communications SA | 18.12.2019 | 9.544 RON (2.000 €) | Art. 5 Para. 1 lit. d, 32 Para. 1 lit. b, 2 GDPR | Insufficient technical and organisational measures for the protection of confidentiality | Link |
| Spain | Agencia española protección datos (AEPD) | SHOP MACOYN, S.L. | 18.12.2019 | 5.000 € | Art. 5 Para. 1 lit. f GDPR | Violation of confidentiality through visibility of other e-mail addresses in the advertising distribution list | Link |
| Hungary | Nemzeti Adatvédelmi és Információszabadság Hatóság | Employer | 18.12.2019 | 1.512 € | Art. 6 Para. 1 lit. b, 88 Para. 1 GDPR | Missing legal basis for storage and archiving in the e-mail account of a former employee | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone Ono, S.A.U. | 18.12.2019 | 3.000 € | Art. 58 Para. 1 lit. a GDPR | Failure to provide the supervisory authority with requested information in a timely manner | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone Ono, S.A.U. | 18.12.2019 | 3.000 € | Art. 58 Para. 1 lit. a GDPR | Failure to provide the supervisory authority with requested information in a timely manner | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España S.A.U. | 18.12.2019 | 3.000 € | Art. 58 Para. 1 lit. a GDPR | Failure to provide the supervisory authority with requested information in a timely manner | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España S.A.U. | 18.12.2019 | 3.000 € | Art. 58 Para. 1 lit. a GDPR | Failure to provide the supervisory authority with requested information in a timely manner | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España S.A.U. | 18.12.2019 | 3.000 € | Art. 58 Para. 1 lit. a GDPR | Failure to provide the supervisory authority with requested information in a timely manner | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España S.A.U. | 18.12.2019 | 3.000 € | Art. 58 Para. 1 lit. a GDPR | Failure to provide the supervisory authority with requested information in a timely manner | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Globus Score SRL | 17.12.2019 | 9.544 RON (2.000 €) | Art. 58 Para. 1 lit. a, e GDPR | Insufficient interaction with the competent supervisory authority and lack of compliance | Link |
| Belgium | Autorité de protection des données (APD) | Nursing Organization | 17.12.2019 | 2.000 € | Art. 15, 17, 12 Para. 3, 4 GDPR | Failure to comply with data subject's rights of access and erasure | Link |
| Spain | Agencia española protección datos (AEPD) | LINEA DIRECTA ASEGURADORA, S.A. | 16.12.2019 | 5.000 € | Art. 6 Para. 1 lit. a, 7, 21 GDPR | Sending advertising e-mails without consent | Link |
| Sweden | Datainspektionen | Nusvar AB | 16.12.2019 | 35.000 € | Art. 5 Para. 1 lit. c, 10 GDPR | Disclosure of court cases and criminal information about Swedish citizens | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | SC Enel Energie S.A. (Electricity Distributor) | 16.12.2019 | 6.000 € | Art. 5 Para. 1 lit. a, 6, 7 GDPR | Unlawful processing of personal data and missing measures for the termination of notifications | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Entirely Shipping & Trading S.R.L. | 16.12.2019 | 5.000 € | Art. 5 Para. 1 lit. c, 6, 7 GDPR | Unlawful and excessive video surveillance of employees | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Entirely Shipping & Trading S.R.L. | 16.12.2019 | 5.000 € | Art. 5 Para. 1 lit. c, 6, 7, 9 GDPR | Unjustified processing of biometric data (fingerprints) as access to premises | Link |
| Spain | Agencia española protección datos (AEPD) | MEGASTAR, S.L. | 13.12.2019 | 1.600 € | Art. 5 Para. 1 lit. c, 13 GDPR | Illegal video surveillance of public traffic areas and lack of information on video surveillance | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Modern Barber SRL | 13.12.2019 | 3.000 € | Art. 58 Para. 1 lit. a, e GDPR | Late provision of information to the supervisory authority | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Nicola Medical Team 17 SRL | 13.12.2019 | 9.544 RON (2.000 €) | Art. 58 Para. 1 lit. a, e GDPR | Late and insufficient provision of information to the supervisory authority | Link |
| Spain | Agencia española protección datos (AEPD) | Vodafone España S.A.U. | 12.12.2019 | 18.000 € | Art. 5 Para. 1 lit. d GDPR | Unlawful processing of contract data - unjustified billing to a former customer | Link |
| Italy | Garante per la protezione dei dati personali (GPD) | Casa della Legalità e della Cultura Onlus | 11.12.2019 | 20.000 € | Art. 166 Para. 8 codice della privacy | Unjustified stigmatisation of an insolvency administrator in an article - infringement of the right to be forgotten | Link |
| Hungary | Nemzeti Adatvédelmi és Információszabadság Hatóság | Unknown | 11.12.2019 | 1.500 € | Art. 6 GDPR | Processing of personal e-mails of a former employee without legal basis | Link |
| Spain | Agencia española protección datos (AEPD) | Shop Macoyn, S.L. | 10.12.2019 | 5.000 € | Art. 32 GDPR | Sending advertising e-mails with open distribution list (all recipient addresses were visible) | Link |
| Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Hora Credit IFN SA | 10.12.2019 | 14.000 € | Art. 5, Art. 25, Art. 32, Art. 33 GDPR | No adequate technical and organisational measures established. This resulted in the disclosure of personal data to third parties. In addition, no information about the data protection violation was provided | Link |
| Germany | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) | 1&1 Telecom GmbH | 09.12.2019 | 9.550.000 € | Art. 32 GDPR | Callers obtained extensive information about personal customer data, due to a lack of authentication process | Link |
| Germany | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) | Rapidata GmbH | 09.12.2019 | 10.000 € | Art. 37 GDPR, § 38 BDSG | No appointment of a data protection officer despite repeated requests | Link |
| Hungary | Nemzeti Adatvédelmi és Információszabadság Hatóság | Hospital | 09.12.2019 | 90 € | Art. 15 GDPR | Infringement of the right of access of the data subjects. In addition, a copying fee was unlawfully levied | Link |
| United Kingdom | Information Commissioner's Office | Nursing staff member | 05.12.2019 | 532 € | § 55 DPA | Unauthorised access to social security documents (including those of children) | Link |
| Germany | Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz | University Medical Center of Johannes Gutenberg-university Mainz | 03.12.2019 | 105.000 € | Art. 6, Art. 9 GDPR | Technical and organisational deficits in patient management. A patient mix-up resulted in incorrect invoicing | Link |
| Spain | Agencia española protección datos (AEPD) | CERRAJERIA VERIN S.L. | 03.12.2019 | 1.500 € | Art. 13 GDPR | Missing data protection notice on the website. | Link |
united kingdom flag icon 128 Information Commissioner's Office
social welfare office worker
02.12.2019 828 GBP
700 €
§ 170 DPA Unauthorized access to social security records Link
romania flag icon 128 Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
SC CNTAR TAROM SA
29.11.2019 20.000 € Art. 32 Para. 1, 2, 4 GDPR Insufficient technical and organisational measures for ensuring purpose limitation as well as insufficient measures against unauthorised disclosure Link
romania flag icon 128 Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Royal President SRL
29.11.2019 2.500 € Art. 5 Para. 1 lit. f, 12 Para. 3, 4,
15, 32 Para. 1 lit. b GDPR
Refusal of a request for information and unfair disclosure of personal data Link
romania flag icon 128 Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
ING Bank N.V. Amsterdam
29.11.2019 80.000 € Art. 5 Para. 1 lit. f, 25, 32 Para. 1 lit. d GDPR Insufficient implementation of the principle of privacy by design and lack of technical and organisational measures Link
 spain flag icon 128  Agencia española protección datos (AEPD) AUDAX RENOVABLES, S.A.   29.11.2019 24.000 €  
Art. 6, 44.3.b LOPDGDD
Unauthorised disclosure of personal data to an energy supplier Link
 belgium flag icon 256 Autorité de protection des données (APD)  Mayor  28.11.2019 5.000 € Art. 5 Para. 1 lit. b, 6 Para. 4 GDPR Prohibited use of a list of persons for the purpose of election advertising Link1
Link2
 belgium flag icon 256  Autorité de protection des données (APD)  City Council  28.11.2019 5.000 €  Art. 5 Para. 1 lit. b, 6 Para. 4 GDPR  Prohibited use of a list of persons for the purpose of election advertising Link1
Link2
