GDPR fines and notices

From Wikipedia, the free encyclopedia

The General Data Protection Regulation (GDPR) is a European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally-identifiable information.

Violators of GDPR may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.[1] The following is a list of fines and notices issued under the GDPR, including reasoning.

| Date | Company | Amount | Issued by | Reason(s) |
|---|---|---|---|---|
| 2018-10 | Hospital do Barreiro | €400,000 | Portugal (CNPD) | "...based on access policies to databases, which allowed technicians and physicians to consult patients' clinical files, without proper authorization."[2] |
| 2018-11-21 | Knuddels.de (German social network) | €20,000 | Germany (LfDI) | "...unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses."[3] |
| 2019-06-18 | Unnamed police officer | €1,400 | Germany (LfDI) | Autonomously processing personal data for non-legal purposes.[4] |
| 2019-01-21 | Google LLC | €50 million | France (CNIL) | Insufficient transparency, control, and consent over the processing of personal data for the purposes of behavioural advertising.[5][6] |
| 2019-03-15 | Bisnode (business, credit and market information) | €220,000 | Poland (UODO) | Covert scraping of personal data.[7] |
| 2019-03-16 | Lower Silesian Football Association | €13,000 | Poland (UODO) | Listing personal information of 585 referees on its website.[8] |
| 2019-04-04 | Rousseau (participatory democracy platform) | €50,000 | Italy (GPDP) | Failing to protect users' personal data.[9] |
| 2019-05-08 | The Municipality of Bergen | €170,000 | Norway (Datatilsynet) | File with login credentials for 35,000 students and employees found in a public storage area.[10] |
| 2019-05-16 | MisterTango UAB (payment services) | €61,500 | Lithuania (ADA) | Processing more personal data than is necessary for effecting the payment.[11] |
| 2019-05-28 | Unnamed Belgian mayor | €2,000 | Belgium (GBA/ADP) | Misuse of personal data collected for local administrative purposes for election campaign purposes.[12] |
| 2019-06 | La Liga | €250,000 | Spain (AEPD) | Poorly disclosing the purpose for requesting GPS and microphone permissions within the football league's mobile app. When the app was open, it transmitted the user's location if it detected an acoustic fingerprint embedded within game telecasts. This was used to help pinpoint the locations of venues that may be screening the games from unauthorized feeds.[13][14] |
| 2019-06-18 | Sergic (real estate services) | €400,000 | France (CNIL) | Failure to implement appropriate security measures; failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates.[15] |
| 2019-06-11 | IDDesign A/S (furniture) | DKK 1.5 million | Denmark (Datatilsynet) | Failure to delete personal data from an older system: processing personal data for longer than necessary.[16] |
| 2019-06-18 | Uniontrad Company (translation services) | €20,000 | France (CNIL) | Excessive video surveillance of employees; single, shared password for the messaging system; ignoring an earlier CNIL order to change practices.[17] |
| 2019-06-24 | EE (telecoms) | £100,000 | UK (ICO) | Sending over 2.5 million direct marketing messages to its customers without consent.[18][19] |
| 2019-07-08 | British Airways | £183 million | UK (ICO) | Poor security arrangements that resulted in a 2018 web skimming attack affecting 500,000 consumers.[20][21][22] |
| 2019-06-27 | UniCredit Bank Romania | €130,000 | Romania (ANSPDCP) | Failure to implement appropriate technical and organisational measures.[23][24] |
| 2019-07-09 | Marriott International | £99 million | UK (ICO) | Failure to undertake sufficient due diligence when acquiring the Starwood hotels group, whose systems were compromised in 2014, exposing approximately 339 million guest records.[25] |
| 2019-07-03 | Marriott International | €235,000 | Turkey (KVKK) | Failure to implement the technical and administrative measures necessary to ensure data security, and breaching notification obligations.[26] |
| 2019-07-03 | Cathay Pacific | €88,000 | Turkey (KVKK) | Failure to implement the technical and administrative measures necessary to ensure data security, and breaching notification obligations.[27] |
| 2019-07-16 | HagaZiekenhuis | €460,000 | The Netherlands (AP) | Insufficient security of medical records.[28][29] |

