GDPR fines and notices


The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of their personally identifiable information.

Violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.[1] The following is a list of fines and notices issued under the GDPR, including reasoning.

| Date | Organisation | Amount | Issued by | Reason(s) |
|---|---|---|---|---|
| 2018-10 | Hospital do Barreiro | €400,000 | Portugal (CNPD) | "...based on access policies to databases, which allowed technicians and physicians to consult patients' clinical files, without proper authorization."[2] |
| 2018-11-21 | Knuddels.de (German social network) | €20,000 | Germany (LfDI) | "...unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses."[3] |
| 2019-06-18 | Unnamed police officer | €1,400 | Germany (LfDI) | Autonomously processing personal data for non-legal purposes.[4] |
| 2019-01-21 | Google LLC | €50 million | France (CNIL) | Insufficient transparency, control, and consent over the processing of personal data for the purposes of behavioural advertising.[5][6] |
| 2019-03-15 | Bisnode (business, credit and market information) | €220,000 | Poland (UODO) | Covert scraping of personal data.[7] |
| 2019-03-16 | Lower Silesian Football Association | €13,000 | Poland (UODO) | Listing personal information of 585 referees on its website.[8] |
| 2019-04-04 | Rousseau (participatory democracy platform) | €50,000 | Italy (GPDP) | Failing to protect users' personal data.[9] |
| 2019-05-08 | The Municipality of Bergen | €170,000 | Norway (Datatilsynet) | File with login credentials for 35,000 students and employees found in a public storage area.[10] |
| 2019-05-16 | MisterTango UAB (payment services) | €61,500 | Lithuania (ADA) | Processing more personal data than is necessary for effecting the payment.[11] |
| 2019-05-28 | Unnamed Belgian mayor | €2,000 | Belgium (GBA/APD) | Misuse of personal data collected for local administrative purposes for election campaign purposes.[12] |
| 2019-06 | La Liga | €250,000 | Spain (AEPD) | Poorly disclosing the purpose for requesting GPS and microphone permissions within the football league's mobile app. When the app was open, it transmitted the user's location if it detected an acoustic fingerprint embedded in game telecasts; this was used to help pinpoint venues that might be screening the games from unauthorized feeds.[13][14] |
| 2019-06-18 | Sergic (real estate services) | €400,000 | France (CNIL) | Failure to implement appropriate security measures; failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates.[15] |
| 2019-06-11 | IDDesign A/S (furniture) | DKK 1.5 million | Denmark (Datatilsynet) | Failure to delete personal data from an older system: processing personal data for longer than necessary.[16] |
| 2019-06-18 | Uniontrad Company (translation services) | €20,000 | France (CNIL) | Excessive video surveillance of employees; a single, shared password for the messaging system; ignoring an earlier CNIL order to change practices.[17] |
| 2019-06-24 | EE (telecoms) | £100,000 | UK (ICO) | Sending over 2.5 million direct marketing messages to its customers without consent.[18][19] |
| 2019-07-08 | British Airways | £183 million | UK (ICO) | Poor security arrangements that resulted in a 2018 web skimming attack affecting 500,000 consumers.[20][21][22] |