 spain flag icon 128   Agencia española protección datos (AEPD)  
IKEA IBÉRICA, S.A.U.
28.11.2019  10.000 € Art. 4 Nr. 11, 6 Para. 1 lit. a, 7 GDPR Unauthorized setting of up to 23 cookies on user end devices without prior consent or notification of the possibility of withdrawal. Link
spain flag icon 128   Agencia española protección datos (AEPD)
CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U.
28.11.2019 75.000 € Art. 6 Para. 1 lit. a GDPR Improper use of personal contract data for a new contract Link
hungary flag icon 128 Nemzeti Adatvédelmi és Információszabadság Hatóság
Hungarian military hospital
26.11.2019 2.500.000 HUF
(7.437 €)
Art. 24 Para. 1, 2, 32, 33 Para. 1 GDPR Failure to meet the 72-hour deadline for reporting a data breach and lack of technical and organisational measures Link
spain flag icon 128   Agencia española protección datos (AEPD)
XFERA MÓVILES, SA
26.11.2019 60.000 € Art. 32 GDPR Insufficient technical and organisational measures and lack of implementation of complaints Link
spain flag icon 128   Agencia española protección datos (AEPD)
CORPORACION DE RADIO Y TELEVISION ESPAÑOLA SA
26.11.2019 60.000 € Art. 32 GDPR Insufficient technical and organisational measures when handling personal data on a USB stick Link
spain flag icon 128   Agencia española protección datos (AEPD)
VIAQUA XESTIÓN INTEGRAL DE AUGAS DE GALICIA, SA
26.11.2019 60.000 € Art. 6 GDPR Insufficient technical and organisational measures when amending a contract Link
 romania flag icon 128  Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal  FAN Courier Express SRL 25.11.2019  11.000 €  Art. 5 Para. 1 lit. f, Art. 32 Para. 1, Para. 2 GDPR  No appropriate technical and organisational measures have been taken to protect customer data Link 
 romania flag icon 128 Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal  BNP Paribas Personal Finance SA  22.11.2019   2.000 € Art. 12 Para. 3 GDPR  Failure to reply to a request for erasure made by a data subject within the prescribed period Link
france flag icon 128 Commission Nationale de l’Informatique et des Libertés (CNIL) FUTURA INTERNATIONALE 21.11.2019 500.000 € Art. 5 Para. 1 lit. c, Art. 12, Art. 13, Art. 14, Art. 21, Art. 44 GDPR Advertising calls without consent, sometimes despite opposition (cold calls). In addition, disregard for the processing principles and the rights of the data subjects Link
spain flag icon 128 Agencia española protección datos (AEPD) Telefónica Móviles España, S.A.U. 20.11.2019 30.000 € Art. 5 Para. 1 lit. d GDPR Customers received invoices with personal data of other customers Link
spain flag icon 128 Agencia española protección datos (AEPD) Maloney SPORTS BAR SL 19.11.2019 6.000 € Art. 5 Para. 1 lit. c GDPR Infringement of the principle of data minimisation in connection with video surveillance Link
spain flag icon 128 Agencia española protección datos (AEPD) Confederación General del Trabajo 15.11.2019 3.000 € Art. 5 Para. 1 lit. f GDPR Unlawful disclosure of personal data to 400 trade union members Link
spain flag icon 128 Agencia española protección datos (AEPD) Vodafone España, S.A.U. 14.11.2019 60.000 € Art. 5 Para. 1 lit. f GDPR Billing data was sent to unauthorized third parties Link
romania flag icon 128 Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal Vodafone Romania SA 14.11.2019 2.098 € Art. 13 Para. 1 lit. q Law Nr. 506/2004, Art. 13 Para. 5 Law Nr. 506/2004, Art. 12 Para. 1 Law Nr. 506/2004 Advertising messages despite objection to advertising Link
 italy flag icon 256 Garante per la protezione dei dati personali (GPD)  ASL n. 2 Savonese   14.11.2019  8.000 €  Art. 5 Para. 1 lit. a, c, Art. 9 GDPR Transfer of health data without the consent of the data subjects Link 
poland flag icon 128 Urząd Ochrony Danych Osobowych Unknown 13.11.2019 47 € Art. 5 Para. 1 lit. d, f GDPR A judicial officer failed to exercise due diligence in the course of his duties Link
spain flag icon 128 Agencia española protección datos (AEPD) TODOTECNICOS24H S.L. 11.11.2019 900 € Art. 13 GDPR Missing data protection notices Link
slovakia flag icon 128 Úrad na ochranu osobných údajov Sociálna poisťovňa (Social Insurance Institution) 11.11.2019 50.000 € Art. 32 Para. 1 lit. b GDPR Document with personal data was lost (fine is currently being contested) Link
spain flag icon 128 Agencia española protección datos (AEPD) MADRILEÑA RED DE GAS S.A.U. 08.11.2019 12.000 € Art. 5 Para. 1 lit. f GDPR Violation of the integrity and confidentiality of customer data Link
spain flag icon 128 Agencia española protección datos (AEPD) CERRAJERO ONLINE S.L. 08.11.2019 900 € Art. 13 GDPR Missing data protection notices Link
spain flag icon 128 Agencia española protección datos (AEPD) Joker Premium Invex S.L. 07.11.2019 6.000 € Art. 6 Para. 1 lit. a, Art. 7  GDPR Advertising without the consent of the recipient Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD) Comune di Tivoli (municipality of Tivoli) 07.11.2019 6.000 € Art. 5 Para. 1 lit. a,c, Art. 6 Para. 1 lit. c,e, Para. 3 lit.b GDPR Publication of personal data on the municipality website Link
poland flag icon 128 Urząd Ochrony Danych Osobowych ClickQuickNow Sp. z o.o. 06.11.2019 47.119 € Art. 7 Para. 3, Art. 12 Para. 2 GDPR The withdrawal of consent was much more complicated than the giving of consent Link
germany flag icon 128 Berliner Beauftragte für Datenschutz und Informationsfreiheit Deutsche Wohnen SE 05.11.2019 14.500.000 € Art. 5, Art. 25 GDPR Storage of data of former tenants in an archive system without legal basis and without possibility of erasure. Link
latvia flag icon 128 Datu valsts inspekcija Unknown 11.2019 150.000 € Art. 6 GDPR Illegal data processing Link
spain flag icon 128 Agencia española protección datos (AEPD) Vodafone España, S.A.U. 04.11.2019 60.000 € Art. 5 Para. 1 lit. f GDPR Transmission of documents containing invoice data from third parties Link
netherlands flag icon 128 Autoriteit Persoonsgegevens Menzis Group 04.11.2019 50.000 € Art. 5 Para. 1 lit. b, f GDPR Disregard of the principles for the processing of personal data Link
greece flag icon 256 Hellenic Data Protection Authority (HDPA) WIND ΕΛΛΑΣ ΤΗΛΕΠΙΚΟΙΝΩΝΙΕΣ ΑΕΒΕ 04.11.2019 20.000 € Art. 21 Para. 1 lit. a Νόμος 2472/1997, Art. 13 Para. 4 Νόμος 3471/2006 Advertising messages without consent, partly despite advertising objection Link
 spain flag icon 128 Agencia española protección datos (AEPD)  VODAFONE ESPAÑA, S.A.U  04.11.2019  36.000 €   Art. 6 Para. 1 lit. a, b, Art. 5 Para. 1 lit. a GDPR  Processing of account data without legal basis  Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) National Revenue Agency 01.11.2019 28.129 € Art. 6 Para. 1 GDPR Query, unrelated to the intended purpose, of a register of persons for the current residence of a private person Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) H. K. 01.11.2019 5.113 € Art. 6 Para. 1 GDPR Processing of personal data without legal basis Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) Telecommunications provider 01.11.2019 11.758 € Art. 6 Para. 1 GDPR Processing of personal data without legal basis Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) Unknown 01.11.2019 1.789 € Art. 12 Para. 4 GDPR A justified request for access was not answered Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) E. K. 01.11.2019 511 € Art. 12 Para. 3, Art. 15 Para. 1 GDPR Late reply to a request for access Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) Ministry of the Interior 01.11.2019 5.112 € Art. 6 Para. 1 GDPR Unlawful provision of personal data of a person wanted by the police Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) B. M. 01.11.2019 511 € Art. 58 Para. 1 lit. a, e GDPR Refusal to cooperate with the supervisory authority Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) Telecommunications company 01.11.2019 1.023 € Art. 6 Para. 1 GDPR Processing of personal data without legal basis Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)
Partito Democratico
 31.10.2019  4.000 €  
162 Law Nr. 689/81
27 Law Nr. 689/81
 Transfer of personal data without consent Link
 netherlands flag icon 128  Autoriteit Persoonsgegevens  UWV (Dutch employee insurance service provider)  31.10.2019 900.000 € Art. 32 GDPR Insufficient technical and organisational measures and no multi-factor authentication in the employee portal Link
 austria flag icon 256 Datenschutzbehörde 
Österreichische Post Aktiengesellschaft
 
