Jump to content

GDPR fines and notices: Difference between revisions

Add links
From Wikipedia, the free encyclopedia
Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
Two small textual changes because we now include notices.
Added the UNICREDIT fine
Line 53: Line 53:
|-
|-
| 2019-07-08 || [[British Airways]] || £183 million || UK ([[Information Commissioner's Office|ICO]]) || Use of poor security arrangements that resulted in a 2018 [[web skimming]] attack affecting 500,000 consumers.<ref>{{Cite news|url=https://www.bbc.com/news/business-48905907|title=British Airways faces record £183m fine for data breach|date=2019-07-08|access-date=2019-07-08|language=en-GB}}</ref><ref>{{Cite news|url=https://www.theguardian.com/business/2019/jul/08/ba-fine-customer-data-breach-british-airways|title=BA faces £183m fine over passenger data breach|last=Sweney|first=Mark|date=2019-07-08|work=The Guardian|access-date=2019-07-08|language=en-GB|issn=0261-3077}}</ref><ref>{{Cite web|url=http://social.techcrunch.com/2019/07/08/uks-ico-fines-british-airways-a-record-183m-over-gdpr-breach-that-leaked-data-from-500000-users/|title=UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users|website=TechCrunch|language=en-US|access-date=2019-07-08}}</ref>
| 2019-07-08 || [[British Airways]] || £183 million || UK ([[Information Commissioner's Office|ICO]]) || Use of poor security arrangements that resulted in a 2018 [[web skimming]] attack affecting 500,000 consumers.<ref>{{Cite news|url=https://www.bbc.com/news/business-48905907|title=British Airways faces record £183m fine for data breach|date=2019-07-08|access-date=2019-07-08|language=en-GB}}</ref><ref>{{Cite news|url=https://www.theguardian.com/business/2019/jul/08/ba-fine-customer-data-breach-british-airways|title=BA faces £183m fine over passenger data breach|last=Sweney|first=Mark|date=2019-07-08|work=The Guardian|access-date=2019-07-08|language=en-GB|issn=0261-3077}}</ref><ref>{{Cite web|url=http://social.techcrunch.com/2019/07/08/uks-ico-fines-british-airways-a-record-183m-over-gdpr-breach-that-leaked-data-from-500000-users/|title=UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users|website=TechCrunch|language=en-US|access-date=2019-07-08}}</ref>
|-
| 2019-06-27 || [[UNICREDIT BANK S.A.]] || €130,000 || Romania ([[Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal|ANSPDCP]]) || failure to implement appropriate technical and organisational measures<ref>{{Cite web|url=https://www.dataprotection.ro/index.jsp?page=Comunicat_Amenda_Unicredit&lang=en|title=First Fine For The Application Of Gdpr|date=2019-07-04|access-date=2019-07-09|language=en-GB}}</ref><ref>{{Cite web|url=https://edpb.europa.eu/news/national-news/2019/first-fine-romanian-supervisory-authority_en|title=First fine by the Romanian Supervisory Authority|date=2019-07-05|access-date=2019-07-09|language=en-GB}}</ref>
|}
|}


Revision as of 09:43, 9 July 2019

The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally-identifiable information.

Violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.[1] The following is a list of fines and notices issued under the GDPR, including reasoning.

Date Company Amount Issued by Reason(s)
2018-10 Hospital do Barreiro €400,000 Portugal (CNPD) "...based on access policies to databases, which allowed technicians and physicians to consult patients’ clinical files, without proper authorization."[2]
2018-11-21 Knuddels.de (German social network) €20,000 Germany (LfDI) "...unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses."[3]
2019-06-18 Unnamed police officer €1,400 Germany (LfDI) Autonomously processing personal data for non-legal purposes.[4]
2019-01-21 Google LLC €50 million France (CNIL) Insufficient transparency, control, and consent over the processing of personal data for the purposes of behavioural advertising.[5][6]
2019-03-15 Bisnode (business, credit and market information) €220,000 Poland (UODO)

Covert scraping of personal data. [7]

2019-03-16 Lower Silesian Football Association €13,000 Poland (UODO)

Listing personal information of 585 referees on its website.[8]

2019-04-04 Rousseau (participatory democracy platform) €50,000 Italy (GPDP) Failing to protect users' personal data.[9]
2019-05-08 The Municipality of Bergen €170,000 Norway (Datatilsynet)

File with login credentials for 35,000 students and employees found in a public storage area.[10]