References

1. "L_2016119EN.01000101.xml". eur-lex.europa.eu. Archived from the original on 10 November 2017. Retrieved 28 August 2016.
2. "Hospital Do Barreiro fined by Comissão Nacional de Protecção de Dados in 400,000 Euro for allowing improper access to clinical files". 24 June 2019. Retrieved 27 June 2019.
3. "Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR". 23 November 2018. Retrieved 27 June 2019.
4. "German Data Protection Authority of Baden-Württemberg fines an employee of a public body". 24 June 2019. Retrieved 26 June 2019.
5. Fox, Chris (21 January 2019). "Google hit with £44m GDPR fine". BBC News. Retrieved 14 June 2019.
6. Porter, Jon (21 January 2019). "Google fined €50 million for GDPR violation in France". The Verge. Retrieved 14 June 2019.
7. Lomas, Natasha (30 March 2019). "Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line". TechCrunch. Retrieved 24 June 2019.
8. Clark, Sam (17 May 2019). "Polish watchdog issues second GDPR fine". Global Data Review. Retrieved 24 June 2019.
9. "5Stars defend their digital democracy in face of privacy sanction". Politico. 19 April 2019. Retrieved 27 June 2019.
10. "Administrative fine of 170.000 € imposed on Bergen Municipality". Datatilsynet. 12 April 2019. Retrieved 24 June 2019.
11. "First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania". 21 May 2019. Retrieved 24 June 2019.
12. Fiten, Bernd (3 June 2019). "First GDPR fine in Belgium: € 2000 imposed on a mayor". Retrieved 24 June 2019.
13. "LaLiga facing €250k fine for GDPR violations in app used to spy on users". TechRepublic. Retrieved 14 June 2019.
14. Geigner, Timothy. "La Liga Fined 250K Euros For Using Mobile App To Try To Catch 3rd Party Pirates". Techdirt. Retrieved 14 June 2019.
15. Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
16. "Danish DPA set to fine furniture company". 11 June 2019. Retrieved 24 June 2019.
17. Lanois, Paul (21 June 2019). "Videosurveillance: CNIL issues fine of 20,000 euros against a small company in France". Fieldfisher. Retrieved 24 June 2019.
18. "EE fined £100,000 for unlawful texts". BBC News. 24 June 2019. Retrieved 24 June 2019.
19. "ICO fines telecoms company EE Limited for sending unlawful text messages". ICO. 24 June 2019. Retrieved 24 June 2019.
20. "British Airways faces record £183m fine for data breach". 8 July 2019. Retrieved 8 July 2019.
21. Sweney, Mark (8 July 2019). "BA faces £183m fine over passenger data breach". The Guardian. ISSN 0261-3077. Retrieved 8 July 2019.
22. "UK's ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users". TechCrunch. Retrieved 8 July 2019.
23. "First Fine For The Application Of Gdpr". 4 July 2019. Retrieved 9 July 2019.
24. "First fine by the Romanian Supervisory Authority". 5 July 2019. Retrieved 9 July 2019.
25. "Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach". 9 July 2019. Retrieved 15 July 2019.
26. "ICO proposes fines against British Airways and Marriott". 14 July 2019. Retrieved 15 July 2019.
27. "ICO proposes fines against British Airways and Marriott". 14 July 2019. Retrieved 15 July 2019.
28. "Haga beboet voor onvoldoende interne beveiliging patiëntendossiers". 16 July 2019. Retrieved 17 July 2019.
29. "Hague Hospital Fined €460,000 For Not Protecting Patient's Privacy". 16 July 2019. Retrieved 17 July 2019.