 29.10.2019  28.000.000 € Art. 5 Para. 1 lit. a
9 GDPR
Unauthorized processing of political preferences and sale to political parties. Link
cyprus flag icon 128 Office of the Commissioner for Personal Data Protection LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd 25.10.2019 70.000 € Art. 6, 9 GDPR Inappropriate profiling and monitoring of sick leave Link
cyprus flag icon 128 Office of the Commissioner for Personal Data Protection LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd 25.10.2019 10.000 € Art. 6, 9 GDPR Inappropriate profiling and monitoring of sick leave Link
cyprus flag icon 128 Office of the Commissioner for Personal Data Protection LGS Handling Ltd, Louis Travel Ltd, and Louis Aviation Ltd 25.10.2019 2.000 € Art. 6, 9 GDPR Inappropriate profiling and monitoring of sick leave Link
germany flag icon 128 Datenschutzaufsichtsbehörde Baden-Württemberg medium-sized food company 24.10.2019 100.000 € Art. 5, 32 GDPR Insufficient technical and organisational measures for the protection of applicant data Link
 romania flag icon 128   Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Artmark Holding SRL
 
 22.10.2019  10.000 RON
(2.092 €)
 
Art. 13 Para. 1 lit. q Law Nr. 506/2004
Art. 13 Para. 5 Law Nr. 506/2004
Unlawful sending of advertising messages to data subjects without consent Link
poland flag icon 128 Urząd Ochrony Danych Osobowych
Municipality of Aleksandrów Kujawski
18.10.2019 40.000 PLN
(9.400 €)
Art. 28 GDPR Lack of written agreement on contract processing and insufficient back-up copies of City Council meetings Link
spain flag icon 128 Agencia española protección datos (AEPD) 
Xfera Móviles S.A.
16.10.2019 60.000 € Art. 6 Para. 1 GDPR Illegal advertising calls without prior consent of the data subjects Link
spain flag icon 128 Agencia española protección datos (AEPD) 
Iberdrola Clientes S.A.U.
16.10.2019 8.000 € Art. 31, 83 Para. 4 lit. a GDPR Lack of cooperation with the supervisory authority Link
spain flag icon 128 Agencia española protección datos (AEPD) 
Private person
16.10.2019 10.000 € Art. 5 Para. 1 lit. c GDPR Unauthorized video surveillance in the shared apartment Link
 cyprus flag icon 128
Office of the Commissioner for Personal Data Protection
Doctor
 11.10.2019  14.000 € Art. 5, 6 GDPR Unauthorized publication of sensitive patient data on a social media platform  Link
 spain flag icon 128 Agencia española protección datos (AEPD) 
Vueling Airlines S.A.
 
 10.10.2019  30.000 € Art. 5 GDPR Insufficient and faulty cookie banner on the website Link
 austria flag icon 256 Datenschutzbehörde  
Medical outpatient clinic
 
10.10.2019 50.000 € Art. 7, 12, 13, 14, 35 GDPR  Lack of appointment of a data protection officer; incomplete information sheet regarding consent;
Failure to provide information on health data and to carry out a data protection impact assessment
Link
 cyprus flag icon 128  Office of the Commissioner for Personal Data Protection
Eleftherios Demetriou
 
