
GDPR fines and notices: Difference between revisions

From Wikipedia, the free encyclopedia
m syntax error corrected
m syntax error corrected
Line 49: Line 49:
| 2019-05-28 || Unnamed Belgian mayor || €2,000 || Belgium ([[Belgian Data Protection Authority|GBA/ADP]]) || Misuse of personal data collected for local administrative purposes for election campaign purposes.<ref>{{Cite web|url=https://www.timelex.eu/en/blog/first-gdpr-fine-belgium-eu-2000-imposed-mayor|title=First GDPR fine in Belgium: € 2000 imposed on a mayor|last=Fiten|first=Bernd|date=2019-06-03|access-date=2019-06-24}}</ref>
| 2019-05-28 || Unnamed Belgian mayor || €2,000 || Belgium ([[Belgian Data Protection Authority|GBA/ADP]]) || Misuse of personal data collected for local administrative purposes for election campaign purposes.<ref>{{Cite web|url=https://www.timelex.eu/en/blog/first-gdpr-fine-belgium-eu-2000-imposed-mayor|title=First GDPR fine in Belgium: € 2000 imposed on a mayor|last=Fiten|first=Bernd|date=2019-06-03|access-date=2019-06-24}}</ref>
|-
|-
| 2019-05-16 || MisterTango UAB (payment services) || €61,500 || Lithuania ([[State Data Protection Inspectorate|ADA]]) || Processing more personal data than is necessary for effecting of the payment.<ref>{{Cite web|url=https://www.ada.lt/go.php/eng/First-significant-fine-was-imposed-for-the-breaches-of-the-general-data-protection-regulation-in-lithuania/1|First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania|date=2019-05-21|access-date=2019-06-24}}</ref>
| 2019-05-16 || MisterTango UAB (payment services) || €61,500 || Lithuania ([[State Data Protection Inspectorate|ADA]]) || Processing more personal data than is necessary for effecting of the payment.<ref>{{Cite web|url=https://www.ada.lt/go.php/eng/First-significant-fine-was-imposed-for-the-breaches-of-the-general-data-protection-regulation-in-lithuania/1|title=First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania|date=2019-05-21|access-date=2019-06-24}}</ref>
|-
|-
| 2019-03-16 || Lower Silesian Football Association || €13,000 || Poland ([[Urząd Ochrony Danych Osobowych|UODO]]) ||
| 2019-03-16 || Lower Silesian Football Association || €13,000 || Poland ([[Urząd Ochrony Danych Osobowych|UODO]]) ||
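Review bot: the changed MisterTango row now names its title with `|title=`, but the same kind of unnamed-parameter mistake is still present in this revision's reference 19 (Rousseau row), which renders with "Missing or empty |url=" and reports the politico.eu address as ignored text. Suggest fixing that citation in the same pass by passing the address as `|url=`, after checking that it belongs with the cited TechCrunch title. The edit summary "syntax error corrected" would also be easier to audit if it named the template and parameter that were fixed.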

Revision as of 11:15, 27 June 2019

The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally-identifiable information.

Violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.[1] The following is a list of notable fines issued under the GDPR, including reasoning.

| Date | Company | Amount | Fined by | Reason(s) |
|---|---|---|---|---|
| 2018-10 | Hospital do Barreiro | €400,000 | Portugal (CNPD) | "...based on access policies to databases, which allowed technicians and physicians to consult patients’ clinical files, without proper authorization."[2] |
| 2018-11-21 | Knuddels.de (German social network) | €20,000 | Germany (LfDI) | "...unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses."[3] |
| 2019-06-18 | Unnamed police officer | €1,400 | Germany (LfDI) | Autonomously processing personal data for non-legal purposes.[4] |
| 2019-01-21 | Google LLC | €50 million | France (CNIL) | Insufficient transparency, control, and consent over the processing of personal data for the purposes of behavioural advertising.[5][6] |
| 2019-06 | La Liga | €250,000 | Spain (AEPD) | Poorly disclosing purpose for requesting GPS and microphone permissions within the football league's mobile app. When the app was open, it transmitted the user's location if it detected an acoustic fingerprint embedded within game telecasts. This was used to help pinpoint the locations of venues that may be screening the games from unauthorized feeds.[7][8] |
| 2019-06-18 | Uniontrad Company (translation services) | €20,000 | France (CNIL) | Excessive videosurveillance of employees; single, shared password for messaging system; ignoring earlier CNIL order to change practices.[9] |
| 2019-06-18 | Sergic (real estate services) | €400,000 | France (CNIL) | Failure to implement appropriate security measures; failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates.[10] |
| 2019-05-08 | The Municipality of Bergen | €170,000 | Norway (Datatilsynet) | File with login credentials for 35,000 students and employees found in a public storage area.[11] |
| 2019-03-15 | Bisnode (business, credit and market information) | €220,000 | Poland (UODO) | Covert scraping of personal data.[12] |
| 2019-06-24 | EE (telecoms) | £100,000 | UK (ICO) | Sending over 2.5 million direct marketing messages to its customers, without consent.[13][14] |
| 2019-06-11 | IDDesign A/S (furniture) | DKK 1,5 million | Denmark (Datatilsynet) | Failure to delete personal data from an older system: processing personal data for a longer time than necessary.[15] |
| 2019-05-28 | Unnamed Belgian mayor | €2,000 | Belgium (GBA/ADP) | Misuse of personal data collected for local administrative purposes for election campaign purposes.[16] |
| 2019-05-16 | MisterTango UAB (payment services) | €61,500 | Lithuania (ADA) | Processing more personal data than is necessary for effecting of the payment.[17] |
| 2019-03-16 | Lower Silesian Football Association | €13,000 | Poland (UODO) | Listing personal information of 585 referees on its website.[18] |
| 2019-04-04 | Rousseau (participatory democracy platform) | €50,000 | Italy (GPDP) | Failing to protect users' personal data.[19] |

References

  1. ^ "L_2016119EN.01000101.xml". eur-lex.europa.eu. Archived from the original on 10 November 2017. Retrieved 28 August 2016.
  2. ^ "Hospital Do Barreiro fined by Comissão Nacional de Protecção de Dados in 400,000 Euro for allowing improper access to clinical files". 24 June 2019. Retrieved 27 June 2019.
  3. ^ "Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR". 23 November 2018. Retrieved 27 June 2019.
  4. ^ "German Data Protection Authority of Baden-Württemberg fines an employee of a public body". 24 June 2019. Retrieved 26 June 2019.
  5. ^ Fox, Chris (21 January 2019). "Google hit with £44m GDPR fine". BBC News. Retrieved 14 June 2019.
  6. ^ Porter, Jon (21 January 2019). "Google fined €50 million for GDPR violation in France". The Verge. Retrieved 14 June 2019.
  7. ^ "LaLiga facing €250k fine for GDPR violations in app used to spy on users". TechRepublic. Retrieved 14 June 2019.
  8. ^ Geigner, Timothy. "La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates". Techdirt. Retrieved 14 June 2019.
  9. ^ Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
  10. ^ Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
  11. ^ "Administrative fine of 170.000 € imposed on Bergen Municipality". Datatilsynet. 12 April 2019. Retrieved 24 June 2019.
  12. ^ Lomas, Natasha (30 March 2019). "Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line". TechCrunch. Retrieved 24 June 2019.
  13. ^ "EE fined £100,000 for unlawful texts". BBC News. 24 June 2019. Retrieved 24 June 2019.
  14. ^ "ICO fines telecoms company EE Limited for sending unlawful text messages". ICO. 24 June 2019. Retrieved 24 June 2019.
  15. ^ "Danish DPA set to fine furniture company". 11 June 2019. Retrieved 24 June 2019.
  16. ^ Fiten, Bernd (3 June 2019). "First GDPR fine in Belgium: € 2000 imposed on a mayor". Retrieved 24 June 2019.
  17. ^ "First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania". 21 May 2019. Retrieved 24 June 2019.
  18. ^ Clark, Sam (17 May 2019). "Polish watchdog issues second GDPR fine". Global Data Review. Retrieved 24 June 2019.
  19. ^ "5Stars defend their digital democracy in face of privacy sanction". TechCrunch. 19 April 2019. {{cite web}}: |access-date= requires |url= (help); Missing or empty |url= (help); Text "https://www.politico.eu/article/davide-casaleggio-5stars-rousseau-platform-lashes-out-over-political-motivated-data-protection-fine/" ignored (help)