| 2019-06-27 | UniCredit Bank Romania | €130,000 | Romania (ANSPDCP) | Failure to implement appropriate technical and organisational measures.[23][24] |
| 2019-07-09 | Marriott International | £99 million | UK (ICO) | Failure to undertake sufficient due diligence when acquiring the Starwood hotels group, whose systems were compromised in 2014, exposing approximately 339 million guest records.[25] |
| 2019-07-03 | Marriott International | €235,000 | Turkey (KVKK) | Failure to implement the technical and administrative measures necessary to ensure data security, and breach of notification obligations.[26] |
| 2019-07-03 | Cathay Pacific | €88,000 | Turkey (KVKK) | Failure to implement the technical and administrative measures necessary to ensure data security, and breach of notification obligations.[27] |
| 2019-07-16 | HagaZiekenhuis | €460,000 | The Netherlands (AP) | Insufficient security of medical records.[28][29] |
| 2019-07-25 | Active Assurances | €180,000 | France (CNIL) | Failure to implement appropriate security measures.[30] |
| 2019-07-25 | PricewaterhouseCoopers | €150,000 | Greece (HDPA) | Unlawful processing of employee data.[31] |
| 2019-08-21 | Skellefteå High School Board | €20,000 | Sweden (SDPA) | Using facial recognition technology to monitor student attendance on an invalid legal basis; processing sensitive biometric data unlawfully; failing to carry out an adequate impact assessment, including prior consultation with the Swedish DPA.[32] |
| 2019-03-07 | Unnamed bank | €1,560 | Hungary (NAIH) | Failure to erase and correct data at the request of the data subject.[33] |
| 2019-03-07 | Unnamed debt collector | €1,560 | Hungary (NAIH) | Breaching the principles of transparency and data minimisation.[34] |
| 2019-??-?? | Unnamed company | €3,135 | Hungary (NAIH) | Infringing a data subject's access rights.[35] |
| 2019-08-12 | Unnamed medical company | €55,000 | Austria (DSB) | Not appointing a DPO and not publishing its contact details or reporting them to the supervisory authority; making consent of data subjects obligatory (Art. 7); not providing information (Art. 13, 14); no DPIA despite handling sensitive data (Art. 35).[36] |
| 2019-08-12 | Unnamed online retailer | €7,000 | Latvia (DSI) | Non-conformity with data subjects' right to erasure, and non-cooperation with the supervisory authority.[37] |
| 2019-09-19 | Unnamed retailer | €10,000 | Belgium (GBA/APD) | Demanding an electronic identity card to create a customer loyalty card.[38] |
| 2019-09-20 | Online retailer Morele.net | €645,000 | Poland (UODO) | Insufficient protection of personal data, leading to the exposure of data of about 2.2 million people.[39] |
| 2019-10-17 | Vueling Airlines | €30,000 | Spain (AEPD) | Failing to obtain valid consent to process customer cookies, as per its privacy notice.[40] |
| 2019-12-09 | 1&1 Ionos | €9,550,000 | Germany (BfDI) | Insufficient protection of personal data: failing to put "sufficient technical and organizational measures" in place to protect customer data in its call centres; violation of Article 32 of the GDPR.[41] |
| 2019-12-17 | Doorstep Dispensaree | £275,000 | UK (ICO) | A "cavalier attitude to data protection", having left 500,000 patient records in an unsecured location.[42] |