03.10.2019 2.000 €  Art. 6 Para. 1 lit. a, 21 GDPR Illegal sending of SMS messages without consent and possibility of withdrawal Link
cyprus flag icon 128 Office of the Commissioner for Personal Data Protection DIKO 03.10.2019 3.000 €  Art. 6 Para. 1 lit. a, 21 GDPR Inadmissible advertising calls and failure to observe the right of objection Link
cyprus flag icon 128 Office of the Commissioner for Personal Data Protection
Candidate for the EU Parliament
03.10.2019 2.000 € Art. 5 Para. 1 lit. b, 6 Para. 1 lit. a GDPR Sending unauthorised election advertising Link
cyprus flag icon 128 Office of the Commissioner for Personal Data Protection
City Council of the municipality of Aradippou
03.10.2019 1.000 € Art. 5 Para. 1 lit. b, 6 Para. 1 lit. a GDPR Unauthorised processing and disclosure of salary data and unauthorised transfer to third parties Link
cyprus flag icon 128 Office of the Commissioner for Personal Data Protection
AstroBank Ltd
03.10.2019 2.000 € Art. 6 Para. 4 GDPR Unauthorized processing of personal data of a seller of real estate without consent Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)
Tgroup s.r.l.
02.10.2019 6.400 €
Art. 13, 23, 161, 152 Para. 2 codice della privacy
Failure to verify consent to process personal data before activating a SIM card Link
romania flag icon 128   Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Raiffeisen Bank S.A.
01.10.2019 150.000 € Art. 32 Para. 1, 2, 4 GDPR Unlawful use of WhatsApp for credit reports Link
romania flag icon 128   Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Vreau Credit S.R.L.
01.10.2019 20.000 € Art. 32 Para. 1, 2, 4, 33 GDPR Improper use of WhatsApp to submit personal credit history information;
No information to data subjects about the transfer of data to third parties
Link
hungary flag icon 128 Nemzeti Adatvédelmi és Információszabadság Hatóság
Municipality of Kerepes
01.10.2019 5.000.000 HUF
(15.111 €)
Art. 5 Para. 1 lit. a, b, c,
12, 13 GDPR
Unlawful and unnecessary video surveillance; lack of reference by an authority to the legitimate interest;
Insufficient data protection information on video surveillance
Link
 bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)   Bank 30.09.2019  511 €   Art. 5 Para. 1 lit. a, Art. 6 GDPR Processing of personal data without legal basis   Link
 greece flag icon 256 Hellenic Data Protection Authority (HDPA)  Hellenic Telecommunications Agency SA 30.09.2019   200.000 € Art. 21 Para. 3, Art. 25 GDPR  The right to object has been violated in 8,000 cases due to a technical error Link 
 slovakia flag icon 128 Úrad na ochranu osobných údajov  Slovak Telekom, a.s.   27.09.2019  40.000 € Art. 32 GDPR  Loss of personal data    Link
romania flag icon 128 Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal INTELIGO MEDIA SA 26.09.2019 9.000 € Art. 5 Para. 1 lit. a, Art. 6 Para. 1 lit. a, Art. 7 GDPR Ineffective consent for the sending of newsletter Link
spain flag icon 128 Agencia española protección datos (AEPD)  Restaurant 20.09.2019 12.000 € Art. 5 Para. 1 lit. a GDPR Unauthorized installation of video cameras at the workplace Link
germany flag icon 128 Berliner Beauftragte für Datenschutz und Informationsfreiheit Delivery Hero Germany GmbH 19.09.2019 195.407 € Art. 15, Art. 17, Art. 21 GDPR Failure to delete former customer data and unauthorised advertising e-mails in several cases Link
belgium flag icon 256 Autorité de protection des données merchant 19.09.2019 10.000 € Art. 5 Para. 1 lit. c, Art. 6 Para. 1 GDPR To issue a customer card, an identity card had to be presented Link
united kingdom flag icon 128 Information Commissioner's Office Superior Style Home Improvements Ltd. 17.09.2019 177.400 € Art. 21 PECR, § 55A DPA Unauthorised advertising calls Link
poland flag icon 128 Urząd Ochrony Danych Osobowych Morele.net Sp. z o. o. 10.09.2019 660.000 € Art. 32 GDPR Unauthorised access to 2.2 million personal data due to inadequate security measures Link
 bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)   National Revenue Agency   03.09.2019 28.100 €   Art. 6 Para. 1, Art. 58 Para. 2 lit. e, Art. 83 Para. 5 lit. a GDPR Unlawful processing of personal data for the purpose of enforcement proceedings Link 
latvia flag icon 128 Datu valsts inspekcija merchant of an online shop 29.08.2019 7.000 € Art. 17 GDPR Rights of the data subjects were violated several times ("right to be forgotten"). Link
 bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)   DSK Bank  28.08.2019  511.247 €  Art. 32 GDPR  Due to a lack of technical measures, personal data of about 33,500 customers were stolen Link 
 spain flag icon 128 Agencia española protección datos (AEPD)    VODAFONE ONO, S.A.U  28.08.2019 48.000 €   Art. 32 GDPR Disclosure of customer data in the online customer area to a third party Link 
austria flag icon 256 Datenschutzbehörde (DSB) Company in the medical sector 22.08.2019 50.000 € Art. 13, Art. 37 GDPR Failure to comply with information obligations and failure to appoint a data protection officer Link
austria flag icon 256 Datenschutzbehörde (DSB) soccer coach 22.08.2019 11.000 € Art. 6 GDPR Years of secret filming of the female players in the shower Link
sweden flag icon 128 v2 Datainspektionen Swedish school in the municipality of Skellefteå 21.08.2019 18.740 € Art. 5 Para. 1 lit. c, Art. 9, Art. 35, Art. 36 GDPR Face recognition for presence control Link
spain flag icon 128 Agencia española protección datos (AEPD)   Brothel operator 19.08.2019 9.000 € Art. 5 Para. 1 lit. c GDPR Illegal video surveillance in a private dwelling used illegally as a brothel Link
spain flag icon 128 Agencia española protección datos (AEPD)   AVON Cosmetics 16.08.2019 60.000 € Art. 6 GDPR Misuse of personal data, without prior verification of identity Link
 spain flag icon 128 Agencia española protección datos (AEPD)     TELEFONICA MOVILES ESPAÑA, S.A.U. 12.08.2019  36.000 €  Art. 5 Para. 1 lit. a GDPR Unintentional inclusion of third party billing data in the telephone bill Link 
united kingdom flag icon 128 Information Commissioner's Office Hudson Bay Finance Ltd 12.08.2019 - Sec. 7 DPA No fine, only threat of execution! Link
spain flag icon 128 Agencia española protección datos (AEPD) Géstion De Cobros, Yo Cobro, SL (Collection agency) 10.08.2019 60.000 € Art. 5 Para. 1 lit. f GDPR Sending e-mails to a debtor's employer e-mail address, which the debtor had not provided Link
 spain flag icon 128 Agencia española protección datos (AEPD)    Brothel operator  08.08.2019  20.000 €   Art. 5 Para. 1 lit. c GDPR  Illegal video surveillance in a building used as a brothel Link 
romania flag icon 128 Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal UTTIS INDUSTRIES SRL 06.08.2019 2.500 € Art. 5 Para. 1 lit. c, Art. 12, Art. 13, Art. 6 GDPR Violation of information obligations in video surveillance Link
germany flag icon 128 Landesbeauftragte für den Datenschutz Nordrhein-Westfalen (LDI) Private person 05.08.2019 200 € Art. 5, Art. 6 GDPR Recording and publication of public road traffic Link
united kingdom flag icon 128  Information Commissioner's Office 
Making it Easy Ltd.
 
02.08.2019 189.180 € § 40 DPA Unauthorised advertising calls despite objection by the parties addressed  Link
 bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)    municipality of K. 01.08.2019 7.669 € Art. 5 Para. 1 GDPR Violation of the principles of processing Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)   Unknown 01.08.2019 10.000 € Art. 5 Para. 1 lit. b GDPR Infringement of the principle of purpose limitation Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)   national social security 01.08.2019 2.556 € Art. 32 GDPR Insufficient technical and organisational measures Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) financial institution AD 01.08.2019 5.112 € Art. 5 Para. 1 GDPR Violation of the principles of processing Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) financial institution EOOD 01.08.2019 5.112 € Art. 6 Para. 1 GDPR Violation of the lawfulness of the processing Link
greece flag icon 256 Hellenic Data Protection Authority (HDPA)
PricewaterhouseCoopers Business Solutions S.A.
30.07.2019 150.000 € Art. 5 Para. 1 lit. a, b and c GDPR
Art. 13 Para. 1 lit. c GDPR
Art. 14 Para. 1 lit. c GDPR
Violation of the principles of transparency, purpose limitation and data minimisation, violation of information obligations Link
germany flag icon 128 Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit (LfDI) Baden-Württemberg
Company from the financial sector
30.07.2019 80.000 € Art. 5 Para. 1 lit. f GDPR Violation of the principle of integrity and confidentiality Link
france flag icon 128 Commission Nationale de l’Informatique et des Libertés (CNIL) Active Assurances 25.07.2019 180.000 € Art. 32 GDPR Customer files were freely accessible on the Internet Link
united states of america flag icon 128 Federal Trade Commission (FTC) Facebook Inc.  24.07.2019
4.536.999.350 €
FTC Order 2012 FTC Act Violation of data protection regulations and FTC Act  Link
united states of america flag icon 128 Federal Trade Commission (FTC) Equifax Inc. 22.07.2019 508.130.081 €
Section 13(b) FTC Act
15 § 53(b) U.S.C.
16 Part 314 C.F.R.
Sections 501-504 GLB Act
§§ 6801- 6804 U.S.C.
15 § 45(a) U.S.C. 
Theft of credit rating data from 147 million people Link
 spain flag icon 128 Agencia española protección datos (AEPD)     VODAFONE ESPAÑA, S.A.U  22.07.2019 30.000 € Art. 5 Para. 1 lit. f GDPR Sending a purchase confirmation from one customer to another customer by mistake Link
united kingdom flag icon 128 Information Commissioner's Office
Life at Parliament View Ltd.
 
19.07.2019  94.481 €  § 55 DPA Unlawful disclosure of customer data Link
netherlands flag icon 128  Autoriteit Persoonsgegevens  HagaZiekenhuis 16.07.2019 460.000 € Art. 32 GDPR Patient data was freely accessible due to inadequate safety precautions Link
bulgaria flag icon 128  Commission for Personal Data Protection (CPDP) National Tax Authority 16.07.2019
2.607.495 €
 
Art. 32 GDPR Insufficient technical and organisational measures enabled access to personal data of over 5 million people  Link
united kingdom flag icon 128   Information Commissioner's Office Marriott International Inc.  09.07.2019
110.738.620
 Art. 32 GDPR Data on 339,000,000 hotel guests was accessible because of an open system that allowed hackers to access it Link
united kingdom flag icon 128 Information Commissioner's Office British Airways 08.07.2019 183.390.000 €
Art. 32 GDPR Cyber attack led to the theft of credit card numbers and other personal data from over 500,000 customers  Link
 romania flag icon 128  Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Legal Company & Tax Hub SRL
05.07.2019  3.000 € Art. 32 GDPR Insufficient protective measures on the website allowed free access to personal data  Link
spain flag icon 128 Agencia española protección datos (AEPD) VODAFONE ESPAÑA, S.A.U 03.07.2019 40.000 € Art. 6 Para. 1 lit. a and b GDPR Processing of customer data (account data and phone number) without legal basis Link
 romania flag icon 128  Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
World Trade Center Bucharest SA
02.07.2019  15.008 € Art. 32 GDPR Insufficient protective measures on the website allowed free access to personal data  Link
germany flag icon 128 Bundesnetzagentur (BNetzA) Vodafone Kabel Deutschland GmbH 02.07.2019 100.00 € §§ 95, 149 Para. 1 Nr. 16 TKG Unauthorised advertising calls despite objection by the parties addressed Link
greece flag icon 256 Hellenic Data Protection Authority (HDPA)
European Election Candidate
01.07.2019 2.000 € Art. 11 Νόμος 3471/2006 Sending e-mail election advertising without consent Link
bulgaria flag icon 128  Commission for Personal Data Protection (CPDP) BOEC 01.07.2019
767 €
 