2019-05-16 MisterTango UAB (payment services) €61,500 Lithuania (ADA) Processing more personal data than is necessary for effecting of the payment.[11]
2019-05-28 Unnamed Belgian mayor €2,000 Belgium (GBA/ADP) Misuse of personal data collected for local administrative purposes for election campaign purposes.[12]
2019-06 La Liga €250,000 Spain (AEPD) Poorly disclosing purpose for requesting GPS and microphone permissions within the football league's mobile app. When the app was open, it transmitted the user's location if it detected an acoustic fingerprint embedded within game telecasts. This was used to help pinpoint the locations of venues that may be screening the games from unauthorized feeds.[13][14]
2019-06-18 Sergic (real estate services) €400,000 France (CNIL)

Failure to implement appropriate security measures; failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates. [15]

2019-06-11 IDDesign A/S (furniture) DKK 1,5 million Denmark (Datatilsynet) Failure to delete personal data from an older system: processing personal data for a longer time than necessary.[16]
2019-06-18 Uniontrad Company (translation services) €20,000 France (CNIL)

Excessive video surveillance of employees; single, shared password for messaging system; ignoring earlier CNIL order to change practices.[17]

2019-06-24 EE (telecoms) £100,000 UK (ICO) Sending over 2.5 million direct marketing messages to its customers, without consent.[18][19]
2019-07-08 British Airways £183 million UK (ICO) Use of poor security arrangements that resulted in a 2018 web skimming attack affecting 500,000 consumers.[20][21][22]
2019-06-27 UNICREDIT BANK S.A. €130,000 Romania (ANSPDCP) failure to implement appropriate technical and organisational measures[23][24]

References

  1. ^ "L_2016119EN.01000101.xml". eur-lex.europa.eu. Archived from the original on 10 November 2017. Retrieved 28 August 2016. {{cite web}}: Unknown parameter |dead-url= ignored (|url-status= suggested) (help)
  2. ^ "Hospital Do Barreiro fined by Comissão Nacional de Protecção de Dados in 400,000 Euro for allowing improper access to clinical files". 24 June 2019. Retrieved 27 June 2019.
  3. ^ "Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR". 23 November 2018. Retrieved 27 June 2019.
  4. ^ "German Data Protection Authority of Baden-Württemberg fines an employee of a public body". 24 June 2019. Retrieved 26 June 2019.
  5. ^ Fox, Chris (21 January 2019). "Google hit with £44m GDPR fine". BBC News. Retrieved 14 June 2019.
  6. ^ Porter, Jon (21 January 2019). "Google fined €50 million for GDPR violation in France". The Verge. Retrieved 14 June 2019.
  7. ^ Lomas, Natasha (30 March 2019). "Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line". TechCrunch. Retrieved 24 June 2019.
  8. ^ Clark, Sam (17 May 2019). "Polish watchdog issues second GDPR fine". Global Data Review. Retrieved 24 June 2019.
  9. ^ "5Stars defend their digital democracy in face of privacy sanction". Politico. 19 April 2019. Retrieved 27 June 2019.
  10. ^ "Administrative fine of 170.000 € imposed on Bergen Municipality". Datatilsynet. 12 April 2019. Retrieved 24 June 2019.
  11. ^ "First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania". 21 May 2019. Retrieved 24 June 2019.
  12. ^ Fiten, Bernd (3 June 2019). "First GDPR fine in Belgium: € 2000 imposed on a mayor". Retrieved 24 June 2019.
  13. ^ "LaLiga facing €250k fine for GDPR violations in app used to spy on users". TechRepublic. Retrieved 14 June 2019.
  14. ^ Geigner, Timothy. "La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates". Techdirt. Retrieved 14 June 2019.
  15. ^ Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
  16. ^ "Danish DPA set to fine furniture company". 11 June 2019. Retrieved 24 June 2019.
  17. ^ Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
  18. ^ "EE fined £100,000 for unlawful texts". BBC News. 24 June 2019. Retrieved 24 June 2019.
  19. ^ "ICO fines telecoms company EE Limited for sending unlawful text messages". ICO. 24 June 2019. Retrieved 24 June 2019.
  20. ^ "British Airways faces record £183m fine for data breach". 8 July 2019. Retrieved 8 July 2019.
  21. ^ Sweney, Mark (8 July 2019). "BA faces £183m fine over passenger data breach". The Guardian. ISSN 0261-3077. Retrieved 8 July 2019.
  22. ^ "UK's ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users". TechCrunch. Retrieved 8 July 2019.
  23. ^ "First Fine For The Application Of Gdpr". 4 July 2019. Retrieved 9 July 2019.
  24. ^ "First fine by the Romanian Supervisory Authority". 5 July 2019. Retrieved 9 July 2019.
Retrieved from "https://en.wikipedia.org/w/index.php?title=GDPR_fines_and_notices&oldid=905473002"