References

  1. "L_2016119EN.01000101.xml". eur-lex.europa.eu. Archived from the original on 10 November 2017. Retrieved 28 August 2016.
  2. "Hospital Do Barreiro fined by Comissão Nacional de Protecção de Dados in 400,000 Euro for allowing improper access to clinical files". 24 June 2019. Retrieved 27 June 2019.
  3. "Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR". 23 November 2018. Retrieved 27 June 2019.
  4. "German Data Protection Authority of Baden-Württemberg fines an employee of a public body". 24 June 2019. Retrieved 26 June 2019.
  5. Fox, Chris (21 January 2019). "Google hit with £44m GDPR fine". BBC News. Retrieved 14 June 2019.
  6. Porter, Jon (21 January 2019). "Google fined €50 million for GDPR violation in France". The Verge. Retrieved 14 June 2019.
  7. Lomas, Natasha (30 March 2019). "Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line". TechCrunch. Retrieved 24 June 2019.
  8. Clark, Sam (17 May 2019). "Polish watchdog issues second GDPR fine". Global Data Review. Retrieved 24 June 2019.
  9. "5Stars defend their digital democracy in face of privacy sanction". Politico. 19 April 2019. Retrieved 27 June 2019.
  10. "Administrative fine of 170.000 € imposed on Bergen Municipality". Datatilsynet. 12 April 2019. Retrieved 24 June 2019.
  11. "First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania". 21 May 2019. Retrieved 24 June 2019.
  12. Fiten, Bernd (3 June 2019). "First GDPR fine in Belgium: € 2000 imposed on a mayor". Retrieved 24 June 2019.
  13. "LaLiga facing €250k fine for GDPR violations in app used to spy on users". TechRepublic. Retrieved 14 June 2019.
  14. Geigner, Timothy. "La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates". Techdirt. Retrieved 14 June 2019.
  15. Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
  16. "Danish DPA set to fine furniture company". 11 June 2019. Retrieved 24 June 2019.
  17. Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
  18. "EE fined £100,000 for unlawful texts". BBC News. 24 June 2019. Retrieved 24 June 2019.
  19. "ICO fines telecoms company EE Limited for sending unlawful text messages". ICO. 24 June 2019. Retrieved 24 June 2019.
  20. "British Airways faces record £183m fine for data breach". 8 July 2019. Retrieved 8 July 2019.
  21. Sweney, Mark (8 July 2019). "BA faces £183m fine over passenger data breach". The Guardian. ISSN 0261-3077. Retrieved 8 July 2019.
  22. "UK's ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users". TechCrunch. Retrieved 8 July 2019.
  23. "First Fine For The Application Of Gdpr". 4 July 2019. Retrieved 9 July 2019.
  24. "First fine by the Romanian Supervisory Authority". 5 July 2019. Retrieved 9 July 2019.
  25. "Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach". 9 July 2019. Retrieved 15 July 2019.
  26. "ICO proposes fines against British Airways and Marriott". 14 July 2019. Retrieved 15 July 2019.
  27. "ICO proposes fines against British Airways and Marriott". 14 July 2019. Retrieved 15 July 2019.
  28. "Haga beboet voor onvoldoende interne beveiliging patiëntendossiers". 16 July 2019. Retrieved 17 July 2019.
  29. "Hague Hospital Fined €460,000 For Not Protecting Patient's Privacy". 16 July 2019. Retrieved 17 July 2019.
  30. Lanois, Paul (25 July 2019). "CNIL issues fine of €280.000 for failure to implement "basic security measures"". Fieldfisher. Retrieved 29 July 2019.
  31. "Exercise of the Hellenic DPA's corrective powers pursuant to the GDPR for selection and application of inappropriate legal basis and violation of the principle of accountability by a company". HDPA. 30 July 2019. Retrieved 5 August 2019.
  32. "Facial recognition in school renders Sweden's first GDPR fine". EDPB. 22 August 2019. Retrieved 3 September 2019.
  33. "Hungary fines two companies for GDPR infringement". CMS. 19 March 2019. Retrieved 10 September 2019.
  34. "Hungary fines two companies for GDPR infringement". CMS. 19 March 2019. Retrieved 10 September 2019.
  35. "First GDPR fine in Hungary for breaching data subject's rights". Lexology. 15 February 2019. Retrieved 10 September 2019.
  36. "Austrian DPA fines controller in the medical sector". EDPB. 12 August 2019. Retrieved 11 September 2019.
  37. "Data State Inspectorate of Latvia imposes a financial penalty of 7000 euros against online retailer". EDPB. 3 September 2019. Retrieved 11 September 2019.
  38. "The Belgian data protection authority imposes a fine of € 10,000". 19 September 2019. Retrieved 2 October 2019.
  39. "Polish DPA imposes €645,000 fine for insufficient organisational and technical safeguards". 20 September 2019. Retrieved 2 October 2019.
  40. "The Spanish Data Protection Authority fined the company Vueling for the cookie policy used on its website with 30,000 euros". 17 October 2019. Retrieved 6 November 2019.
  41. "BfDI verhängt Geldbußen gegen Telekommunikationsdienstleister". 9 December 2019. Retrieved 9 December 2019.
  42. "Pharmacy incurs first ever UK data protection fine worth £275k". Pharmaceutical Journal. 20 December 2019. Retrieved 24 February 2020.