Art. 6 Para. 1 GDPR Unlawful processing of personal data  Link
 romania flag icon 128  Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal
Unicredit Bank SA
27.06.2019  129.962 € Art. 5 Para. 1 lit. c, 25 GDPR Free access to 300,000 customer data on the Internet due to insufficient technical and organizational measures  Link
hungary flag icon 128 
Nemzeti Adatvédelmi és Információszabadság Hatóság
 
 Unknown 25.06.2019 15.462 € Art. 33 GDPR Reporting the loss of an unencrypted USB stick containing 1,700 law enforcement data only after 45 days Link
united kingdom flag icon 128 Information Commissioner's Office EE Limited 24.06.2019 118.748 €
Art. 22 PECR Over 2,500,000 direct marketing messages sent without customer consent  Link
united kingdom flag icon 128 Information Commissioner's Office Managing Director 24.06.2019 1.240 €
§ 55 DPA Unlawful collection of personal data and their sale  Link
spain flag icon 128 Agencia española protección datos (AEPD) VODAFONE ESPAÑA, S.A.U 20.06.2019 21.000 € Art. 6 Para. 1 lit. a and b GDPR Processing of customer data after the end of the contractual relationship (without legal basis) Link
germany flag icon 128 Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit (LfDI) Baden-Württemberg
Policeman
18.06.2019 1.400 € Art. 5 and 6 GDPR Unlawful collection of police data for contacting a woman Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)
Facebook Ireland Ltd.
14.06.2019 1.000.000 €
Art. 13 codice della privacy
Art. 23 codice della privacy
Art. 157 codice della privacy
Art. 161 codice della privacy
Art. 162 codice della privacy
Art. 164 codice della privacy
Art. 167 codice della privacy
Storage of data of over 200,000 people and their friends without consent Link
united kingdom flag icon 128 Information Commissioner's Office Smart Homes Protection Ltd. 13.06.2019 106.790 €
Art. 22 PECR Unauthorised advertising calls despite objection by the parties addressed  Link
france flag icon 128 Commission Nationale de l’Informatique et des Libertés (CNIL) SAS UNIONTRAD COMPANY 13.06.2019 20.000 € Art. 5 Para. 1 lit. c GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 32 GDPR
Unlawful surveillance of employees with a video surveillance system Link
spain flag icon 128 Agencia española protección datos (AEPD)     VODAFONE ESPAÑA, S.A.U  11.06.2019 250.000 € Art. 5 Para. 1 lit. a GDPR
Art. 7 Para. 3 GDPR
Processing of location data of the user and transfer of these to the operator, activation of the mobile phone microphone Link
united kingdom flag icon 128 Information Commissioner's Office  Account Manager
(Stockport Homes Ltd.)
 07.06.2019  
356 €
§ 55 DPA Unlawful database searches  Link
united kingdom flag icon 128 Information Commissioner's Office  staff member (charity organisation)  06.06.2019  
720 €
§ 55 DPA Unlawful storage and transmission of personal data Link
greece flag icon 256 Hellenic Data Protection Authority (HDPA)
ΑΝΑΝΕΩΣΗ ΙΔΙΩΤΙΚΟ ΙΑΤΡΕΙΟ ΙΑΤΡΙΚΗ ΜΟΝΟΠΡΟΣΩΠΗ ΕΤΑΙΡΕΙΑ ΠΕΡΙΟΡΙΣΜΕΝΗΣ ΕΥΘΥΝΗΣ
04.06.2019 5.000 € Art. 11 Νόμος 3471/2006 Advertising calls without consent Link
denmark flag icon 128 Datatilsynet 
IDDesign A / S (furniture manufacturer)
 
 03.06.2019 200.858 €  Art. 5 Para. 1 lit. e GDPR Exceeding the permitted storage period of 385,000 customer data records Link
spain flag icon 128 Agencia española protección datos (AEPD)     
AMADOR RECREATIVOS, S.L.
 01.06.2019 4.800 € Art. 5 Para. 1 lit. c GDPR Unlawful recording of a public route Link
czech republic flag icon 128 
Úřad pro ochranu osobních údajů
 
Unknown  31.05.2019 392 € Art. 15 Para. 1 GDPR No response to a request for access from a data subject Link
 belgium flag icon 256
Autorité de protection des données
Mayor 29.05.2019 2.000 €  Art. 5 Para. 1 lit. b GDPR
Art. 6 GDPR
Unlawful use of e-mail addresses for sending election advertising Link
france flag icon 128 Commission Nationale de l’Informatique et des Libertés (CNIL)
Sergic Immobilier
28.05.2019 400.000 € Art. 5, 32 GDPR Unlawful storage of data records, free access for everyone via the Internet Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)
Medoc s.r.l.
23.05.2019 1.250 €
Art. 169 codice della privacy
Insufficient technical and organisational measures Link
hungary flag icon 128 Nemzeti Adatvédelmi és Információszabadság Hatóság Sziget Kulturális Menedzser Iroda Zártkörűen Működő Részvénytársaság (organiser of the Sziget Festival) 23.05.2019 91.931 € Art. 5 Para. 1 lit. b and c GDPR
Art. 5 Para. 2 GDPR
Art. 6 GDPR 
Processing of photos and other personal data of participants in a check-in system without consent Link
 italy flag icon 256  Garante per la protezione dei dati personali (GPD)
municipality of Ferrara
 
 23.05.2019   24.000 €
Art. 13 codice della privacy
 
 Insufficient information Link
 lithuania flag icon 128  
Valstybinė duomenų apsaugos inspekcija
UAB MisterTango
 
 16.05.2019 61.500 €  Art. 5, 32, 33 GDPR Improper processing and publication of personal data; unacceptably long storage Link
 czech republic flag icon 128  
Úřad pro ochranu osobních údajů
Unknown   13.05.2019 3.105 €  Art. 5 Para. 1 lit. a, b, 32 GDPR  Insufficient technical and organisational measures Link
spain flag icon 128 Agencia española protección datos (AEPD)
Vodafone España, S.A.U.
07.05.2019 27.000 € Art. 5 Para. 1 lit. d GDPR Inadequate erasure of personal data as well as dispatch of messages to a former customer Link
united kingdom flag icon 128
Information Commissioner's Office
Hall and Hanley Ltd.
07.05.2019 120.000 GBP
(142.384 €)
Art. 22 PECR Unauthorised sending of direct marketing SMS Link
spain flag icon 128
Agencia española protección datos (AEPD)
ENDESA ENERGÍA Xxi, S.L.U.
06.05.2019 60.000 € Art. 5 Para. 1 lit. f GDPR Unauthorised disclosure of personal data to a third party Link
czech republic flag icon 128
Úřad pro ochranu osobních údajů
Unknown
06.05.2019 5.000 CZK
(194 €)
Art. 15 Para. 1 GDPR Violation of the information obligations of a public utility company Link
cyprus flag icon 128
Office of the Commissioner for Personal Data Protection
Breikot Management Ltd
06.05.2019 3.000 € Art. 5 Para. 1 lit. c GDPR violation of the principle of data minimisation Link
cyprus flag icon 128
Office of the Commissioner for Personal Data Protection
Sigma Live Ltd
06.05.2019 5.000 € Art. 6 Para. 1 lit. a GDPR Disclosure of the face of a witness without his/her express consent Link
cyprus flag icon 128
Office of the Commissioner for Personal Data Protection
Altius Insurance Ltd
06.05.2019 4.000 € Art. 6 Para. 1 lit. a, b GDPR Illegal sending of advertising messages via SMS through random generation of phone numbers Link
cyprus flag icon 128
Office of the Commissioner for Personal Data Protection
P.TH. Upkeep & Net Services Ltd
06.05.2019 3.400 € Art. 6 Para. 1 lit. a GDPR Unlawful dispatch of a newsletter despite clear objection to advertising Link
portugal flag icon 128
Comissão Nacional de Protecção de Dados (CNPD)
Unknown 06.05.2019 107.000 €
artigo 7 de janeiro, alterado pela Decreto-Lei n.º 62/2009 Decreto-Lei n.º 62/2009
Unauthorised e-mail advertising without express consent or direct marketing purposes Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)
AR Ltd.
01.05.2019 100.000 BGN
(5.112 €)
Art. 6 Para. 1 GDPR Unauthorised processing of personal data Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)
Unknown
01.05.2019 1.000 BGN
(511 €)
Art. 6 Para. 1 GDPR Unauthorised processing of personal data Link
norway flag icon 128 Datatilsynet
Oslo kommune Utdanningsetaten
29.04.2019 2.000.000 NOK
(120.000 €)
Art. 32 GDPR Insufficient technical and organisational measures in an app of the education agency; no security in the transfer of health data of the children Link
spain flag icon 128 Agencia española protección datos (AEPD)
VODAFONE ONO, S.A.U.,
26.04.2019 36.000 € Art. 5 Para. 1 lit. f GDPR Sending advertising mails without a blind copy in the distribution list Link
poland flag icon 128
Urząd Ochrony Danych Osobowych
Dolnośląski Związek Piłki Nożnej (Lower Silesian Football Association) 25.04.2019 55.751 PLN
(13.000 €)
Art. 5 Para. 1 lit. f, 32 Para. 1 lit. b GDPR Unlawful disclosure of personal data of arbitrators Link
hungary flag icon 128
Nemzeti Adatvédelmi és Információszabadság Hatóság
Unknown 17.04.2019 3.000.000 HUF
(9.4000 €)
Art. 5 Para. 1 lit. a, 6 GDPR Unlawful processing and transmission of a datasheet containing personal data to a third party Link
united kingdom flag icon 128
Information Commissioner's Office
Plan My Funeral Avalon Ltd.
16.04.2019 80.000 GBP
(94.913 €)
Art. 22 PECR Unauthorised telephone calls for advertising purposes without consent Link
greece flag icon 256
Hellenic Data Protection Authority (HDPA)
One Team Ανώνυμη Εταιρία Διοργανώσεων και Ολοκληρωμένης Επικοινωνίας
15.04.2019 30.000 € Art. 4, 5, 7, 10 Law 2472/1997 Unlawful processing of personal data from social media platforms; insufficient technical and organisational measures Link
germany flag icon 128 Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit (LfDI) Baden-Württemberg company from the financial sector 12.04.2019 80.000 € Art. 5, 32 GDPR Improper processing/disposal of personal data Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)
Vincall s.r.l.s
11.04.2019 2.018.000 €
Art. 13, 26, 161, 162, 167 codice della privacy
Illegal transfer of data from a call center to the energy company without informing the data subjects Link
united kingdom flag icon 128 Information Commissioner's Office
Bounty (UK) Limited
11.04.2019 400.000 GBP
(474.850 €)
DPP1 DPA
Unlawful disclosure of personal data and health data without informing the data subjects Link
italy flag icon 256
 Garante per la protezione dei dati personali (GPD)
AD Sphera Group srl
11.04.2019 2.400 €
Art. 13 codice della privacy
Insufficient data protection information regarding the contact and application forms on the website Link
germany flag icon 128 Berliner Beauftragte für Datenschutz und Informationsfreiheit
N26 GmbH
10.04.2019 50.000 € Art. 5, 6 GDPR Unlawful processing of former customers on a blacklist for the prevention of money laundering Link
united kingdom flag icon 128 Information Commissioner's Office
True Visions Productions
10.04.2019 120.000 GBP
(141.901 €)
§ 55 a DPA Illegal video surveillance of patients in a hospital without consent and insufficient information Link
bulgaria flag icon 128
Commission for Personal Data Protection (CPDP)
medical office
08.04.2019 1.000 BGN
(511 €)
Art. 5 Para. 1 lit. a, 6, 9 Para. 1, 2 GDPR Unauthorised disclosure of patient data when taking over a medical office and the associated software Link
hungary flag icon 128 Nemzeti Adatvédelmi és Információszabadság Hatóság
Employer
05.04.2019 600.000 HUF
(1.820 €)
Art. 15 GDPR Failure to comply with a data subject's right of access Link
united kingdom flag icon 128 Information Commissioner's Office
practice staff member
05.04.2019 120 GBP
(142 €)
§ 55 DPA Unauthorized sending of application documents to the private e-mail address Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)
Rousseau, Movimento 5 Stelle (Internet platform operator)
04.04.2019 50.000 € Art. 32 GDPR Insufficient technical and organisational measures of a platform/host service operator Link
united kingdom flag icon 128  Information Commissioner's Office
City Council of Newham
04.04.2019 140.000 GBP
(170.940 €)
§ 55 DPA Unauthorised disclosure of personal data to other recipients; no reporting of the data protection violation Link
italy flag icon 256   Garante per la protezione dei dati personali (GPD)
Vestas srl
28.03.2019 4.000 € Art. 13, 23 Para. 3 codice della privacy Inadmissible prohibition to link the online reservation on the website to the processing for market research and direct marketing Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)
„А.Р.” ЕООД
26.03.2019 10.000 BGN
(5.110 €)
Art. 5 Para. 1 lit. a, 6 GDPR Insufficient legal basis for processing personal data of a data subject Link
poland flag icon 128 Urząd Ochrony Danych Osobowych
stock company Bisnode AB
26.03.2019 934.000 PLN
(220.000 €)
Art. 14 GDPR Insufficient information for the collection of over 6 million personal data Link
united kingdom flag icon 128  Information Commissioner's Office
Grove Pension Solutions Ltd
26.03.2019 40.000 GBP
(47.098 €)
Art. 22 PECR Sending direct marketing e-mails without consent Link
denmark flag icon 128 Datatilsynet
Taxa 4x35
25.03.2019 1.200.000 DKK
(21.521 €)
Art. 5 Para. 1 lit. e GDPR Processing of personal customer data without relevant purpose Link
portugal flag icon 128
Comissão Nacional de Protecção de Dados (CNPD)
Unknown
25.03.2019 2.000 € Art. 13 Para. 1, 2 GDPR Lack of information when using a video surveillance system Link
spain flag icon 128 Agencia española protección datos (AEPD)
IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL
23.03.2019 5.700 €
Art. 21 Para. 1 LSSI
Insufficient erasure of personal data after confirmation of the right to erasure of the data subject or a former customer Link
hungary flag icon 128
Nemzeti Adatvédelmi és Információszabadság Hatóság
Demokratikus Koalíció (political party)
21.03.2019 11.000 HUF
(34.862 €)
Art. 33, 34 GDPR Lack of information to the data protection authority about a data breach and insufficient documentation Link
czech republic flag icon 128
Úřad pro ochranu osobních údajů
Unknown
21.03.2019 250.000 CZK
(9.740 €)
Art. 5 Para. 1 lit. c, e GDPR Unauthorised and unnecessary recording of telephone conversations and biometric authentication for concluding contracts Link
portugal flag icon 128 Comissão Nacional de Protecção de Dados (CNPD) Unknown 19.03.2019 2.000 € Art. 13 GDPR Insufficient information for the use of a video surveillance system and cooperation with the supervisory authority Link
united kingdom flag icon 128  Information Commissioner's Office
Vote Leave Ltd.
19.03.2019 40.000 GBP
(47.182 €)
Art. 21 PECR Unlawful text messages by e-mail without consent Link
italy flag icon 256   Garante per la protezione dei dati personali (GPD)
Enel Energia s.p.a.
19.03.2019 80.000 €
Art. 27, 162 Law Nr. 689/81
Insufficient technical and organisational measures, which led to a transfer to third parties; insufficient deletion periods Link
norway flag icon 128 Datatilsynet
municipality of Bergen
18.03.2019 1.600.000 NOK
(170.000 €)
Art. 5 Para. 1 lit. f, 32 GDPR Insufficient technical and organisational measures in the protection of personal data of a primary school, especially of minors Link
italy flag icon 256   Garante per la protezione dei dati personali (GPD)
municipality of Porto Sant'Elpidio
14.03.2019 10.000 €
Art. 162 Law Nr. 689/81
Unauthorised disclosure of a list of names with personal data and documents Link
 hungary flag icon 128  Nemzeti Adatvédelmi és Információszabadság Hatóság  financial institution 04.03.2019 1.000.000 HUF
(3.165 €)
Art. 5 Para. 1 lit. b, c, 6, 13 Para. 3, 17 Para. 1 GDPR Violation of the principles of data minimization and purpose limitation Link
cyprus flag icon 128
Office of the Commissioner for Personal Data Protection
state hospital
01.03.2019 5.000 € Art. 15 GDPR Unlawful denial of a patient's right to access Link
bulgaria flag icon 128
Commission for Personal Data Protection (CPDP)
school
01.03.2019 1.000 BGN
(511 €)
Art. 6 Para. 1 GDPR Unlawful processing of personal data Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) health care institution  01.03.2019  1.000 BGN
(511 €)
Art. 12, 15 Para. 1 GDPR Insufficient response to a request for access Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)
Telecommunications company
 01.03.2019  53.000 BGN
(27.095 €)
Art. 6 Para. 1 GDPR Unlawful processing of personal data of a former customer Link
 czech republic flag icon 128 Úřad pro ochranu osobních údajů   online platform role play game
28.02.2019  585 €  Art. 5 Para. 1 lit. f, Art. 32 GDPR  Unauthorized access to data records by third parties due to lack of security precautions  Link
hungary flag icon 128 Nemzeti Adatvédelmi és Információszabadság Hatóság Mayor of Kecskemét 28.02.2019 3.100 € Art. 5 Para. 1 lit. a, Art. 6 GDPR Unlawful disclosure of personal data of a whistleblower Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP) Telecommunications provider 26.02.2019 27.095 € Art. 5 Para. 1 lit. a, Art. 6 GDPR Registration of customers without effective consent Link
czech republic flag icon 128 Úřad pro ochranu osobních údajů  company (unknown) 26.02.2019 780 € Art. 15 GDPR Refusal of information to a data subject Link
 bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)  Employer  22.02.2019   511 € Art. 5 Para. 1 lit. b, c, Art. 12, Art. 15 Para. 1 lit. a-c, g, Art. 15 Para. 3 GDPR  Right of access was not fully and timely fulfilled Link 
 hungary flag icon 128 Nemzeti Adatvédelmi és Információszabadság Hatóság   Collection agency 20.02.2019   1.576 € Art. 5 Para. 1 lit. a, c GDPR  Lack of information on retention obligations Link 
 malta flag icon 128  Information and Data Protection Commissioner Lands Authority
18.02.2019   5.000 €  Art. 5, Art. 32 GDPR Insufficient security measures on the website, which made personal data visible Link 
cyprus flag icon 128 Office of the Commissioner for Personal Data Protection newspaper Politis 15.02.2019 10.000 € Art. 5 Para. 1 lit. c, Art. 6 GDPR Illegal publication of pictures and names of two police officers Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD) doctor 14.02.2019 16.000 € Art. 4 Para. 1 lit. a,b, Art. 13 Para. 4 codice della privacy Unauthorized use of e-mail addresses for election advertising Link
germany flag icon 128 Landesbeauftragter für den Datenschutz Sachsen Anhalt Private person 13.02.2019 2.629 € Art. 5, Art. 6 GDPR Sending several e-mails in which the (personal) e-mail addresses of all recipients were visible (over several months with up to 1,600 recipients) Link
hungary flag icon 128 Nemzeti Adatvédelmi és Információszabadság Hatóság Bank 08.02.2019 1.571 € Art. 5 Para. 1 lit. d GDPR Repeatedly sending the credit card debt of a data subject by SMS to the wrong number Link
portugal flag icon 128 Comissão Nacional de Protecção de Dados Unknown 05.02.2019 20.000 € Art. 15 Para. 1 lit. e GDPR Insufficient fulfilment of the right to access Link
czech republic flag icon 128 Úřad pro ochranu osobních údajů car rental 04.02.2019 1.168 € Art. 5 Para. 1 lit. a, Art. 13 GDPR GPS tracking of a customer without their knowledge or consent Link
czech republic flag icon 128 Úřad pro ochranu osobních údajů credit mediation 04.02.2019 1.170 € Art. 5 Para. 1 lit. f, Art. 32 GDPR no adequate security in the processing of personal data was ensured Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD) sole proprietor 02.02.2019 11.940 € Art. 4 Para. 1 lit. f, Art. 28, Art. 162 Para. 2 codice della privacy Disproportionately long storage of video camera recordings Link
germany flag icon 128   Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit Unknown  01.02.2019   20.000 € Art. 33 Para. 1, Art. 34 Para. 1, Art. 83 Para. 4 lit. a GDPR   Late notification of a data breach and non-notification of data subjects Link 
italy flag icon 256 Garante per la protezione dei dati personali (GPD) health administration Alessandria 31.01.2019 16.000 € Art. 162 Law Nr. 689/1981, Art. 13, Art. 23, Art. 26, Art. 75, Art. 76 codice della privacy
Publication of patient data in a health dossier Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD) Istituto di Istruzione Superiore C. (institute of higher education) 31.01.2019 4.000 € Art. 22 codice della privacy, Art. 162, Art. 167 Law Nr. 689/1981
Disclosure of lists of names of severely disabled teaching staff Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD) Istituto Comprensivo Paolo Stefanelli (school Paolo Stefanelli) 31.01.2019 4.000 € Art. 22 codice della privacy, Art. 162 Law Nr. 689/81 Disclosure of lists of names of severely disabled teaching staff Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD) municipality of Catania, Italy 31.01.2019 6.000 € Art. 19 Para. 3 codice della privacy, Art. 22 Para. 8 codice della privacy Disclosure of personal identification data Link
 italy flag icon 256 Garante per la protezione dei dati personali (GPD)   CT BAR 31.01.2019   12.000 € Art. 4 Para. 1 lit. f codice della privacy, Art. 28 codice della privacy  Unauthorized storage of video recordings  Link
germany flag icon 128 Unabhängiges Datenschutzzentrum Saarland Private person 29.01.2019 118 € Art. 6 GDPR Publication of personal data to a third party via a social media account Link
france flag icon 128 Commission Nationale de l’Informatique et des Libertés (CNIL) Google Inc. 21.01.2019 50.000.000 € Art. 4 Para. 11, Art. 13, Art. 14, Art. 6, Art. 5 GDPR violation of numerous data protection principles (transparency, purpose limitation, etc.) Link1 Link2
 bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)   Bank  17.01.2019  500 €  Art. 5 Para. 1 lit. a, Art. 6 GDPR  Processing of personal data without legal basis  Link
germany flag icon 128   Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg Unknown  15.01.2019   80.000 € Art. 9 GDPR   Publication of health data on the Internet Link 
 czech republic flag icon 128 Úřad pro ochranu osobních údajů   Employer 10.01.2019  390 €  Art. 6 GDPR  Personal data of a former employee were not deleted, despite several requests.  Link
bulgaria flag icon 128 Commission for Personal Data Protection (CPDP)  financial institution 01.01.2019 511 € Art. 5 Para. 1 lit. b GDPR Processing of personal data to obtain private knowledge without legal basis Link
hungary flag icon 128 Nemzeti Adatvédelmi és Információszabadság Hatóság Unknown 21.12.2018 3.200 € Art. 12 Para. 4, Art. 13, Art. 15, Art. 18 Para. 1 lit. c GDPR Insufficient fulfilment of data subjects' rights and information obligations Link
austria flag icon 256 Datenschutzbehörde (DSB) Private person 20.12.2018 2.200 € Art. 5 Para. 1 lit. a, c, Art. 6 Para. 1 GDPR Video surveillance of common areas without sufficient notice Link
germany flag icon 128 Bundesnetzagentur (BNetzA) callcenter company SG Sales and Distribution GmbH 18.12.2018 300.000 € § 7 Para. 2 Nr. 2 UWG Maximum fine for illegal phone advertising Link
 italy flag icon 256 Garante per la protezione dei dati personali (GPD)  representative of Western Union Payment Services Ireland Limited   13.12.2018  8.000 € Art. 4 codice della privacy, Art. 23 codice della privacy  Processing of personal data without legal basis  Link 
 italy flag icon 256 Garante per la protezione dei dati personali (GPD)   Ministero dell’Istruzione, dell’Università e della Ricerca–Ufficio Scolastico Regionale per la Lombardia–Ufficio III–Ambito territoriale di Bergamo  13.12.2018   4.000 € Art. 19 Para. 3 codice della privacy, Art. 162 Para. 2 codice della privacy, Art. 167 codice della privacy  Online disclosure of disciplinary measures against an employee  Link
germany flag icon 128 Bundesnetzagentur (BNetzA) ENERGYsparks GmbH 10.12.2018 300.000 € § 7 Para. 2 Nr. 2 UWG Phone advertising without consent Link
austria flag icon 256 Datenschutzbehörde (DSB) Kebab Restaurant 23.11.2018 1.500 € Art. 5 Para. 1 lit. a, Art. 13, Art. 6 Para. 1, Art. 5 Para. 1 lit. c GDPR Video surveillance without legal basis and without data protection information Link
 germany flag icon 128
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Knuddels GmbH & Co. KG
22.11.2018  20.000 €  Art. 32 Para. 1 lit. a GDPR Insufficient technical and organisational measures in the protection of passwords and user names Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)  
Legea s.p.a.
21.11.2018 2.400 €
Art. 13 codice della privacy
No data protection information when processing personal data via online collection forms Link
spain flag icon 128  Agencia española protección datos (AEPD)
Vodafone España, S.A.U.
19.11.2018 5.000 € Art. 5 Para. 1 lit. d GDPR failure to comply with the general principles of data processing Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)  
Comune di Buccino
07.11.2018 4.000 €
Art. 19 Para. 3 codice della privacy
Publication of personal data on the website of the municipality Link
luxembourg flag icon 128
Autoriteit Persoonsgegevens
UWV - Uitvoeringsinstituut Werknemersverzekeringen
30.10.2018 900.000 € Art. 32 Para. 1 lit. b GDPR Insufficient technical and organisational measures when using an online employer portal Link
czech republic flag icon 128
Úřad pro ochranu osobních údajů
company 25.10.2018 10.000 CZK
(387 €)
Art. 15 GDPR Refusal to provide information Link
united kingdom flag icon 128
 Information Commissioner's Office
Facebook Ireland Ltd
25.10.2018 500.000 GBP
(579.000 €)
DPP1, DPP7 Schedule 1 DPA
Unlawful and unnecessary transfer of personal data from the App Link
italy flag icon 256
Garante per la protezione dei dati personali (GPD)  
I.N.M.I. Lazzaro Spallanzani
25.10.2018 4.000 €
Art. 19 Para. 3 codice della privacy
Unauthorized publication of patient data on the website Link
italy flag icon 256
Garante per la protezione dei dati personali (GPD)  
Partito Democratico – Abruzzo
25.10.2018 2.400 €
Art. 13 Para. 5 lit. c codice della privacy
Improper mailing of an election campaign brochure without appropriate data protection information Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)  
Agenzia immobiliare Toscocountry di Pizzi Claudia
11.10.2018 4.000 €
Art. 4 Para. 1 lit. f, 28 codice della privacy
Unauthorized sending of real estate information to the business e-mail address without consent Link
czech republic flag icon 128 Úřad pro ochranu osobních údajů
Nemocnice Tábor, as
30.09.2018 40.000 CZK
(1.565 €)
§ 13 Para. 1 to 4 Zákon o ochraně osobních údajů
Insufficient technical and organisational measures, especially access authorizations to patient files Link
austria flag icon 256
Datenschutzbehörde (DSB)
car owner
27.09.2018 330 € Art. 5 Para. 1 lit. a, c, 6 GDPR Illegal use of a Dashcam Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)  
Axa Assicurazioni S.p.A.
27.09.2018 4.000 € Art. 4 Para. 1 lit. f, 28 codice della privacy Incorrect sending of e-mails Link
austria flag icon 256 Datenschutzbehörde (DSB)
betting location
12.09.2018 4.800 € Art. 5 Para. 1 lit. a, c, 6, 13 GDPR Illegal use of a surveillance camera with regard to public roads; unreasonable deletion periods and no data protection notices. Link
portugal flag icon 128 Comissão Nacional de Protecção de Dados
Centro Hospitalar Barreiro Montijo
22.08.2018 400.000 € Art. 5 Para. 1 lit. f, 32 GDPR Insufficient technical and organisational measures of a database with patient information Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)
Fastweb S.p.A.
26.07.2018 600.000 €
Art. 13, 23, 37, 130 Para. 3 lit. c Nr. 3, 161, 162 Para. 2, 163, 164 Para. 1, 2 lit. a, b, c, d codice della privacy
Unlawfully aggressive telemarketing without consent or despite objection; profiling; lack of control measures at merchant Link
germany flag icon 128 Bundesnetzagentur (BNetzA)
CenturyBiz GmbH
19.07.2018 20.000 €
§ 7 Para. 2 Nr. 2 UWG
Unauthorised telephone calls/advertising Link
italy flag icon 256 Garante per la protezione dei dati personali (GPD)
Comune di Volla
11.07.2018 10.000 € Art. 33, 34 Para. 1 lit. c, d codice della privacy Insufficient technical and organisational measures in a protocol system Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)   
Azienda Semplice s.r.l.
21.06.2018 16.000 € Art. 13, 23 codice della privacy Unlawful phone calls without consent for the relevant purpose Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)    doctor 22.05.2018 10.000 €
Art. 33, 34, Annex B Nr. 2 codice della privacy
Insufficient technical and organisational measures for the processing of patient data Link
 germany flag icon 128  Bundesnetzagentur (BNetzA) E Wie Einfach GmbH 11.05.2018 140.000 €  § 7 Para. 2 Nr. 2 UWG Illegal phone calls without consent; Incorrect processing of consent data from address traders  Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)    Unknown 26.04.2018 20.000 €
Art. 23, 28 codice della privacy
Unlawful processing of patient data without consent Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)   
Marigliano Gianpaolo
18.04.2018 50.000 € Art. 23 codice della privacy Processing of personal data without consent; activation of 15 telephone cards Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)   
Futur3 s.r.l.
18.04.2018 50.000 € Art. 23 codice della privacy Unlawful linking of a free WiFi hotspot with consent for marketing purposes Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)   
I Tel s.r.l.
05.04.2018 230.000 € Art. 23 codice della privacy Unlawful processing of personal data through activation of telephone cards Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)    Entrepreneur 21.03.2018 92.000 € Art. 23 codice della privacy Unlawful processing of personal data of patients without consent Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)   
Istituto Tecnico Statale Commerciale e per Geometri Masullo Theti
15.03.2018 12.000 €
Art. 154 Para. 1 lit. c codice della privacy
Prohibited use of surveillance cameras Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)   
Carriere Italia s.r.l.
08.03.2018 10.400 €
Art. 13 codice della privacy
Art. 11 Law Nr. 689/81
Unlawful processing of personal health data without consent Link
italy flag icon 256  Garante per la protezione dei dati personali (GPD)   
candidate for regional council
05.02.2018 12.000 €
Art. 4 codice della privacy
Unlawful processing of personal data for election advertising without consent Link
united kingdom flag icon 128  Information Commissioner's Office  The Carphone Warehouse Ltd  10.01.2018  400.000 GBP
(452.422 €)
Section 4(4) DPA
 Insufficient technical and organisational measures against hacker attacks Link

 
